1 /*
   2  * Copyright (c) 2000, 2009, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.  Oracle designates this
   8  * particular file as subject to the "Classpath" exception as provided
   9  * by Oracle in the LICENSE file that accompanied this code.
  10  *
  11  * This code is distributed in the hope that it will be useful, but WITHOUT
  12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  14  * version 2 for more details (a copy is included in the LICENSE file that
  15  * accompanied this code).
  16  *
  17  * You should have received a copy of the GNU General Public License version
  18  * 2 along with this work; if not, write to the Free Software Foundation,
  19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20  *
  21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22  * or visit www.oracle.com if you need additional information or have any
  23  * questions.
  24  */
  25 
  26 package java.security.cert;
  27 
  28 import java.security.InvalidAlgorithmParameterException;
  29 import java.security.KeyStore;
  30 import java.security.KeyStoreException;
  31 import java.util.ArrayList;
  32 import java.util.Collections;
  33 import java.util.Date;
  34 import java.util.Enumeration;
  35 import java.util.HashSet;
  36 import java.util.Iterator;
  37 import java.util.List;
  38 import java.util.Set;
  39 
  40 /**
  41  * Parameters used as input for the PKIX <code>CertPathValidator</code>
  42  * algorithm.
  43  * <p>
  44  * A PKIX <code>CertPathValidator</code> uses these parameters to
  45  * validate a <code>CertPath</code> according to the PKIX certification path
  46  * validation algorithm.
  47  *
  48  * <p>To instantiate a <code>PKIXParameters</code> object, an
  49  * application must specify one or more <i>most-trusted CAs</i> as defined by
  50  * the PKIX certification path validation algorithm. The most-trusted CAs
  51  * can be specified using one of two constructors. An application
  52  * can call {@link #PKIXParameters(Set) PKIXParameters(Set)},
  53  * specifying a <code>Set</code> of <code>TrustAnchor</code> objects, each
  54  * of which identify a most-trusted CA. Alternatively, an application can call
  55  * {@link #PKIXParameters(KeyStore) PKIXParameters(KeyStore)}, specifying a
  56  * <code>KeyStore</code> instance containing trusted certificate entries, each
  57  * of which will be considered as a most-trusted CA.
  58  * <p>
  59  * Once a <code>PKIXParameters</code> object has been created, other parameters
  60  * can be specified (by calling {@link #setInitialPolicies setInitialPolicies}
  61  * or {@link #setDate setDate}, for instance) and then the
  62  * <code>PKIXParameters</code> is passed along with the <code>CertPath</code>
  63  * to be validated to {@link CertPathValidator#validate
  64  * CertPathValidator.validate}.
  65  * <p>
  66  * Any parameter that is not set (or is set to <code>null</code>) will
  67  * be set to the default value for that parameter. The default value for the
  68  * <code>date</code> parameter is <code>null</code>, which indicates
  69  * the current time when the path is validated. The default for the
  70  * remaining parameters is the least constrained.
  71  * <p>
  72  * <b>Concurrent Access</b>
  73  * <p>
  74  * Unless otherwise specified, the methods defined in this class are not
  75  * thread-safe. Multiple threads that need to access a single
  76  * object concurrently should synchronize amongst themselves and
  77  * provide the necessary locking. Multiple threads each manipulating
  78  * separate objects need not synchronize.
  79  *
  80  * @see CertPathValidator
  81  *
  82  * @since       1.4
  83  * @author      Sean Mullan
  84  * @author      Yassir Elley
  85  */
  86 public class PKIXParameters implements CertPathParameters {
  87 
  88     private Set<TrustAnchor> unmodTrustAnchors;
  89     private Date date;
  90     private List<PKIXCertPathChecker> certPathCheckers;
  91     private String sigProvider;
  92     private boolean revocationEnabled = true;
  93     private Set<String> unmodInitialPolicies;
  94     private boolean explicitPolicyRequired = false;
  95     private boolean policyMappingInhibited = false;
  96     private boolean anyPolicyInhibited = false;
  97     private boolean policyQualifiersRejected = true;
  98     private List<CertStore> certStores;
  99     private CertSelector certSelector;
 100 
 101     /**
 102      * Creates an instance of <code>PKIXParameters</code> with the specified
 103      * <code>Set</code> of most-trusted CAs. Each element of the
 104      * set is a {@link TrustAnchor TrustAnchor}.
