View Javadoc
1   /*
2    * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
3    * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4    *
5    * This code is free software; you can redistribute it and/or modify it
6    * under the terms of the GNU General Public License version 2 only, as
7    * published by the Free Software Foundation.  Oracle designates this
8    * particular file as subject to the "Classpath" exception as provided
9    * by Oracle in the LICENSE file that accompanied this code.
10   *
11   * This code is distributed in the hope that it will be useful, but WITHOUT
12   * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13   * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
14   * version 2 for more details (a copy is included in the LICENSE file that
15   * accompanied this code).
16   *
17   * You should have received a copy of the GNU General Public License version
18   * 2 along with this work; if not, write to the Free Software Foundation,
19   * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20   *
21   * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22   * or visit www.oracle.com if you need additional information or have any
23   * questions.
24   */
25  
26  package java.security.cert;
27  
28  import java.security.InvalidAlgorithmParameterException;
29  import java.security.KeyStore;
30  import java.security.KeyStoreException;
31  import java.util.ArrayList;
32  import java.util.Collections;
33  import java.util.Date;
34  import java.util.Enumeration;
35  import java.util.HashSet;
36  import java.util.Iterator;
37  import java.util.List;
38  import java.util.Set;
39  
40  /**
41   * Parameters used as input for the PKIX {@code CertPathValidator}
42   * algorithm.
43   * <p>
44   * A PKIX {@code CertPathValidator} uses these parameters to
45   * validate a {@code CertPath} according to the PKIX certification path
46   * validation algorithm.
47   *
48   * <p>To instantiate a {@code PKIXParameters} object, an
49   * application must specify one or more <i>most-trusted CAs</i> as defined by
50   * the PKIX certification path validation algorithm. The most-trusted CAs
51   * can be specified using one of two constructors. An application
52   * can call {@link #PKIXParameters(Set) PKIXParameters(Set)},
53   * specifying a {@code Set} of {@code TrustAnchor} objects, each
54   * of which identify a most-trusted CA. Alternatively, an application can call
55   * {@link #PKIXParameters(KeyStore) PKIXParameters(KeyStore)}, specifying a
56   * {@code KeyStore} instance containing trusted certificate entries, each
57   * of which will be considered as a most-trusted CA.
58   * <p>
59   * Once a {@code PKIXParameters} object has been created, other parameters
60   * can be specified (by calling {@link #setInitialPolicies setInitialPolicies}
61   * or {@link #setDate setDate}, for instance) and then the
62   * {@code PKIXParameters} is passed along with the {@code CertPath}
63   * to be validated to {@link CertPathValidator#validate
64   * CertPathValidator.validate}.
65   * <p>
66   * Any parameter that is not set (or is set to {@code null}) will
67   * be set to the default value for that parameter. The default value for the
68   * {@code date} parameter is {@code null}, which indicates
69   * the current time when the path is validated. The default for the
70   * remaining parameters is the least constrained.
71   * <p>
72   * <b>Concurrent Access</b>
73   * <p>
74   * Unless otherwise specified, the methods defined in this class are not
75   * thread-safe. Multiple threads that need to access a single
76   * object concurrently should synchronize amongst themselves and
77   * provide the necessary locking. Multiple threads each manipulating
78   * separate objects need not synchronize.
79   *
80   * @see CertPathValidator
81   *
82   * @since       1.4
83   * @author      Sean Mullan
84   * @author      Yassir Elley
85   */
86  public class PKIXParameters implements CertPathParameters {
87  
88      private Set<TrustAnchor> unmodTrustAnchors;
89      private Date date;
90      private List<PKIXCertPathChecker> certPathCheckers;
91      private String sigProvider;
92      private boolean revocationEnabled = true;
93      private Set<String> unmodInitialPolicies;
94      private boolean explicitPolicyRequired = false;
95      private boolean policyMappingInhibited = false;
96      private boolean anyPolicyInhibited = false;
97      private boolean policyQualifiersRejected = true;
98      private List<CertStore> certStores;
99      private CertSelector certSelector;
100 
101     /**
102      * Creates an instance of {@code PKIXParameters} with the specified
103      * {@code Set} of most-trusted CAs. Each element of the
104      * set is a {@link TrustAnchor TrustAnchor}.
