Back to index...

	/*
	* Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
	* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
	*
	* This code is free software; you can redistribute it and/or modify it
	* under the terms of the GNU General Public License version 2 only, as
	* published by the Free Software Foundation. Oracle designates this
	* particular file as subject to the "Classpath" exception as provided
	* by Oracle in the LICENSE file that accompanied this code.
	*
	* This code is distributed in the hope that it will be useful, but WITHOUT
	* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
	* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
	* version 2 for more details (a copy is included in the LICENSE file that
	* accompanied this code).
	*
	* You should have received a copy of the GNU General Public License version
	* 2 along with this work; if not, write to the Free Software Foundation,
	* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
	*
	* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
	* or visit www.oracle.com if you need additional information or have any
	* questions.
	*/

	package java.security.cert;

	import java.security.InvalidAlgorithmParameterException;
	import java.security.KeyStore;
	import java.security.KeyStoreException;
	import java.util.ArrayList;
	import java.util.Collections;
	import java.util.Date;
	import java.util.Enumeration;
	import java.util.HashSet;
	import java.util.Iterator;
	import java.util.List;
	import java.util.Set;

	/**
	* Parameters used as input for the PKIX {@code CertPathValidator}
	* algorithm.
	* <p>
	* A PKIX {@code CertPathValidator} uses these parameters to
	* validate a {@code CertPath} according to the PKIX certification path
	* validation algorithm.
	*
	* <p>To instantiate a {@code PKIXParameters} object, an
	* application must specify one or more <i>most-trusted CAs</i> as defined by
	* the PKIX certification path validation algorithm. The most-trusted CAs
	* can be specified using one of two constructors. An application
	* can call {@link #PKIXParameters(Set) PKIXParameters(Set)},
	* specifying a {@code Set} of {@code TrustAnchor} objects, each
	* of which identify a most-trusted CA. Alternatively, an application can call
	* {@link #PKIXParameters(KeyStore) PKIXParameters(KeyStore)}, specifying a
	* {@code KeyStore} instance containing trusted certificate entries, each
	* of which will be considered as a most-trusted CA.
	* <p>
	* Once a {@code PKIXParameters} object has been created, other parameters
	* can be specified (by calling {@link #setInitialPolicies setInitialPolicies}
	* or {@link #setDate setDate}, for instance) and then the
	* {@code PKIXParameters} is passed along with the {@code CertPath}
	* to be validated to {@link CertPathValidator#validate
	* CertPathValidator.validate}.
	* <p>
	* Any parameter that is not set (or is set to {@code null}) will
	* be set to the default value for that parameter. The default value for the
	* {@code date} parameter is {@code null}, which indicates
	* the current time when the path is validated. The default for the
	* remaining parameters is the least constrained.
	* <p>
	* <b>Concurrent Access</b>
	* <p>
	* Unless otherwise specified, the methods defined in this class are not
	* thread-safe. Multiple threads that need to access a single
	* object concurrently should synchronize amongst themselves and
	* provide the necessary locking. Multiple threads each manipulating
	* separate objects need not synchronize.
	*
	* @see CertPathValidator
	*
	* @since 1.4
	* @author Sean Mullan
	* @author Yassir Elley
	*/
	public class PKIXParameters implements CertPathParameters {

	private Set<TrustAnchor> unmodTrustAnchors;
	private Date date;
	private List<PKIXCertPathChecker> certPathCheckers;
	private String sigProvider;
	private boolean revocationEnabled = true;
	private Set<String> unmodInitialPolicies;
	private boolean explicitPolicyRequired = false;
	private boolean policyMappingInhibited = false;
	private boolean anyPolicyInhibited = false;
	private boolean policyQualifiersRejected = true;
	private List<CertStore> certStores;
	private CertSelector certSelector;

	/**
	* Creates an instance of {@code PKIXParameters} with the specified
	* {@code Set} of most-trusted CAs. Each element of the
	* set is a {@link TrustAnchor TrustAnchor}.
	* <p>
	* Note that the {@code Set} is copied to protect against
	* subsequent modifications.
	*
	* @param trustAnchors a {@code Set} of {@code TrustAnchor}s
	* @throws InvalidAlgorithmParameterException if the specified
	* {@code Set} is empty {@code (trustAnchors.isEmpty() == true)}
	* @throws NullPointerException if the specified {@code Set} is
	* {@code null}
	* @throws ClassCastException if any of the elements in the {@code Set}
	* are not of type {@code java.security.cert.TrustAnchor}
	*/
	public PKIXParameters(Set<TrustAnchor> trustAnchors)
	throws InvalidAlgorithmParameterException
	{
	setTrustAnchors(trustAnchors);

	this.unmodInitialPolicies = Collections.<String>emptySet();
	this.certPathCheckers = new ArrayList<>();
	this.certStores = new ArrayList<>();
	}

