1 package org.bouncycastle.jcajce; 2 3 import java.security.cert.CertPathParameters; 4 import java.security.cert.CertSelector; 5 import java.security.cert.CertStore; 6 import java.security.cert.PKIXParameters; 7 import java.security.cert.TrustAnchor; 8 import java.util.ArrayList; 9 import java.util.Collections; 10 import java.util.Date; 11 import java.util.HashMap; 12 import java.util.List; 13 import java.util.Map; 14 import java.util.Set; 15 16 import org.bouncycastle.asn1.x509.GeneralName; 17 18 /** 19 * This class extends the PKIXParameters with a validity model parameter. 20 */ 21 public class PKIXExtendedParameters 22 implements CertPathParameters 23 { 24 /** 25 * This is the default PKIX validity model. Actually there are two variants of this: The PKIX 26 * model and the modified PKIX model. The PKIX model verifies that all involved certificates 27 * must have been valid at the current time. The modified PKIX model verifies that all involved 28 * certificates were valid at the signing time. Both are indirectly chosen with the 29 * {@link PKIXParameters#setDate(Date)} method, so this methods sets the Date when <em>all</em> 30 * certificates must have been valid. 31 */ 32 public static final int PKIX_VALIDITY_MODEL = 0; 33 34 /** 35 * This model uses the following validity model. Each certificate must have been valid at the 36 * moment when it was used. That means the end certificate must have been valid at the time the 37 * signature was done. The CA certificate which signed the end certificate must have been valid, 38 * when the end certificate was signed. The CA (or Root CA) certificate must have been valid 39 * when the CA certificate was signed, and so on. So the {@link PKIXParameters#setDate(Date)} 40 * method sets the time, when the <em>end certificate</em> must have been valid. It is used e.g. 41 * in the German signature law. 42 */ 43 public static final int CHAIN_VALIDITY_MODEL = 1; 44 45 /** 46 * Builder for a PKIXExtendedParameters object. 47 */ 48 public static class Builder 49 { 50 private final PKIXParameters baseParameters; 51 private final Date validityDate; 52 private final Date date; 53 54 private PKIXCertStoreSelector targetConstraints; 55 private List<PKIXCertStore> extraCertStores = new ArrayList<PKIXCertStore>(); 56 private Map<GeneralName, PKIXCertStore> namedCertificateStoreMap = new HashMap<GeneralName, PKIXCertStore>(); 57 private List<PKIXCRLStore> extraCRLStores = new ArrayList<PKIXCRLStore>(); 58 private Map<GeneralName, PKIXCRLStore> namedCRLStoreMap = new HashMap<GeneralName, PKIXCRLStore>(); 59 private boolean revocationEnabled; 60 private int validityModel = PKIX_VALIDITY_MODEL; 61 private boolean useDeltas = false; 62 private Set<TrustAnchor> trustAnchors; 63 Builder(PKIXParameters baseParameters)64 public Builder(PKIXParameters baseParameters) 65 { 66 this.baseParameters = (PKIXParameters)baseParameters.clone(); 67 CertSelector constraints = baseParameters.getTargetCertConstraints(); 68 if (constraints != null) 69 { 70 this.targetConstraints = new PKIXCertStoreSelector.Builder(constraints).build(); 71 } 72 this.validityDate = baseParameters.getDate(); 73 this.date = (validityDate == null) ? new Date() : validityDate; 74 this.revocationEnabled = baseParameters.isRevocationEnabled(); 75 this.trustAnchors = baseParameters.getTrustAnchors(); 76 } 77 Builder(PKIXExtendedParameters baseParameters)78 public Builder(PKIXExtendedParameters baseParameters) 79 { 80 this.baseParameters = baseParameters.baseParameters; 81 this.validityDate = baseParameters.validityDate; 82 this.date = baseParameters.date; 83 this.targetConstraints = baseParameters.targetConstraints; 84 this.extraCertStores = new ArrayList<PKIXCertStore>(baseParameters.extraCertStores); 85 this.namedCertificateStoreMap = new HashMap<GeneralName, PKIXCertStore>(baseParameters.namedCertificateStoreMap); 86 this.extraCRLStores = new ArrayList<PKIXCRLStore>(baseParameters.extraCRLStores); 87 this.namedCRLStoreMap = new