105      * <p>
106      * Note that the {@code Set} is copied to protect against
107      * subsequent modifications.
108      *
109      * @param trustAnchors a {@code Set} of {@code TrustAnchor}s
110      * @throws InvalidAlgorithmParameterException if the specified
111      * {@code Set} is empty {@code (trustAnchors.isEmpty() == true)}
112      * @throws NullPointerException if the specified {@code Set} is
113      * {@code null}
114      * @throws ClassCastException if any of the elements in the {@code Set}
115      * are not of type {@code java.security.cert.TrustAnchor}
116      */
117     public PKIXParameters(Set<TrustAnchor> trustAnchors)
118         throws InvalidAlgorithmParameterException
119     {
120         setTrustAnchors(trustAnchors);
121 
122         this.unmodInitialPolicies = Collections.<String>emptySet();
123         this.certPathCheckers = new ArrayList<PKIXCertPathChecker>();
124         this.certStores = new ArrayList<CertStore>();
125     }
126 
127     /**
128      * Creates an instance of {@code PKIXParameters} that
129      * populates the set of most-trusted CAs from the trusted
130      * certificate entries contained in the specified {@code KeyStore}.
131      * Only keystore entries that contain trusted {@code X509Certificates}
132      * are considered; all other certificate types are ignored.
133      *
134      * @param keystore a {@code KeyStore} from which the set of
135      * most-trusted CAs will be populated
136      * @throws KeyStoreException if the keystore has not been initialized
137      * @throws InvalidAlgorithmParameterException if the keystore does
138      * not contain at least one trusted certificate entry
139      * @throws NullPointerException if the keystore is {@code null}
140      */
141     public PKIXParameters(KeyStore keystore)
142         throws KeyStoreException, InvalidAlgorithmParameterException
143     {
144         if (keystore == null)
145             throw new NullPointerException("the keystore parameter must be " +
146                 "non-null");
147         Set<TrustAnchor> hashSet = new HashSet<TrustAnchor>();
148         Enumeration<String> aliases = keystore.aliases();
149         while (aliases.hasMoreElements()) {
150             String alias = aliases.nextElement();
151             if (keystore.isCertificateEntry(alias)) {
152                 Certificate cert = keystore.getCertificate(alias);
153                 if (cert instanceof X509Certificate)
154                     hashSet.add(new TrustAnchor((X509Certificate)cert, null));
155             }
156         }
157         setTrustAnchors(hashSet);
158         this.unmodInitialPolicies = Collections.<String>emptySet();
159         this.certPathCheckers = new ArrayList<PKIXCertPathChecker>();
160         this.certStores = new ArrayList<CertStore>();
161     }
162 
163     /**
164      * Returns an immutable {@code Set} of the most-trusted
165      * CAs.
166      *
167      * @return an immutable {@code Set} of {@code TrustAnchor}s
168      * (never {@code null})
169      *
170      * @see #setTrustAnchors
171      */
172     public Set<TrustAnchor> getTrustAnchors() {
173         return this.unmodTrustAnchors;
174     }
175 
176     /**
177      * Sets the {@code Set} of most-trusted CAs.
178      * <p>
179      * Note that the {@code Set} is copied to protect against
180      * subsequent modifications.