 105      * <p>
 106      * Note that the <code>Set</code> is copied to protect against
 107      * subsequent modifications.
 108      *
 109      * @param trustAnchors a <code>Set</code> of <code>TrustAnchor</code>s
 110      * @throws InvalidAlgorithmParameterException if the specified
 111      * <code>Set</code> is empty <code>(trustAnchors.isEmpty() == true)</code>
 112      * @throws NullPointerException if the specified <code>Set</code> is
 113      * <code>null</code>
 114      * @throws ClassCastException if any of the elements in the <code>Set</code>
 115      * are not of type <code>java.security.cert.TrustAnchor</code>
 116      */
 117     public PKIXParameters(Set<TrustAnchor> trustAnchors)
 118         throws InvalidAlgorithmParameterException
 119     {
 120         setTrustAnchors(trustAnchors);
 121 
 122         this.unmodInitialPolicies = Collections.<String>emptySet();
 123         this.certPathCheckers = new ArrayList<PKIXCertPathChecker>();
 124         this.certStores = new ArrayList<CertStore>();
 125     }
 126 
 127     /**
 128      * Creates an instance of <code>PKIXParameters</code> that
 129      * populates the set of most-trusted CAs from the trusted
 130      * certificate entries contained in the specified <code>KeyStore</code>.
 131      * Only keystore entries that contain trusted <code>X509Certificates</code>
 132      * are considered; all other certificate types are ignored.
 133      *
 134      * @param keystore a <code>KeyStore</code> from which the set of
 135      * most-trusted CAs will be populated
 136      * @throws KeyStoreException if the keystore has not been initialized
 137      * @throws InvalidAlgorithmParameterException if the keystore does
 138      * not contain at least one trusted certificate entry
 139      * @throws NullPointerException if the keystore is <code>null</code>
 140      */
 141     public PKIXParameters(KeyStore keystore)
 142         throws KeyStoreException, InvalidAlgorithmParameterException
 143     {
 144         if (keystore == null)
 145             throw new NullPointerException("the keystore parameter must be " +
 146                 "non-null");
 147         Set<TrustAnchor> hashSet = new HashSet<TrustAnchor>();
 148         Enumeration<String> aliases = keystore.aliases();
 149         while (aliases.hasMoreElements()) {
 150             String alias = aliases.nextElement();
 151             if (keystore.isCertificateEntry(alias)) {
 152                 Certificate cert = keystore.getCertificate(alias);
 153                 if (cert instanceof X509Certificate)
 154                     hashSet.add(new TrustAnchor((X509Certificate)cert, null));
 155             }
 156         }
 157         setTrustAnchors(hashSet);
 158         this.unmodInitialPolicies = Collections.<String>emptySet();
 159         this.certPathCheckers = new ArrayList<PKIXCertPathChecker>();
 160         this.certStores = new ArrayList<CertStore>();
 161     }
 162 
 163     /**
 164      * Returns an immutable <code>Set</code> of the most-trusted
 165      * CAs.
 166      *
 167      * @return an immutable <code>Set</code> of <code>TrustAnchor</code>s
 168      * (never <code>null</code>)
 169      *
 170      * @see #setTrustAnchors
 171      */
 172     public Set<TrustAnchor> getTrustAnchors() {
 173         return this.unmodTrustAnchors;
 174     }
 175 
 176     /**
 177      * Sets the <code>Set</code> of most-trusted CAs.
