3261N/A * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved. 0N/A * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 0N/A * This code is free software; you can redistribute it and/or modify it 0N/A * under the terms of the GNU General Public License version 2 only, as 2362N/A * published by the Free Software Foundation. Oracle designates this 0N/A * particular file as subject to the "Classpath" exception as provided 2362N/A * by Oracle in the LICENSE file that accompanied this code. 0N/A * This code is distributed in the hope that it will be useful, but WITHOUT 0N/A * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 0N/A * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 0N/A * version 2 for more details (a copy is included in the LICENSE file that 0N/A * accompanied this code). 0N/A * You should have received a copy of the GNU General Public License version 0N/A * 2 along with this work; if not, write to the Free Software Foundation, 0N/A * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 2362N/A * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 2362N/A * or visit www.oracle.com if you need additional information or have any 0N/A * Parameters used as input for the PKIX <code>CertPathValidator</code> 0N/A * A PKIX <code>CertPathValidator</code> uses these parameters to 0N/A * validate a <code>CertPath</code> according to the PKIX certification path 0N/A * validation algorithm. 0N/A * <p>To instantiate a <code>PKIXParameters</code> object, an 0N/A * application must specify one or more <i>most-trusted CAs</i> as defined by 0N/A * the PKIX certification path validation algorithm. The most-trusted CAs 0N/A * can be specified using one of two constructors. An application 0N/A * can call {@link #PKIXParameters(Set) PKIXParameters(Set)}, 0N/A * specifying a <code>Set</code> of <code>TrustAnchor</code> objects, each 0N/A * of which identify a most-trusted CA. Alternatively, an application can call 0N/A * {@link #PKIXParameters(KeyStore) PKIXParameters(KeyStore)}, specifying a 0N/A * <code>KeyStore</code> instance containing trusted certificate entries, each 0N/A * of which will be considered as a most-trusted CA. 0N/A * Once a <code>PKIXParameters</code> object has been created, other parameters 0N/A * can be specified (by calling {@link #setInitialPolicies setInitialPolicies} 0N/A * or {@link #setDate setDate}, for instance) and then the 0N/A * <code>PKIXParameters</code> is passed along with the <code>CertPath</code> 0N/A * to be validated to {@link CertPathValidator#validate 0N/A * CertPathValidator.validate}. 0N/A * Any parameter that is not set (or is set to <code>null</code>) will 0N/A * be set to the default value for that parameter. The default value for the 0N/A * <code>date</code> parameter is <code>null</code>, which indicates 0N/A * the current time when the path is validated. The default for the 0N/A * remaining parameters is the least constrained. 0N/A * <b>Concurrent Access</b> 0N/A * Unless otherwise specified, the methods defined in this class are not 0N/A * thread-safe. Multiple threads that need to access a single 0N/A * object concurrently should synchronize amongst themselves and 0N/A * provide the necessary locking. Multiple threads each manipulating 0N/A * separate objects need not synchronize. 0N/A * @see CertPathValidator 0N/A * @author Sean Mullan 0N/A * @author Yassir Elley 0N/A * Creates an instance of <code>PKIXParameters</code> with the specified 0N/A * <code>Set</code> of most-trusted CAs. Each element of the 0N/A * set is a {@link TrustAnchor TrustAnchor}. 0N/A * Note that the <code>Set</code> is copied to protect against 0N/A * subsequent modifications. 0N/A * @param trustAnchors a <code>Set</code> of <code>TrustAnchor</code>s 0N/A * @throws InvalidAlgorithmParameterException if the specified 0N/A * <code>Set</code> is empty <code>(trustAnchors.isEmpty() == true)</code> 0N/A * @throws NullPointerException if the specified <code>Set</code> is 0N/A * @throws ClassCastException if any of the elements in the <code>Set</code> 0N/A * are not of type <code>java.security.cert.TrustAnchor</code> 0N/A * Creates an instance of <code>PKIXParameters</code> that 0N/A * populates the set of most-trusted CAs from the trusted 0N/A * certificate entries contained in the specified <code>KeyStore</code>. 0N/A * Only keystore entries that contain trusted <code>X509Certificates</code> 0N/A * are considered; all other certificate types are ignored. 