DataStudy/Assets/Plugins/Best HTTP/Source/SecureProtocol/pkix/PkixParameters.cs

#if !BESTHTTP_DISABLE_ALTERNATE_SSL && (!UNITY_WEBGL || UNITY_EDITOR)
#pragma warning disable
using System;
using System.Collections;

using BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities;
using BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Collections;
using BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Date;
using BestHTTP.SecureProtocol.Org.BouncyCastle.X509.Store;

namespace BestHTTP.SecureProtocol.Org.BouncyCastle.Pkix
{
	/// <summary>
	/// Summary description for PkixParameters.
	/// </summary>
	public class PkixParameters
//		: ICertPathParameters
	{
		/**
		* This is the default PKIX validity model. Actually there are two variants
		* of this: The PKIX model and the modified PKIX model. The PKIX model
		* verifies that all involved certificates must have been valid at the
		* current time. The modified PKIX model verifies that all involved
		* certificates were valid at the signing time. Both are indirectly choosen
		* with the {@link PKIXParameters#setDate(java.util.Date)} method, so this
		* methods sets the Date when <em>all</em> certificates must have been
		* valid.
		*/
		public const int PkixValidityModel = 0;

		/**
		* This model uses the following validity model. Each certificate must have
		* been valid at the moment where is was used. That means the end
		* certificate must have been valid at the time the signature was done. The
		* CA certificate which signed the end certificate must have been valid,
		* when the end certificate was signed. The CA (or Root CA) certificate must
		* have been valid, when the CA certificate was signed and so on. So the
		* {@link PKIXParameters#setDate(java.util.Date)} method sets the time, when
		* the <em>end certificate</em> must have been valid. <p/> It is used e.g.
		* in the German signature law.
		*/
		public const int ChainValidityModel = 1;

		private ISet trustAnchors;
		private DateTimeObject date;
		private IList certPathCheckers;
		private bool revocationEnabled = true;
		private ISet initialPolicies;
		//private bool checkOnlyEECertificateCrl = false;
		private bool explicitPolicyRequired = false;
		private bool anyPolicyInhibited = false;
		private bool policyMappingInhibited = false;
		private bool policyQualifiersRejected = true;
		private IX509Selector certSelector;
		private IList stores;
		private IX509Selector selector;
		private bool additionalLocationsEnabled;
		private IList additionalStores;
		private ISet trustedACIssuers;
		private ISet necessaryACAttributes;
		private ISet prohibitedACAttributes;
		private ISet attrCertCheckers;
		private int validityModel = PkixValidityModel;
		private bool useDeltas = false;

		/**
		 * Creates an instance of PKIXParameters with the specified Set of
		 * most-trusted CAs. Each element of the set is a TrustAnchor.<br />
		 * <br />
		 * Note that the Set is copied to protect against subsequent modifications.
		 *
		 * @param trustAnchors
		 *            a Set of TrustAnchors
		 *
		 * @exception InvalidAlgorithmParameterException
		 *                if the specified Set is empty
		 *                <code>(trustAnchors.isEmpty() == true)</code>
		 * @exception NullPointerException
		 *                if the specified Set is <code>null</code>
		 * @exception ClassCastException
		 *                if any of the elements in the Set are not of type
		 *                <code>java.security.cert.TrustAnchor</code>
		 */
		public PkixParameters(
			ISet trustAnchors)
		{
			SetTrustAnchors(trustAnchors);

			this.initialPolicies = new HashSet();
			this.certPathCheckers = BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.CreateArrayList();
            this.stores = BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.CreateArrayList();
			this.additionalStores = BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.CreateArrayList();
			this.trustedACIssuers = new HashSet();
			this.necessaryACAttributes = new HashSet();
			this.prohibitedACAttributes = new HashSet();
			this.attrCertCheckers = new HashSet();
		}

