Home | History | Annotate | Download | only in x509 
      1 package org.bouncycastle.x509;
      2 
      3 import org.bouncycastle.util.Selector;
      4 
      5 import java.security.InvalidAlgorithmParameterException;
      6 import java.security.InvalidParameterException;
      7 import java.security.cert.PKIXBuilderParameters;
      8 import java.security.cert.PKIXParameters;
      9 import java.security.cert.TrustAnchor;
     10 import java.security.cert.X509CertSelector;
     11 import java.util.Collections;
     12 import java.util.HashSet;
     13 import java.util.Set;
     14 
     15 /**
     16  * This class contains extended parameters for PKIX certification path builders.
     17  *
     18  * @see java.security.cert.PKIXBuilderParameters
     19  * @see org.bouncycastle.jce.provider.PKIXCertPathBuilderSpi
     20  */
     21 public class ExtendedPKIXBuilderParameters extends ExtendedPKIXParameters
     22 {
     23 
     24     private int maxPathLength = 5;
     25 
     26     private Set excludedCerts = Collections.EMPTY_SET;
     27 
     28     /**
     29      * Excluded certificates are not used for building a certification path.
     30      * <p>
     31      * The returned set is immutable.
     32      *
     33      * @return Returns the excluded certificates.
     34      */
     35     public Set getExcludedCerts()
     36     {
     37         return Collections.unmodifiableSet(excludedCerts);
     38     }
     39 
     40     /**
     41      * Sets the excluded certificates which are not used for building a
     42      * certification path. If the <code>Set</code> is <code>null</code> an
     43      * empty set is assumed.
     44      * <p>
     45      * The given set is cloned to protect it against subsequent modifications.
     46      *
     47      * @param excludedCerts The excluded certificates to set.
     48      */
     49     public void setExcludedCerts(Set excludedCerts)
     50     {
     51         if (excludedCerts == null)
     52         {
     53             excludedCerts = Collections.EMPTY_SET;
     54         }
     55         else
     56         {
     57             this.excludedCerts = new HashSet(excludedCerts);
     58         }
     59     }
     60 
     61     /**
     62      * Creates an instance of <code>PKIXBuilderParameters</code> with the
     63      * specified <code>Set</code> of most-trusted CAs. Each element of the set
     64      * is a {@link TrustAnchor TrustAnchor}.
     65      *
     66      * <p>
     67      * Note that the <code>Set</code> is copied to protect against subsequent
     68      * modifications.
     69      *
     70      * @param trustAnchors a <code>Set</code> of <code>TrustAnchor</code>s
     71      * @param targetConstraints a <code>Selector</code> specifying the
     72      *            constraints on the target certificate or attribute
     73      *            certificate.
     74      * @throws InvalidAlgorithmParameterException if <code>trustAnchors</code>
     75      *             is empty.
     76      * @throws NullPointerException if <code>trustAnchors</code> is
     77      *             <code>null</code>
     78      * @throws ClassCastException if any of the elements of
     79      *             <code>trustAnchors</code> is not of type
     80      *             <code>java.security.cert.TrustAnchor</code>
     81      */
     82     public ExtendedPKIXBuilderParameters(Set trustAnchors,
     83             Selector targetConstraints)
     84             throws InvalidAlgorithmParameterException
     85     {
     86         super(trustAnchors);
     87         setTargetConstraints(targetConstraints);
     88     }
     89 
     90     /**
     91      * Sets the maximum number of intermediate non-self-issued certificates in a
     92      * certification path. The PKIX <code>CertPathBuilder</code> must not
     93      * build paths longer then this length.
     94      * <p>
     95      * A value of 0 implies that the path can only contain a single certificate.
     96      * A value of -1 does not limit the length. The default length is 5.
     97      *
     98      * <p>
     99      *
    100      * The basic constraints extension of a CA certificate overrides this value
    101      * if smaller.
