| package org.bouncycastle.jcajce; |
| |
| import java.security.cert.CertPathParameters; |
| import java.security.cert.CertSelector; |
| import java.security.cert.CertStore; |
| import java.security.cert.PKIXParameters; |
| import java.security.cert.TrustAnchor; |
| import java.util.ArrayList; |
| import java.util.Collections; |
| import java.util.Date; |
| import java.util.HashMap; |
| import java.util.List; |
| import java.util.Map; |
| import java.util.Set; |
| |
| import org.bouncycastle.asn1.x509.GeneralName; |
| |
| /** |
| * This class extends the PKIXParameters with a validity model parameter. |
| */ |
| public class PKIXExtendedParameters |
| implements CertPathParameters |
| { |
| /** |
| * This is the default PKIX validity model. Actually there are two variants |
| * of this: The PKIX model and the modified PKIX model. The PKIX model |
| * verifies that all involved certificates must have been valid at the |
| * current time. The modified PKIX model verifies that all involved |
| * certificates were valid at the signing time. Both are indirectly choosen |
| * with the {@link PKIXParameters#setDate(Date)} method, so this |
| * methods sets the Date when <em>all</em> certificates must have been |
| * valid. |
| */ |
| public static final int PKIX_VALIDITY_MODEL = 0; |
| |
| /** |
| * This model uses the following validity model. Each certificate must have |
| * been valid at the moment where is was used. That means the end |
| * certificate must have been valid at the time the signature was done. The |
| * CA certificate which signed the end certificate must have been valid, |
| * when the end certificate was signed. The CA (or Root CA) certificate must |
| * have been valid, when the CA certificate was signed and so on. So the |
| * {@link PKIXParameters#setDate(Date)} method sets the time, when |
| * the <em>end certificate</em> must have been valid. <p/> It is used e.g. |
| * in the German signature law. |
| */ |
| public static final int CHAIN_VALIDITY_MODEL = 1; |
| |
| /** |
| * Builder for a PKIXExtendedParameters object. |
| */ |
| public static class Builder |
| { |
| private final PKIXParameters baseParameters; |
| private final Date date; |
| |
| private PKIXCertStoreSelector targetConstraints; |
| private List<PKIXCertStore> extraCertStores = new ArrayList<PKIXCertStore>(); |
| private Map<GeneralName, PKIXCertStore> namedCertificateStoreMap = new HashMap<GeneralName, PKIXCertStore>(); |
| private List<PKIXCRLStore> extraCRLStores = new ArrayList<PKIXCRLStore>(); |
| private Map<GeneralName, PKIXCRLStore> namedCRLStoreMap = new HashMap<GeneralName, PKIXCRLStore>(); |
| private boolean revocationEnabled; |
| private int validityModel = PKIX_VALIDITY_MODEL; |
| private boolean useDeltas = false; |
| private Set<TrustAnchor> trustAnchors; |
| |
| public Builder(PKIXParameters baseParameters) |
| { |
| this.baseParameters = (PKIXParameters)baseParameters.clone(); |
| CertSelector constraints = baseParameters.getTargetCertConstraints(); |
| if (constraints != null) |
| { |
| this.targetConstraints = new PKIXCertStoreSelector.Builder(constraints).build(); |
| } |
| Date checkDate = baseParameters.getDate(); |
| this.date = (checkDate == null) ? new Date() : checkDate; |
| this.revocationEnabled = baseParameters.isRevocationEnabled(); |
| this.trustAnchors = baseParameters.getTrustAnchors(); |
| } |
| |
| public Builder(PKIXExtendedParameters baseParameters) |
| { |
| this.baseParameters = baseParameters.baseParameters; |