 178      * <p>
 179      * Note that the <code>Set</code> is copied to protect against
 180      * subsequent modifications.
 181      *
 182      * @param trustAnchors a <code>Set</code> of <code>TrustAnchor</code>s
 183      * @throws InvalidAlgorithmParameterException if the specified
 184      * <code>Set</code> is empty <code>(trustAnchors.isEmpty() == true)</code>
 185      * @throws NullPointerException if the specified <code>Set</code> is
 186      * <code>null</code>
 187      * @throws ClassCastException if any of the elements in the set
 188      * are not of type <code>java.security.cert.TrustAnchor</code>
 189      *
 190      * @see #getTrustAnchors
 191      */
 192     public void setTrustAnchors(Set<TrustAnchor> trustAnchors)
 193         throws InvalidAlgorithmParameterException
 194     {
 195         if (trustAnchors == null) {
 196             throw new NullPointerException("the trustAnchors parameters must" +
 197                 " be non-null");
 198         }
 199         if (trustAnchors.isEmpty()) {
 200             throw new InvalidAlgorithmParameterException("the trustAnchors " +
 201                 "parameter must be non-empty");
 202         }
 203         for (Iterator<TrustAnchor> i = trustAnchors.iterator(); i.hasNext(); ) {
 204             if (!(i.next() instanceof TrustAnchor)) {
 205                 throw new ClassCastException("all elements of set must be "
 206                     + "of type java.security.cert.TrustAnchor");
 207             }
 208         }
 209         this.unmodTrustAnchors = Collections.unmodifiableSet
 210                 (new HashSet<TrustAnchor>(trustAnchors));
 211     }
 212 
 213     /**
 214      * Returns an immutable <code>Set</code> of initial
 215      * policy identifiers (OID strings), indicating that any one of these
 216      * policies would be acceptable to the certificate user for the purposes of
 217      * certification path processing. The default return value is an empty
 218      * <code>Set</code>, which is interpreted as meaning that any policy would
 219      * be acceptable.
 220      *
 221      * @return an immutable <code>Set</code> of initial policy OIDs in
 222      * <code>String</code> format, or an empty <code>Set</code> (implying any
 223      * policy is acceptable). Never returns <code>null</code>.
 224      *
 225      * @see #setInitialPolicies
 226      */
 227     public Set<String> getInitialPolicies() {
 228         return this.unmodInitialPolicies;
 229     }
 230 
 231     /**
 232      * Sets the <code>Set</code> of initial policy identifiers
 233      * (OID strings), indicating that any one of these
 234      * policies would be acceptable to the certificate user for the purposes of
 235      * certification path processing. By default, any policy is acceptable
 236      * (i.e. all policies), so a user that wants to allow any policy as
 237      * acceptable does not need to call this method, or can call it
 238      * with an empty <code>Set</code> (or <code>null</code>).
 239      * <p>
 240      * Note that the <code>Set</code> is copied to protect against
 241      * subsequent modifications.
 242      *
 243      * @param initialPolicies a <code>Set</code> of initial policy
 244      * OIDs in <code>String</code> format (or <code>null</code>)
 245      * @throws ClassCastException if any of the elements in the set are
 246      * not of type <code>String</code>
 247      *
 248      * @see #getInitialPolicies
 249      */
 250     public void setInitialPolicies(Set<String> initialPolicies) {
 251         if (initialPolicies != null) {
 252             for (Iterator<String> i = initialPolicies.iterator();
 253                         i.hasNext();) {
 254                 if (!(i.next() instanceof String))
 255                     throw new ClassCastException("all elements of set must be "
 256                         + "of type java.lang.String");
 257             }
 258             this.unmodInitialPolicies =
 259                 Collections.unmodifiableSet(new HashSet<String>(initialPolicies));
 260         } else
 261             this.unmodInitialPolicies = Collections.<String>emptySet();
 262     }
 263 
 264     /**
 265      * Sets the list of <code>CertStore</code>s to be used in finding
 266      * certificates and CRLs. May be <code>null</code>, in which case
 267      * no <code>CertStore</code>s will be used. The first
 268      * <code>CertStore</code>s in the list may be preferred to those that
 269      * appear later.