//		// TODO implement for other keystores (see Java build)?
//		/**
//		 * Creates an instance of <code>PKIXParameters</code> that
//		 * populates the set of most-trusted CAs from the trusted
//		 * certificate entries contained in the specified <code>KeyStore</code>.
//		 * Only keystore entries that contain trusted <code>X509Certificates</code>
//		 * are considered; all other certificate types are ignored.
//		 *
//		 * @param keystore a <code>KeyStore</code> from which the set of
//		 * most-trusted CAs will be populated
//		 * @throws KeyStoreException if the keystore has not been initialized
//		 * @throws InvalidAlgorithmParameterException if the keystore does
//		 * not contain at least one trusted certificate entry
//		 * @throws NullPointerException if the keystore is <code>null</code>
//		 */
//		public PkixParameters(
//			Pkcs12Store keystore)
////			throws KeyStoreException, InvalidAlgorithmParameterException
//		{
//			if (keystore == null)
//				throw new ArgumentNullException("keystore");
//			ISet trustAnchors = new HashSet();
//			foreach (string alias in keystore.Aliases)
//			{
//				if (keystore.IsCertificateEntry(alias))
//				{
//					X509CertificateEntry x509Entry = keystore.GetCertificate(alias);
//					trustAnchors.Add(new TrustAnchor(x509Entry.Certificate, null));
//				}
//			}
//			SetTrustAnchors(trustAnchors);
//
//			this.initialPolicies = new HashSet();
//			this.certPathCheckers = new ArrayList();
//			this.stores = new ArrayList();
//			this.additionalStores = new ArrayList();
//			this.trustedACIssuers = new HashSet();
//			this.necessaryACAttributes = new HashSet();
//			this.prohibitedACAttributes = new HashSet();
//			this.attrCertCheckers = new HashSet();
//		}

		public virtual bool IsRevocationEnabled
		{
			get { return revocationEnabled; }
			set { revocationEnabled = value; }
		}

		public virtual bool IsExplicitPolicyRequired
		{
			get { return explicitPolicyRequired; }
			set { this.explicitPolicyRequired = value; }
		}

		public virtual bool IsAnyPolicyInhibited
		{
			get { return anyPolicyInhibited; }
			set { this.anyPolicyInhibited = value; }
		}

		public virtual bool IsPolicyMappingInhibited
		{
			get { return policyMappingInhibited; }
			set { this.policyMappingInhibited = value; }
		}

		public virtual bool IsPolicyQualifiersRejected
		{
			get { return policyQualifiersRejected; }
			set { this.policyQualifiersRejected = value; }
		}

		//public bool IsCheckOnlyEECertificateCrl
		//{
		//	get { return this.checkOnlyEECertificateCrl; }
		//	set { this.checkOnlyEECertificateCrl = value; }
		//}

		public virtual DateTimeObject Date
		{
			get { return this.date; }
			set { this.date = value; }
		}

		// Returns a Set of the most-trusted CAs.
		public virtual ISet GetTrustAnchors()
		{
			return new HashSet(this.trustAnchors);
		}

		// Sets the set of most-trusted CAs.
		// Set is copied to protect against subsequent modifications.
		public virtual void SetTrustAnchors(
			ISet tas)
		{
			if (tas == null)
				throw new ArgumentNullException("value");
			if (tas.IsEmpty)
				throw new ArgumentException("non-empty set required", "value");

			// Explicit copy to enforce type-safety
			this.trustAnchors = new HashSet();
			foreach (TrustAnchor ta in tas)
			{
				if (ta != null)
				{
					trustAnchors.Add(ta);
				}
			}
		}

		/**
		* Returns the required constraints on the target certificate. The
		* constraints are returned as an instance of CertSelector. If
		* <code>null</code>, no constraints are defined.<br />
		* <br />
		* Note that the CertSelector returned is cloned to protect against
		* subsequent modifications.
		*
		* @return a CertSelector specifying the constraints on the target
		*         certificate (or <code>null</code>)
		*
		* @see #setTargetCertConstraints(CertSelector)
		*/
		public virtual X509CertStoreSelector GetTargetCertConstraints()
		{
			if (certSelector == null)
			{
				return null;
			}

			return (X509CertStoreSelector)certSelector.Clone();
		}

		/**
		 * Sets the required constraints on the target certificate. The constraints
		 * are specified as an instance of CertSelector. If null, no constraints are
		 * defined.<br />
		 * <br />
		 * Note that the CertSelector specified is cloned to protect against
		 * subsequent modifications.
		 *
		 * @param selector
		 *            a CertSelector specifying the constraints on the target
		 *            certificate (or <code>null</code>)
		 *
		 * @see #getTargetCertConstraints()
		 */
		public virtual void SetTargetCertConstraints(
			IX509Selector selector)
		{
			if (selector == null)
			{
				certSelector = null;
			}
			else
			{
				certSelector = (IX509Selector)selector.Clone();
			}
		}

