1/*
2 * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation.  Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26package java.security.cert;
27
28import java.security.InvalidAlgorithmParameterException;
29import java.security.KeyStore;
30import java.security.KeyStoreException;
31import java.util.ArrayList;
32import java.util.Collections;
33import java.util.Date;
34import java.util.Enumeration;
35import java.util.HashSet;
36import java.util.Iterator;
37import java.util.List;
38import java.util.Set;
39
40/**
41 * Parameters used as input for the PKIX {@code CertPathValidator}
42 * algorithm.
43 * <p>
44 * A PKIX {@code CertPathValidator} uses these parameters to
45 * validate a {@code CertPath} according to the PKIX certification path
46 * validation algorithm.
47 *
48 * <p>To instantiate a {@code PKIXParameters} object, an
49 * application must specify one or more <i>most-trusted CAs</i> as defined by
50 * the PKIX certification path validation algorithm. The most-trusted CAs
51 * can be specified using one of two constructors. An application
52 * can call {@link #PKIXParameters(Set) PKIXParameters(Set)},
53 * specifying a {@code Set} of {@code TrustAnchor} objects, each
54 * of which identify a most-trusted CA. Alternatively, an application can call
55 * {@link #PKIXParameters(KeyStore) PKIXParameters(KeyStore)}, specifying a
56 * {@code KeyStore} instance containing trusted certificate entries, each
57 * of which will be considered as a most-trusted CA.
58 * <p>
59 * Once a {@code PKIXParameters} object has been created, other parameters
60 * can be specified (by calling {@link #setInitialPolicies setInitialPolicies}
61 * or {@link #setDate setDate}, for instance) and then the
62 * {@code PKIXParameters} is passed along with the {@code CertPath}
63 * to be validated to {@link CertPathValidator#validate
64 * CertPathValidator.validate}.
65 * <p>
66 * Any parameter that is not set (or is set to {@code null}) will
67 * be set to the default value for that parameter. The default value for the
68 * {@code date} parameter is {@code null}, which indicates
69 * the current time when the path is validated. The default for the
70 * remaining parameters is the least constrained.
71 * <p>
72 * <b>Concurrent Access</b>
73 * <p>
74 * Unless otherwise specified, the methods defined in this class are not
75 * thread-safe. Multiple threads that need to access a single
76 * object concurrently should synchronize amongst themselves and
77 * provide the necessary locking. Multiple threads each manipulating
78 * separate objects need not synchronize.
79 *
80 * @see CertPathValidator
81 *
82 * @since       1.4
83 * @author      Sean Mullan
84 * @author      Yassir Elley
85 */
86public class PKIXParameters implements CertPathParameters {
87
88    private Set<TrustAnchor> unmodTrustAnchors;
89    private Date date;
90    private List<PKIXCertPathChecker> certPathCheckers;
91    private String sigProvider;
92    private boolean revocationEnabled = true;
93    private Set<String> unmodInitialPolicies;
94    private boolean explicitPolicyRequired = false;
95    private boolean policyMappingInhibited = false;
96    private boolean anyPolicyInhibited = false;
97    private boolean policyQualifiersRejected = true;
98    private List<CertStore> certStores;
99    private CertSelector certSelector;
100
101    /**
102     * Creates an instance of {@code PKIXParameters} with the specified
103     * {@code Set} of most-trusted CAs. Each element of the
104     * set is a {@link TrustAnchor TrustAnchor}.
105     * <p>
106     * Note that the {@code Set} is copied to protect against
107     * subsequent modifications.