181      *
182      * @param trustAnchors a {@code Set} of {@code TrustAnchor}s
183      * @throws InvalidAlgorithmParameterException if the specified
184      * {@code Set} is empty {@code (trustAnchors.isEmpty() == true)}
185      * @throws NullPointerException if the specified {@code Set} is
186      * {@code null}
187      * @throws ClassCastException if any of the elements in the set
188      * are not of type {@code java.security.cert.TrustAnchor}
189      *
190      * @see #getTrustAnchors
191      */
192     public void setTrustAnchors(Set<TrustAnchor> trustAnchors)
193         throws InvalidAlgorithmParameterException
194     {
195         if (trustAnchors == null) {
196             throw new NullPointerException("the trustAnchors parameters must" +
197                 " be non-null");
198         }
199         if (trustAnchors.isEmpty()) {
200             throw new InvalidAlgorithmParameterException("the trustAnchors " +
201                 "parameter must be non-empty");
202         }
203         for (Iterator<TrustAnchor> i = trustAnchors.iterator(); i.hasNext(); ) {
204             if (!(i.next() instanceof TrustAnchor)) {
205                 throw new ClassCastException("all elements of set must be "
206                     + "of type java.security.cert.TrustAnchor");
207             }
208         }
209         this.unmodTrustAnchors = Collections.unmodifiableSet
210                 (new HashSet<TrustAnchor>(trustAnchors));
211     }
212 
213     /**
214      * Returns an immutable {@code Set} of initial
215      * policy identifiers (OID strings), indicating that any one of these
216      * policies would be acceptable to the certificate user for the purposes of
217      * certification path processing. The default return value is an empty
218      * {@code Set}, which is interpreted as meaning that any policy would
219      * be acceptable.
220      *
221      * @return an immutable {@code Set} of initial policy OIDs in
222      * {@code String} format, or an empty {@code Set} (implying any
223      * policy is acceptable). Never returns {@code null}.
224      *
225      * @see #setInitialPolicies
226      */
227     public Set<String> getInitialPolicies() {
228         return this.unmodInitialPolicies;
229     }
230 
231     /**
232      * Sets the {@code Set} of initial policy identifiers
233      * (OID strings), indicating that any one of these
234      * policies would be acceptable to the certificate user for the purposes of
235      * certification path processing. By default, any policy is acceptable
236      * (i.e. all policies), so a user that wants to allow any policy as
237      * acceptable does not need to call this method, or can call it
238      * with an empty {@code Set} (or {@code null}).
239      * <p>
240      * Note that the {@code Set} is copied to protect against
241      * subsequent modifications.
242      *
243      * @param initialPolicies a {@code Set} of initial policy
244      * OIDs in {@code String} format (or {@code null})
245      * @throws ClassCastException if any of the elements in the set are
246      * not of type {@code String}
247      *
248      * @see #getInitialPolicies
249      */
250     public void setInitialPolicies(Set<String> initialPolicies) {
251         if (initialPolicies != null) {
252             for (Iterator<String> i = initialPolicies.iterator();
253                         i.hasNext();) {
254                 if (!(i.next() instanceof String))
255                     throw new ClassCastException("all elements of set must be "
256                         + "of type java.lang.String");
257             }
258             this.unmodInitialPolicies =
259                 Collections.unmodifiableSet(new HashSet<String>(initialPolicies));
260         } else
261             this.unmodInitialPolicies = Collections.<String>emptySet();
262     }
263 
264     /**
265      * Sets the list of {@code CertStore}s to be used in finding
266      * certificates and CRLs. May be {@code null}, in which case
267      * no {@code CertStore}s will be used. The first
268      * {@code CertStore}s in the list may be preferred to those that
269      * appear later.
270      * <p>
271      * Note that the {@code List} is copied to protect against
272      * subsequent modifications.
273      *
274      * @param stores a {@code List} of {@code CertStore}s (or
275      * {@code null})
276      * @throws ClassCastException if any of the elements in the list are
277      * not of type {@code java.security.cert.CertStore}
278      *
279      * @see #getCertStores
280      */
281     public void setCertStores(List<CertStore> stores) {
282         if (stores == null) {
283             this.certStores = new ArrayList<CertStore>();
284         } else {
285             for (Iterator<CertStore> i = stores.iterator(); i.hasNext();) {
286                 if (!(i.next() instanceof CertStore)) {
287                     throw new ClassCastException("all elements of list must be "
288                         + "of type java.security.cert.CertStore");
289                 }
290             }
291             this.certStores = new ArrayList<CertStore>(stores);
292         }
293     }
294 
295     /**
296      * Adds a {@code CertStore} to the end of the list of
297      * {@code CertStore}s used in finding certificates and CRLs.
298      *
299      * @param store the {@code CertStore} to add. If {@code null},
300      * the store is ignored (not added to list).