		/**
		* Returns an immutable Set of initial policy identifiers (OID strings),
		* indicating that any one of these policies would be acceptable to the
		* certificate user for the purposes of certification path processing. The
		* default return value is an empty <code>Set</code>, which is
		* interpreted as meaning that any policy would be acceptable.
		*
		* @return an immutable <code>Set</code> of initial policy OIDs in String
		*         format, or an empty <code>Set</code> (implying any policy is
		*         acceptable). Never returns <code>null</code>.
		*
		* @see #setInitialPolicies(java.util.Set)
		*/
		public virtual ISet GetInitialPolicies()
		{
			ISet returnSet = initialPolicies;

			// TODO Can it really be null?
			if (initialPolicies == null)
			{
				returnSet = new HashSet();
			}

			return new HashSet(returnSet);
		}

		/**
		* Sets the <code>Set</code> of initial policy identifiers (OID strings),
		* indicating that any one of these policies would be acceptable to the
		* certificate user for the purposes of certification path processing. By
		* default, any policy is acceptable (i.e. all policies), so a user that
		* wants to allow any policy as acceptable does not need to call this
		* method, or can call it with an empty <code>Set</code> (or
		* <code>null</code>).<br />
		* <br />
		* Note that the Set is copied to protect against subsequent modifications.<br />
		* <br />
		*
		* @param initialPolicies
		*            a Set of initial policy OIDs in String format (or
		*            <code>null</code>)
		*
		* @exception ClassCastException
		*                if any of the elements in the set are not of type String
		*
		* @see #getInitialPolicies()
		*/
		public virtual void SetInitialPolicies(
			ISet initialPolicies)
		{
			this.initialPolicies = new HashSet();
			if (initialPolicies != null)
			{
				foreach (string obj in initialPolicies)
				{
					if (obj != null)
					{
						this.initialPolicies.Add(obj);
					}
				}
			}
		}

		/**
		* Sets a <code>List</code> of additional certification path checkers. If
		* the specified List contains an object that is not a PKIXCertPathChecker,
		* it is ignored.<br />
		* <br />
		* Each <code>PKIXCertPathChecker</code> specified implements additional
		* checks on a certificate. Typically, these are checks to process and
		* verify private extensions contained in certificates. Each
		* <code>PKIXCertPathChecker</code> should be instantiated with any
		* initialization parameters needed to execute the check.<br />
		* <br />
		* This method allows sophisticated applications to extend a PKIX
		* <code>CertPathValidator</code> or <code>CertPathBuilder</code>. Each
		* of the specified PKIXCertPathCheckers will be called, in turn, by a PKIX
		* <code>CertPathValidator</code> or <code>CertPathBuilder</code> for
		* each certificate processed or validated.<br />
		* <br />
		* Regardless of whether these additional PKIXCertPathCheckers are set, a
		* PKIX <code>CertPathValidator</code> or <code>CertPathBuilder</code>
		* must perform all of the required PKIX checks on each certificate. The one
		* exception to this rule is if the RevocationEnabled flag is set to false
		* (see the {@link #setRevocationEnabled(boolean) setRevocationEnabled}
		* method).<br />
		* <br />
		* Note that the List supplied here is copied and each PKIXCertPathChecker
		* in the list is cloned to protect against subsequent modifications.
		*
		* @param checkers
		*            a List of PKIXCertPathCheckers. May be null, in which case no
		*            additional checkers will be used.
		* @exception ClassCastException
		*                if any of the elements in the list are not of type
		*                <code>java.security.cert.PKIXCertPathChecker</code>
		* @see #getCertPathCheckers()
		*/
		public virtual void SetCertPathCheckers(IList checkers)
		{
            certPathCheckers = BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.CreateArrayList();
			if (checkers != null)
			{
				foreach (PkixCertPathChecker obj in checkers)
				{
					certPathCheckers.Add(obj.Clone());
				}
			}
		}

