1 package org.bouncycastle.x509; 2 3 import org.bouncycastle.util.Selector; 4 5 import java.security.InvalidAlgorithmParameterException; 6 import java.security.InvalidParameterException; 7 import java.security.cert.PKIXBuilderParameters; 8 import java.security.cert.PKIXParameters; 9 import java.security.cert.TrustAnchor; 10 import java.security.cert.X509CertSelector; 11 import java.util.Collections; 12 import java.util.HashSet; 13 import java.util.Set; 14 15 /** 16 * This class contains extended parameters for PKIX certification path builders. 17 * 18 * @see java.security.cert.PKIXBuilderParameters 19 * @see org.bouncycastle.jce.provider.PKIXCertPathBuilderSpi 20 */ 21 public class ExtendedPKIXBuilderParameters extends ExtendedPKIXParameters 22 { 23 24 private int maxPathLength = 5; 25 26 private Set excludedCerts = Collections.EMPTY_SET; 27 28 /** 29 * Excluded certificates are not used for building a certification path. 30 * <p> 31 * The returned set is immutable. 32 * 33 * @return Returns the excluded certificates. 34 */ getExcludedCerts()35 public Set getExcludedCerts() 36 { 37 return Collections.unmodifiableSet(excludedCerts); 38 } 39 40 /** 41 * Sets the excluded certificates which are not used for building a 42 * certification path. If the <code>Set</code> is <code>null</code> an 43 * empty set is assumed. 44 * <p> 45 * The given set is cloned to protect it against subsequent modifications. 46 * 47 * @param excludedCerts The excluded certificates to set. 48 */ setExcludedCerts(Set excludedCerts)49 public void setExcludedCerts(Set excludedCerts) 50 { 51 if (excludedCerts == null) 52 { 53 excludedCerts = Collections.EMPTY_SET; 54 } 55 else 56 { 57 this.excludedCerts = new HashSet(excludedCerts); 58 } 59 } 60 61 /** 62 * Creates an instance of <code>PKIXBuilderParameters</code> with the 63 * specified <code>Set</code> of most-trusted CAs. Each element of the set 64 * is a {@link TrustAnchor TrustAnchor}. 65 * 66 * <p> 67 * Note that the <code>Set</code> is copied to protect against subsequent 68 * modifications. 69 * 70 * @param trustAnchors a <code>Set</code> of <code>TrustAnchor</code>s 71 * @param targetConstraints a <code>Selector</code> specifying the 72 * constraints on the target certificate or attribute 73 * certificate. 74 * @throws InvalidAlgorithmParameterException if <code>trustAnchors</code> 75 * is empty. 76 * @throws NullPointerException if <code>trustAnchors</code> is 77 * <code>null</code> 78 * @throws ClassCastException if any of the elements of 79 * <code>trustAnchors</code> is not of type 80 * <code>java.security.cert.TrustAnchor</code> 81 */ ExtendedPKIXBuilderParameters(Set trustAnchors, Selector targetConstraints)82 public ExtendedPKIXBuilderParameters(Set trustAnchors, 83 Selector targetConstraints) 84 throws InvalidAlgorithmParameterException 85 { 86 super(trustAnchors); 87 setTargetConstraints(targetConstraints); 88 } 89 90 /** 91 * Sets the maximum number of intermediate non-self-issued certificates in a 92 * certification path. The PKIX <code>CertPathBuilder</code> must not 93 * build paths longer then this length. 94 * <p> 95 * A value of 0 implies that the path can only contain a single certificate. 96 * A value of -1 does not limit the length. The default length is 5. 97 * 98 * <p> 99 * 100 * The basic constraints extension of a CA certificate overrides this value 101 * if smaller. 102 * 103 * @param maxPathLength the maximum number of non-self-issued intermediate 104 * certificates in the certification path 105 * @throws InvalidParameterException if <code>maxPathLength</code> is set 106 * to a value less than -1 107 * 108 * @see org.bouncycastle.jce.provider.PKIXCertPathBuilderSpi 109 * @see #getMaxPathLength 110 */ setMaxPathLength(int maxPathLength)111 public void setMaxPathLength(int maxPathLength) 112 { 113 if (maxPathLength < -1) 114 { 115 throw new InvalidParameterException("The maximum path " 116 + "length parameter can not be less than -1."); 117 } 118 this.maxPathLength = maxPathLength; 119 } 120 121 /** 122 * Returns the value of the maximum number of intermediate non-self-issued 123 * certificates in the certification path. 124 * 125 * @return the maximum number of non-self-issued intermediate certificates 126 * in the certification path, or -1 if no limit exists. 127 * 128 * @see #setMaxPathLength(int) 129 */ getMaxPathLength()130 public int getMaxPathLength() 131 { 132 return maxPathLength; 133 } 134 135 /** 136 * Can alse handle <code>ExtendedPKIXBuilderParameters</code> and 137 * <code>PKIXBuilderParameters</code>. 138 * 139 * @param params Parameters to set. 140 * @see org.bouncycastle.x509.ExtendedPKIXParameters#setParams(java.security.cert.PKIXParameters) 141 */ setParams(PKIXParameters params)142 protected void setParams(PKIXParameters params) 143 { 144 super.setParams(params); 145 if (params instanceof ExtendedPKIXBuilderParameters) 146 { 147 ExtendedPKIXBuilderParameters _params = (ExtendedPKIXBuilderParameters) params; 148 maxPathLength = _params.maxPathLength; 149 excludedCerts = new HashSet(_params.excludedCerts); 150 } 151 if (params instanceof PKIXBuilderParameters) 152 { 153 PKIXBuilderParameters _params = (PKIXBuilderParameters) params; 154 maxPathLength = _params.getMaxPathLength(); 155 } 156 } 157 158 /** 159 * Makes a copy of this <code>PKIXParameters</code> object. Changes to the 160 * copy will not affect the original and vice versa. 161 * 162 * @return a copy of this <code>PKIXParameters</code> object 163 */ clone()164 public Object clone() 165 { 166 ExtendedPKIXBuilderParameters params = null; 167 try 168 { 169 params = new ExtendedPKIXBuilderParameters(getTrustAnchors(), 170 getTargetConstraints()); 171 } 172 catch (Exception e) 173 { 174 // cannot happen 175 throw new RuntimeException(e.getMessage()); 176 } 177 params.setParams(this); 178 return params; 179 } 180 181 /** 182 * Returns an instance of <code>ExtendedPKIXParameters</code> which can be 183 * safely casted to <code>ExtendedPKIXBuilderParameters</code>. 184 * <p> 185 * This method can be used to get a copy from other 186 * <code>PKIXBuilderParameters</code>, <code>PKIXParameters</code>, 187 * and <code>ExtendedPKIXParameters</code> instances. 188 * 189 * @param pkixParams The PKIX parameters to create a copy of. 190 * @return An <code>ExtendedPKIXBuilderParameters</code> instance. 191 */ getInstance(PKIXParameters pkixParams)192 public static ExtendedPKIXParameters getInstance(PKIXParameters pkixParams) 193 { 194 ExtendedPKIXBuilderParameters params; 195 try 196 { 197 params = new ExtendedPKIXBuilderParameters(pkixParams 198 .getTrustAnchors(), X509CertStoreSelector 199 .getInstance((X509CertSelector) pkixParams 200 .getTargetCertConstraints())); 201 } 202 catch (Exception e) 203 { 204 // cannot happen 205 throw new RuntimeException(e.getMessage()); 206 } 207 params.setParams(pkixParams); 208 return params; 209 } 210 } 211