Java tutorial
package org.bouncycastle.jcajce; import java.security.cert.CertPathParameters; import java.security.cert.CertSelector; import java.security.cert.CertStore; import java.security.cert.PKIXParameters; import java.security.cert.TrustAnchor; import java.util.ArrayList; import java.util.Collections; import java.util.Date; import java.util.HashMap; import java.util.List; import java.util.Map; import java.util.Set; import org.bouncycastle.asn1.x509.GeneralName; /** * This class extends the PKIXParameters with a validity model parameter. */ public class PKIXExtendedParameters implements CertPathParameters { /** * This is the default PKIX validity model. Actually there are two variants * of this: The PKIX model and the modified PKIX model. The PKIX model * verifies that all involved certificates must have been valid at the * current time. The modified PKIX model verifies that all involved * certificates were valid at the signing time. Both are indirectly choosen * with the {@link PKIXParameters#setDate(Date)} method, so this * methods sets the Date when <em>all</em> certificates must have been * valid. */ public static final int PKIX_VALIDITY_MODEL = 0; /** * This model uses the following validity model. Each certificate must have * been valid at the moment where is was used. That means the end * certificate must have been valid at the time the signature was done. The * CA certificate which signed the end certificate must have been valid, * when the end certificate was signed. The CA (or Root CA) certificate must * have been valid, when the CA certificate was signed and so on. So the * {@link PKIXParameters#setDate(Date)} method sets the time, when * the <em>end certificate</em> must have been valid. It is used e.g. * in the German signature law. */ public static final int CHAIN_VALIDITY_MODEL = 1; /** * Builder for a PKIXExtendedParameters object. */ public static class Builder { private final PKIXParameters baseParameters; private final Date date; private PKIXCertStoreSelector targetConstraints; private List<PKIXCertStore> extraCertStores = new ArrayList<PKIXCertStore>(); private Map<GeneralName, PKIXCertStore> namedCertificateStoreMap = new HashMap<GeneralName, PKIXCertStore>(); private List<PKIXCRLStore> extraCRLStores = new ArrayList<PKIXCRLStore>(); private Map<GeneralName, PKIXCRLStore> namedCRLStoreMap = new HashMap<GeneralName, PKIXCRLStore>(); private boolean revocationEnabled; private int validityModel = PKIX_VALIDITY_MODEL; private boolean useDeltas = false; private Set<TrustAnchor> trustAnchors; public Builder(PKIXParameters baseParameters) { this.baseParameters = (PKIXParameters) baseParameters.clone(); CertSelector constraints = baseParameters.getTargetCertConstraints(); if (constraints != null) { this.targetConstraints = new PKIXCertStoreSelector.Builder(constraints).build(); } Date checkDate = baseParameters.getDate(); this.date = (checkDate == null) ? new Date() : checkDate; this.revocationEnabled = baseParameters.isRevocationEnabled(); this.trustAnchors = baseParameters.getTrustAnchors(); } public Builder(PKIXExtendedParameters baseParameters) { this.baseParameters = baseParameters.baseParameters; this.date = baseParameters.date; this.targetConstraints = baseParameters.targetConstraints; this.extraCertStores = new ArrayList<PKIXCertStore>(baseParameters.extraCertStores); this.namedCertificateStoreMap = new HashMap<GeneralName, PKIXCertStore>( baseParameters.namedCertificateStoreMap); this.extraCRLStores = new ArrayList<PKIXCRLStore>(baseParameters.extraCRLStores); this.namedCRLStoreMap = new HashMap<GeneralName, PKIXCRLStore>(baseParameters.namedCRLStoreMap); this.useDeltas = baseParameters.useDeltas; this.validityModel = baseParameters.validityModel; this.revocationEnabled = baseParameters.isRevocationEnabled(); this.trustAnchors = baseParameters.getTrustAnchors(); } public Builder addCertificateStore(PKIXCertStore store) { extraCertStores.add(store); return this; } public Builder addNamedCertificateStore(GeneralName issuerAltName, PKIXCertStore store) { namedCertificateStoreMap.put(issuerAltName, store); return this; } public Builder addCRLStore(PKIXCRLStore store) { extraCRLStores.add(store); return this; } public Builder addNamedCRLStore(GeneralName issuerAltName, PKIXCRLStore store) { namedCRLStoreMap.put(issuerAltName, store); return this; } public Builder setTargetConstraints(PKIXCertStoreSelector selector) { targetConstraints = selector; return this; } /** * Sets if delta CRLs should be used for checking the revocation status. * * @param useDeltas <code>true</code> if delta CRLs should be used. */ public