108     *
109     * @param trustAnchors a {@code Set} of {@code TrustAnchor}s
110     * @throws InvalidAlgorithmParameterException if the specified
111     * {@code Set} is empty {@code (trustAnchors.isEmpty() == true)}
112     * @throws NullPointerException if the specified {@code Set} is
113     * {@code null}
114     * @throws ClassCastException if any of the elements in the {@code Set}
115     * are not of type {@code java.security.cert.TrustAnchor}
116     */
117    public PKIXParameters(Set<TrustAnchor> trustAnchors)
118        throws InvalidAlgorithmParameterException
119    {
120        setTrustAnchors(trustAnchors);
121
122        this.unmodInitialPolicies = Collections.<String>emptySet();
123        this.certPathCheckers = new ArrayList<PKIXCertPathChecker>();
124        this.certStores = new ArrayList<CertStore>();
125    }
126
127    /**
128     * Creates an instance of {@code PKIXParameters} that
129     * populates the set of most-trusted CAs from the trusted
130     * certificate entries contained in the specified {@code KeyStore}.
131     * Only keystore entries that contain trusted {@code X509Certificates}
132     * are considered; all other certificate types are ignored.
133     *
134     * @param keystore a {@code KeyStore} from which the set of
135     * most-trusted CAs will be populated
136     * @throws KeyStoreException if the keystore has not been initialized
137     * @throws InvalidAlgorithmParameterException if the keystore does
138     * not contain at least one trusted certificate entry
139     * @throws NullPointerException if the keystore is {@code null}
140     */
141    public PKIXParameters(KeyStore keystore)
142        throws KeyStoreException, InvalidAlgorithmParameterException
143    {
144        if (keystore == null)
145            throw new NullPointerException("the keystore parameter must be " +
146                "non-null");
147        Set<TrustAnchor> hashSet = new HashSet<TrustAnchor>();
148        Enumeration<String> aliases = keystore.aliases();
149        while (aliases.hasMoreElements()) {
150            String alias = aliases.nextElement();
151            if (keystore.isCertificateEntry(alias)) {
152                Certificate cert = keystore.getCertificate(alias);
153                if (cert instanceof X509Certificate)
154                    hashSet.add(new TrustAnchor((X509Certificate)cert, null));
155            }
156        }
157        setTrustAnchors(hashSet);
158        this.unmodInitialPolicies = Collections.<String>emptySet();
159        this.certPathCheckers = new ArrayList<PKIXCertPathChecker>();
160        this.certStores = new ArrayList<CertStore>();
161    }
162
163    /**
164     * Returns an immutable {@code Set} of the most-trusted
165     * CAs.
166     *
167     * @return an immutable {@code Set} of {@code TrustAnchor}s
168     * (never {@code null})
169     *
170     * @see #setTrustAnchors
171     */
172    public Set<TrustAnchor> getTrustAnchors() {
173        return this.unmodTrustAnchors;
174    }
175
176    /**
177     * Sets the {@code Set} of most-trusted CAs.
178     * <p>
179     * Note that the {@code Set} is copied to protect against
180     * subsequent modifications.
181     *
182     * @param trustAnchors a {@code Set} of {@code TrustAnchor}s
183     * @throws InvalidAlgorithmParameterException if the specified
184     * {@code Set} is empty {@code (trustAnchors.isEmpty() == true)}
185     * @throws NullPointerException if the specified {@code Set} is
186     * {@code null}
187     * @throws ClassCastException if any of the elements in the set
188     * are not of type {@code java.security.cert.TrustAnchor}
189     *
190     * @see #getTrustAnchors
191     */
192    public void setTrustAnchors(Set<TrustAnchor> trustAnchors)
193        throws InvalidAlgorithmParameterException
194    {
195        if (trustAnchors == null) {
196            throw new NullPointerException("the trustAnchors parameters must" +
197                " be non-null");
198        }
199        if (trustAnchors.isEmpty()) {
200            throw new InvalidAlgorithmParameterException("the trustAnchors " +
201                "parameter must be non-empty");
202        }
203        for (Iterator<TrustAnchor> i = trustAnchors.iterator(); i.hasNext(); ) {
204            if (!(i.next() instanceof TrustAnchor)) {
205                throw new ClassCastException("all elements of set must be "
206                    + "of type java.security.cert.TrustAnchor");
207            }
208        }
209        this.unmodTrustAnchors = Collections.unmodifiableSet
210                (new HashSet<TrustAnchor>(trustAnchors));
211    }
212
213    /**
214     * Returns an immutable {@code Set} of initial
215     * policy identifiers (OID strings), indicating that any one of these
216     * policies would be acceptable to the certificate user for the purposes of
217     * certification path processing. The default return value is an empty
218     * {@code Set}, which is interpreted as meaning that any policy would
219     * be acceptable.
