org.bouncycastle.jcajce.PKIXExtendedParameters Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of bcprov-ext-debug-jdk18on Show documentation
Show all versions of bcprov-ext-debug-jdk18on Show documentation
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for Java 1.8 and later with debug enabled.
The newest version!
package org.bouncycastle.jcajce;
import java.security.cert.CertPathParameters;
import java.security.cert.CertSelector;
import java.security.cert.CertStore;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.bouncycastle.asn1.x509.GeneralName;
/**
* This class extends the PKIXParameters with a validity model parameter.
*/
public class PKIXExtendedParameters
implements CertPathParameters
{
/**
* This is the default PKIX validity model. Actually there are two variants of this: The PKIX
* model and the modified PKIX model. The PKIX model verifies that all involved certificates
* must have been valid at the current time. The modified PKIX model verifies that all involved
* certificates were valid at the signing time. Both are indirectly chosen with the
* {@link PKIXParameters#setDate(Date)} method, so this methods sets the Date when all
* certificates must have been valid.
*/
public static final int PKIX_VALIDITY_MODEL = 0;
/**
* This model uses the following validity model. Each certificate must have been valid at the
* moment when it was used. That means the end certificate must have been valid at the time the
* signature was done. The CA certificate which signed the end certificate must have been valid,
* when the end certificate was signed. The CA (or Root CA) certificate must have been valid
* when the CA certificate was signed, and so on. So the {@link PKIXParameters#setDate(Date)}
* method sets the time, when the end certificate must have been valid. It is used e.g.
* in the German signature law.
*/
public static final int CHAIN_VALIDITY_MODEL = 1;
/**
* Builder for a PKIXExtendedParameters object.
*/
public static class Builder
{
private final PKIXParameters baseParameters;
private final Date validityDate;
private final Date date;
private PKIXCertStoreSelector targetConstraints;
private List extraCertStores = new ArrayList();
private Map namedCertificateStoreMap = new HashMap();
private List extraCRLStores = new ArrayList();
private Map namedCRLStoreMap = new HashMap();
private boolean revocationEnabled;
private int validityModel = PKIX_VALIDITY_MODEL;
private boolean useDeltas = false;
private Set trustAnchors;
public Builder(PKIXParameters baseParameters)
{
this.baseParameters = (PKIXParameters)baseParameters.clone();
CertSelector constraints = baseParameters.getTargetCertConstraints();
if (constraints != null)
{
this.targetConstraints = new PKIXCertStoreSelector.Builder(constraints).build();
}
this.validityDate = baseParameters.getDate();
this.date = (validityDate == null) ? new Date() : validityDate;
this.revocationEnabled = baseParameters.isRevocationEnabled();
this.trustAnchors = baseParameters.getTrustAnchors();
}
public Builder(PKIXExtendedParameters baseParameters)
{
this.baseParameters = baseParameters.baseParameters;
this.validityDate = baseParameters.validityDate;
this.date = baseParameters.date;
this.targetConstraints = baseParameters.targetConstraints;
this.extraCertStores = new ArrayList(baseParameters.extraCertStores);
this.namedCertificateStoreMap = new HashMap(baseParameters.namedCertificateStoreMap);
this.extraCRLStores = new ArrayList(baseParameters.extraCRLStores);
this.namedCRLStoreMap = new HashMap(baseParameters.namedCRLStoreMap);
this.useDeltas = baseParameters.useDeltas;
this.validityModel = baseParameters.validityModel;
this.revocationEnabled = baseParameters.isRevocationEnabled();
this.trustAnchors = baseParameters.getTrustAnchors();
}
public Builder addCertificateStore(PKIXCertStore store)
{
extraCertStores.add(store);
return this;
}
public Builder addNamedCertificateStore(GeneralName issuerAltName, PKIXCertStore store)
{
namedCertificateStoreMap.put(issuerAltName, store);
return this;
}
public Builder addCRLStore(PKIXCRLStore store)
{
extraCRLStores.add(store);
return this;
}
public Builder addNamedCRLStore(GeneralName issuerAltName, PKIXCRLStore store)
{
namedCRLStoreMap.put(issuerAltName, store);
return this;
}
public Builder setTargetConstraints(PKIXCertStoreSelector selector)
{
targetConstraints = selector;
return this;
}
/**
* Sets if delta CRLs should be used for checking the revocation status.
*
* @param useDeltas true
if delta CRLs should be used.
*/
public Builder setUseDeltasEnabled(boolean useDeltas)
{
this.useDeltas = useDeltas;
return this;
}
/**
* @param validityModel The validity model to set.
* @see #CHAIN_VALIDITY_MODEL
* @see #PKIX_VALIDITY_MODEL
*/
public Builder setValidityModel(int validityModel)
{
this.validityModel = validityModel;
return this;
}
/**
* Set the trustAnchor to be used with these parameters.