		/**
		 * Returns the List of certification path checkers. Each PKIXCertPathChecker
		 * in the returned IList is cloned to protect against subsequent modifications.
		 *
		 * @return an immutable List of PKIXCertPathCheckers (may be empty, but not
		 *         <code>null</code>)
		 *
		 * @see #setCertPathCheckers(java.util.List)
		 */
		public virtual IList GetCertPathCheckers()
		{
			IList checkers = BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.CreateArrayList();
			foreach (PkixCertPathChecker obj in certPathCheckers)
			{
				checkers.Add(obj.Clone());
			}
			return checkers;
		}

		/**
		 * Adds a <code>PKIXCertPathChecker</code> to the list of certification
		 * path checkers. See the {@link #setCertPathCheckers setCertPathCheckers}
		 * method for more details.
		 * <p>
		 * Note that the <code>PKIXCertPathChecker</code> is cloned to protect
		 * against subsequent modifications.</p>
		 *
		 * @param checker a <code>PKIXCertPathChecker</code> to add to the list of
		 * checks. If <code>null</code>, the checker is ignored (not added to list).
		 */
		public virtual void AddCertPathChecker(
			PkixCertPathChecker checker)
		{
			if (checker != null)
			{
				certPathCheckers.Add(checker.Clone());
			}
		}

		public virtual object Clone()
		{
			// FIXME Check this whole method against the Java implementation!

			PkixParameters parameters = new PkixParameters(GetTrustAnchors());
			parameters.SetParams(this);
			return parameters;


//			PkixParameters obj = new PkixParameters(new HashSet());
////			(PkixParameters) this.MemberwiseClone();
//			obj.x509Stores = new ArrayList(x509Stores);
//			obj.certPathCheckers = new ArrayList(certPathCheckers);
//
//			//Iterator iter = certPathCheckers.iterator();
//			//obj.certPathCheckers = new ArrayList();
//			//while (iter.hasNext())
//			//{
//			//	obj.certPathCheckers.add(((PKIXCertPathChecker)iter.next())
//			//		.clone());
//			//}
//			//if (initialPolicies != null)
//			//{
//			//	obj.initialPolicies = new HashSet(initialPolicies);
//			//}
////			if (trustAnchors != null)
////			{
////				obj.trustAnchors = new HashSet(trustAnchors);
////			}
////			if (certSelector != null)
////			{
////				obj.certSelector = (X509CertStoreSelector) certSelector.Clone();
////			}
//			return obj;
		}

		/**
		* Method to support <code>Clone()</code> under J2ME.
		* <code>super.Clone()</code> does not exist and fields are not copied.
		*
		* @param params Parameters to set. If this are
		*            <code>ExtendedPkixParameters</code> they are copied to.
		*/
		protected virtual void SetParams(
			PkixParameters parameters)
		{
			Date = parameters.Date;
			SetCertPathCheckers(parameters.GetCertPathCheckers());
			IsAnyPolicyInhibited = parameters.IsAnyPolicyInhibited;
			IsExplicitPolicyRequired = parameters.IsExplicitPolicyRequired;
			IsPolicyMappingInhibited = parameters.IsPolicyMappingInhibited;
			IsRevocationEnabled = parameters.IsRevocationEnabled;
			SetInitialPolicies(parameters.GetInitialPolicies());
			IsPolicyQualifiersRejected = parameters.IsPolicyQualifiersRejected;
			SetTargetCertConstraints(parameters.GetTargetCertConstraints());
			SetTrustAnchors(parameters.GetTrustAnchors());

			validityModel = parameters.validityModel;
			useDeltas = parameters.useDeltas;
			additionalLocationsEnabled = parameters.additionalLocationsEnabled;
			selector = parameters.selector == null ? null
				: (IX509Selector) parameters.selector.Clone();
			stores = BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.CreateArrayList(parameters.stores);
            additionalStores = BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.CreateArrayList(parameters.additionalStores);
			trustedACIssuers = new HashSet(parameters.trustedACIssuers);
			prohibitedACAttributes = new HashSet(parameters.prohibitedACAttributes);
			necessaryACAttributes = new HashSet(parameters.necessaryACAttributes);
			attrCertCheckers = new HashSet(parameters.attrCertCheckers);
		}