301      */
302     public void addCertStore(CertStore store) {
303         if (store != null) {
304             this.certStores.add(store);
305         }
306     }
307 
308     /**
309      * Returns an immutable {@code List} of {@code CertStore}s that
310      * are used to find certificates and CRLs.
311      *
312      * @return an immutable {@code List} of {@code CertStore}s
313      * (may be empty, but never {@code null})
314      *
315      * @see #setCertStores
316      */
317     public List<CertStore> getCertStores() {
318         return Collections.unmodifiableList
319                 (new ArrayList<CertStore>(this.certStores));
320     }
321 
322     /**
323      * Sets the RevocationEnabled flag. If this flag is true, the default
324      * revocation checking mechanism of the underlying PKIX service provider
325      * will be used. If this flag is false, the default revocation checking
326      * mechanism will be disabled (not used).
327      * <p>
328      * When a {@code PKIXParameters} object is created, this flag is set
329      * to true. This setting reflects the most common strategy for checking
330      * revocation, since each service provider must support revocation
331      * checking to be PKIX compliant. Sophisticated applications should set
332      * this flag to false when it is not practical to use a PKIX service
333      * provider's default revocation checking mechanism or when an alternative
334      * revocation checking mechanism is to be substituted (by also calling the
335      * {@link #addCertPathChecker addCertPathChecker} or {@link
336      * #setCertPathCheckers setCertPathCheckers} methods).
337      *
338      * @param val the new value of the RevocationEnabled flag
339      */
340     public void setRevocationEnabled(boolean val) {
341         revocationEnabled = val;
342     }
343 
344     /**
345      * Checks the RevocationEnabled flag. If this flag is true, the default
346      * revocation checking mechanism of the underlying PKIX service provider
347      * will be used. If this flag is false, the default revocation checking
348      * mechanism will be disabled (not used). See the {@link
349      * #setRevocationEnabled setRevocationEnabled} method for more details on
350      * setting the value of this flag.
351      *
352      * @return the current value of the RevocationEnabled flag
353      */
354     public boolean isRevocationEnabled() {
355         return revocationEnabled;
356     }
357 
358     /**
359      * Sets the ExplicitPolicyRequired flag. If this flag is true, an
360      * acceptable policy needs to be explicitly identified in every certificate.
361      * By default, the ExplicitPolicyRequired flag is false.
362      *
363      * @param val {@code true} if explicit policy is to be required,
364      * {@code false} otherwise
365      */
366     public void setExplicitPolicyRequired(boolean val) {
367         explicitPolicyRequired = val;
368     }
369 
370     /**
371      * Checks if explicit policy is required. If this flag is true, an
372      * acceptable policy needs to be explicitly identified in every certificate.
373      * By default, the ExplicitPolicyRequired flag is false.
374      *
375      * @return {@code true} if explicit policy is required,
376      * {@code false} otherwise
377      */
378     public boolean isExplicitPolicyRequired() {
379         return explicitPolicyRequired;
380     }
381 
382     /**
383      * Sets the PolicyMappingInhibited flag. If this flag is true, policy
384      * mapping is inhibited. By default, policy mapping is not inhibited (the
385      * flag is false).
386      *
387      * @param val {@code true} if policy mapping is to be inhibited,
388      * {@code false} otherwise
389      */
390     public void setPolicyMappingInhibited(boolean val) {
391         policyMappingInhibited = val;
392     }
393 
394     /**
395      * Checks if policy mapping is inhibited. If this flag is true, policy
396      * mapping is inhibited. By default, policy mapping is not inhibited (the
397      * flag is false).
398      *
399      * @return true if policy mapping is inhibited, false otherwise
400      */
401     public boolean isPolicyMappingInhibited() {
402         return policyMappingInhibited;
403     }
404 
405     /**
406      * Sets state to determine if the any policy OID should be processed
407      * if it is included in a certificate. By default, the any policy OID
408      * is not inhibited ({@link #isAnyPolicyInhibited isAnyPolicyInhibited()}
409      * returns {@code false}).