0N/A * @param keystore a <code>KeyStore</code> from which the set of 0N/A * most-trusted CAs will be populated 0N/A * @throws KeyStoreException if the keystore has not been initialized 0N/A * @throws InvalidAlgorithmParameterException if the keystore does 0N/A * not contain at least one trusted certificate entry 0N/A * @throws NullPointerException if the keystore is <code>null</code> 0N/A * Returns an immutable <code>Set</code> of the most-trusted 0N/A * @return an immutable <code>Set</code> of <code>TrustAnchor</code>s 0N/A * (never <code>null</code>) 0N/A * @see #setTrustAnchors 0N/A * Sets the <code>Set</code> of most-trusted CAs. 0N/A * Note that the <code>Set</code> is copied to protect against 0N/A * subsequent modifications. 0N/A * @param trustAnchors a <code>Set</code> of <code>TrustAnchor</code>s 0N/A * @throws InvalidAlgorithmParameterException if the specified 0N/A * <code>Set</code> is empty <code>(trustAnchors.isEmpty() == true)</code> 0N/A * @throws NullPointerException if the specified <code>Set</code> is 0N/A * @throws ClassCastException if any of the elements in the set 0N/A * are not of type <code>java.security.cert.TrustAnchor</code> 0N/A * @see #getTrustAnchors 0N/A "parameter must be non-empty");
0N/A +
"of type java.security.cert.TrustAnchor");
0N/A * Returns an immutable <code>Set</code> of initial 0N/A * policy identifiers (OID strings), indicating that any one of these 0N/A * policies would be acceptable to the certificate user for the purposes of 0N/A * certification path processing. The default return value is an empty 0N/A * <code>Set</code>, which is interpreted as meaning that any policy would 0N/A * @return an immutable <code>Set</code> of initial policy OIDs in 0N/A * <code>String</code> format, or an empty <code>Set</code> (implying any 0N/A * policy is acceptable). Never returns <code>null</code>. 0N/A * @see #setInitialPolicies 0N/A * Sets the <code>Set</code> of initial policy identifiers 0N/A * (OID strings), indicating that any one of these 0N/A * policies would be acceptable to the certificate user for the purposes of 0N/A * certification path processing. By default, any policy is acceptable 0N/A * (i.e. all policies), so a user that wants to allow any policy as 0N/A * acceptable does not need to call this method, or can call it 0N/A * with an empty <code>Set</code> (or <code>null</code>). 0N/A * Note that the <code>Set</code> is copied to protect against 0N/A * subsequent modifications. 0N/A * @param initialPolicies a <code>Set</code> of initial policy 0N/A * OIDs in <code>String</code> format (or <code>null</code>) 0N/A * @throws ClassCastException if any of the elements in the set are 0N/A * not of type <code>String</code> 0N/A * @see #getInitialPolicies 0N/A +
"of type java.lang.String");
0N/A * Sets the list of <code>CertStore</code>s to be used in finding 0N/A * certificates and CRLs. May be <code>null</code>, in which case 0N/A * no <code>CertStore</code>s will be used. The first 0N/A * <code>CertStore</code>s in the list may be preferred to those that 0N/A * Note that the <code>List</code> is copied to protect against 0N/A * subsequent modifications. 0N/A * @param stores a <code>List</code> of <code>CertStore</code>s (or 0N/A * <code>null</code>) 0N/A * @throws ClassCastException if any of the elements in the list are 0N/A * not of type <code>java.security.cert.CertStore</code> 0N/A * @see #getCertStores 0N/A +
"of type java.security.cert.CertStore");
0N/A * Adds a <code>CertStore</code> to the end of the list of 0N/A * <code>CertStore</code>s used in finding certificates and CRLs. 0N/A * @param store the <code>CertStore</code> to add. If <code>null</code>, 0N/A * the store is ignored (not added to list). 0N/A * Returns an immutable <code>List</code> of <code>CertStore</code>s that 0N/A * are used to find certificates and CRLs. 0N/A * @return an immutable <code>List</code> of <code>CertStore</code>s 0N/A * (may be empty, but never <code>null</code>) 0N/A * @see #setCertStores 0N/A * Sets the RevocationEnabled flag. If this flag is true, the default 0N/A * revocation checking mechanism of the underlying PKIX service provider 0N/A * will be used. If this flag is false, the default revocation checking 0N/A * mechanism will be disabled (not used). 0N/A * When a <code>PKIXParameters</code> object is created, this flag is set 0N/A * to true. This setting reflects the most common strategy for checking 0N/A * revocation, since each service provider must support revocation 0N/A * checking to be PKIX compliant. Sophisticated applications should set 0N/A * this flag to false when it is not practical to use a PKIX service 0N/A * provider's default revocation checking mechanism or when an alternative 0N/A * revocation checking mechanism is to be substituted (by also calling the 0N/A * {@link #addCertPathChecker addCertPathChecker} or {@link 0N/A * #setCertPathCheckers setCertPathCheckers} methods). 