		/**
		 * Whether delta CRLs should be used for checking the revocation status.
		 * Defaults to <code>false</code>.
		 */
		public virtual bool IsUseDeltasEnabled
		{
			get { return useDeltas; }
			set { useDeltas = value; }
		}

		/**
		* The validity model.
		* @see #CHAIN_VALIDITY_MODEL
		* @see #PKIX_VALIDITY_MODEL
		*/
		public virtual int ValidityModel
		{
			get { return validityModel; }
			set { validityModel = value; }
		}

		/**
		* Sets the Bouncy Castle Stores for finding CRLs, certificates, attribute
		* certificates or cross certificates.
		* <p>
		* The <code>IList</code> is cloned.
		* </p>
		*
		* @param stores A list of stores to use.
		* @see #getStores
		* @throws ClassCastException if an element of <code>stores</code> is not
		*             a {@link Store}.
		*/
		public virtual void SetStores(
			IList stores)
		{
			if (stores == null)
			{
                this.stores = BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.CreateArrayList();
			}
			else
			{
				foreach (object obj in stores)
				{
					if (!(obj is IX509Store))
					{
						throw new InvalidCastException(
							"All elements of list must be of type " + typeof(IX509Store).FullName);
					}
				}
                this.stores = BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.CreateArrayList(stores);
			}
		}

		/**
		* Adds a Bouncy Castle {@link Store} to find CRLs, certificates, attribute
		* certificates or cross certificates.
		* <p>
		* This method should be used to add local stores, like collection based
		* X.509 stores, if available. Local stores should be considered first,
		* before trying to use additional (remote) locations, because they do not
		* need possible additional network traffic.
		* </p><p>
		* If <code>store</code> is <code>null</code> it is ignored.
		* </p>
		*
		* @param store The store to add.
		* @see #getStores
		*/
		public virtual void AddStore(
			IX509Store store)
		{
			if (store != null)
			{
				stores.Add(store);
			}
		}

		/**
		* Adds an additional Bouncy Castle {@link Store} to find CRLs, certificates,
		* attribute certificates or cross certificates.
		* <p>
		* You should not use this method. This method is used for adding additional
		* X.509 stores, which are used to add (remote) locations, e.g. LDAP, found
		* during X.509 object processing, e.g. in certificates or CRLs. This method
		* is used in PKIX certification path processing.
		* </p><p>
		* If <code>store</code> is <code>null</code> it is ignored.
		* </p>
		*
		* @param store The store to add.
		* @see #getStores()
		*/
		public virtual void AddAdditionalStore(
			IX509Store store)
		{
			if (store != null)
			{
				additionalStores.Add(store);
			}
		}

		/**
		* Returns an <code>IList</code> of additional Bouncy Castle
		* <code>Store</code>s used for finding CRLs, certificates, attribute
		* certificates or cross certificates.
		*
		* @return an immutable <code>IList</code> of additional Bouncy Castle
		*         <code>Store</code>s. Never <code>null</code>.
		*
		* @see #addAddionalStore(Store)
		*/
		public virtual IList GetAdditionalStores()
		{
            return BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.CreateArrayList(additionalStores);
		}

		/**
		* Returns an <code>IList</code> of Bouncy Castle
		* <code>Store</code>s used for finding CRLs, certificates, attribute
		* certificates or cross certificates.
		*
		* @return an immutable <code>IList</code> of Bouncy Castle
		*         <code>Store</code>s. Never <code>null</code>.
		*
		* @see #setStores(IList)
		*/
		public virtual IList GetStores()
		{
            return BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Platform.CreateArrayList(stores);
		}