220     *
221     * @return an immutable {@code Set} of initial policy OIDs in
222     * {@code String} format, or an empty {@code Set} (implying any
223     * policy is acceptable). Never returns {@code null}.
224     *
225     * @see #setInitialPolicies
226     */
227    public Set<String> getInitialPolicies() {
228        return this.unmodInitialPolicies;
229    }
230
231    /**
232     * Sets the {@code Set} of initial policy identifiers
233     * (OID strings), indicating that any one of these
234     * policies would be acceptable to the certificate user for the purposes of
235     * certification path processing. By default, any policy is acceptable
236     * (i.e. all policies), so a user that wants to allow any policy as
237     * acceptable does not need to call this method, or can call it
238     * with an empty {@code Set} (or {@code null}).
239     * <p>
240     * Note that the {@code Set} is copied to protect against
241     * subsequent modifications.
242     *
243     * @param initialPolicies a {@code Set} of initial policy
244     * OIDs in {@code String} format (or {@code null})
245     * @throws ClassCastException if any of the elements in the set are
246     * not of type {@code String}
247     *
248     * @see #getInitialPolicies
249     */
250    public void setInitialPolicies(Set<String> initialPolicies) {
251        if (initialPolicies != null) {
252            for (Iterator<String> i = initialPolicies.iterator();
253                        i.hasNext();) {
254                if (!(i.next() instanceof String))
255                    throw new ClassCastException("all elements of set must be "
256                        + "of type java.lang.String");
257            }
258            this.unmodInitialPolicies =
259                Collections.unmodifiableSet(new HashSet<String>(initialPolicies));
260        } else
261            this.unmodInitialPolicies = Collections.<String>emptySet();
262    }
263
264    /**
265     * Sets the list of {@code CertStore}s to be used in finding
266     * certificates and CRLs. May be {@code null}, in which case
267     * no {@code CertStore}s will be used. The first
268     * {@code CertStore}s in the list may be preferred to those that
269     * appear later.
270     * <p>
271     * Note that the {@code List} is copied to protect against
272     * subsequent modifications.
273     *
274     * @param stores a {@code List} of {@code CertStore}s (or
275     * {@code null})
276     * @throws ClassCastException if any of the elements in the list are
277     * not of type {@code java.security.cert.CertStore}
278     *
279     * @see #getCertStores
280     */
281    public void setCertStores(List<CertStore> stores) {
282        if (stores == null) {
283            this.certStores = new ArrayList<CertStore>();
284        } else {
285            for (Iterator<CertStore> i = stores.iterator(); i.hasNext();) {
286                if (!(i.next() instanceof CertStore)) {
287                    throw new ClassCastException("all elements of list must be "
288                        + "of type java.security.cert.CertStore");
289                }
290            }
291            this.certStores = new ArrayList<CertStore>(stores);
292        }
293    }
294
295    /**
296     * Adds a {@code CertStore} to the end of the list of
297     * {@code CertStore}s used in finding certificates and CRLs.
298     *
299     * @param store the {@code CertStore} to add. If {@code null},
300     * the store is ignored (not added to list).
301     */
302    public void addCertStore(CertStore store) {
303        if (store != null) {
304            this.certStores.add(store);
305        }
306    }
307
308    /**
309     * Returns an immutable {@code List} of {@code CertStore}s that
310     * are used to find certificates and CRLs.
