- java.lang.Object
-
- java.security.cert.PKIXCertPathChecker
-
- java.security.cert.PKIXRevocationChecker
-
- All Implemented Interfaces:
Cloneable,CertPathChecker
public abstract class PKIXRevocationChecker extends PKIXCertPathChecker
APKIXCertPathCheckerfor checking the revocation status of certificates with the PKIX algorithm.A
PKIXRevocationCheckerchecks the revocation status of certificates with the Online Certificate Status Protocol (OCSP) or Certificate Revocation Lists (CRLs). OCSP is described in RFC 2560 and is a network protocol for determining the status of a certificate. A CRL is a time-stamped list identifying revoked certificates, and RFC 5280 describes an algorithm for determining the revocation status of certificates using CRLs.Each
PKIXRevocationCheckermust be able to check the revocation status of certificates with OCSP and CRLs. By default, OCSP is the preferred mechanism for checking revocation status, with CRLs as the fallback mechanism. However, this preference can be switched to CRLs with thePREFER_CRLSoption. In addition, the fallback mechanism can be disabled with theNO_FALLBACKoption.A
PKIXRevocationCheckeris obtained by calling thegetRevocationCheckermethod of a PKIXCertPathValidator. Additional parameters and options specific to revocation can be set (by calling thesetOcspRespondermethod for instance). ThePKIXRevocationCheckeris added to aPKIXParametersobject using theaddCertPathCheckerorsetCertPathCheckersmethod, and then thePKIXParametersis passed along with theCertPathto be validated to thevalidatemethod of a PKIXCertPathValidator. When supplying a revocation checker in this manner, it will be used to check revocation irrespective of the setting of theRevocationEnabledflag. Similarly, aPKIXRevocationCheckermay be added to aPKIXBuilderParametersobject for use with a PKIXCertPathBuilder.Note that when a
PKIXRevocationCheckeris added toPKIXParameters, it clones thePKIXRevocationChecker; thus any subsequent modifications to thePKIXRevocationCheckerhave no effect.Any parameter that is not set (or is set to
null) will be set to the default value for that parameter.Concurrent Access
Unless otherwise specified, the methods defined in this class are not thread-safe. Multiple threads that need to access a single object concurrently should synchronize amongst themselves and provide the necessary locking. Multiple threads each manipulating separate objects need not synchronize.
-
-
Nested Class Summary
Nested Classes Modifier and Type Class Description static classPKIXRevocationChecker.OptionVarious revocation options that can be specified for the revocation checking mechanism.
-
Constructor Summary
Constructors Modifier Constructor Description protectedPKIXRevocationChecker()Default constructor.
-
Method Summary
All Methods Instance Methods Abstract Methods Concrete Methods Modifier and Type Method Description List<Extension>getOcspExtensions()Gets the optional OCSP request extensions.URIgetOcspResponder()Gets the URI that identifies the location of the OCSP responder.X509CertificategetOcspResponderCert()Gets the OCSP responder's certificate.Map<X509Certificate,byte[]>getOcspResponses()Gets the OCSP responses.Set<PKIXRevocationChecker.Option>getOptions()Gets the revocation options.abstract List<CertPathValidatorException>getSoftFailExceptions()Returns a list containing the exceptions that are ignored by the revocation checker when theSOFT_FAILoption is set.voidsetOcspExtensions(List<Extension> extensions)Sets the optional OCSP request extensions.voidsetOcspResponder(URI uri)Sets the URI that identifies the location of the OCSP responder.voidsetOcspResponderCert(X509Certificate cert)Sets the OCSP responder's certificate.voidsetOcspResponses(Map<X509Certificate,byte[]> responses)Sets the OCSP responses.voidsetOptions(Set<PKIXRevocationChecker.Option> options)Sets the revocation options.-
Methods declared in class java.security.cert.PKIXCertPathChecker
check, check, clone, getSupportedExtensions, init, isForwardCheckingSupported
-
-
-
-
Method Detail
-
setOcspResponder
public void setOcspResponder(URI uri)
Sets the URI that identifies the location of the OCSP responder. This overrides theocsp.responderURLsecurity property and any responder specified in a certificate's Authority Information Access Extension, as defined in RFC 5280.- Parameters:
uri- the responder URI
-
getOcspResponder
public URI getOcspResponder()
Gets the URI that identifies the location of the OCSP responder. This overrides theocsp.responderURLsecurity property. If this parameter or theocsp.responderURLproperty is not set, the location is determined from the certificate's Authority Information Access Extension, as defined in RFC 5280.- Returns:
- the responder URI, or
nullif not set
-
setOcspResponderCert
public void setOcspResponderCert(X509Certificate cert)
Sets the OCSP responder's certificate. This overrides theocsp.responderCertSubjectName,ocsp.responderCertIssuerName, andocsp.responderCertSerialNumbersecurity properties.- Parameters:
cert- the responder's certificate
-
getOcspResponderCert
public X509Certificate getOcspResponderCert()
Gets the OCSP responder's certificate. This overrides theocsp.responderCertSubjectName,ocsp.responderCertIssuerName, andocsp.responderCertSerialNumbersecurity properties. If this parameter or the aforementioned properties are not set, then the responder's certificate is determined as specified in RFC 2560.- Returns:
- the responder's certificate, or
nullif not set
-
setOcspExtensions
public void setOcspExtensions(List<Extension> extensions)
Sets the optional OCSP request extensions.- Parameters:
extensions- a list of extensions. The list is copied to protect against subsequent modification.
-
getOcspExtensions
public List<Extension> getOcspExtensions()
Gets the optional OCSP request extensions.- Returns:
- an unmodifiable list of extensions. The list is empty if no extensions have been specified.
-
setOcspResponses
public void setOcspResponses(Map<X509Certificate,byte[]> responses)
Sets the OCSP responses. These responses are used to determine the revocation status of the specified certificates when OCSP is used.- Parameters:
responses- a map of OCSP responses. Each key is anX509Certificatethat maps to the corresponding DER-encoded OCSP response for that certificate. A deep copy of the map is performed to protect against subsequent modification.
-
getOcspResponses
public Map<X509Certificate,byte[]> getOcspResponses()
Gets the OCSP responses. These responses are used to determine the revocation status of the specified certificates when OCSP is used.- Returns:
- a map of OCSP responses. Each key is an
X509Certificatethat maps to the corresponding DER-encoded OCSP response for that certificate. A deep copy of the map is returned to protect against subsequent modification. Returns an empty map if no responses have been specified.
-
setOptions
public void setOptions(Set<PKIXRevocationChecker.Option> options)
Sets the revocation options.- Parameters:
options- a set of revocation options. The set is copied to protect against subsequent modification.
-
getOptions
public Set<PKIXRevocationChecker.Option> getOptions()
Gets the revocation options.- Returns:
- an unmodifiable set of revocation options. The set is empty if no options have been specified.
-
getSoftFailExceptions
public abstract List<CertPathValidatorException> getSoftFailExceptions()
Returns a list containing the exceptions that are ignored by the revocation checker when theSOFT_FAILoption is set. The list is cleared each timeinitis called. The list is ordered in ascending order according to the certificate index returned bygetIndexmethod of each entry.An implementation of
PKIXRevocationCheckeris responsible for adding the ignored exceptions to the list.- Returns:
- an unmodifiable list containing the ignored exceptions. The list is empty if no exceptions have been ignored.
-
-