1 /*
   2  * Copyright (c) 2000, 2003, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.  Oracle designates this
   8  * particular file as subject to the "Classpath" exception as provided
   9  * by Oracle in the LICENSE file that accompanied this code.
  10  *
  11  * This code is distributed in the hope that it will be useful, but WITHOUT
  12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  14  * version 2 for more details (a copy is included in the LICENSE file that
  15  * accompanied this code).
  16  *
  17  * You should have received a copy of the GNU General Public License version
  18  * 2 along with this work; if not, write to the Free Software Foundation,
  19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20  *
  21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22  * or visit www.oracle.com if you need additional information or have any
  23  * questions.
  24  */
  25 
  26 package java.security.cert;
  27 
  28 import java.security.KeyStore;
  29 import java.security.KeyStoreException;
  30 import java.security.InvalidAlgorithmParameterException;
  31 import java.security.InvalidParameterException;
  32 import java.util.Set;
  33 
  34 /**
  35  * Parameters used as input for the PKIX <code>CertPathBuilder</code>
  36  * algorithm.
  37  * <p>
  38  * A PKIX <code>CertPathBuilder</code> uses these parameters to {@link
  39  * CertPathBuilder#build build} a <code>CertPath</code> which has been
  40  * validated according to the PKIX certification path validation algorithm.
  41  *
  42  * <p>To instantiate a <code>PKIXBuilderParameters</code> object, an
  43  * application must specify one or more <i>most-trusted CAs</i> as defined by
  44  * the PKIX certification path validation algorithm. The most-trusted CA
  45  * can be specified using one of two constructors. An application
  46  * can call {@link #PKIXBuilderParameters(Set, CertSelector)
  47  * PKIXBuilderParameters(Set, CertSelector)}, specifying a
  48  * <code>Set</code> of <code>TrustAnchor</code> objects, each of which
  49  * identifies a most-trusted CA. Alternatively, an application can call
  50  * {@link #PKIXBuilderParameters(KeyStore, CertSelector)
  51  * PKIXBuilderParameters(KeyStore, CertSelector)}, specifying a
  52  * <code>KeyStore</code> instance containing trusted certificate entries, each
  53  * of which will be considered as a most-trusted CA.
  54  *
  55  * <p>In addition, an application must specify constraints on the target
  56  * certificate that the <code>CertPathBuilder</code> will attempt
  57  * to build a path to. The constraints are specified as a
  58  * <code>CertSelector</code> object. These constraints should provide the
  59  * <code>CertPathBuilder</code> with enough search criteria to find the target
  60  * certificate. Minimal criteria for an <code>X509Certificate</code> usually
  61  * include the subject name and/or one or more subject alternative names.
  62  * If enough criteria is not specified, the <code>CertPathBuilder</code>
  63  * may throw a <code>CertPathBuilderException</code>.
  64  * <p>
  65  * <b>Concurrent Access</b>
  66  * <p>
  67  * Unless otherwise specified, the methods defined in this class are not
  68  * thread-safe. Multiple threads that need to access a single
  69  * object concurrently should synchronize amongst themselves and
  70  * provide the necessary locking. Multiple threads each manipulating
  71  * separate objects need not synchronize.
  72  *
  73  * @see CertPathBuilder
  74  *
  75  * @since       1.4
  76  * @author      Sean Mullan
  77  */
  78 public class PKIXBuilderParameters extends PKIXParameters {
  79 
  80     private int maxPathLength = 5;
  81 
  82     /**
  83      * Creates an instance of <code>PKIXBuilderParameters</code> with
  84      * the specified <code>Set</code> of most-trusted CAs.
  85      * Each element of the set is a {@link TrustAnchor TrustAnchor}.
  86      *
  87      * <p>Note that the <code>Set</code> is copied to protect against
  88      * subsequent modifications.