410      *
411      * @param val {@code true} if the any policy OID is to be
412      * inhibited, {@code false} otherwise
413      */
414     public void setAnyPolicyInhibited(boolean val) {
415         anyPolicyInhibited = val;
416     }
417 
418     /**
419      * Checks whether the any policy OID should be processed if it
420      * is included in a certificate.
421      *
422      * @return {@code true} if the any policy OID is inhibited,
423      * {@code false} otherwise
424      */
425     public boolean isAnyPolicyInhibited() {
426         return anyPolicyInhibited;
427     }
428 
429     /**
430      * Sets the PolicyQualifiersRejected flag. If this flag is true,
431      * certificates that include policy qualifiers in a certificate
432      * policies extension that is marked critical are rejected.
433      * If the flag is false, certificates are not rejected on this basis.
434      *
435      * <p> When a {@code PKIXParameters} object is created, this flag is
436      * set to true. This setting reflects the most common (and simplest)
437      * strategy for processing policy qualifiers. Applications that want to use
438      * a more sophisticated policy must set this flag to false.
439      * <p>
440      * Note that the PKIX certification path validation algorithm specifies
441      * that any policy qualifier in a certificate policies extension that is
442      * marked critical must be processed and validated. Otherwise the
443      * certification path must be rejected. If the policyQualifiersRejected flag
444      * is set to false, it is up to the application to validate all policy
445      * qualifiers in this manner in order to be PKIX compliant.
446      *
447      * @param qualifiersRejected the new value of the PolicyQualifiersRejected
448      * flag
449      * @see #getPolicyQualifiersRejected
450      * @see PolicyQualifierInfo
451      */
452     public void setPolicyQualifiersRejected(boolean qualifiersRejected) {
453         policyQualifiersRejected = qualifiersRejected;
454     }
455 
456     /**
457      * Gets the PolicyQualifiersRejected flag. If this flag is true,
458      * certificates that include policy qualifiers in a certificate policies
459      * extension that is marked critical are rejected.
460      * If the flag is false, certificates are not rejected on this basis.
461      *
462      * <p> When a {@code PKIXParameters} object is created, this flag is
463      * set to true. This setting reflects the most common (and simplest)
464      * strategy for processing policy qualifiers. Applications that want to use
465      * a more sophisticated policy must set this flag to false.
466      *
467      * @return the current value of the PolicyQualifiersRejected flag
468      * @see #setPolicyQualifiersRejected
469      */
470     public boolean getPolicyQualifiersRejected() {
471         return policyQualifiersRejected;
472     }
473 
474     /**
475      * Returns the time for which the validity of the certification path
476      * should be determined. If {@code null}, the current time is used.
477      * <p>
478      * Note that the {@code Date} returned is copied to protect against
479      * subsequent modifications.
480      *
481      * @return the {@code Date}, or {@code null} if not set
482      * @see #setDate
483      */
484     public Date getDate() {
485         if (date == null)
486             return null;
487         else
488             return (Date) this.date.clone();
489     }
490 
491     /**
492      * Sets the time for which the validity of the certification path
493      * should be determined. If {@code null}, the current time is used.
494      * <p>
495      * Note that the {@code Date} supplied here is copied to protect
496      * against subsequent modifications.
497      *
498      * @param date the {@code Date}, or {@code null} for the
499      * current time
500      * @see #getDate
501      */
502     public void setDate(Date date) {
503         if (date != null)
504             this.date = (Date) date.clone();
505         else
506             date = null;
507     }
508 
509     /**
510      * Sets a {@code List} of additional certification path checkers. If
511      * the specified {@code List} contains an object that is not a
512      * {@code PKIXCertPathChecker}, it is ignored.
513      * <p>
514      * Each {@code PKIXCertPathChecker} specified implements
515      * additional checks on a certificate. Typically, these are checks to
516      * process and verify private extensions contained in certificates.
517      * Each {@code PKIXCertPathChecker} should be instantiated with any
518      * initialization parameters needed to execute the check.
519      * <p>
520      * This method allows sophisticated applications to extend a PKIX
521      * {@code CertPathValidator} or {@code CertPathBuilder}.
522      * Each of the specified {@code PKIXCertPathChecker}s will be called,
523      * in turn, by a PKIX {@code CertPathValidator} or
524      * {@code CertPathBuilder} for each certificate processed or
525      * validated.
