ExtendedPKIXBuilderParameters.java revision e6bf3e8dfa2804891a82075cb469b736321b4827 
1package org.bouncycastle.x509;
2
3import org.bouncycastle.util.Selector;
4
5import java.security.InvalidAlgorithmParameterException;
6import java.security.InvalidParameterException;
7import java.security.cert.PKIXBuilderParameters;
8import java.security.cert.PKIXParameters;
9import java.security.cert.TrustAnchor;
10import java.security.cert.X509CertSelector;
11import java.util.Collections;
12import java.util.HashSet;
13import java.util.Set;
14
15/**
16 * This class contains extended parameters for PKIX certification path builders.
17 *
18 * @see java.security.cert.PKIXBuilderParameters
19 * @see org.bouncycastle.jce.provider.PKIXCertPathBuilderSpi
20 */
21public class ExtendedPKIXBuilderParameters extends ExtendedPKIXParameters
22{
23
24    private int maxPathLength = 5;
25
26    private Set excludedCerts = Collections.EMPTY_SET;
27
28    /**
29     * Excluded certificates are not used for building a certification path.
30     * <p>
31     * The returned set is immutable.
32     *
33     * @return Returns the excluded certificates.
34     */
35    public Set getExcludedCerts()
36    {
37        return Collections.unmodifiableSet(excludedCerts);
38    }
39
40    /**
41     * Sets the excluded certificates which are not used for building a
42     * certification path. If the <code>Set</code> is <code>null</code> an
43     * empty set is assumed.
44     * <p>
45     * The given set is cloned to protect it against subsequent modifications.
46     *
47     * @param excludedCerts The excluded certificates to set.
48     */
49    public void setExcludedCerts(Set excludedCerts)
50    {
51        if (excludedCerts == null)
52        {
53            excludedCerts = Collections.EMPTY_SET;
54        }
55        else
56        {
57            this.excludedCerts = new HashSet(excludedCerts);
58        }
59    }
60
61    /**
62     * Creates an instance of <code>PKIXBuilderParameters</code> with the
63     * specified <code>Set</code> of most-trusted CAs. Each element of the set
64     * is a {@link TrustAnchor TrustAnchor}.
65     *
66     * <p>
67     * Note that the <code>Set</code> is copied to protect against subsequent
68     * modifications.
69     *
70     * @param trustAnchors a <code>Set</code> of <code>TrustAnchor</code>s
71     * @param targetConstraints a <code>Selector</code> specifying the
72     *            constraints on the target certificate or attribute
73     *            certificate.
74     * @throws InvalidAlgorithmParameterException if <code>trustAnchors</code>
75     *             is empty.
76     * @throws NullPointerException if <code>trustAnchors</code> is
77     *             <code>null</code>
78     * @throws ClassCastException if any of the elements of
79     *             <code>trustAnchors</code> is not of type
80     *             <code>java.security.cert.TrustAnchor</code>
81     */
82    public ExtendedPKIXBuilderParameters(Set trustAnchors,
83            Selector targetConstraints)
84            throws InvalidAlgorithmParameterException
85    {
86        super(trustAnchors);
87        setTargetConstraints(targetConstraints);
88    }
89
90    /**
91     * Sets the maximum number of intermediate non-self-issued certificates in a
92     * certification path. The PKIX <code>CertPathBuilder</code> must not
93     * build paths longer then this length.
94     * <p>
95     * A value of 0 implies that the path can only contain a single certificate.
96     * A value of -1 does not limit the length. The default length is 5.
97     *
98     * <p>
99     *
100     * The basic constraints extension of a CA certificate overrides this value
101     * if smaller.
102     *
103     * @param maxPathLength the maximum number of non-self-issued intermediate
104     *            certificates in the certification path
105     * @throws InvalidParameterException if <code>maxPathLength</code> is set
106     *             to a value less than -1
107     *
108     * @see org.bouncycastle.jce.provider.PKIXCertPathBuilderSpi
109     * @see #getMaxPathLength
110     */
111    public void setMaxPathLength(int maxPathLength)
112    {
113        if (maxPathLength < -1)
114        {
115            throw new InvalidParameterException("The maximum path "
116                    + "length parameter can not be less than -1.");
117        }
118        this.maxPathLength = maxPathLength;
119    }
120
121    /**
122     * Returns the value of the maximum number of intermediate non-self-issued
123     * certificates in the certification path.
124     *
125     * @return the maximum number of non-self-issued intermediate certificates
126     *         in the certification path, or -1 if no limit exists.
127     *
128     * @see #setMaxPathLength(int)
129     */
130    public int getMaxPathLength()
131    {
132        return maxPathLength;
133    }
134
135    /**
136     * Can alse handle <code>ExtendedPKIXBuilderParameters</code> and
137     * <code>PKIXBuilderParameters</code>.
138     *
139     * @param params Parameters to set.
140     * @see org.bouncycastle.x509.ExtendedPKIXParameters#setParams(java.security.cert.PKIXParameters)
141     */
142    protected void setParams(PKIXParameters params)
143    {
144        super.setParams(params);
145        if (params instanceof ExtendedPKIXBuilderParameters)
146        {
147            ExtendedPKIXBuilderParameters _params = (ExtendedPKIXBuilderParameters) params;
148            maxPathLength = _params.maxPathLength;
149            excludedCerts = new HashSet(_params.excludedCerts);
150        }
151        if (params instanceof PKIXBuilderParameters)
152        {
153            PKIXBuilderParameters _params = (PKIXBuilderParameters) params;
154            maxPathLength = _params.getMaxPathLength();
155        }
156    }
157
158    /**
159     * Makes a copy of this <code>PKIXParameters</code> object. Changes to the
160     * copy will not affect the original and vice versa.
161     *
162     * @return a copy of this <code>PKIXParameters</code> object
163     */
164    public Object clone()
165    {
166        ExtendedPKIXBuilderParameters params = null;
167        try
168        {
169            params = new ExtendedPKIXBuilderParameters(getTrustAnchors(),
170                    getTargetConstraints());
171        }
172        catch (Exception e)
173        {
174            // cannot happen
175            throw new RuntimeException(e.getMessage());
176        }
177        params.setParams(this);
178        return params;
179    }
180
181    /**
182     * Returns an instance of <code>ExtendedPKIXParameters</code> which can be
183     * safely casted to <code>ExtendedPKIXBuilderParameters</code>.
184     * <p>
185     * This method can be used to get a copy from other
186     * <code>PKIXBuilderParameters</code>, <code>PKIXParameters</code>,
187     * and <code>ExtendedPKIXParameters</code> instances.
188     *
189     * @param pkixParams The PKIX parameters to create a copy of.
190     * @return An <code>ExtendedPKIXBuilderParameters</code> instance.
191     */
192    public static ExtendedPKIXParameters getInstance(PKIXParameters pkixParams)
193    {
194        ExtendedPKIXBuilderParameters params;
195        try
196        {
197            params = new ExtendedPKIXBuilderParameters(pkixParams
198                    .getTrustAnchors(), X509CertStoreSelector
199                    .getInstance((X509CertSelector) pkixParams
200                            .getTargetCertConstraints()));
201        }
202        catch (Exception e)
203        {
204            // cannot happen
205            throw new RuntimeException(e.getMessage());
206        }
207        params.setParams(pkixParams);
208        return params;
209    }
210}
211