    102      *
    103      * @param maxPathLength the maximum number of non-self-issued intermediate
    104      *            certificates in the certification path
    105      * @throws InvalidParameterException if <code>maxPathLength</code> is set
    106      *             to a value less than -1
    107      *
    108      * @see org.bouncycastle.jce.provider.PKIXCertPathBuilderSpi
    109      * @see #getMaxPathLength
    110      */
    111     public void setMaxPathLength(int maxPathLength)
    112     {
    113         if (maxPathLength < -1)
    114         {
    115             throw new InvalidParameterException("The maximum path "
    116                     + "length parameter can not be less than -1.");
    117         }
    118         this.maxPathLength = maxPathLength;
    119     }
    120 
    121     /**
    122      * Returns the value of the maximum number of intermediate non-self-issued
    123      * certificates in the certification path.
    124      *
    125      * @return the maximum number of non-self-issued intermediate certificates
    126      *         in the certification path, or -1 if no limit exists.
    127      *
    128      * @see #setMaxPathLength(int)
    129      */
    130     public int getMaxPathLength()
    131     {
    132         return maxPathLength;
    133     }
    134 
    135     /**
    136      * Can alse handle <code>ExtendedPKIXBuilderParameters</code> and
    137      * <code>PKIXBuilderParameters</code>.
    138      *
    139      * @param params Parameters to set.
    140      * @see org.bouncycastle.x509.ExtendedPKIXParameters#setParams(java.security.cert.PKIXParameters)
    141      */
    142     protected void setParams(PKIXParameters params)
    143     {
    144         super.setParams(params);
    145         if (params instanceof ExtendedPKIXBuilderParameters)
    146         {
    147             ExtendedPKIXBuilderParameters _params = (ExtendedPKIXBuilderParameters) params;
    148             maxPathLength = _params.maxPathLength;
    149             excludedCerts = new HashSet(_params.excludedCerts);
    150         }
    151         if (params instanceof PKIXBuilderParameters)
    152         {
    153             PKIXBuilderParameters _params = (PKIXBuilderParameters) params;
    154             maxPathLength = _params.getMaxPathLength();
    155         }
    156     }
    157 
    158     /**
    159      * Makes a copy of this <code>PKIXParameters</code> object. Changes to the
    160      * copy will not affect the original and vice versa.
    161      *
    162      * @return a copy of this <code>PKIXParameters</code> object
    163      */
    164     public Object clone()
    165     {
    166         ExtendedPKIXBuilderParameters params = null;
    167         try
    168         {
    169             params = new ExtendedPKIXBuilderParameters(getTrustAnchors(),
    170                     getTargetConstraints());
    171         }
    172         catch (Exception e)
    173         {
    174             // cannot happen
    175             throw new RuntimeException(e.getMessage());
    176         }
    177         params.setParams(this);
    178         return params;
    179     }
    180 
    181     /**
    182      * Returns an instance of <code>ExtendedPKIXParameters</code> which can be
    183      * safely casted to <code>ExtendedPKIXBuilderParameters</code>.
    184      * <p>
    185      * This method can be used to get a copy from other
    186      * <code>PKIXBuilderParameters</code>, <code>PKIXParameters</code>,
    187      * and <code>ExtendedPKIXParameters</code> instances.
    188      *
    189      * @param pkixParams The PKIX parameters to create a copy of.
    190      * @return An <code>ExtendedPKIXBuilderParameters</code> instance.
    191      */
    192     public static ExtendedPKIXParameters getInstance(PKIXParameters pkixParams)
    193     {
    194         ExtendedPKIXBuilderParameters params;
    195         try
    196         {
    197             params = new ExtendedPKIXBuilderParameters(pkixParams
    198                     .getTrustAnchors(), X509CertStoreSelector
    199                     .getInstance((X509CertSelector) pkixParams
    200                             .getTargetCertConstraints()));
    201         }
    202         catch (Exception e)
    203         {
    204             // cannot happen
    205             throw new RuntimeException(e.getMessage());
    206         }
    207         params.setParams(pkixParams);
    208         return params;
    209     }
    210 }
    211