526      * <p>
527      * Regardless of whether these additional {@code PKIXCertPathChecker}s
528      * are set, a PKIX {@code CertPathValidator} or
529      * {@code CertPathBuilder} must perform all of the required PKIX
530      * checks on each certificate. The one exception to this rule is if the
531      * RevocationEnabled flag is set to false (see the {@link
532      * #setRevocationEnabled setRevocationEnabled} method).
533      * <p>
534      * Note that the {@code List} supplied here is copied and each
535      * {@code PKIXCertPathChecker} in the list is cloned to protect
536      * against subsequent modifications.
537      *
538      * @param checkers a {@code List} of {@code PKIXCertPathChecker}s.
539      * May be {@code null}, in which case no additional checkers will be
540      * used.
541      * @throws ClassCastException if any of the elements in the list
542      * are not of type {@code java.security.cert.PKIXCertPathChecker}
543      * @see #getCertPathCheckers
544      */
545     public void setCertPathCheckers(List<PKIXCertPathChecker> checkers) {
546         if (checkers != null) {
547             List<PKIXCertPathChecker> tmpList =
548                         new ArrayList<PKIXCertPathChecker>();
549             for (PKIXCertPathChecker checker : checkers) {
550                 tmpList.add((PKIXCertPathChecker)checker.clone());
551             }
552             this.certPathCheckers = tmpList;
553         } else {
554             this.certPathCheckers = new ArrayList<PKIXCertPathChecker>();
555         }
556     }
557 
558     /**
559      * Returns the {@code List} of certification path checkers.
560      * The returned {@code List} is immutable, and each
561      * {@code PKIXCertPathChecker} in the {@code List} is cloned
562      * to protect against subsequent modifications.
563      *
564      * @return an immutable {@code List} of
565      * {@code PKIXCertPathChecker}s (may be empty, but not
566      * {@code null})
567      * @see #setCertPathCheckers
568      */
569     public List<PKIXCertPathChecker> getCertPathCheckers() {
570         List<PKIXCertPathChecker> tmpList = new ArrayList<PKIXCertPathChecker>();
571         for (PKIXCertPathChecker ck : certPathCheckers) {
572             tmpList.add((PKIXCertPathChecker)ck.clone());
573         }
574         return Collections.unmodifiableList(tmpList);
575     }
576 
577     /**
578      * Adds a {@code PKIXCertPathChecker} to the list of certification
579      * path checkers. See the {@link #setCertPathCheckers setCertPathCheckers}
580      * method for more details.
581      * <p>
582      * Note that the {@code PKIXCertPathChecker} is cloned to protect
583      * against subsequent modifications.
584      *
585      * @param checker a {@code PKIXCertPathChecker} to add to the list of
586      * checks. If {@code null}, the checker is ignored (not added to list).
587      */
588     public void addCertPathChecker(PKIXCertPathChecker checker) {
589         if (checker != null) {
590             certPathCheckers.add((PKIXCertPathChecker)checker.clone());
591         }
592     }
593 
594     /**
595      * Returns the signature provider's name, or {@code null}
596      * if not set.
597      *
598      * @return the signature provider's name (or {@code null})
599      * @see #setSigProvider
600      */
601     public String getSigProvider() {
602         return this.sigProvider;
603     }
604 
605     /**
606      * Sets the signature provider's name. The specified provider will be
607      * preferred when creating {@link java.security.Signature Signature}
608      * objects. If {@code null} or not set, the first provider found
609      * supporting the algorithm will be used.
610      *
611      * @param sigProvider the signature provider's name (or {@code null})
612      * @see #getSigProvider
613     */
614     public void setSigProvider(String sigProvider) {
615         this.sigProvider = sigProvider;
616     }
617 
618     /**
619      * Returns the required constraints on the target certificate.
620      * The constraints are returned as an instance of {@code CertSelector}.
621      * If {@code null}, no constraints are defined.
622      *
623      * <p>Note that the {@code CertSelector} returned is cloned
624      * to protect against subsequent modifications.