0N/A * @param val the new value of the RevocationEnabled flag 0N/A * Checks the RevocationEnabled flag. If this flag is true, the default 0N/A * revocation checking mechanism of the underlying PKIX service provider 0N/A * will be used. If this flag is false, the default revocation checking 0N/A * mechanism will be disabled (not used). See the {@link 0N/A * #setRevocationEnabled setRevocationEnabled} method for more details on 0N/A * setting the value of this flag. 0N/A * @return the current value of the RevocationEnabled flag 0N/A * Sets the ExplicitPolicyRequired flag. If this flag is true, an 0N/A * acceptable policy needs to be explicitly identified in every certificate. 0N/A * By default, the ExplicitPolicyRequired flag is false. 0N/A * @param val <code>true</code> if explicit policy is to be required, 0N/A * <code>false</code> otherwise 0N/A * Checks if explicit policy is required. If this flag is true, an 0N/A * acceptable policy needs to be explicitly identified in every certificate. 0N/A * By default, the ExplicitPolicyRequired flag is false. 0N/A * @return <code>true</code> if explicit policy is required, 0N/A * <code>false</code> otherwise 0N/A * Sets the PolicyMappingInhibited flag. If this flag is true, policy 0N/A * mapping is inhibited. By default, policy mapping is not inhibited (the 0N/A * @param val <code>true</code> if policy mapping is to be inhibited, 0N/A * <code>false</code> otherwise 0N/A * Checks if policy mapping is inhibited. If this flag is true, policy 0N/A * mapping is inhibited. By default, policy mapping is not inhibited (the 0N/A * @return true if policy mapping is inhibited, false otherwise 0N/A * Sets state to determine if the any policy OID should be processed 0N/A * if it is included in a certificate. By default, the any policy OID 0N/A * is not inhibited ({@link #isAnyPolicyInhibited isAnyPolicyInhibited()} 0N/A * returns <code>false</code>). 0N/A * @param val <code>true</code> if the any policy OID is to be 0N/A * inhibited, <code>false</code> otherwise 0N/A * Checks whether the any policy OID should be processed if it 0N/A * is included in a certificate. 0N/A * @return <code>true</code> if the any policy OID is inhibited, 0N/A * <code>false</code> otherwise 0N/A * Sets the PolicyQualifiersRejected flag. If this flag is true, 0N/A * certificates that include policy qualifiers in a certificate 0N/A * policies extension that is marked critical are rejected. 0N/A * If the flag is false, certificates are not rejected on this basis. 0N/A * <p> When a <code>PKIXParameters</code> object is created, this flag is 0N/A * set to true. This setting reflects the most common (and simplest) 0N/A * strategy for processing policy qualifiers. Applications that want to use 0N/A * a more sophisticated policy must set this flag to false. 0N/A * Note that the PKIX certification path validation algorithm specifies 0N/A * that any policy qualifier in a certificate policies extension that is 0N/A * marked critical must be processed and validated. Otherwise the 0N/A * certification path must be rejected. If the policyQualifiersRejected flag 0N/A * is set to false, it is up to the application to validate all policy 0N/A * qualifiers in this manner in order to be PKIX compliant. 0N/A * @param qualifiersRejected the new value of the PolicyQualifiersRejected 0N/A * @see #getPolicyQualifiersRejected 0N/A * @see PolicyQualifierInfo 0N/A * Gets the PolicyQualifiersRejected flag. If this flag is true, 0N/A * certificates that include policy qualifiers in a certificate policies 0N/A * extension that is marked critical are rejected. 0N/A * If the flag is false, certificates are not rejected on this basis. 0N/A * <p> When a <code>PKIXParameters</code> object is created, this flag is 0N/A * set to true. This setting reflects the most common (and simplest) 0N/A * strategy for processing policy qualifiers. Applications that want to use 0N/A * a more sophisticated policy must set this flag to false. 0N/A * @return the current value of the PolicyQualifiersRejected flag 0N/A * @see #setPolicyQualifiersRejected 0N/A * Returns the time for which the validity of the certification path 0N/A * should be determined. If <code>null</code>, the current time is used. 0N/A * Note that the <code>Date</code> returned is copied to protect against 0N/A * subsequent modifications. 0N/A * @return the <code>Date</code>, or <code>null</code> if not set 0N/A * Sets the time for which the validity of the certification path 0N/A * should be determined. If <code>null</code>, the current time is used. 0N/A * Note that the <code>Date</code> supplied here is copied to protect 0N/A * against subsequent modifications. 0N/A * @param date the <code>Date</code>, or <code>null</code> for the 0N/A * Sets a <code>List</code> of additional certification path checkers. If 0N/A * the specified <code>List</code> contains an object that is not a 0N/A * <code>PKIXCertPathChecker</code>, it is ignored. 