311     *
312     * @return an immutable {@code List} of {@code CertStore}s
313     * (may be empty, but never {@code null})
314     *
315     * @see #setCertStores
316     */
317    public List<CertStore> getCertStores() {
318        return Collections.unmodifiableList
319                (new ArrayList<CertStore>(this.certStores));
320    }
321
322    /**
323     * Sets the RevocationEnabled flag. If this flag is true, the default
324     * revocation checking mechanism of the underlying PKIX service provider
325     * will be used. If this flag is false, the default revocation checking
326     * mechanism will be disabled (not used).
327     * <p>
328     * When a {@code PKIXParameters} object is created, this flag is set
329     * to true. This setting reflects the most common strategy for checking
330     * revocation, since each service provider must support revocation
331     * checking to be PKIX compliant. Sophisticated applications should set
332     * this flag to false when it is not practical to use a PKIX service
333     * provider's default revocation checking mechanism or when an alternative
334     * revocation checking mechanism is to be substituted (by also calling the
335     * {@link #addCertPathChecker addCertPathChecker} or {@link
336     * #setCertPathCheckers setCertPathCheckers} methods).
337     *
338     * @param val the new value of the RevocationEnabled flag
339     */
340    public void setRevocationEnabled(boolean val) {
341        revocationEnabled = val;
342    }
343
344    /**
345     * Checks the RevocationEnabled flag. If this flag is true, the default
346     * revocation checking mechanism of the underlying PKIX service provider
347     * will be used. If this flag is false, the default revocation checking
348     * mechanism will be disabled (not used). See the {@link
349     * #setRevocationEnabled setRevocationEnabled} method for more details on
350     * setting the value of this flag.
351     *
352     * @return the current value of the RevocationEnabled flag
353     */
354    public boolean isRevocationEnabled() {
355        return revocationEnabled;
356    }
357
358    /**
359     * Sets the ExplicitPolicyRequired flag. If this flag is true, an
360     * acceptable policy needs to be explicitly identified in every certificate.
361     * By default, the ExplicitPolicyRequired flag is false.
362     *
363     * @param val {@code true} if explicit policy is to be required,
364     * {@code false} otherwise
365     */
366    public void setExplicitPolicyRequired(boolean val) {
367        explicitPolicyRequired = val;
368    }
369
370    /**
371     * Checks if explicit policy is required. If this flag is true, an
372     * acceptable policy needs to be explicitly identified in every certificate.
373     * By default, the ExplicitPolicyRequired flag is false.
374     *
375     * @return {@code true} if explicit policy is required,
376     * {@code false} otherwise
377     */
378    public boolean isExplicitPolicyRequired() {
379        return explicitPolicyRequired;
380    }
381
382    /**
383     * Sets the PolicyMappingInhibited flag. If this flag is true, policy
384     * mapping is inhibited. By default, policy mapping is not inhibited (the
385     * flag is false).
386     *
387     * @param val {@code true} if policy mapping is to be inhibited,
388     * {@code false} otherwise
389     */
390    public void setPolicyMappingInhibited(boolean val) {
391        policyMappingInhibited = val;
392    }
393
394    /**
395     * Checks if policy mapping is inhibited. If this flag is true, policy
396     * mapping is inhibited. By default, policy mapping is not inhibited (the
397     * flag is false).
398     *
399     * @return true if policy mapping is inhibited, false otherwise
400     */
401    public boolean isPolicyMappingInhibited() {
402        return policyMappingInhibited;
403    }
404
405    /**
406     * Sets state to determine if the any policy OID should be processed
407     * if it is included in a certificate. By default, the any policy OID
408     * is not inhibited ({@link #isAnyPolicyInhibited isAnyPolicyInhibited()}
409     * returns {@code false}).
410     *
411     * @param val {@code true} if the any policy OID is to be
412     * inhibited, {@code false} otherwise
413     */
414    public void setAnyPolicyInhibited(boolean val) {
415        anyPolicyInhibited = val;
416    }
417
418    /**
419     * Checks whether the any policy OID should be processed if it
420     * is included in a certificate.