 270      * <p>
 271      * Note that the <code>List</code> is copied to protect against
 272      * subsequent modifications.
 273      *
 274      * @param stores a <code>List</code> of <code>CertStore</code>s (or
 275      * <code>null</code>)
 276      * @throws ClassCastException if any of the elements in the list are
 277      * not of type <code>java.security.cert.CertStore</code>
 278      *
 279      * @see #getCertStores
 280      */
 281     public void setCertStores(List<CertStore> stores) {
 282         if (stores == null) {
 283             this.certStores = new ArrayList<CertStore>();
 284         } else {
 285             for (Iterator<CertStore> i = stores.iterator(); i.hasNext();) {
 286                 if (!(i.next() instanceof CertStore)) {
 287                     throw new ClassCastException("all elements of list must be "
 288                         + "of type java.security.cert.CertStore");
 289                 }
 290             }
 291             this.certStores = new ArrayList<CertStore>(stores);
 292         }
 293     }
 294 
 295     /**
 296      * Adds a <code>CertStore</code> to the end of the list of
 297      * <code>CertStore</code>s used in finding certificates and CRLs.
 298      *
 299      * @param store the <code>CertStore</code> to add. If <code>null</code>,
 300      * the store is ignored (not added to list).
 301      */
 302     public void addCertStore(CertStore store) {
 303         if (store != null) {
 304             this.certStores.add(store);
 305         }
 306     }
 307 
 308     /**
 309      * Returns an immutable <code>List</code> of <code>CertStore</code>s that
 310      * are used to find certificates and CRLs.
 311      *
 312      * @return an immutable <code>List</code> of <code>CertStore</code>s
 313      * (may be empty, but never <code>null</code>)
 314      *
 315      * @see #setCertStores
 316      */
 317     public List<CertStore> getCertStores() {
 318         return Collections.unmodifiableList
 319                 (new ArrayList<CertStore>(this.certStores));
 320     }
 321 
 322     /**
 323      * Sets the RevocationEnabled flag. If this flag is true, the default
 324      * revocation checking mechanism of the underlying PKIX service provider
 325      * will be used. If this flag is false, the default revocation checking
 326      * mechanism will be disabled (not used).
 327      * <p>
 328      * When a <code>PKIXParameters</code> object is created, this flag is set
 329      * to true. This setting reflects the most common strategy for checking
 330      * revocation, since each service provider must support revocation
 331      * checking to be PKIX compliant. Sophisticated applications should set
 332      * this flag to false when it is not practical to use a PKIX service
 333      * provider's default revocation checking mechanism or when an alternative
 334      * revocation checking mechanism is to be substituted (by also calling the
 335      * {@link #addCertPathChecker addCertPathChecker} or {@link
 336      * #setCertPathCheckers setCertPathCheckers} methods).
 337      *
 338      * @param val the new value of the RevocationEnabled flag
 339      */
 340     public void setRevocationEnabled(boolean val) {
 341         revocationEnabled = val;
 342     }
 343 
 344     /**
 345      * Checks the RevocationEnabled flag. If this flag is true, the default
 346      * revocation checking mechanism of the underlying PKIX service provider
 347      * will be used. If this flag is false, the default revocation checking
 348      * mechanism will be disabled (not used). See the {@link
 349      * #setRevocationEnabled setRevocationEnabled} method for more details on
 350      * setting the value of this flag.
 351      *
 352      * @return the current value of the RevocationEnabled flag
 353      */
 354     public boolean isRevocationEnabled() {
 355         return revocationEnabled;
 356     }
 357 
 358     /**
 359      * Sets the ExplicitPolicyRequired flag. If this flag is true, an
 360      * acceptable policy needs to be explicitly identified in every certificate.