	/**
	* Creates an instance of {@code PKIXParameters} that
	* populates the set of most-trusted CAs from the trusted
	* certificate entries contained in the specified {@code KeyStore}.
	* Only keystore entries that contain trusted {@code X509Certificates}
	* are considered; all other certificate types are ignored.
	*
	* @param keystore a {@code KeyStore} from which the set of
	* most-trusted CAs will be populated
	* @throws KeyStoreException if the keystore has not been initialized
	* @throws InvalidAlgorithmParameterException if the keystore does
	* not contain at least one trusted certificate entry
	* @throws NullPointerException if the keystore is {@code null}
	*/
	public PKIXParameters(KeyStore keystore)
	throws KeyStoreException, InvalidAlgorithmParameterException
	{
	if (keystore == null)
	throw new NullPointerException("the keystore parameter must be " +
	"non-null");
	Set<TrustAnchor> hashSet = new HashSet<>();
	Enumeration<String> aliases = keystore.aliases();
	while (aliases.hasMoreElements()) {
	String alias = aliases.nextElement();
	if (keystore.isCertificateEntry(alias)) {
	Certificate cert = keystore.getCertificate(alias);
	if (cert instanceof X509Certificate)
	hashSet.add(new TrustAnchor((X509Certificate)cert, null));
	}
	}
	setTrustAnchors(hashSet);
	this.unmodInitialPolicies = Collections.<String>emptySet();
	this.certPathCheckers = new ArrayList<>();
	this.certStores = new ArrayList<>();
	}

	/**
	* Returns an immutable {@code Set} of the most-trusted
	* CAs.
	*
	* @return an immutable {@code Set} of {@code TrustAnchor}s
	* (never {@code null})
	*
	* @see #setTrustAnchors
	*/
	public Set<TrustAnchor> getTrustAnchors() {
	return this.unmodTrustAnchors;
	}

	/**
	* Sets the {@code Set} of most-trusted CAs.
	* <p>
	* Note that the {@code Set} is copied to protect against
	* subsequent modifications.
	*
	* @param trustAnchors a {@code Set} of {@code TrustAnchor}s
	* @throws InvalidAlgorithmParameterException if the specified
	* {@code Set} is empty {@code (trustAnchors.isEmpty() == true)}
	* @throws NullPointerException if the specified {@code Set} is
	* {@code null}
	* @throws ClassCastException if any of the elements in the set
	* are not of type {@code java.security.cert.TrustAnchor}
	*
	* @see #getTrustAnchors
	*/
	public void setTrustAnchors(Set<TrustAnchor> trustAnchors)
	throws InvalidAlgorithmParameterException
	{
	if (trustAnchors == null) {
	throw new NullPointerException("the trustAnchors parameters must" +
	" be non-null");
	}
	if (trustAnchors.isEmpty()) {
	throw new InvalidAlgorithmParameterException("the trustAnchors " +
	"parameter must be non-empty");
	}
	for (Iterator<TrustAnchor> i = trustAnchors.iterator(); i.hasNext(); ) {
	if (!(i.next() instanceof TrustAnchor)) {
	throw new ClassCastException("all elements of set must be "
	+ "of type java.security.cert.TrustAnchor");
	}
	}
	this.unmodTrustAnchors = Collections.unmodifiableSet
	(new HashSet<>(trustAnchors));
	}

	/**
	* Returns an immutable {@code Set} of initial
	* policy identifiers (OID strings), indicating that any one of these
	* policies would be acceptable to the certificate user for the purposes of
	* certification path processing. The default return value is an empty
	* {@code Set}, which is interpreted as meaning that any policy would
	* be acceptable.
	*
	* @return an immutable {@code Set} of initial policy OIDs in
	* {@code String} format, or an empty {@code Set} (implying any
	* policy is acceptable). Never returns {@code null}.
	*
	* @see #setInitialPolicies
	*/
	public Set<String> getInitialPolicies() {
	return this.unmodInitialPolicies;
	}