421     *
422     * @return {@code true} if the any policy OID is inhibited,
423     * {@code false} otherwise
424     */
425    public boolean isAnyPolicyInhibited() {
426        return anyPolicyInhibited;
427    }
428
429    /**
430     * Sets the PolicyQualifiersRejected flag. If this flag is true,
431     * certificates that include policy qualifiers in a certificate
432     * policies extension that is marked critical are rejected.
433     * If the flag is false, certificates are not rejected on this basis.
434     *
435     * <p> When a {@code PKIXParameters} object is created, this flag is
436     * set to true. This setting reflects the most common (and simplest)
437     * strategy for processing policy qualifiers. Applications that want to use
438     * a more sophisticated policy must set this flag to false.
439     * <p>
440     * Note that the PKIX certification path validation algorithm specifies
441     * that any policy qualifier in a certificate policies extension that is
442     * marked critical must be processed and validated. Otherwise the
443     * certification path must be rejected. If the policyQualifiersRejected flag
444     * is set to false, it is up to the application to validate all policy
445     * qualifiers in this manner in order to be PKIX compliant.
446     *
447     * @param qualifiersRejected the new value of the PolicyQualifiersRejected
448     * flag
449     * @see #getPolicyQualifiersRejected
450     * @see PolicyQualifierInfo
451     */
452    public void setPolicyQualifiersRejected(boolean qualifiersRejected) {
453        policyQualifiersRejected = qualifiersRejected;
454    }
455
456    /**
457     * Gets the PolicyQualifiersRejected flag. If this flag is true,
458     * certificates that include policy qualifiers in a certificate policies
459     * extension that is marked critical are rejected.
460     * If the flag is false, certificates are not rejected on this basis.
461     *
462     * <p> When a {@code PKIXParameters} object is created, this flag is
463     * set to true. This setting reflects the most common (and simplest)
464     * strategy for processing policy qualifiers. Applications that want to use
465     * a more sophisticated policy must set this flag to false.
466     *
467     * @return the current value of the PolicyQualifiersRejected flag
468     * @see #setPolicyQualifiersRejected
469     */
470    public boolean getPolicyQualifiersRejected() {
471        return policyQualifiersRejected;
472    }
473
474    /**
475     * Returns the time for which the validity of the certification path
476     * should be determined. If {@code null}, the current time is used.
477     * <p>
478     * Note that the {@code Date} returned is copied to protect against
479     * subsequent modifications.
480     *
481     * @return the {@code Date}, or {@code null} if not set
482     * @see #setDate
483     */
484    public Date getDate() {
485        if (date == null)
486            return null;
487        else
488            return (Date) this.date.clone();
489    }
490
491    /**
492     * Sets the time for which the validity of the certification path
493     * should be determined. If {@code null}, the current time is used.
494     * <p>
495     * Note that the {@code Date} supplied here is copied to protect
496     * against subsequent modifications.
497     *
498     * @param date the {@code Date}, or {@code null} for the
499     * current time
500     * @see #getDate
501     */
502    public void setDate(Date date) {
503        if (date != null)
504            this.date = (Date) date.clone();
505        else
506            date = null;
507    }
508
509    /**
510     * Sets a {@code List} of additional certification path checkers. If
511     * the specified {@code List} contains an object that is not a
512     * {@code PKIXCertPathChecker}, it is ignored.
513     * <p>
514     * Each {@code PKIXCertPathChecker} specified implements
515     * additional checks on a certificate. Typically, these are checks to
516     * process and verify private extensions contained in certificates.
517     * Each {@code PKIXCertPathChecker} should be instantiated with any
518     * initialization parameters needed to execute the check.
519     * <p>
520     * This method allows sophisticated applications to extend a PKIX
521     * {@code CertPathValidator} or {@code CertPathBuilder}.
522     * Each of the specified {@code PKIXCertPathChecker}s will be called,
523     * in turn, by a PKIX {@code CertPathValidator} or
524     * {@code CertPathBuilder} for each certificate processed or
525     * validated.
