Diffstat (limited to 'bcprov/src/main/java/org/bouncycastle/jcajce/PKIXExtendedParameters.java')
-rw-r--r-- | bcprov/src/main/java/org/bouncycastle/jcajce/PKIXExtendedParameters.java | 340 |
1 files changed, 340 insertions, 0 deletions
diff --git a/bcprov/src/main/java/org/bouncycastle/jcajce/PKIXExtendedParameters.java b/bcprov/src/main/java/org/bouncycastle/jcajce/PKIXExtendedParameters.java
new file mode 100644
index 0000000..3a86f2a
--- /dev/null
+++ b/bcprov/src/main/java/org/bouncycastle/jcajce/PKIXExtendedParameters.java
@@ -0,0 +1,340 @@
+package org.bouncycastle.jcajce;
+
+import java.security.cert.CertPathParameters;
+import java.security.cert.CertSelector;
+import java.security.cert.CertStore;
+import java.security.cert.PKIXParameters;
+import java.security.cert.TrustAnchor;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import org.bouncycastle.asn1.x509.GeneralName;
+
+/**
+ * This class extends the PKIXParameters with a validity model parameter.
+ */
+public class PKIXExtendedParameters
+ implements CertPathParameters
+{
+ /**
+ * This is the default PKIX validity model. Actually there are two variants
+ * of this: The PKIX model and the modified PKIX model. The PKIX model
+ * verifies that all involved certificates must have been valid at the
+ * current time. The modified PKIX model verifies that all involved
+ * certificates were valid at the signing time. Both are indirectly choosen
+ * with the {@link java.security.cert.PKIXParameters#setDate(java.util.Date)} method, so this
+ * methods sets the Date when <em>all</em> certificates must have been
+ * valid.
+ */
+ public static final int PKIX_VALIDITY_MODEL = 0;
+
+ /**
+ * This model uses the following validity model. Each certificate must have
+ * been valid at the moment where is was used. That means the end
+ * certificate must have been valid at the time the signature was done. The
+ * CA certificate which signed the end certificate must have been valid,
+ * when the end certificate was signed. The CA (or Root CA) certificate must
+ * have been valid, when the CA certificate was signed and so on. So the
+ * {@link java.security.cert.PKIXParameters#setDate(java.util.Date)} method sets the time, when
+ * the <em>end certificate</em> must have been valid.
+ * <p>
+ * It is used e.g.
+ * in the German signature law.
+ * </p>
+ */
+ public static final int CHAIN_VALIDITY_MODEL = 1;
+
+ public static class Builder
+ {
+ private final PKIXParameters baseParameters;
+ private final Date date;
+
+ private PKIXCertStoreSelector targetConstraints;
+ private List<PKIXCertStore> extraCertStores = new ArrayList<PKIXCertStore>();
+ private Map<GeneralName, PKIXCertStore> namedCertificateStoreMap = new HashMap<GeneralName, PKIXCertStore>();
+ private List<PKIXCRLStore> extraCRLStores = new ArrayList<PKIXCRLStore>();
+ private Map<GeneralName, PKIXCRLStore> namedCRLStoreMap = new HashMap<GeneralName, PKIXCRLStore>();
+ private boolean revocationEnabled;
+ private int validityModel = PKIX_VALIDITY_MODEL;
+ private boolean useDeltas = false;
+ private Set<TrustAnchor> trustAnchors;
+
+ public Builder(PKIXParameters baseParameters)
+ {
+ this.baseParameters = (PKIXParameters)baseParameters.clone();
+ CertSelector constraints = baseParameters.getTargetCertConstraints();
+ if (constraints != null)
+ {
+ this.targetConstraints = new PKIXCertStoreSelector.Builder(constraints).build();
+ }
+ Date checkDate = baseParameters.getDate();
+ this.date = (checkDate == null) ? new Date() : checkDate;
+ this.revocationEnabled = baseParameters.isRevocationEnabled();
+ this.trustAnchors = baseParameters.getTrustAnchors();
+ }
+
+ public Builder(PKIXExtendedParameters baseParameters)
+ {
+ this.baseParameters = baseParameters.baseParameters;
+ this.date = baseParameters.date;
+ this.targetConstraints = baseParameters.targetConstraints;
+ this.extraCertStores = new ArrayList<PKIXCertStore>(baseParameters.extraCertStores);
+ this.namedCertificateStoreMap = new HashMap<GeneralName, PKIXCertStore>(baseParameters.namedCertificateStoreMap);
+ this.extraCRLStores = new ArrayList<PKIXCRLStore>(baseParameters.extraCRLStores);
+ this.namedCRLStoreMap = new HashMap<GeneralName, PKIXCRLStore>(baseParameters.namedCRLStoreMap);
+ this.useDeltas = baseParameters.useDeltas;
+ this.validityModel = baseParameters.validityModel;
+ this.revocationEnabled = baseParameters.isRevocationEnabled();
+ this.trustAnchors = baseParameters.getTrustAnchors();
+ }
+
+ public Builder addCertificateStore(PKIXCertStore store)
+ {
+ extraCertStores.add(store);
+
+ return this;
+ }
+
+ public Builder addNamedCertificateStore(GeneralName issuerAltName, PKIXCertStore store)
+ {
+ namedCertificateStoreMap.put(issuerAltName, store);
+
+ return this;
+ }
+
+ public Builder addCRLStore(PKIXCRLStore store)
+ {
+ extraCRLStores.add(store);
+
+ return this;
+ }
+
+ public Builder addNamedCRLStore(GeneralName issuerAltName, PKIXCRLStore store)
+ {
+ namedCRLStoreMap.put(issuerAltName, store);
+
+ return this;
+ }
+
+ public Builder setTargetConstraints(PKIXCertStoreSelector selector)
+ {
+ targetConstraints = selector;
+
+ return this;
+ }
+
+ /**
+ * Sets if delta CRLs should be used for checking the revocation status.
+ *
+ * @param useDeltas <code>true</code> if delta CRLs should be used.
+ */
+ public Builder setUseDeltasEnabled(boolean useDeltas)
+ {
+ this.useDeltas = useDeltas;
+
+ return this;
+ }
+
+ /**
+ * @param validityModel The validity model to set.
+ * @see #CHAIN_VALIDITY_MODEL
+ * @see #PKIX_VALIDITY_MODEL
+ */
+ public Builder setValidityModel(int validityModel)
+ {
+ this.validityModel = validityModel;
+
+ return this;
+ }
+
+ /**
+ * Set the trustAnchor to be used with these parameters.
+ *
+ * @param trustAnchor the trust anchor end-entity and CRLs must be based on.
+ * @return the current builder.
+ */
+ public Builder setTrustAnchor(TrustAnchor trustAnchor)
+ {
+ this.trustAnchors = Collections.singleton(trustAnchor);
+
+ return this;
+ }
+
+ /**
+ * Set the set of trustAnchors to be used with these parameters.
+ *
+ * @param trustAnchors a set of trustAnchors, one of which a particular end-entity and it's associated CRLs must be based on.
+ * @return the current builder.
+ */
+ public Builder setTrustAnchors(Set<TrustAnchor> trustAnchors)
+ {
+ this.trustAnchors = trustAnchors;
+
+ return this;
+ }
+
+ /**
+ * Flag whether or not revocation checking is to be enabled.
+ *
+ * @param revocationEnabled true if revocation checking to be enabled, false otherwise.
+ */
+ public void setRevocationEnabled(boolean revocationEnabled)
+ {
+ this.revocationEnabled = revocationEnabled;
+ }
+
+ public PKIXExtendedParameters build()
+ {
+ return new PKIXExtendedParameters(this);
+ }
+ }
+
+ private final PKIXParameters baseParameters;
+ private final PKIXCertStoreSelector targetConstraints;
+ private final Date date;
+ private final List<PKIXCertStore> extraCertStores;
+ private final Map<GeneralName, PKIXCertStore> namedCertificateStoreMap;
+ private final List<PKIXCRLStore> extraCRLStores;
+ private final Map<GeneralName, PKIXCRLStore> namedCRLStoreMap;
+ private final boolean revocationEnabled;
+ private final boolean useDeltas;
+ private final int validityModel;
+ private final Set<TrustAnchor> trustAnchors;
+
+ private PKIXExtendedParameters(Builder builder)
+ {
+ this.baseParameters = builder.baseParameters;
+ this.date = builder.date;
+ this.extraCertStores = Collections.unmodifiableList(builder.extraCertStores);
+ this.namedCertificateStoreMap = Collections.unmodifiableMap(new HashMap<GeneralName, PKIXCertStore>(builder.namedCertificateStoreMap));
+ this.extraCRLStores = Collections.unmodifiableList(builder.extraCRLStores);
+ this.namedCRLStoreMap = Collections.unmodifiableMap(new HashMap<GeneralName, PKIXCRLStore>(builder.namedCRLStoreMap));
+ this.targetConstraints = builder.targetConstraints;
+ this.revocationEnabled = builder.revocationEnabled;
+ this.useDeltas = builder.useDeltas;
+ this.validityModel = builder.validityModel;
+ this.trustAnchors = Collections.unmodifiableSet(builder.trustAnchors);
+ }
+
+ public List<PKIXCertStore> getCertificateStores()
+ {
+ return extraCertStores;
+ }
+
+
+ public Map<GeneralName, PKIXCertStore> getNamedCertificateStoreMap()
+ {
+ return namedCertificateStoreMap;
+ }
+
+ public List<PKIXCRLStore> getCRLStores()
+ {
+ return extraCRLStores;
+ }
+
+ public Map<GeneralName, PKIXCRLStore> getNamedCRLStoreMap()
+ {
+ return namedCRLStoreMap;
+ }
+
+ public Date getDate()
+ {
+ return new Date(date.getTime());
+ }
+
+
+
+
+ /**
+ * Defaults to <code>false</code>.
+ *
+ * @return Returns if delta CRLs should be used.
+ */
+ public boolean isUseDeltasEnabled()
+ {
+ return useDeltas;
+ }
+
+
+
+ /**
+ * @return Returns the validity model.
+ * @see #CHAIN_VALIDITY_MODEL
+ * @see #PKIX_VALIDITY_MODEL
+ */
+ public int getValidityModel()
+ {
+ return validityModel;
+ }
+
+ public Object clone()
+ {
+ return this;
+ }
+
+ /**
+ * Returns the required constraints on the target certificate.
+ * The constraints are returned as an instance of
+ * <code>Selector</code>. If <code>null</code>, no constraints are
+ * defined.
+ *
+ * @return a <code>Selector</code> specifying the constraints on the
+ * target certificate or attribute certificate (or <code>null</code>)
+ * @see PKIXCertStoreSelector
+ */
+ public PKIXCertStoreSelector getTargetConstraints()
+ {
+ return targetConstraints;
+ }
+
+ public Set getTrustAnchors()
+ {
+ return trustAnchors;
+ }
+
+ public Set getInitialPolicies()
+ {
+ return baseParameters.getInitialPolicies();
+ }
+
+ public String getSigProvider()
+ {
+ return baseParameters.getSigProvider();
+ }
+
+ public boolean isExplicitPolicyRequired()
+ {
+ return baseParameters.isExplicitPolicyRequired();
+ }
+
+ public boolean isAnyPolicyInhibited()
+ {
+ return baseParameters.isAnyPolicyInhibited();
+ }
+
+ public boolean isPolicyMappingInhibited()
+ {
+ return baseParameters.isPolicyMappingInhibited();
+ }
+
+ public List getCertPathCheckers()
+ {
+ return baseParameters.getCertPathCheckers();
+ }
+
+ public List<CertStore> getCertStores()
+ {
+ return baseParameters.getCertStores();
+ }
+
+ public boolean isRevocationEnabled()
+ {
+ return revocationEnabled;
+ }
+
+} |
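Review bot: In the private `PKIXExtendedParameters(Builder)` constructor, `extraCertStores` and `extraCRLStores` are wrapped with `Collections.unmodifiableList(builder.extraCertStores)` without a copy, while the two named-store maps are copied first, so a later `addCertificateStore`/`addCRLStore` on the same builder changes the stores of a parameters object that was already built. `trustAnchors` has the same gap: `setTrustAnchors` keeps the caller's set and `Collections.unmodifiableSet(builder.trustAnchors)` only wraps it, so the caller can still alter the trust roots afterwards, and a null set is rejected only when `build()` runs. Because `clone()` returns `this`, the class depends on being immutable; copy as the maps do, e.g. `Collections.unmodifiableList(new ArrayList<PKIXCertStore>(builder.extraCertStores))`, and likewise for the CRL list and the anchor set (the set copy would need a `java.util.HashSet` import). Separately, `Builder.setRevocationEnabled` returns `void` where every other builder setter returns `Builder`, so it cannot be chained.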