	/**
	* Sets the {@code Set} of initial policy identifiers
	* (OID strings), indicating that any one of these
	* policies would be acceptable to the certificate user for the purposes of
	* certification path processing. By default, any policy is acceptable
	* (i.e. all policies), so a user that wants to allow any policy as
	* acceptable does not need to call this method, or can call it
	* with an empty {@code Set} (or {@code null}).
	* <p>
	* Note that the {@code Set} is copied to protect against
	* subsequent modifications.
	*
	* @param initialPolicies a {@code Set} of initial policy
	* OIDs in {@code String} format (or {@code null})
	* @throws ClassCastException if any of the elements in the set are
	* not of type {@code String}
	*
	* @see #getInitialPolicies
	*/
	public void setInitialPolicies(Set<String> initialPolicies) {
	if (initialPolicies != null) {
	for (Iterator<String> i = initialPolicies.iterator();
	i.hasNext();) {
	if (!(i.next() instanceof String))
	throw new ClassCastException("all elements of set must be "
	+ "of type java.lang.String");
	}
	this.unmodInitialPolicies =
	Collections.unmodifiableSet(new HashSet<>(initialPolicies));
	} else
	this.unmodInitialPolicies = Collections.<String>emptySet();
	}

	/**
	* Sets the list of {@code CertStore}s to be used in finding
	* certificates and CRLs. May be {@code null}, in which case
	* no {@code CertStore}s will be used. The first
	* {@code CertStore}s in the list may be preferred to those that
	* appear later.
	* <p>
	* Note that the {@code List} is copied to protect against
	* subsequent modifications.
	*
	* @param stores a {@code List} of {@code CertStore}s (or
	* {@code null})
	* @throws ClassCastException if any of the elements in the list are
	* not of type {@code java.security.cert.CertStore}
	*
	* @see #getCertStores
	*/
	public void setCertStores(List<CertStore> stores) {
	if (stores == null) {
	this.certStores = new ArrayList<>();
	} else {
	for (Iterator<CertStore> i = stores.iterator(); i.hasNext();) {
	if (!(i.next() instanceof CertStore)) {
	throw new ClassCastException("all elements of list must be "
	+ "of type java.security.cert.CertStore");
	}
	}
	this.certStores = new ArrayList<>(stores);
	}
	}

	/**
	* Adds a {@code CertStore} to the end of the list of
	* {@code CertStore}s used in finding certificates and CRLs.
	*
	* @param store the {@code CertStore} to add. If {@code null},
	* the store is ignored (not added to list).
	*/
	public void addCertStore(CertStore store) {
	if (store != null) {
	this.certStores.add(store);
	}
	}

	/**
	* Returns an immutable {@code List} of {@code CertStore}s that
	* are used to find certificates and CRLs.
	*
	* @return an immutable {@code List} of {@code CertStore}s
	* (may be empty, but never {@code null})
	*
	* @see #setCertStores
	*/
	public List<CertStore> getCertStores() {
	return Collections.unmodifiableList
	(new ArrayList<>(this.certStores));
	}

	/**
	* Sets the RevocationEnabled flag. If this flag is true, the default
	* revocation checking mechanism of the underlying PKIX service provider
	* will be used. If this flag is false, the default revocation checking
	* mechanism will be disabled (not used).
	* <p>
	* When a {@code PKIXParameters} object is created, this flag is set
	* to true. This setting reflects the most common strategy for checking
	* revocation, since each service provider must support revocation
	* checking to be PKIX compliant. Sophisticated applications should set
	* this flag to false when it is not practical to use a PKIX service
	* provider's default revocation checking mechanism or when an alternative
	* revocation checking mechanism is to be substituted (by also calling the
	* {@link #addCertPathChecker addCertPathChecker} or {@link
	* #setCertPathCheckers setCertPathCheckers} methods).
	*
	* @param val the new value of the RevocationEnabled flag
	*/
	public void setRevocationEnabled(boolean val) {
	revocationEnabled = val;
	}

	/**
	* Checks the RevocationEnabled flag. If this flag is true, the default
	* revocation checking mechanism of the underlying PKIX service provider
	* will be used. If this flag is false, the default revocation checking
	* mechanism will be disabled (not used). See the {@link
	* #setRevocationEnabled setRevocationEnabled} method for more details on
	* setting the value of this flag.
	*
	* @return the current value of the RevocationEnabled flag
	*/
	public boolean isRevocationEnabled() {
	return revocationEnabled;
	}