526     * <p>
527     * Regardless of whether these additional {@code PKIXCertPathChecker}s
528     * are set, a PKIX {@code CertPathValidator} or
529     * {@code CertPathBuilder} must perform all of the required PKIX
530     * checks on each certificate. The one exception to this rule is if the
531     * RevocationEnabled flag is set to false (see the {@link
532     * #setRevocationEnabled setRevocationEnabled} method).
533     * <p>
534     * Note that the {@code List} supplied here is copied and each
535     * {@code PKIXCertPathChecker} in the list is cloned to protect
536     * against subsequent modifications.
537     *
538     * @param checkers a {@code List} of {@code PKIXCertPathChecker}s.
539     * May be {@code null}, in which case no additional checkers will be
540     * used.
541     * @throws ClassCastException if any of the elements in the list
542     * are not of type {@code java.security.cert.PKIXCertPathChecker}
543     * @see #getCertPathCheckers
544     */
545    public void setCertPathCheckers(List<PKIXCertPathChecker> checkers) {
546        if (checkers != null) {
547            List<PKIXCertPathChecker> tmpList =
548                        new ArrayList<PKIXCertPathChecker>();
549            for (PKIXCertPathChecker checker : checkers) {
550                tmpList.add((PKIXCertPathChecker)checker.clone());
551            }
552            this.certPathCheckers = tmpList;
553        } else {
554            this.certPathCheckers = new ArrayList<PKIXCertPathChecker>();
555        }
556    }
557
558    /**
559     * Returns the {@code List} of certification path checkers.
560     * The returned {@code List} is immutable, and each
561     * {@code PKIXCertPathChecker} in the {@code List} is cloned
562     * to protect against subsequent modifications.
563     *
564     * @return an immutable {@code List} of
565     * {@code PKIXCertPathChecker}s (may be empty, but not
566     * {@code null})
567     * @see #setCertPathCheckers
568     */
569    public List<PKIXCertPathChecker> getCertPathCheckers() {
570        List<PKIXCertPathChecker> tmpList = new ArrayList<PKIXCertPathChecker>();
571        for (PKIXCertPathChecker ck : certPathCheckers) {
572            tmpList.add((PKIXCertPathChecker)ck.clone());
573        }
574        return Collections.unmodifiableList(tmpList);
575    }
576
577    /**
578     * Adds a {@code PKIXCertPathChecker} to the list of certification
579     * path checkers. See the {@link #setCertPathCheckers setCertPathCheckers}
580     * method for more details.
581     * <p>
582     * Note that the {@code PKIXCertPathChecker} is cloned to protect
583     * against subsequent modifications.
584     *
585     * @param checker a {@code PKIXCertPathChecker} to add to the list of
586     * checks. If {@code null}, the checker is ignored (not added to list).
587     */
588    public void addCertPathChecker(PKIXCertPathChecker checker) {
589        if (checker != null) {
590            certPathCheckers.add((PKIXCertPathChecker)checker.clone());
591        }
592    }
593
594    /**
595     * Returns the signature provider's name, or {@code null}
596     * if not set.
597     *
598     * @return the signature provider's name (or {@code null})
599     * @see #setSigProvider
600     */
601    public String getSigProvider() {
602        return this.sigProvider;
603    }
604
605    /**
606     * Sets the signature provider's name. The specified provider will be
607     * preferred when creating {@link java.security.Signature Signature}
608     * objects. If {@code null} or not set, the first provider found
609     * supporting the algorithm will be used.
610     *
611     * @param sigProvider the signature provider's name (or {@code null})
612     * @see #getSigProvider
613    */
614    public void setSigProvider(String sigProvider) {
615        this.sigProvider = sigProvider;
616    }
617
618    /**
619     * Returns the required constraints on the target certificate.
620     * The constraints are returned as an instance of {@code CertSelector}.
621     * If {@code null}, no constraints are defined.
622     *
623     * <p>Note that the {@code CertSelector} returned is cloned
624     * to protect against subsequent modifications.