Builder setUseDeltasEnabled(boolean useDeltas) { this.useDeltas = useDeltas; return this; } /** * @param validityModel The validity model to set. * @see #CHAIN_VALIDITY_MODEL * @see #PKIX_VALIDITY_MODEL */ public Builder setValidityModel(int validityModel) { this.validityModel = validityModel; return this; } /** * Set the trustAnchor to be used with these parameters. * * @param trustAnchor the trust anchor end-entity and CRLs must be based on. * @return the current builder. */ public Builder setTrustAnchor(TrustAnchor trustAnchor) { this.trustAnchors = Collections.singleton(trustAnchor); return this; } /** * Set the set of trustAnchors to be used with these parameters. * * @param trustAnchors a set of trustAnchors, one of which a particular end-entity and it's associated CRLs must be based on. * @return the current builder. */ public Builder setTrustAnchors(Set<TrustAnchor> trustAnchors) { this.trustAnchors = trustAnchors; return this; } /** * Flag whether or not revocation checking is to be enabled. * * @param revocationEnabled true if revocation checking to be enabled, false otherwise. */ public void setRevocationEnabled(boolean revocationEnabled) { this.revocationEnabled = revocationEnabled; } public PKIXExtendedParameters build() { return new PKIXExtendedParameters(this); } } private final PKIXParameters baseParameters; private final PKIXCertStoreSelector targetConstraints; private final Date date; private final List<PKIXCertStore> extraCertStores; private final Map<GeneralName, PKIXCertStore> namedCertificateStoreMap; private final List<PKIXCRLStore> extraCRLStores; private final Map<GeneralName, PKIXCRLStore> namedCRLStoreMap; private final boolean revocationEnabled; private final boolean useDeltas; private final int validityModel; private final Set<TrustAnchor> trustAnchors; private PKIXExtendedParameters(Builder builder) { this.baseParameters = builder.baseParameters; this.date = builder.date; this.extraCertStores = Collections.unmodifiableList(builder.extraCertStores); this.namedCertificateStoreMap = Collections .unmodifiableMap(new HashMap<GeneralName, PKIXCertStore>(builder.namedCertificateStoreMap)); this.extraCRLStores = Collections.unmodifiableList(builder.extraCRLStores); this.namedCRLStoreMap = Collections .unmodifiableMap(new HashMap<GeneralName, PKIXCRLStore>(builder.namedCRLStoreMap)); this.targetConstraints = builder.targetConstraints; this.revocationEnabled = builder.revocationEnabled; this.useDeltas = builder.useDeltas; this.validityModel = builder.validityModel; this.trustAnchors = Collections.unmodifiableSet(builder.trustAnchors); } public List<PKIXCertStore> getCertificateStores() { return extraCertStores; } public Map<GeneralName, PKIXCertStore> getNamedCertificateStoreMap() { return namedCertificateStoreMap; } public List<PKIXCRLStore> getCRLStores() { return extraCRLStores; } public Map<GeneralName, PKIXCRLStore> getNamedCRLStoreMap() { return namedCRLStoreMap; } public Date getDate() { return new Date(date.getTime()); } /** * Defaults to <code>false</code>. * * @return Returns if delta CRLs should be used. */ public boolean isUseDeltasEnabled() { return useDeltas; } /** * @return Returns the validity model. * @see #CHAIN_VALIDITY_MODEL * @see #PKIX_VALIDITY_MODEL */ public int getValidityModel() { return validityModel; } public Object clone() { return this; } /** * Returns the required constraints on the target certificate. * The constraints are returned as an instance of * <code>Selector</code>. If <code>null</code>, no constraints are * defined. * * @return a <code>Selector</code> specifying the constraints on the * target certificate or attribute certificate (or <code>null</code>) * @see PKIXCertStoreSelector */ public PKIXCertStoreSelector getTargetConstraints() { return targetConstraints; } public Set getTrustAnchors() { return trustAnchors; } public Set getInitialPolicies() { return baseParameters.getInitialPolicies(); } public String getSigProvider() { return baseParameters.getSigProvider(); } public boolean isExplicitPolicyRequired() { return baseParameters.isExplicitPolicyRequired(); } public boolean isAnyPolicyInhibited() { return baseParameters.isAnyPolicyInhibited(); } public boolean isPolicyMappingInhibited() { return baseParameters.isPolicyMappingInhibited(); } public List getCertPathCheckers() { return baseParameters.getCertPathCheckers(); } public List<CertStore> getCertStores() { return baseParameters.getCertStores(); } public boolean isRevocationEnabled() { return revocationEnabled; } public boolean getPolicyQualifiersRejected() { return baseParameters.getPolicyQualifiersRejected(); } }