 361      * By default, the ExplicitPolicyRequired flag is false.
 362      *
 363      * @param val <code>true</code> if explicit policy is to be required,
 364      * <code>false</code> otherwise
 365      */
 366     public void setExplicitPolicyRequired(boolean val) {
 367         explicitPolicyRequired = val;
 368     }
 369 
 370     /**
 371      * Checks if explicit policy is required. If this flag is true, an
 372      * acceptable policy needs to be explicitly identified in every certificate.
 373      * By default, the ExplicitPolicyRequired flag is false.
 374      *
 375      * @return <code>true</code> if explicit policy is required,
 376      * <code>false</code> otherwise
 377      */
 378     public boolean isExplicitPolicyRequired() {
 379         return explicitPolicyRequired;
 380     }
 381 
 382     /**
 383      * Sets the PolicyMappingInhibited flag. If this flag is true, policy
 384      * mapping is inhibited. By default, policy mapping is not inhibited (the
 385      * flag is false).
 386      *
 387      * @param val <code>true</code> if policy mapping is to be inhibited,
 388      * <code>false</code> otherwise
 389      */
 390     public void setPolicyMappingInhibited(boolean val) {
 391         policyMappingInhibited = val;
 392     }
 393 
 394     /**
 395      * Checks if policy mapping is inhibited. If this flag is true, policy
 396      * mapping is inhibited. By default, policy mapping is not inhibited (the
 397      * flag is false).
 398      *
 399      * @return true if policy mapping is inhibited, false otherwise
 400      */
 401     public boolean isPolicyMappingInhibited() {
 402         return policyMappingInhibited;
 403     }
 404 
 405     /**
 406      * Sets state to determine if the any policy OID should be processed
 407      * if it is included in a certificate. By default, the any policy OID
 408      * is not inhibited ({@link #isAnyPolicyInhibited isAnyPolicyInhibited()}
 409      * returns <code>false</code>).
 410      *
 411      * @param val <code>true</code> if the any policy OID is to be
 412      * inhibited, <code>false</code> otherwise
 413      */
 414     public void setAnyPolicyInhibited(boolean val) {
 415         anyPolicyInhibited = val;
 416     }
 417 
 418     /**
 419      * Checks whether the any policy OID should be processed if it
 420      * is included in a certificate.
 421      *
 422      * @return <code>true</code> if the any policy OID is inhibited,
 423      * <code>false</code> otherwise
 424      */
 425     public boolean isAnyPolicyInhibited() {
 426         return anyPolicyInhibited;
 427     }
 428 
 429     /**
 430      * Sets the PolicyQualifiersRejected flag. If this flag is true,
 431      * certificates that include policy qualifiers in a certificate
 432      * policies extension that is marked critical are rejected.
 433      * If the flag is false, certificates are not rejected on this basis.
 434      *
 435      * <p> When a <code>PKIXParameters</code> object is created, this flag is
 436      * set to true. This setting reflects the most common (and simplest)
 437      * strategy for processing policy qualifiers. Applications that want to use
 438      * a more sophisticated policy must set this flag to false.
 439      * <p>
 440      * Note that the PKIX certification path validation algorithm specifies
 441      * that any policy qualifier in a certificate policies extension that is
 442      * marked critical must be processed and validated. Otherwise the
 443      * certification path must be rejected. If the policyQualifiersRejected flag
 444      * is set to false, it is up to the application to validate all policy
 445      * qualifiers in this manner in order to be PKIX compliant.
 446      *
 447      * @param qualifiersRejected the new value of the PolicyQualifiersRejected
 448      * flag
 449      * @see #getPolicyQualifiersRejected
 450      * @see PolicyQualifierInfo
 451      */
 452     public void setPolicyQualifiersRejected(boolean qualifiersRejected) {
 453         policyQualifiersRejected = qualifiersRejected;
 454     }
 455 
 456     /**
 457      * Gets the PolicyQualifiersRejected flag. If this flag is true,
 458      * certificates that include policy qualifiers in a certificate policies
 459      * extension that is marked critical are rejected.