| this.date = baseParameters.date; |
| this.targetConstraints = baseParameters.targetConstraints; |
| this.extraCertStores = new ArrayList<PKIXCertStore>(baseParameters.extraCertStores); |
| this.namedCertificateStoreMap = new HashMap<GeneralName, PKIXCertStore>(baseParameters.namedCertificateStoreMap); |
| this.extraCRLStores = new ArrayList<PKIXCRLStore>(baseParameters.extraCRLStores); |
| this.namedCRLStoreMap = new HashMap<GeneralName, PKIXCRLStore>(baseParameters.namedCRLStoreMap); |
| this.useDeltas = baseParameters.useDeltas; |
| this.validityModel = baseParameters.validityModel; |
| this.revocationEnabled = baseParameters.isRevocationEnabled(); |
| this.trustAnchors = baseParameters.getTrustAnchors(); |
| } |
| |
| public Builder addCertificateStore(PKIXCertStore store) |
| { |
| extraCertStores.add(store); |
| |
| return this; |
| } |
| |
| public Builder addNamedCertificateStore(GeneralName issuerAltName, PKIXCertStore store) |
| { |
| namedCertificateStoreMap.put(issuerAltName, store); |
| |
| return this; |
| } |
| |
| public Builder addCRLStore(PKIXCRLStore store) |
| { |
| extraCRLStores.add(store); |
| |
| return this; |
| } |
| |
| public Builder addNamedCRLStore(GeneralName issuerAltName, PKIXCRLStore store) |
| { |
| namedCRLStoreMap.put(issuerAltName, store); |
| |
| return this; |
| } |
| |
| public Builder setTargetConstraints(PKIXCertStoreSelector selector) |
| { |
| targetConstraints = selector; |
| |
| return this; |
| } |
| |
| /** |
| * Sets if delta CRLs should be used for checking the revocation status. |
| * |
| * @param useDeltas <code>true</code> if delta CRLs should be used. |
| */ |
| public Builder setUseDeltasEnabled(boolean useDeltas) |
| { |
| this.useDeltas = useDeltas; |
| |
| return this; |
| } |
| |
| /** |
| * @param validityModel The validity model to set. |
| * @see #CHAIN_VALIDITY_MODEL |
| * @see #PKIX_VALIDITY_MODEL |
| */ |
| public Builder setValidityModel(int validityModel) |
| { |
| this.validityModel = validityModel; |
| |
| return this; |
| } |
| |
| /** |
| * Set the trustAnchor to be used with these parameters. |
| * |
| * @param trustAnchor the trust anchor end-entity and CRLs must be based on. |
| * @return the current builder. |
| */ |
| public Builder setTrustAnchor(TrustAnchor trustAnchor) |
| { |
| this.trustAnchors = Collections.singleton(trustAnchor); |
| |
| return this; |
| } |
| |
| /** |
| * Set the set of trustAnchors to be used with these parameters. |
| * |
| * @param trustAnchors a set of trustAnchors, one of which a particular end-entity and it's associated CRLs must be based on. |
| * @return the current builder. |
| */ |
| public Builder setTrustAnchors(Set<TrustAnchor> trustAnchors) |
| { |
| this.trustAnchors = trustAnchors; |
| |
| return this; |
| } |
| |
| /** |
| * Flag whether or not revocation checking is to be enabled. |
| * |
| * @param revocationEnabled true if revocation checking to be enabled, false otherwise. |
| */ |
| public void setRevocationEnabled(boolean revocationEnabled) |
| { |
| this.revocationEnabled = revocationEnabled; |
| } |
| |
| public PKIXExtendedParameters build() |
| { |
| return new PKIXExtendedParameters(this); |
| } |
| } |
| |
| private final PKIXParameters baseParameters; |
| private final PKIXCertStoreSelector targetConstraints; |
| private final Date date; |
| private final List<PKIXCertStore> extraCertStores; |
| private final Map<GeneralName, PKIXCertStore> namedCertificateStoreMap; |