HashMap<GeneralName, PKIXCRLStore>(baseParameters.namedCRLStoreMap); 88 this.useDeltas = baseParameters.useDeltas; 89 this.validityModel = baseParameters.validityModel; 90 this.revocationEnabled = baseParameters.isRevocationEnabled(); 91 this.trustAnchors = baseParameters.getTrustAnchors(); 92 } 93 addCertificateStore(PKIXCertStore store)94 public Builder addCertificateStore(PKIXCertStore store) 95 { 96 extraCertStores.add(store); 97 98 return this; 99 } 100 addNamedCertificateStore(GeneralName issuerAltName, PKIXCertStore store)101 public Builder addNamedCertificateStore(GeneralName issuerAltName, PKIXCertStore store) 102 { 103 namedCertificateStoreMap.put(issuerAltName, store); 104 105 return this; 106 } 107 addCRLStore(PKIXCRLStore store)108 public Builder addCRLStore(PKIXCRLStore store) 109 { 110 extraCRLStores.add(store); 111 112 return this; 113 } 114 addNamedCRLStore(GeneralName issuerAltName, PKIXCRLStore store)115 public Builder addNamedCRLStore(GeneralName issuerAltName, PKIXCRLStore store) 116 { 117 namedCRLStoreMap.put(issuerAltName, store); 118 119 return this; 120 } 121 setTargetConstraints(PKIXCertStoreSelector selector)122 public Builder setTargetConstraints(PKIXCertStoreSelector selector) 123 { 124 targetConstraints = selector; 125 126 return this; 127 } 128 129 /** 130 * Sets if delta CRLs should be used for checking the revocation status. 131 * 132 * @param useDeltas <code>true</code> if delta CRLs should be used. 133 */ setUseDeltasEnabled(boolean useDeltas)134 public Builder setUseDeltasEnabled(boolean useDeltas) 135 { 136 this.useDeltas = useDeltas; 137 138 return this; 139 } 140 141 /** 142 * @param validityModel The validity model to set. 143 * @see #CHAIN_VALIDITY_MODEL 144 * @see #PKIX_VALIDITY_MODEL 145 */ setValidityModel(int validityModel)146 public Builder setValidityModel(int validityModel) 147 { 148 this.validityModel = validityModel; 149 150 return this; 151 } 152 153 /** 154 * Set the trustAnchor to be used with these parameters. 155 * 156 * @param trustAnchor the trust anchor end-entity and CRLs must be based on. 157 * @return the current builder. 158 */ setTrustAnchor(TrustAnchor trustAnchor)159 public Builder setTrustAnchor(TrustAnchor trustAnchor) 160 { 161 this.trustAnchors = Collections.singleton(trustAnchor); 162 163 return this; 164 } 165 166 /** 167 * Set the set of trustAnchors to be used with these parameters. 168 * 169 * @param trustAnchors a set of trustAnchors, one of which a particular end-entity and it's associated CRLs must be based on. 170 * @return the current builder. 171 */ setTrustAnchors(Set<TrustAnchor> trustAnchors)172 public Builder setTrustAnchors(Set<TrustAnchor> trustAnchors) 173 { 174 this.trustAnchors = trustAnchors; 175 176 return this; 177 } 178 179 /** 180 * Flag whether or not revocation checking is to be enabled. 181 * 182 * @param revocationEnabled true if revocation checking to be enabled, false otherwise. 183 */ setRevocationEnabled(boolean revocationEnabled)184 public void setRevocationEnabled(boolean revocationEnabled) 185 { 186 this.revocationEnabled = revocationEnabled; 187 } 188 build()189 public PKIXExtendedParameters build() 190 { 191 return new PKIXExtendedParameters(this); 192 } 193 } 194 195 private final PKIXParameters baseParameters; 196 private final PKIXCertStoreSelector targetConstraints; 197 private final Date validityDate; 198 private final Date date; 199 private final List<PKIXCertStore> extraCertStores; 200 private final Map<GeneralName, PKIXCertStore> namedCertificateStoreMap; 201 private final List<PKIXCRLStore> extraCRLStores; 202 private final Map<GeneralName, PKIXCRLStore> namedCRLStoreMap; 203 private final boolean revocationEnabled; 204 private final boolean useDeltas; 205 private final int validityModel; 206 private final Set<TrustAnchor> trustAnchors; 207 PKIXExtendedParameters(Builder builder)208 private PKIXExtendedParameters(Builder builder) 209 { 210 this.baseParameters = builder.baseParameters; 211 this.validityDate = builder.validityDate; 212 this.date = builder.date; 