 460      * If the flag is false, certificates are not rejected on this basis.
 461      *
 462      * <p> When a <code>PKIXParameters</code> object is created, this flag is
 463      * set to true. This setting reflects the most common (and simplest)
 464      * strategy for processing policy qualifiers. Applications that want to use
 465      * a more sophisticated policy must set this flag to false.
 466      *
 467      * @return the current value of the PolicyQualifiersRejected flag
 468      * @see #setPolicyQualifiersRejected
 469      */
 470     public boolean getPolicyQualifiersRejected() {
 471         return policyQualifiersRejected;
 472     }
 473 
 474     /**
 475      * Returns the time for which the validity of the certification path
 476      * should be determined. If <code>null</code>, the current time is used.
 477      * <p>
 478      * Note that the <code>Date</code> returned is copied to protect against
 479      * subsequent modifications.
 480      *
 481      * @return the <code>Date</code>, or <code>null</code> if not set
 482      * @see #setDate
 483      */
 484     public Date getDate() {
 485         if (date == null)
 486             return null;
 487         else
 488             return (Date) this.date.clone();
 489     }
 490 
 491     /**
 492      * Sets the time for which the validity of the certification path
 493      * should be determined. If <code>null</code>, the current time is used.
 494      * <p>
 495      * Note that the <code>Date</code> supplied here is copied to protect
 496      * against subsequent modifications.
 497      *
 498      * @param date the <code>Date</code>, or <code>null</code> for the
 499      * current time
 500      * @see #getDate
 501      */
 502     public void setDate(Date date) {
 503         if (date != null)
 504             this.date = (Date) date.clone();
 505         else
 506             date = null;
 507     }
 508 
 509     /**
 510      * Sets a <code>List</code> of additional certification path checkers. If
 511      * the specified <code>List</code> contains an object that is not a
 512      * <code>PKIXCertPathChecker</code>, it is ignored.
 513      * <p>
 514      * Each <code>PKIXCertPathChecker</code> specified implements
 515      * additional checks on a certificate. Typically, these are checks to
 516      * process and verify private extensions contained in certificates.
 517      * Each <code>PKIXCertPathChecker</code> should be instantiated with any
 518      * initialization parameters needed to execute the check.
 519      * <p>
 520      * This method allows sophisticated applications to extend a PKIX
 521      * <code>CertPathValidator</code> or <code>CertPathBuilder</code>.
 522      * Each of the specified <code>PKIXCertPathChecker</code>s will be called,
 523      * in turn, by a PKIX <code>CertPathValidator</code> or
 524      * <code>CertPathBuilder</code> for each certificate processed or
 525      * validated.
 526      * <p>
 527      * Regardless of whether these additional <code>PKIXCertPathChecker</code>s
 528      * are set, a PKIX <code>CertPathValidator</code> or
 529      * <code>CertPathBuilder</code> must perform all of the required PKIX
 530      * checks on each certificate. The one exception to this rule is if the
 531      * RevocationEnabled flag is set to false (see the {@link
 532      * #setRevocationEnabled setRevocationEnabled} method).
 533      * <p>
 534      * Note that the <code>List</code> supplied here is copied and each
 535      * <code>PKIXCertPathChecker</code> in the list is cloned to protect
 536      * against subsequent modifications.
 537      *
 538      * @param checkers a <code>List</code> of <code>PKIXCertPathChecker</code>s.
 539      * May be <code>null</code>, in which case no additional checkers will be
 540      * used.