*
* @param trustAnchor the trust anchor end-entity and CRLs must be based on.
* @return the current builder.
*/
public Builder setTrustAnchor(TrustAnchor trustAnchor)
{
this.trustAnchors = Collections.singleton(trustAnchor);
return this;
}
/**
* Set the set of trustAnchors to be used with these parameters.
*
* @param trustAnchors a set of trustAnchors, one of which a particular end-entity and it's associated CRLs must be based on.
* @return the current builder.
*/
public Builder setTrustAnchors(Set trustAnchors)
{
this.trustAnchors = trustAnchors;
return this;
}
/**
* Flag whether or not revocation checking is to be enabled.
*
* @param revocationEnabled true if revocation checking to be enabled, false otherwise.
*/
public void setRevocationEnabled(boolean revocationEnabled)
{
this.revocationEnabled = revocationEnabled;
}
public PKIXExtendedParameters build()
{
return new PKIXExtendedParameters(this);
}
}
private final PKIXParameters baseParameters;
private final PKIXCertStoreSelector targetConstraints;
private final Date validityDate;
private final Date date;
private final List extraCertStores;
private final Map namedCertificateStoreMap;
private final List extraCRLStores;
private final Map namedCRLStoreMap;
private final boolean revocationEnabled;
private final boolean useDeltas;
private final int validityModel;
private final Set trustAnchors;
private PKIXExtendedParameters(Builder builder)
{
this.baseParameters = builder.baseParameters;
this.validityDate = builder.validityDate;
this.date = builder.date;
this.extraCertStores = Collections.unmodifiableList(builder.extraCertStores);
this.namedCertificateStoreMap = Collections.unmodifiableMap(new HashMap(builder.namedCertificateStoreMap));
this.extraCRLStores = Collections.unmodifiableList(builder.extraCRLStores);
this.namedCRLStoreMap = Collections.unmodifiableMap(new HashMap(builder.namedCRLStoreMap));
this.targetConstraints = builder.targetConstraints;
this.revocationEnabled = builder.revocationEnabled;
this.useDeltas = builder.useDeltas;
this.validityModel = builder.validityModel;
this.trustAnchors = Collections.unmodifiableSet(builder.trustAnchors);
}
public List getCertificateStores()
{
return extraCertStores;
}
public Map getNamedCertificateStoreMap()
{
return namedCertificateStoreMap;
}
public List getCRLStores()
{
return extraCRLStores;
}
public Map getNamedCRLStoreMap()
{
return namedCRLStoreMap;
}
/**
* Returns the time at which to check the validity of the certification path. If {@code null},
* the current time is used.
*
* @return the {@code Date}, or {@code null} if not set
*/
public Date getValidityDate()
{
return null == validityDate ? null : new Date(validityDate.getTime());
}
/**
* @deprecated Use 'getValidityDate' instead (which can return null).
*/
public Date getDate()
{
return new Date(date.getTime());
}
/**
* Defaults to false
.
*
* @return Returns if delta CRLs should be used.
*/
public boolean isUseDeltasEnabled()
{
return useDeltas;
}
/**
* @return Returns the validity model.
* @see #CHAIN_VALIDITY_MODEL
* @see #PKIX_VALIDITY_MODEL
*/
public int getValidityModel()
{
return validityModel;
}
public Object clone()
{
return this;
}
/**
* Returns the required constraints on the target certificate.
* The constraints are returned as an instance of
* Selector
. If null
, no constraints are
* defined.
*
* @return a Selector
specifying the constraints on the
* target certificate or attribute certificate (or null
)
* @see PKIXCertStoreSelector
*/
public PKIXCertStoreSelector getTargetConstraints()
{
return targetConstraints;
}
public Set getTrustAnchors()
{
return trustAnchors;
}
public Set getInitialPolicies()
{
return baseParameters.getInitialPolicies();
}
public String getSigProvider()
{
return baseParameters.getSigProvider();
}
public boolean isExplicitPolicyRequired()
{
return baseParameters.isExplicitPolicyRequired();
}
public boolean isAnyPolicyInhibited()
{
return baseParameters.isAnyPolicyInhibited();
}
public boolean isPolicyMappingInhibited()
{
return baseParameters.isPolicyMappingInhibited();
}
public List getCertPathCheckers()
{
return baseParameters.getCertPathCheckers();
}
public List getCertStores()
{
return baseParameters.getCertStores();
}
public boolean isRevocationEnabled()
{
return revocationEnabled;
}
public boolean getPolicyQualifiersRejected()
{
return baseParameters.getPolicyQualifiersRejected();
}
}