org.spongycastle.jcajce.PKIXExtendedParameters Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of prov Show documentation
Show all versions of prov Show documentation
Spongy Castle is a package-rename (org.bouncycastle.* to org.spongycastle.*) of Bouncy Castle
intended for the Android platform. Android unfortunately ships with a stripped-down version of
Bouncy Castle, which prevents easy upgrades - Spongy Castle overcomes this and provides a full,
up-to-date version of the Bouncy Castle cryptographic libs.
The newest version!
package org.spongycastle.jcajce;
import java.security.cert.CertPathParameters;
import java.security.cert.CertSelector;
import java.security.cert.CertStore;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.spongycastle.asn1.x509.GeneralName;
/**
* This class extends the PKIXParameters with a validity model parameter.
*/
public class PKIXExtendedParameters
implements CertPathParameters
{
/**
* This is the default PKIX validity model. Actually there are two variants
* of this: The PKIX model and the modified PKIX model. The PKIX model
* verifies that all involved certificates must have been valid at the
* current time. The modified PKIX model verifies that all involved
* certificates were valid at the signing time. Both are indirectly choosen
* with the {@link PKIXParameters#setDate(Date)} method, so this
* methods sets the Date when all certificates must have been
* valid.
*/
public static final int PKIX_VALIDITY_MODEL = 0;
/**
* This model uses the following validity model. Each certificate must have
* been valid at the moment where is was used. That means the end
* certificate must have been valid at the time the signature was done. The
* CA certificate which signed the end certificate must have been valid,
* when the end certificate was signed. The CA (or Root CA) certificate must
* have been valid, when the CA certificate was signed and so on. So the
* {@link PKIXParameters#setDate(Date)} method sets the time, when
* the end certificate must have been valid. It is used e.g.
* in the German signature law.
*/
public static final int CHAIN_VALIDITY_MODEL = 1;
/**
* Builder for a PKIXExtendedParameters object.
*/
public static class Builder
{
private final PKIXParameters baseParameters;
private final Date date;
private PKIXCertStoreSelector targetConstraints;
private List extraCertStores = new ArrayList();
private Map namedCertificateStoreMap = new HashMap();
private List extraCRLStores = new ArrayList();
private Map namedCRLStoreMap = new HashMap();
private boolean revocationEnabled;
private int validityModel = PKIX_VALIDITY_MODEL;
private boolean useDeltas = false;
private Set trustAnchors;
public Builder(PKIXParameters baseParameters)
{
this.baseParameters = (PKIXParameters)baseParameters.clone();
CertSelector constraints = baseParameters.getTargetCertConstraints();
if (constraints != null)
{
this.targetConstraints = new PKIXCertStoreSelector.Builder(constraints).build();
}
Date checkDate = baseParameters.getDate();
this.date = (checkDate == null) ? new Date() : checkDate;
this.revocationEnabled = baseParameters.isRevocationEnabled();
this.trustAnchors = baseParameters.getTrustAnchors();
}
public Builder(PKIXExtendedParameters baseParameters)
{
this.baseParameters = baseParameters.baseParameters;
this.date = baseParameters.date;
this.targetConstraints = baseParameters.targetConstraints;
this.extraCertStores = new ArrayList(baseParameters.extraCertStores);
this.namedCertificateStoreMap = new HashMap(baseParameters.namedCertificateStoreMap);
this.extraCRLStores = new ArrayList(baseParameters.extraCRLStores);
this.namedCRLStoreMap = new HashMap(baseParameters.namedCRLStoreMap);
this.useDeltas = baseParameters.useDeltas;
this.validityModel = baseParameters.validityModel;
this.revocationEnabled = baseParameters.isRevocationEnabled();
this.trustAnchors = baseParameters.getTrustAnchors();
}
public Builder addCertificateStore(PKIXCertStore store)
{
extraCertStores.add(store);
return this;
}
public Builder addNamedCertificateStore(GeneralName issuerAltName, PKIXCertStore store)
{
namedCertificateStoreMap.put(issuerAltName, store);
return this;
}
public Builder addCRLStore(PKIXCRLStore store)
{
extraCRLStores.add(store);
return this;
}
public Builder addNamedCRLStore(GeneralName issuerAltName, PKIXCRLStore store)
{
namedCRLStoreMap.put(issuerAltName, store);
return this;
}
public Builder setTargetConstraints(PKIXCertStoreSelector selector)
{
targetConstraints = selector;
return this;
}
/**
* Sets if delta CRLs should be used for checking the revocation status.