 541      * @throws ClassCastException if any of the elements in the list
 542      * are not of type <code>java.security.cert.PKIXCertPathChecker</code>
 543      * @see #getCertPathCheckers
 544      */
 545     public void setCertPathCheckers(List<PKIXCertPathChecker> checkers) {
 546         if (checkers != null) {
 547             List<PKIXCertPathChecker> tmpList =
 548                         new ArrayList<PKIXCertPathChecker>();
 549             for (PKIXCertPathChecker checker : checkers) {
 550                 tmpList.add((PKIXCertPathChecker)checker.clone());
 551             }
 552             this.certPathCheckers = tmpList;
 553         } else {
 554             this.certPathCheckers = new ArrayList<PKIXCertPathChecker>();
 555         }
 556     }
 557 
 558     /**
 559      * Returns the <code>List</code> of certification path checkers.
 560      * The returned <code>List</code> is immutable, and each
 561      * <code>PKIXCertPathChecker</code> in the <code>List</code> is cloned
 562      * to protect against subsequent modifications.
 563      *
 564      * @return an immutable <code>List</code> of
 565      * <code>PKIXCertPathChecker</code>s (may be empty, but not
 566      * <code>null</code>)
 567      * @see #setCertPathCheckers
 568      */
 569     public List<PKIXCertPathChecker> getCertPathCheckers() {
 570         List<PKIXCertPathChecker> tmpList = new ArrayList<PKIXCertPathChecker>();
 571         for (PKIXCertPathChecker ck : certPathCheckers) {
 572             tmpList.add((PKIXCertPathChecker)ck.clone());
 573         }
 574         return Collections.unmodifiableList(tmpList);
 575     }
 576 
 577     /**
 578      * Adds a <code>PKIXCertPathChecker</code> to the list of certification
 579      * path checkers. See the {@link #setCertPathCheckers setCertPathCheckers}
 580      * method for more details.
 581      * <p>
 582      * Note that the <code>PKIXCertPathChecker</code> is cloned to protect
 583      * against subsequent modifications.
 584      *
 585      * @param checker a <code>PKIXCertPathChecker</code> to add to the list of
 586      * checks. If <code>null</code>, the checker is ignored (not added to list).
 587      */
 588     public void addCertPathChecker(PKIXCertPathChecker checker) {
 589         if (checker != null) {
 590             certPathCheckers.add((PKIXCertPathChecker)checker.clone());
 591         }
 592     }
 593 
 594     /**
 595      * Returns the signature provider's name, or <code>null</code>
 596      * if not set.
 597      *
 598      * @return the signature provider's name (or <code>null</code>)
 599      * @see #setSigProvider
 600      */
 601     public String getSigProvider() {
 602         return this.sigProvider;
 603     }
 604 
 605     /**
 606      * Sets the signature provider's name. The specified provider will be
 607      * preferred when creating {@link java.security.Signature Signature}
 608      * objects. If <code>null</code> or not set, the first provider found
 609      * supporting the algorithm will be used.
 610      *
 611      * @param sigProvider the signature provider's name (or <code>null</code>)
 612      * @see #getSigProvider
 613     */
 614     public void setSigProvider(String sigProvider) {
 615         this.sigProvider = sigProvider;
 616     }
 617 
 618     /**
 619      * Returns the required constraints on the target certificate.
 620      * The constraints are returned as an instance of <code>CertSelector</code>.
 621      * If <code>null</code>, no constraints are defined.
 622      *
 623      * <p>Note that the <code>CertSelector</code> returned is cloned
 624      * to protect against subsequent modifications.
 625      *
 626      * @return a <code>CertSelector</code> specifying the constraints
 627      * on the target certificate (or <code>null</code>)
 628      * @see #setTargetCertConstraints
 629      */
 630     public CertSelector getTargetCertConstraints() {
 631         if (certSelector != null) {
 632             return (CertSelector) certSelector.clone();
 633         } else {
 634             return null;
 635         }
 636     }
 637 
 638     /**
 639      * Sets the required constraints on the target certificate.
 640      * The constraints are specified as an instance of
 641      * <code>CertSelector</code>. If <code>null</code>, no constraints are
 642      * defined.