| private final List<PKIXCRLStore> extraCRLStores; |
| private final Map<GeneralName, PKIXCRLStore> namedCRLStoreMap; |
| private final boolean revocationEnabled; |
| private final boolean useDeltas; |
| private final int validityModel; |
| private final Set<TrustAnchor> trustAnchors; |
| |
| private PKIXExtendedParameters(Builder builder) |
| { |
| this.baseParameters = builder.baseParameters; |
| this.date = builder.date; |
| this.extraCertStores = Collections.unmodifiableList(builder.extraCertStores); |
| this.namedCertificateStoreMap = Collections.unmodifiableMap(new HashMap<GeneralName, PKIXCertStore>(builder.namedCertificateStoreMap)); |
| this.extraCRLStores = Collections.unmodifiableList(builder.extraCRLStores); |
| this.namedCRLStoreMap = Collections.unmodifiableMap(new HashMap<GeneralName, PKIXCRLStore>(builder.namedCRLStoreMap)); |
| this.targetConstraints = builder.targetConstraints; |
| this.revocationEnabled = builder.revocationEnabled; |
| this.useDeltas = builder.useDeltas; |
| this.validityModel = builder.validityModel; |
| this.trustAnchors = Collections.unmodifiableSet(builder.trustAnchors); |
| } |
| |
| public List<PKIXCertStore> getCertificateStores() |
| { |
| return extraCertStores; |
| } |
| |
| |
| public Map<GeneralName, PKIXCertStore> getNamedCertificateStoreMap() |
| { |
| return namedCertificateStoreMap; |
| } |
| |
| public List<PKIXCRLStore> getCRLStores() |
| { |
| return extraCRLStores; |
| } |
| |
| public Map<GeneralName, PKIXCRLStore> getNamedCRLStoreMap() |
| { |
| return namedCRLStoreMap; |
| } |
| |
| public Date getDate() |
| { |
| return new Date(date.getTime()); |
| } |
| |
| |
| |
| |
| /** |
| * Defaults to <code>false</code>. |
| * |
| * @return Returns if delta CRLs should be used. |
| */ |
| public boolean isUseDeltasEnabled() |
| { |
| return useDeltas; |
| } |
| |
| |
| |
| /** |
| * @return Returns the validity model. |
| * @see #CHAIN_VALIDITY_MODEL |
| * @see #PKIX_VALIDITY_MODEL |
| */ |
| public int getValidityModel() |
| { |
| return validityModel; |
| } |
| |
| public Object clone() |
| { |
| return this; |
| } |
| |
| /** |
| * Returns the required constraints on the target certificate. |
| * The constraints are returned as an instance of |
| * <code>Selector</code>. If <code>null</code>, no constraints are |
| * defined. |
| * |
| * @return a <code>Selector</code> specifying the constraints on the |
| * target certificate or attribute certificate (or <code>null</code>) |
| * @see PKIXCertStoreSelector |
| */ |
| public PKIXCertStoreSelector getTargetConstraints() |
| { |
| return targetConstraints; |
| } |
| |
| public Set getTrustAnchors() |
| { |
| return trustAnchors; |
| } |
| |
| public Set getInitialPolicies() |
| { |
| return baseParameters.getInitialPolicies(); |
| } |
| |
| public String getSigProvider() |
| { |
| return baseParameters.getSigProvider(); |
| } |
| |
| public boolean isExplicitPolicyRequired() |
| { |
| return baseParameters.isExplicitPolicyRequired(); |
| } |
| |
| public boolean isAnyPolicyInhibited() |
| { |
| return baseParameters.isAnyPolicyInhibited(); |
| } |
| |
| public boolean isPolicyMappingInhibited() |
| { |
| return baseParameters.isPolicyMappingInhibited(); |
| } |
| |
| public List getCertPathCheckers() |
| { |
| return baseParameters.getCertPathCheckers(); |
| } |
| |
| public List<CertStore> getCertStores() |
| { |
| return baseParameters.getCertStores(); |
| } |
| |
| public boolean isRevocationEnabled() |
| { |
| return revocationEnabled; |
| } |
| |
| } |