	/**
	* Sets the ExplicitPolicyRequired flag. If this flag is true, an
	* acceptable policy needs to be explicitly identified in every certificate.
	* By default, the ExplicitPolicyRequired flag is false.
	*
	* @param val {@code true} if explicit policy is to be required,
	* {@code false} otherwise
	*/
	public void setExplicitPolicyRequired(boolean val) {
	explicitPolicyRequired = val;
	}

	/**
	* Checks if explicit policy is required. If this flag is true, an
	* acceptable policy needs to be explicitly identified in every certificate.
	* By default, the ExplicitPolicyRequired flag is false.
	*
	* @return {@code true} if explicit policy is required,
	* {@code false} otherwise
	*/
	public boolean isExplicitPolicyRequired() {
	return explicitPolicyRequired;
	}

	/**
	* Sets the PolicyMappingInhibited flag. If this flag is true, policy
	* mapping is inhibited. By default, policy mapping is not inhibited (the
	* flag is false).
	*
	* @param val {@code true} if policy mapping is to be inhibited,
	* {@code false} otherwise
	*/
	public void setPolicyMappingInhibited(boolean val) {
	policyMappingInhibited = val;
	}

	/**
	* Checks if policy mapping is inhibited. If this flag is true, policy
	* mapping is inhibited. By default, policy mapping is not inhibited (the
	* flag is false).
	*
	* @return true if policy mapping is inhibited, false otherwise
	*/
	public boolean isPolicyMappingInhibited() {
	return policyMappingInhibited;
	}

	/**
	* Sets state to determine if the any policy OID should be processed
	* if it is included in a certificate. By default, the any policy OID
	* is not inhibited ({@link #isAnyPolicyInhibited isAnyPolicyInhibited()}
	* returns {@code false}).
	*
	* @param val {@code true} if the any policy OID is to be
	* inhibited, {@code false} otherwise
	*/
	public void setAnyPolicyInhibited(boolean val) {
	anyPolicyInhibited = val;
	}

	/**
	* Checks whether the any policy OID should be processed if it
	* is included in a certificate.
	*
	* @return {@code true} if the any policy OID is inhibited,
	* {@code false} otherwise
	*/
	public boolean isAnyPolicyInhibited() {
	return anyPolicyInhibited;
	}

	/**
	* Sets the PolicyQualifiersRejected flag. If this flag is true,
	* certificates that include policy qualifiers in a certificate
	* policies extension that is marked critical are rejected.
	* If the flag is false, certificates are not rejected on this basis.
	*
	* <p> When a {@code PKIXParameters} object is created, this flag is
	* set to true. This setting reflects the most common (and simplest)
	* strategy for processing policy qualifiers. Applications that want to use
	* a more sophisticated policy must set this flag to false.
	* <p>
	* Note that the PKIX certification path validation algorithm specifies
	* that any policy qualifier in a certificate policies extension that is
	* marked critical must be processed and validated. Otherwise the
	* certification path must be rejected. If the policyQualifiersRejected flag
	* is set to false, it is up to the application to validate all policy
	* qualifiers in this manner in order to be PKIX compliant.
	*
	* @param qualifiersRejected the new value of the PolicyQualifiersRejected
	* flag
	* @see #getPolicyQualifiersRejected
	* @see PolicyQualifierInfo
	*/
	public void setPolicyQualifiersRejected(boolean qualifiersRejected) {
	policyQualifiersRejected = qualifiersRejected;
	}

	/**
	* Gets the PolicyQualifiersRejected flag. If this flag is true,
	* certificates that include policy qualifiers in a certificate policies
	* extension that is marked critical are rejected.
	* If the flag is false, certificates are not rejected on this basis.
	*
	* <p> When a {@code PKIXParameters} object is created, this flag is
	* set to true. This setting reflects the most common (and simplest)
	* strategy for processing policy qualifiers. Applications that want to use
	* a more sophisticated policy must set this flag to false.
	*
	* @return the current value of the PolicyQualifiersRejected flag
	* @see #setPolicyQualifiersRejected
	*/
	public boolean getPolicyQualifiersRejected() {
	return policyQualifiersRejected;
	}

	/**
	* Returns the time for which the validity of the certification path
	* should be determined. If {@code null}, the current time is used.
	* <p>
	* Note that the {@code Date} returned is copied to protect against
	* subsequent modifications.
	*
	* @return the {@code Date}, or {@code null} if not set
	* @see #setDate
	*/
	public Date getDate() {
	if (date == null)
	return null;
	else
	return (Date) this.date.clone();
	}