  89      *
  90      * @param trustAnchors a <code>Set</code> of <code>TrustAnchor</code>s
  91      * @param targetConstraints a <code>CertSelector</code> specifying the
  92      * constraints on the target certificate
  93      * @throws InvalidAlgorithmParameterException if <code>trustAnchors</code>
  94      * is empty <code>(trustAnchors.isEmpty() == true)</code>
  95      * @throws NullPointerException if <code>trustAnchors</code> is
  96      * <code>null</code>
  97      * @throws ClassCastException if any of the elements of
  98      * <code>trustAnchors</code> are not of type
  99      * <code>java.security.cert.TrustAnchor</code>
 100      */
 101     public PKIXBuilderParameters(Set<TrustAnchor> trustAnchors, CertSelector
 102         targetConstraints) throws InvalidAlgorithmParameterException
 103     {
 104         super(trustAnchors);
 105         setTargetCertConstraints(targetConstraints);
 106     }
 107 
 108     /**
 109      * Creates an instance of <code>PKIXBuilderParameters</code> that
 110      * populates the set of most-trusted CAs from the trusted
 111      * certificate entries contained in the specified <code>KeyStore</code>.
 112      * Only keystore entries that contain trusted <code>X509Certificate</code>s
 113      * are considered; all other certificate types are ignored.
 114      *
 115      * @param keystore a <code>KeyStore</code> from which the set of
 116      * most-trusted CAs will be populated
 117      * @param targetConstraints a <code>CertSelector</code> specifying the
 118      * constraints on the target certificate
 119      * @throws KeyStoreException if <code>keystore</code> has not been
 120      * initialized
 121      * @throws InvalidAlgorithmParameterException if <code>keystore</code> does
 122      * not contain at least one trusted certificate entry
 123      * @throws NullPointerException if <code>keystore</code> is
 124      * <code>null</code>
 125      */
 126     public PKIXBuilderParameters(KeyStore keystore,
 127         CertSelector targetConstraints)
 128         throws KeyStoreException, InvalidAlgorithmParameterException
 129     {
 130         super(keystore);
 131         setTargetCertConstraints(targetConstraints);
 132     }
 133 
 134     /**
 135      * Sets the value of the maximum number of non-self-issued intermediate
 136      * certificates that may exist in a certification path. A certificate
 137      * is self-issued if the DNs that appear in the subject and issuer
 138      * fields are identical and are not empty. Note that the last certificate
 139      * in a certification path is not an intermediate certificate, and is not
 140      * included in this limit. Usually the last certificate is an end entity
 141      * certificate, but it can be a CA certificate. A PKIX
 142      * <code>CertPathBuilder</code> instance must not build
 143      * paths longer than the length specified.
 144      *
 145      * <p> A value of 0 implies that the path can only contain
 146      * a single certificate. A value of -1 implies that the
 147      * path length is unconstrained (i.e. there is no maximum).
 148      * The default maximum path length, if not specified, is 5.
 149      * Setting a value less than -1 will cause an exception to be thrown.
 150      *
 151      * <p> If any of the CA certificates contain the
 152      * <code>BasicConstraintsExtension</code>, the value of the
 153      * <code>pathLenConstraint</code> field of the extension overrides
 154      * the maximum path length parameter whenever the result is a
 155      * certification path of smaller length.
 156      *
 157      * @param maxPathLength the maximum number of non-self-issued intermediate
 158      *  certificates that may exist in a certification path
 159      * @throws InvalidParameterException if <code>maxPathLength</code> is set
 160      *  to a value less than -1
 161      *
 162      * @see #getMaxPathLength
 163      */
 164     public void setMaxPathLength(int maxPathLength) {
 165         if (maxPathLength < -1) {
 166             throw new InvalidParameterException("the maximum path "
 167                 + "length parameter can not be less than -1");
 168         }
 169         this.maxPathLength = maxPathLength;
 170     }
 171 
 172     /**
 173      * Returns the value of the maximum number of intermediate non-self-issued
 174      * certificates that may exist in a certification path. See
 175      * the {@link #setMaxPathLength} method for more details.
 176      *
 177      * @return the maximum number of non-self-issued intermediate certificates
 178      *  that may exist in a certification path, or -1 if there is no limit
 179      *
 180      * @see #setMaxPathLength
 181      */
 182     public int getMaxPathLength() {
 183         return maxPathLength;
 184     }
 185 
 186     /**
 187      * Returns a formatted string describing the parameters.
 188      *
 189      * @return a formatted string describing the parameters
 190      */
 191     public String toString() {
 192         StringBuffer sb = new StringBuffer();
 193         sb.append("[\n");
 194         sb.append(super.toString());
 195         sb.append("  Maximum Path Length: " + maxPathLength + "\n");
 196         sb.append("]\n");
 197         return sb.toString();
 198     }
 199 }