625      *
626      * @return a {@code CertSelector} specifying the constraints
627      * on the target certificate (or {@code null})
628      * @see #setTargetCertConstraints
629      */
630     public CertSelector getTargetCertConstraints() {
631         if (certSelector != null) {
632             return (CertSelector) certSelector.clone();
633         } else {
634             return null;
635         }
636     }
637 
638     /**
639      * Sets the required constraints on the target certificate.
640      * The constraints are specified as an instance of
641      * {@code CertSelector}. If {@code null}, no constraints are
642      * defined.
643      *
644      * <p>Note that the {@code CertSelector} specified is cloned
645      * to protect against subsequent modifications.
646      *
647      * @param selector a {@code CertSelector} specifying the constraints
648      * on the target certificate (or {@code null})
649      * @see #getTargetCertConstraints
650      */
651     public void setTargetCertConstraints(CertSelector selector) {
652         if (selector != null)
653             certSelector = (CertSelector) selector.clone();
654         else
655             certSelector = null;
656     }
657 
658     /**
659      * Makes a copy of this {@code PKIXParameters} object. Changes
660      * to the copy will not affect the original and vice versa.
661      *
662      * @return a copy of this {@code PKIXParameters} object
663      */
664     public Object clone() {
665         try {
666             PKIXParameters copy = (PKIXParameters)super.clone();
667 
668             // must clone these because addCertStore, et al. modify them
669             if (certStores != null) {
670                 copy.certStores = new ArrayList<CertStore>(certStores);
671             }
672             if (certPathCheckers != null) {
673                 copy.certPathCheckers =
674                     new ArrayList<PKIXCertPathChecker>(certPathCheckers.size());
675                 for (PKIXCertPathChecker checker : certPathCheckers) {
676                     copy.certPathCheckers.add(
677                                     (PKIXCertPathChecker)checker.clone());
678                 }
679             }
680 
681             // other class fields are immutable to public, don't bother
682             // to clone the read-only fields.
683             return copy;
684         } catch (CloneNotSupportedException e) {
685             /* Cannot happen */
686             throw new InternalError(e.toString(), e);
687         }
688     }
689 
690     /**
691      * Returns a formatted string describing the parameters.
692      *
693      * @return a formatted string describing the parameters.
694      */
695     public String toString() {
696         StringBuffer sb = new StringBuffer();
697         sb.append("[\n");
698 
699         /* start with trusted anchor info */
700         if (unmodTrustAnchors != null) {
701             sb.append("  Trust Anchors: " + unmodTrustAnchors.toString()
702                 + "\n");
703         }
704 
705         /* now, append initial state information */
706         if (unmodInitialPolicies != null) {
707             if (unmodInitialPolicies.isEmpty()) {
708                 sb.append("  Initial Policy OIDs: any\n");
709             } else {
710                 sb.append("  Initial Policy OIDs: ["
711                     + unmodInitialPolicies.toString() + "]\n");
712             }
713         }
714 
715         /* now, append constraints on all certificates in the path */
716         sb.append("  Validity Date: " + String.valueOf(date) + "\n");
717         sb.append("  Signature Provider: " + String.valueOf(sigProvider) + "\n");
718         sb.append("  Default Revocation Enabled: " + revocationEnabled + "\n");
719         sb.append("  Explicit Policy Required: " + explicitPolicyRequired + "\n");
720         sb.append("  Policy Mapping Inhibited: " + policyMappingInhibited + "\n");
721         sb.append("  Any Policy Inhibited: " + anyPolicyInhibited + "\n");
722         sb.append("  Policy Qualifiers Rejected: " + policyQualifiersRejected + "\n");
723 
724         /* now, append target cert requirements */
725         sb.append("  Target Cert Constraints: " + String.valueOf(certSelector) + "\n");
726 
727         /* finally, append miscellaneous parameters */
728         if (certPathCheckers != null)
729             sb.append("  Certification Path Checkers: ["
730                 + certPathCheckers.toString() + "]\n");
731         if (certStores != null)
732             sb.append("  CertStores: [" + certStores.toString() + "]\n");
733         sb.append("]");
734         return sb.toString();
735     }
736 }