*
* @param useDeltas true if delta CRLs should be used.
*/
public Builder setUseDeltasEnabled(boolean useDeltas)
{
this.useDeltas = useDeltas;
return this;
}
/**
* @param validityModel The validity model to set.
* @see #CHAIN_VALIDITY_MODEL
* @see #PKIX_VALIDITY_MODEL
*/
public Builder setValidityModel(int validityModel)
{
this.validityModel = validityModel;
return this;
}
/**
* Set the trustAnchor to be used with these parameters.
*
* @param trustAnchor the trust anchor end-entity and CRLs must be based on.
* @return the current builder.
*/
public Builder setTrustAnchor(TrustAnchor trustAnchor)
{
this.trustAnchors = Collections.singleton(trustAnchor);
return this;
}
/**
* Set the set of trustAnchors to be used with these parameters.
*
* @param trustAnchors a set of trustAnchors, one of which a particular end-entity and it's associated CRLs must be based on.
* @return the current builder.
*/
public Builder setTrustAnchors(Set trustAnchors)
{
this.trustAnchors = trustAnchors;
return this;
}
/**
* Flag whether or not revocation checking is to be enabled.
*
* @param revocationEnabled true if revocation checking to be enabled, false otherwise.
*/
public void setRevocationEnabled(boolean revocationEnabled)
{
this.revocationEnabled = revocationEnabled;
}
public PKIXExtendedParameters build()
{
return new PKIXExtendedParameters(this);
}
}
private final PKIXParameters baseParameters;
private final PKIXCertStoreSelector targetConstraints;
private final Date date;
private final List extraCertStores;
private final Map namedCertificateStoreMap;
private final List extraCRLStores;
private final Map namedCRLStoreMap;
private final boolean revocationEnabled;
private final boolean useDeltas;
private final int validityModel;
private final Set trustAnchors;
private PKIXExtendedParameters(Builder builder)
{
this.baseParameters = builder.baseParameters;
this.date = builder.date;
this.extraCertStores = Collections.unmodifiableList(builder.extraCertStores);
this.namedCertificateStoreMap = Collections.unmodifiableMap(new HashMap(builder.namedCertificateStoreMap));
this.extraCRLStores = Collections.unmodifiableList(builder.extraCRLStores);
this.namedCRLStoreMap = Collections.unmodifiableMap(new HashMap(builder.namedCRLStoreMap));
this.targetConstraints = builder.targetConstraints;
this.revocationEnabled = builder.revocationEnabled;
this.useDeltas = builder.useDeltas;
this.validityModel = builder.validityModel;
this.trustAnchors = Collections.unmodifiableSet(builder.trustAnchors);
}
public List getCertificateStores()
{
return extraCertStores;
}
public Map getNamedCertificateStoreMap()
{
return namedCertificateStoreMap;
}
public List getCRLStores()
{
return extraCRLStores;
}
public Map getNamedCRLStoreMap()
{
return namedCRLStoreMap;
}
public Date getDate()
{
return new Date(date.getTime());
}
/**
* Defaults to false.
*
* @return Returns if delta CRLs should be used.
*/
public boolean isUseDeltasEnabled()
{
return useDeltas;
}
/**
* @return Returns the validity model.
* @see #CHAIN_VALIDITY_MODEL
* @see #PKIX_VALIDITY_MODEL
*/
public int getValidityModel()
{
return validityModel;
}
public Object clone()
{
return this;
}
/**
* Returns the required constraints on the target certificate.
* The constraints are returned as an instance of
* Selector. If null, no constraints are
* defined.
*
* @return a Selector specifying the constraints on the
* target certificate or attribute certificate (or null)
* @see PKIXCertStoreSelector
*/
public PKIXCertStoreSelector getTargetConstraints()
{
return targetConstraints;
}
public Set getTrustAnchors()
{
return trustAnchors;
}
public Set getInitialPolicies()
{
return baseParameters.getInitialPolicies();
}
public String getSigProvider()
{
return baseParameters.getSigProvider();
}
public boolean isExplicitPolicyRequired()
{
return baseParameters.isExplicitPolicyRequired();
}
public boolean isAnyPolicyInhibited()
{
return baseParameters.isAnyPolicyInhibited();
}
public boolean isPolicyMappingInhibited()
{
return baseParameters.isPolicyMappingInhibited();
}
public List getCertPathCheckers()
{
return baseParameters.getCertPathCheckers();
}
public List getCertStores()
{
return baseParameters.getCertStores();
}
public boolean isRevocationEnabled()
{
return revocationEnabled;
}
}