	/**
	* Sets the time for which the validity of the certification path
	* should be determined. If {@code null}, the current time is used.
	* <p>
	* Note that the {@code Date} supplied here is copied to protect
	* against subsequent modifications.
	*
	* @param date the {@code Date}, or {@code null} for the
	* current time
	* @see #getDate
	*/
	public void setDate(Date date) {
	if (date != null)
	this.date = (Date) date.clone();
	else
	date = null;
	}

	/**
	* Sets a {@code List} of additional certification path checkers. If
	* the specified {@code List} contains an object that is not a
	* {@code PKIXCertPathChecker}, it is ignored.
	* <p>
	* Each {@code PKIXCertPathChecker} specified implements
	* additional checks on a certificate. Typically, these are checks to
	* process and verify private extensions contained in certificates.
	* Each {@code PKIXCertPathChecker} should be instantiated with any
	* initialization parameters needed to execute the check.
	* <p>
	* This method allows sophisticated applications to extend a PKIX
	* {@code CertPathValidator} or {@code CertPathBuilder}.
	* Each of the specified {@code PKIXCertPathChecker}s will be called,
	* in turn, by a PKIX {@code CertPathValidator} or
	* {@code CertPathBuilder} for each certificate processed or
	* validated.
	* <p>
	* Regardless of whether these additional {@code PKIXCertPathChecker}s
	* are set, a PKIX {@code CertPathValidator} or
	* {@code CertPathBuilder} must perform all of the required PKIX
	* checks on each certificate. The one exception to this rule is if the
	* RevocationEnabled flag is set to false (see the {@link
	* #setRevocationEnabled setRevocationEnabled} method).
	* <p>
	* Note that the {@code List} supplied here is copied and each
	* {@code PKIXCertPathChecker} in the list is cloned to protect
	* against subsequent modifications.
	*
	* @param checkers a {@code List} of {@code PKIXCertPathChecker}s.
	* May be {@code null}, in which case no additional checkers will be
	* used.
	* @throws ClassCastException if any of the elements in the list
	* are not of type {@code java.security.cert.PKIXCertPathChecker}
	* @see #getCertPathCheckers
	*/
	public void setCertPathCheckers(List<PKIXCertPathChecker> checkers) {
	if (checkers != null) {
	List<PKIXCertPathChecker> tmpList = new ArrayList<>();
	for (PKIXCertPathChecker checker : checkers) {
	tmpList.add((PKIXCertPathChecker)checker.clone());
	}
	this.certPathCheckers = tmpList;
	} else {
	this.certPathCheckers = new ArrayList<>();
	}
	}

	/**
	* Returns the {@code List} of certification path checkers.
	* The returned {@code List} is immutable, and each
	* {@code PKIXCertPathChecker} in the {@code List} is cloned
	* to protect against subsequent modifications.
	*
	* @return an immutable {@code List} of
	* {@code PKIXCertPathChecker}s (may be empty, but not
	* {@code null})
	* @see #setCertPathCheckers
	*/
	public List<PKIXCertPathChecker> getCertPathCheckers() {
	List<PKIXCertPathChecker> tmpList = new ArrayList<>();
	for (PKIXCertPathChecker ck : certPathCheckers) {
	tmpList.add((PKIXCertPathChecker)ck.clone());
	}
	return Collections.unmodifiableList(tmpList);
	}

	/**
	* Adds a {@code PKIXCertPathChecker} to the list of certification
	* path checkers. See the {@link #setCertPathCheckers setCertPathCheckers}
	* method for more details.
	* <p>
	* Note that the {@code PKIXCertPathChecker} is cloned to protect
	* against subsequent modifications.
	*
	* @param checker a {@code PKIXCertPathChecker} to add to the list of
	* checks. If {@code null}, the checker is ignored (not added to list).
	*/
	public void addCertPathChecker(PKIXCertPathChecker checker) {
	if (checker != null) {
	certPathCheckers.add((PKIXCertPathChecker)checker.clone());
	}
	}

	/**
	* Returns the signature provider's name, or {@code null}
	* if not set.
	*
	* @return the signature provider's name (or {@code null})
	* @see #setSigProvider
	*/
	public String getSigProvider() {
	return this.sigProvider;
	}