625     *
626     * @return a {@code CertSelector} specifying the constraints
627     * on the target certificate (or {@code null})
628     * @see #setTargetCertConstraints
629     */
630    public CertSelector getTargetCertConstraints() {
631        if (certSelector != null) {
632            return (CertSelector) certSelector.clone();
633        } else {
634            return null;
635        }
636    }
637
638    /**
639     * Sets the required constraints on the target certificate.
640     * The constraints are specified as an instance of
641     * {@code CertSelector}. If {@code null}, no constraints are
642     * defined.
643     *
644     * <p>Note that the {@code CertSelector} specified is cloned
645     * to protect against subsequent modifications.
646     *
647     * @param selector a {@code CertSelector} specifying the constraints
648     * on the target certificate (or {@code null})
649     * @see #getTargetCertConstraints
650     */
651    public void setTargetCertConstraints(CertSelector selector) {
652        if (selector != null)
653            certSelector = (CertSelector) selector.clone();
654        else
655            certSelector = null;
656    }
657
658    /**
659     * Makes a copy of this {@code PKIXParameters} object. Changes
660     * to the copy will not affect the original and vice versa.
661     *
662     * @return a copy of this {@code PKIXParameters} object
663     */
664    public Object clone() {
665        try {
666            PKIXParameters copy = (PKIXParameters)super.clone();
667
668            // must clone these because addCertStore, et al. modify them
669            if (certStores != null) {
670                copy.certStores = new ArrayList<CertStore>(certStores);
671            }
672            if (certPathCheckers != null) {
673                copy.certPathCheckers =
674                    new ArrayList<PKIXCertPathChecker>(certPathCheckers.size());
675                for (PKIXCertPathChecker checker : certPathCheckers) {
676                    copy.certPathCheckers.add(
677                                    (PKIXCertPathChecker)checker.clone());
678                }
679            }
680
681            // other class fields are immutable to public, don't bother
682            // to clone the read-only fields.
683            return copy;
684        } catch (CloneNotSupportedException e) {
685            /* Cannot happen */
686            throw new InternalError(e.toString(), e);
687        }
688    }
689
690    /**
691     * Returns a formatted string describing the parameters.
692     *
693     * @return a formatted string describing the parameters.
694     */
695    public String toString() {
696        StringBuffer sb = new StringBuffer();
697        sb.append("[\n");
698
699        /* start with trusted anchor info */
700        if (unmodTrustAnchors != null) {
701            sb.append("  Trust Anchors: " + unmodTrustAnchors.toString()
702                + "\n");
703        }
704
705        /* now, append initial state information */
706        if (unmodInitialPolicies != null) {
707            if (unmodInitialPolicies.isEmpty()) {
708                sb.append("  Initial Policy OIDs: any\n");
709            } else {
710                sb.append("  Initial Policy OIDs: ["
711                    + unmodInitialPolicies.toString() + "]\n");
712            }
713        }
714
715        /* now, append constraints on all certificates in the path */
716        sb.append("  Validity Date: " + String.valueOf(date) + "\n");
717        sb.append("  Signature Provider: " + String.valueOf(sigProvider) + "\n");
718        sb.append("  Default Revocation Enabled: " + revocationEnabled + "\n");
719        sb.append("  Explicit Policy Required: " + explicitPolicyRequired + "\n");
720        sb.append("  Policy Mapping Inhibited: " + policyMappingInhibited + "\n");
721        sb.append("  Any Policy Inhibited: " + anyPolicyInhibited + "\n");
722        sb.append("  Policy Qualifiers Rejected: " + policyQualifiersRejected + "\n");
723
724        /* now, append target cert requirements */
725        sb.append("  Target Cert Constraints: " + String.valueOf(certSelector) + "\n");
726
727        /* finally, append miscellaneous parameters */
728        if (certPathCheckers != null)
729            sb.append("  Certification Path Checkers: ["
730                + certPathCheckers.toString() + "]\n");
731        if (certStores != null)
732            sb.append("  CertStores: [" + certStores.toString() + "]\n");
733        sb.append("]");
734        return sb.toString();
735    }
736}
737