 643      *
 644      * <p>Note that the <code>CertSelector</code> specified is cloned
 645      * to protect against subsequent modifications.
 646      *
 647      * @param selector a <code>CertSelector</code> specifying the constraints
 648      * on the target certificate (or <code>null</code>)
 649      * @see #getTargetCertConstraints
 650      */
 651     public void setTargetCertConstraints(CertSelector selector) {
 652         if (selector != null)
 653             certSelector = (CertSelector) selector.clone();
 654         else
 655             certSelector = null;
 656     }
 657 
 658     /**
 659      * Makes a copy of this <code>PKIXParameters</code> object. Changes
 660      * to the copy will not affect the original and vice versa.
 661      *
 662      * @return a copy of this <code>PKIXParameters</code> object
 663      */
 664     public Object clone() {
 665         try {
 666             PKIXParameters copy = (PKIXParameters)super.clone();
 667 
 668             // must clone these because addCertStore, et al. modify them
 669             if (certStores != null) {
 670                 copy.certStores = new ArrayList<CertStore>(certStores);
 671             }
 672             if (certPathCheckers != null) {
 673                 copy.certPathCheckers =
 674                     new ArrayList<PKIXCertPathChecker>(certPathCheckers.size());
 675                 for (PKIXCertPathChecker checker : certPathCheckers) {
 676                     copy.certPathCheckers.add(
 677                                     (PKIXCertPathChecker)checker.clone());
 678                 }
 679             }
 680 
 681             // other class fields are immutable to public, don't bother
 682             // to clone the read-only fields.
 683             return copy;
 684         } catch (CloneNotSupportedException e) {
 685             /* Cannot happen */
 686             throw new InternalError(e.toString());
 687         }
 688     }
 689 
 690     /**
 691      * Returns a formatted string describing the parameters.
 692      *
 693      * @return a formatted string describing the parameters.
 694      */
 695     public String toString() {
 696         StringBuffer sb = new StringBuffer();
 697         sb.append("[\n");
 698 
 699         /* start with trusted anchor info */
 700         if (unmodTrustAnchors != null) {
 701             sb.append("  Trust Anchors: " + unmodTrustAnchors.toString()
 702                 + "\n");
 703         }
 704 
 705         /* now, append initial state information */
 706         if (unmodInitialPolicies != null) {
 707             if (unmodInitialPolicies.isEmpty()) {
 708                 sb.append("  Initial Policy OIDs: any\n");
 709             } else {
 710                 sb.append("  Initial Policy OIDs: ["
 711                     + unmodInitialPolicies.toString() + "]\n");
 712             }
 713         }
 714 
 715         /* now, append constraints on all certificates in the path */
 716         sb.append("  Validity Date: " + String.valueOf(date) + "\n");
 717         sb.append("  Signature Provider: " + String.valueOf(sigProvider) + "\n");
 718         sb.append("  Default Revocation Enabled: " + revocationEnabled + "\n");
 719         sb.append("  Explicit Policy Required: " + explicitPolicyRequired + "\n");
 720         sb.append("  Policy Mapping Inhibited: " + policyMappingInhibited + "\n");
 721         sb.append("  Any Policy Inhibited: " + anyPolicyInhibited + "\n");
 722         sb.append("  Policy Qualifiers Rejected: " + policyQualifiersRejected + "\n");
 723 
 724         /* now, append target cert requirements */
 725         sb.append("  Target Cert Constraints: " + String.valueOf(certSelector) + "\n");
 726 
 727         /* finally, append miscellaneous parameters */
 728         if (certPathCheckers != null)
 729             sb.append("  Certification Path Checkers: ["
 730                 + certPathCheckers.toString() + "]\n");
 731         if (certStores != null)
 732             sb.append("  CertStores: [" + certStores.toString() + "]\n");
 733         sb.append("]");
 734         return sb.toString();
 735     }
 736 }