	/**
	* Sets the signature provider's name. The specified provider will be
	* preferred when creating {@link java.security.Signature Signature}
	* objects. If {@code null} or not set, the first provider found
	* supporting the algorithm will be used.
	*
	* @param sigProvider the signature provider's name (or {@code null})
	* @see #getSigProvider
	*/
	public void setSigProvider(String sigProvider) {
	this.sigProvider = sigProvider;
	}

	/**
	* Returns the required constraints on the target certificate.
	* The constraints are returned as an instance of {@code CertSelector}.
	* If {@code null}, no constraints are defined.
	*
	* <p>Note that the {@code CertSelector} returned is cloned
	* to protect against subsequent modifications.
	*
	* @return a {@code CertSelector} specifying the constraints
	* on the target certificate (or {@code null})
	* @see #setTargetCertConstraints
	*/
	public CertSelector getTargetCertConstraints() {
	if (certSelector != null) {
	return (CertSelector) certSelector.clone();
	} else {
	return null;
	}
	}

	/**
	* Sets the required constraints on the target certificate.
	* The constraints are specified as an instance of
	* {@code CertSelector}. If {@code null}, no constraints are
	* defined.
	*
	* <p>Note that the {@code CertSelector} specified is cloned
	* to protect against subsequent modifications.
	*
	* @param selector a {@code CertSelector} specifying the constraints
	* on the target certificate (or {@code null})
	* @see #getTargetCertConstraints
	*/
	public void setTargetCertConstraints(CertSelector selector) {
	if (selector != null)
	certSelector = (CertSelector) selector.clone();
	else
	certSelector = null;
	}

	/**
	* Makes a copy of this {@code PKIXParameters} object. Changes
	* to the copy will not affect the original and vice versa.
	*
	* @return a copy of this {@code PKIXParameters} object
	*/
	public Object clone() {
	try {
	PKIXParameters copy = (PKIXParameters)super.clone();

	// must clone these because addCertStore, et al. modify them
	if (certStores != null) {
	copy.certStores = new ArrayList<>(certStores);
	}
	if (certPathCheckers != null) {
	copy.certPathCheckers =
	new ArrayList<>(certPathCheckers.size());
	for (PKIXCertPathChecker checker : certPathCheckers) {
	copy.certPathCheckers.add(
	(PKIXCertPathChecker)checker.clone());
	}
	}

	// other class fields are immutable to public, don't bother
	// to clone the read-only fields.
	return copy;
	} catch (CloneNotSupportedException e) {
	/* Cannot happen */
	throw new InternalError(e.toString(), e);
	}
	}

	/**
	* Returns a formatted string describing the parameters.
	*
	* @return a formatted string describing the parameters.
	*/
	public String toString() {
	StringBuilder sb = new StringBuilder();
	sb.append("[\n");

	/* start with trusted anchor info */
	if (unmodTrustAnchors != null) {
	sb.append(" Trust Anchors: " + unmodTrustAnchors.toString()
	+ "\n");
	}

	/* now, append initial state information */
	if (unmodInitialPolicies != null) {
	if (unmodInitialPolicies.isEmpty()) {
	sb.append(" Initial Policy OIDs: any\n");
	} else {
	sb.append(" Initial Policy OIDs: ["
	+ unmodInitialPolicies.toString() + "]\n");
	}
	}

	/* now, append constraints on all certificates in the path */
	sb.append(" Validity Date: " + String.valueOf(date) + "\n");
	sb.append(" Signature Provider: " + String.valueOf(sigProvider) + "\n");
	sb.append(" Default Revocation Enabled: " + revocationEnabled + "\n");
	sb.append(" Explicit Policy Required: " + explicitPolicyRequired + "\n");
	sb.append(" Policy Mapping Inhibited: " + policyMappingInhibited + "\n");
	sb.append(" Any Policy Inhibited: " + anyPolicyInhibited + "\n");
	sb.append(" Policy Qualifiers Rejected: " + policyQualifiersRejected + "\n");

	/* now, append target cert requirements */
	sb.append(" Target Cert Constraints: " + String.valueOf(certSelector) + "\n");

	/* finally, append miscellaneous parameters */
	if (certPathCheckers != null)
	sb.append(" Certification Path Checkers: ["
	+ certPathCheckers.toString() + "]\n");
	if (certStores != null)
	sb.append(" CertStores: [" + certStores.toString() + "]\n");
	sb.append("]");
	return sb.toString();
	}
	}

Back to index...