		/**
		* Returns if additional {@link X509Store}s for locations like LDAP found
		* in certificates or CRLs should be used.
		*
		* @return Returns <code>true</code> if additional stores are used.
		*/
		public virtual bool IsAdditionalLocationsEnabled
		{
			get { return additionalLocationsEnabled; }
		}

		/**
		* Sets if additional {@link X509Store}s for locations like LDAP found in
		* certificates or CRLs should be used.
		*
		* @param enabled <code>true</code> if additional stores are used.
		*/
		public virtual void SetAdditionalLocationsEnabled(
			bool enabled)
		{
			additionalLocationsEnabled = enabled;
		}

		/**
		* Returns the required constraints on the target certificate or attribute
		* certificate. The constraints are returned as an instance of
		* <code>IX509Selector</code>. If <code>null</code>, no constraints are
		* defined.
		*
		* <p>
		* The target certificate in a PKIX path may be a certificate or an
		* attribute certificate.
		* </p><p>
		* Note that the <code>IX509Selector</code> returned is cloned to protect
		* against subsequent modifications.
		* </p>
		* @return a <code>IX509Selector</code> specifying the constraints on the
		*         target certificate or attribute certificate (or <code>null</code>)
		* @see #setTargetConstraints
		* @see X509CertStoreSelector
		* @see X509AttributeCertStoreSelector
		*/
		public virtual IX509Selector GetTargetConstraints()
		{
			if (selector != null)
			{
				return (IX509Selector) selector.Clone();
			}
			else
			{
				return null;
			}
		}

		/**
		* Sets the required constraints on the target certificate or attribute
		* certificate. The constraints are specified as an instance of
		* <code>IX509Selector</code>. If <code>null</code>, no constraints are
		* defined.
		* <p>
		* The target certificate in a PKIX path may be a certificate or an
		* attribute certificate.
		* </p><p>
		* Note that the <code>IX509Selector</code> specified is cloned to protect
		* against subsequent modifications.
		* </p>
		*
		* @param selector a <code>IX509Selector</code> specifying the constraints on
		*            the target certificate or attribute certificate (or
		*            <code>null</code>)
		* @see #getTargetConstraints
		* @see X509CertStoreSelector
		* @see X509AttributeCertStoreSelector
		*/
		public virtual void SetTargetConstraints(IX509Selector selector)
		{
			if (selector != null)
			{
				this.selector = (IX509Selector) selector.Clone();
			}
			else
			{
				this.selector = null;
			}
		}

		/**
		* Returns the trusted attribute certificate issuers. If attribute
		* certificates is verified the trusted AC issuers must be set.
		* <p>
		* The returned <code>ISet</code> consists of <code>TrustAnchor</code>s.
		* </p><p>
		* The returned <code>ISet</code> is immutable. Never <code>null</code>
		* </p>
		*
		* @return Returns an immutable set of the trusted AC issuers.
		*/
		public virtual ISet GetTrustedACIssuers()
		{
			return new HashSet(trustedACIssuers);
		}

		/**
		* Sets the trusted attribute certificate issuers. If attribute certificates
		* is verified the trusted AC issuers must be set.
		* <p>
		* The <code>trustedACIssuers</code> must be a <code>ISet</code> of
		* <code>TrustAnchor</code>
		* </p><p>
		* The given set is cloned.
		* </p>
		*
		* @param trustedACIssuers The trusted AC issuers to set. Is never
		*            <code>null</code>.
		* @throws ClassCastException if an element of <code>stores</code> is not
		*             a <code>TrustAnchor</code>.
		*/
		public virtual void SetTrustedACIssuers(
			ISet trustedACIssuers)
		{
			if (trustedACIssuers == null)
			{
				this.trustedACIssuers = new HashSet();
			}
			else
			{
				foreach (object obj in trustedACIssuers)
				{
					if (!(obj is TrustAnchor))
					{
						throw new InvalidCastException("All elements of set must be "
							+ "of type " + typeof(TrustAnchor).FullName + ".");
					}
				}
				this.trustedACIssuers = new HashSet(trustedACIssuers);
			}
		}