0N/A * Each <code>PKIXCertPathChecker</code> specified implements 0N/A * additional checks on a certificate. Typically, these are checks to 0N/A * process and verify private extensions contained in certificates. 0N/A * Each <code>PKIXCertPathChecker</code> should be instantiated with any 0N/A * initialization parameters needed to execute the check. 0N/A * This method allows sophisticated applications to extend a PKIX 0N/A * <code>CertPathValidator</code> or <code>CertPathBuilder</code>. 0N/A * Each of the specified <code>PKIXCertPathChecker</code>s will be called, 0N/A * in turn, by a PKIX <code>CertPathValidator</code> or 0N/A * <code>CertPathBuilder</code> for each certificate processed or 0N/A * Regardless of whether these additional <code>PKIXCertPathChecker</code>s 0N/A * are set, a PKIX <code>CertPathValidator</code> or 0N/A * <code>CertPathBuilder</code> must perform all of the required PKIX 0N/A * checks on each certificate. The one exception to this rule is if the 0N/A * RevocationEnabled flag is set to false (see the {@link 0N/A * #setRevocationEnabled setRevocationEnabled} method). 0N/A * Note that the <code>List</code> supplied here is copied and each 0N/A * <code>PKIXCertPathChecker</code> in the list is cloned to protect 0N/A * against subsequent modifications. 0N/A * @param checkers a <code>List</code> of <code>PKIXCertPathChecker</code>s. 0N/A * May be <code>null</code>, in which case no additional checkers will be 0N/A * @throws ClassCastException if any of the elements in the list 0N/A * are not of type <code>java.security.cert.PKIXCertPathChecker</code> 0N/A * @see #getCertPathCheckers 0N/A * Returns the <code>List</code> of certification path checkers. 0N/A * The returned <code>List</code> is immutable, and each 0N/A * <code>PKIXCertPathChecker</code> in the <code>List</code> is cloned 0N/A * to protect against subsequent modifications. 0N/A * @return an immutable <code>List</code> of 0N/A * <code>PKIXCertPathChecker</code>s (may be empty, but not 0N/A * <code>null</code>) 0N/A * @see #setCertPathCheckers 0N/A * Adds a <code>PKIXCertPathChecker</code> to the list of certification 0N/A * path checkers. See the {@link #setCertPathCheckers setCertPathCheckers} 0N/A * method for more details. 0N/A * Note that the <code>PKIXCertPathChecker</code> is cloned to protect 0N/A * against subsequent modifications. 0N/A * @param checker a <code>PKIXCertPathChecker</code> to add to the list of 0N/A * checks. If <code>null</code>, the checker is ignored (not added to list). 0N/A * Returns the signature provider's name, or <code>null</code> 0N/A * @return the signature provider's name (or <code>null</code>) 0N/A * @see #setSigProvider 0N/A * Sets the signature provider's name. The specified provider will be 0N/A * preferred when creating {@link java.security.Signature Signature} 0N/A * objects. If <code>null</code> or not set, the first provider found 0N/A * supporting the algorithm will be used. 0N/A * @param sigProvider the signature provider's name (or <code>null</code>) 0N/A * @see #getSigProvider 0N/A * Returns the required constraints on the target certificate. 0N/A * The constraints are returned as an instance of <code>CertSelector</code>. 0N/A * If <code>null</code>, no constraints are defined. 0N/A * <p>Note that the <code>CertSelector</code> returned is cloned 0N/A * to protect against subsequent modifications. 0N/A * @return a <code>CertSelector</code> specifying the constraints 0N/A * on the target certificate (or <code>null</code>) 0N/A * @see #setTargetCertConstraints 0N/A * Sets the required constraints on the target certificate. 0N/A * The constraints are specified as an instance of 0N/A * <code>CertSelector</code>. If <code>null</code>, no constraints are 0N/A * <p>Note that the <code>CertSelector</code> specified is cloned 0N/A * to protect against subsequent modifications. 0N/A * @param selector a <code>CertSelector</code> specifying the constraints 0N/A * on the target certificate (or <code>null</code>) 0N/A * @see #getTargetCertConstraints 0N/A * Makes a copy of this <code>PKIXParameters</code> object. Changes 0N/A * to the copy will not affect the original and vice versa. 0N/A * @return a copy of this <code>PKIXParameters</code> object 2105N/A // must clone these because addCertStore, et al. modify them 2105N/A // other class fields are immutable to public, don't bother 2105N/A // to clone the read-only fields. 0N/A * Returns a formatted string describing the parameters. 0N/A * @return a formatted string describing the parameters. 0N/A /* start with trusted anchor info */ 0N/A /* now, append initial state information */ 0N/A /* now, append constraints on all certificates in the path */ 0N/A /* now, append target cert requirements */ 0N/A /* finally, append miscellaneous parameters */