213 this.extraCertStores = Collections.unmodifiableList(builder.extraCertStores); 214 this.namedCertificateStoreMap = Collections.unmodifiableMap(new HashMap<GeneralName, PKIXCertStore>(builder.namedCertificateStoreMap)); 215 this.extraCRLStores = Collections.unmodifiableList(builder.extraCRLStores); 216 this.namedCRLStoreMap = Collections.unmodifiableMap(new HashMap<GeneralName, PKIXCRLStore>(builder.namedCRLStoreMap)); 217 this.targetConstraints = builder.targetConstraints; 218 this.revocationEnabled = builder.revocationEnabled; 219 this.useDeltas = builder.useDeltas; 220 this.validityModel = builder.validityModel; 221 this.trustAnchors = Collections.unmodifiableSet(builder.trustAnchors); 222 } 223 getCertificateStores()224 public List<PKIXCertStore> getCertificateStores() 225 { 226 return extraCertStores; 227 } 228 229 getNamedCertificateStoreMap()230 public Map<GeneralName, PKIXCertStore> getNamedCertificateStoreMap() 231 { 232 return namedCertificateStoreMap; 233 } 234 getCRLStores()235 public List<PKIXCRLStore> getCRLStores() 236 { 237 return extraCRLStores; 238 } 239 getNamedCRLStoreMap()240 public Map<GeneralName, PKIXCRLStore> getNamedCRLStoreMap() 241 { 242 return namedCRLStoreMap; 243 } 244 245 /** 246 * Returns the time at which to check the validity of the certification path. If {@code null}, 247 * the current time is used. 248 * 249 * @return the {@code Date}, or {@code null} if not set 250 */ getValidityDate()251 public Date getValidityDate() 252 { 253 return null == validityDate ? null : new Date(validityDate.getTime()); 254 } 255 256 /** 257 * @deprecated Use 'getValidityDate' instead (which can return null). 258 */ getDate()259 public Date getDate() 260 { 261 return new Date(date.getTime()); 262 } 263 264 /** 265 * Defaults to <code>false</code>. 266 * 267 * @return Returns if delta CRLs should be used. 268 */ isUseDeltasEnabled()269 public boolean isUseDeltasEnabled() 270 { 271 return useDeltas; 272 } 273 274 /** 275 * @return Returns the validity model. 276 * @see #CHAIN_VALIDITY_MODEL 277 * @see #PKIX_VALIDITY_MODEL 278 */ getValidityModel()279 public int getValidityModel() 280 { 281 return validityModel; 282 } 283 clone()284 public Object clone() 285 { 286 return this; 287 } 288 289 /** 290 * Returns the required constraints on the target certificate. 291 * The constraints are returned as an instance of 292 * <code>Selector</code>. If <code>null</code>, no constraints are 293 * defined. 294 * 295 * @return a <code>Selector</code> specifying the constraints on the 296 * target certificate or attribute certificate (or <code>null</code>) 297 * @see PKIXCertStoreSelector 298 */ getTargetConstraints()299 public PKIXCertStoreSelector getTargetConstraints() 300 { 301 return targetConstraints; 302 } 303 getTrustAnchors()304 public Set getTrustAnchors() 305 { 306 return trustAnchors; 307 } 308 getInitialPolicies()309 public Set getInitialPolicies() 310 { 311 return baseParameters.getInitialPolicies(); 312 } 313 getSigProvider()314 public String getSigProvider() 315 { 316 return baseParameters.getSigProvider(); 317 } 318 isExplicitPolicyRequired()319 public boolean isExplicitPolicyRequired() 320 { 321 return baseParameters.isExplicitPolicyRequired(); 322 } 323 isAnyPolicyInhibited()324 public boolean isAnyPolicyInhibited() 325 { 326 return baseParameters.isAnyPolicyInhibited(); 327 } 328 isPolicyMappingInhibited()329 public boolean isPolicyMappingInhibited() 330 { 331 return baseParameters.isPolicyMappingInhibited(); 332 } 333 getCertPathCheckers()334 public List getCertPathCheckers() 335 { 336 return baseParameters.getCertPathCheckers(); 337 } 338 getCertStores()339 public List<CertStore> getCertStores() 340 { 341 return baseParameters.getCertStores(); 342 } 343 isRevocationEnabled()344 public boolean isRevocationEnabled() 345 { 346 return revocationEnabled; 347 } 348 getPolicyQualifiersRejected()349 public boolean getPolicyQualifiersRejected() 350 { 351 return baseParameters.getPolicyQualifiersRejected(); 352 } 353 } 354