		/**
		* Returns the necessary attributes which must be contained in an attribute
		* certificate.
		* <p>
		* The returned <code>ISet</code> is immutable and contains
		* <code>String</code>s with the OIDs.
		* </p>
		*
		* @return Returns the necessary AC attributes.
		*/
		public virtual ISet GetNecessaryACAttributes()
		{
			return new HashSet(necessaryACAttributes);
		}

		/**
		* Sets the necessary which must be contained in an attribute certificate.
		* <p>
		* The <code>ISet</code> must contain <code>String</code>s with the
		* OIDs.
		* </p><p>
		* The set is cloned.
		* </p>
		*
		* @param necessaryACAttributes The necessary AC attributes to set.
		* @throws ClassCastException if an element of
		*             <code>necessaryACAttributes</code> is not a
		*             <code>String</code>.
		*/
		public virtual void SetNecessaryACAttributes(
			ISet necessaryACAttributes)
		{
			if (necessaryACAttributes == null)
			{
				this.necessaryACAttributes = new HashSet();
			}
			else
			{
				foreach (object obj in necessaryACAttributes)
				{
					if (!(obj is string))
					{
						throw new InvalidCastException("All elements of set must be "
							+ "of type string.");
					}
				}
				this.necessaryACAttributes = new HashSet(necessaryACAttributes);
			}
		}

		/**
		* Returns the attribute certificates which are not allowed.
		* <p>
		* The returned <code>ISet</code> is immutable and contains
		* <code>String</code>s with the OIDs.
		* </p>
		*
		* @return Returns the prohibited AC attributes. Is never <code>null</code>.
		*/
		public virtual ISet GetProhibitedACAttributes()
		{
			return new HashSet(prohibitedACAttributes);
		}

		/**
		* Sets the attribute certificates which are not allowed.
		* <p>
		* The <code>ISet</code> must contain <code>String</code>s with the
		* OIDs.
		* </p><p>
		* The set is cloned.
		* </p>
		*
		* @param prohibitedACAttributes The prohibited AC attributes to set.
		* @throws ClassCastException if an element of
		*             <code>prohibitedACAttributes</code> is not a
		*             <code>String</code>.
		*/
		public virtual void SetProhibitedACAttributes(
			ISet prohibitedACAttributes)
		{
			if (prohibitedACAttributes == null)
			{
				this.prohibitedACAttributes = new HashSet();
			}
			else
			{
				foreach (object obj in prohibitedACAttributes)
				{
					if (!(obj is String))
					{
						throw new InvalidCastException("All elements of set must be "
							+ "of type string.");
					}
				}
				this.prohibitedACAttributes = new HashSet(prohibitedACAttributes);
			}
		}

		/**
		* Returns the attribute certificate checker. The returned set contains
		* {@link PKIXAttrCertChecker}s and is immutable.
		*
		* @return Returns the attribute certificate checker. Is never
		*         <code>null</code>.
		*/
		public virtual ISet GetAttrCertCheckers()
		{
			return new HashSet(attrCertCheckers);
		}

		/**
		* Sets the attribute certificate checkers.
		* <p>
		* All elements in the <code>ISet</code> must a {@link PKIXAttrCertChecker}.
		* </p>
		* <p>
		* The given set is cloned.
		* </p>
		*
		* @param attrCertCheckers The attribute certificate checkers to set. Is
		*            never <code>null</code>.
		* @throws ClassCastException if an element of <code>attrCertCheckers</code>
		*             is not a <code>PKIXAttrCertChecker</code>.
		*/
		public virtual void SetAttrCertCheckers(
			ISet attrCertCheckers)
		{
			if (attrCertCheckers == null)
			{
				this.attrCertCheckers = new HashSet();
			}
			else
			{
				foreach (object obj in attrCertCheckers)
				{
					if (!(obj is PkixAttrCertChecker))
					{
						throw new InvalidCastException("All elements of set must be "
							+ "of type " + typeof(PkixAttrCertChecker).FullName + ".");
					}
				}
				this.attrCertCheckers = new HashSet(attrCertCheckers);
			}
		}
	}
}
#pragma warning restore
#endif