A PKIXCertPathChecker for checking the revocation status of certificates with the PKIX algorithm.

A PKIXRevocationChecker checks the revocation status of certificates with the Online Certificate Status Protocol (OCSP) or Certificate Revocation Lists (CRLs). OCSP is described in RFC 2560 and is a network protocol for determining the status of a certificate. A CRL is a time-stamped list identifying revoked certificates, and RFC 5280 describes an algorithm for determining the revocation status of certificates using CRLs.

Each PKIXRevocationChecker must be able to check the revocation status of certificates with OCSP and CRLs. By default, OCSP is the preferred mechanism for checking revocation status, with CRLs as the fallback mechanism. However, this preference can be switched to CRLs with the PREFER_CRLS option. In addition, the fallback mechanism can be disabled with the NO_FALLBACK option.

A PKIXRevocationChecker is obtained by calling the getRevocationChecker method of a PKIX CertPathValidator. Additional parameters and options specific to revocation can be set (by calling the setOcspResponder method for instance). The PKIXRevocationChecker is added to a PKIXParameters object using the addCertPathChecker or setCertPathCheckers method, and then the PKIXParameters is passed along with the CertPath to be validated to the validate method of a PKIX CertPathValidator. When supplying a revocation checker in this manner, it will be used to check revocation irrespective of the setting of the RevocationEnabled flag, and will override the default revocation checking mechanism of the PKIX service provider. Similarly, a PKIXRevocationChecker may be added to a PKIXBuilderParameters object for use with a PKIX CertPathBuilder.

Note that when a PKIXRevocationChecker is added to PKIXParameters, it clones the PKIXRevocationChecker; thus any subsequent modifications to the PKIXRevocationChecker have no effect.

Any parameter that is not set (or is set to null) will be set to the default value for that parameter.

Concurrent Access

Unless otherwise specified, the methods defined in this class are not thread-safe. Multiple threads that need to access a single object concurrently should synchronize amongst themselves and provide the necessary locking. Multiple threads each manipulating separate objects need not synchronize.

Nested and Inner Type Summary

Modifier and Type	Class and Description
public static enum	PKIXRevocationChecker.Option Various revocation options that can be specified for the revocation checking mechanism.

Modifier and Type	Field and Description
private List<Extension>	ocspExtensions
private URI	ocspResponder
private X509Certificate	ocspResponderCert
private Map<X509Certificate, byte[]>	ocspResponses
private Set<PKIXRevocationChecker.Option>	options

Access	Constructor and Description
protected	PKIXRevocationChecker() Default constructor.

Method Summary

Modifier and Type	Method and Description
public PKIXRevocationChecker	clone() Overrides java.security.cert.PKIXCertPathChecker.clone. Returns a clone of this object.
public List<Extension>	Returns: an unmodifiable list of extensions. The list is empty if no extensions have been specified. getOcspExtensions() Gets the optional OCSP request extensions.
public URI	Returns: the responder URI, or `null` if not set getOcspResponder() Gets the URI that identifies the location of the OCSP responder.
public X509Certificate	Returns: the responder's certificate, or `null` if not set getOcspResponderCert() Gets the OCSP responder's certificate.
public Map<X509Certificate, byte[]>	Returns: a map of OCSP responses. Each key is an `X509Certificate` that maps to the corresponding DER-encoded OCSP response for that certificate. A deep copy of the map is returned to protect against subsequent modification. Returns an empty map if no responses have been specified. getOcspResponses() Gets the OCSP responses.
public Set<PKIXRevocationChecker.Option>	Returns: an unmodifiable set of revocation options. The set is empty if no options have been specified. getOptions() Gets the revocation options.
public abstract List<CertPathValidatorException>	Returns: an unmodifiable list containing the ignored exceptions. The list is empty if no exceptions have been ignored. getSoftFailExceptions() Returns a list containing the exceptions that are ignored by the revocation checker when the `SOFT_FAIL` option is set.
public void	setOcspExtensions(List<Extension> a list of extensions. The list is copied to protect against subsequent modification. extensions) Sets the optional OCSP request extensions.
public void	setOcspResponder(URI the responder URI uri) Sets the URI that identifies the location of the OCSP responder.
public void	setOcspResponderCert(X509Certificate the responder's certificate cert) Sets the OCSP responder's certificate.
public void	setOcspResponses(Map<X509Certificate, byte[]> a map of OCSP responses. Each key is an `X509Certificate` that maps to the corresponding DER-encoded OCSP response for that certificate. A deep copy of the map is performed to protect against subsequent modification. responses) Sets the OCSP responses.
public void	setOptions(Set<PKIXRevocationChecker.Option> a set of revocation options. The set is copied to protect against subsequent modification. options) Sets the revocation options.

Inherited from java.security.cert.PKIXCertPathChecker:: check check getSupportedExtensions init isForwardCheckingSupported

Field Detail

ocspExtensions	back to summary
private List<Extension> ocspExtensions

ocspResponder	back to summary
private URI ocspResponder

ocspResponderCert	back to summary
private X509Certificate ocspResponderCert

ocspResponses	back to summary
private Map<X509Certificate, byte[]> ocspResponses

options	back to summary
private Set<PKIXRevocationChecker.Option> options

Constructor Detail

PKIXRevocationChecker	back to summary
protected PKIXRevocationChecker() Default constructor.

Method Detail

clone back to summary

clone	back to summary
public PKIXRevocationChecker clone() Overrides java.security.cert.PKIXCertPathChecker.clone. Doc from java.security.cert.PKIXCertPathChecker.clone. Returns a clone of this object. Calls the `Object.clone()` method. All subclasses which maintain state must support and override this method, if necessary. Returns:PKIXRevocationChecker a copy of this `PKIXCertPathChecker` Annotations @Override

public PKIXRevocationChecker clone()

Overrides java.security.cert.PKIXCertPathChecker.clone.

Doc from java.security.cert.PKIXCertPathChecker.clone.

Returns a clone of this object. Calls the Object.clone() method. All subclasses which maintain state must support and override this method, if necessary.

Returns:PKIXRevocationChecker

a copy of this PKIXCertPathChecker

Annotations

@Override

getOcspExtensions	back to summary
public List<Extension> getOcspExtensions() Gets the optional OCSP request extensions. Returns:List<Extension> an unmodifiable list of extensions. The list is empty if no extensions have been specified.

getOcspExtensions

back to summary

public List<Extension> getOcspExtensions()

Gets the optional OCSP request extensions.

Returns:List<Extension>: an unmodifiable list of extensions. The list is empty if no extensions have been specified.

getOcspResponder back to summary

getOcspResponder	back to summary
public URI getOcspResponder() Gets the URI that identifies the location of the OCSP responder. This overrides the `ocsp.responderURL` security property. If this parameter or the `ocsp.responderURL` property is not set, the location is determined from the certificate's Authority Information Access Extension, as defined in RFC 5280. Returns:URI the responder URI, or `null` if not set

public URI getOcspResponder()

Gets the URI that identifies the location of the OCSP responder. This overrides the ocsp.responderURL security property. If this parameter or the ocsp.responderURL property is not set, the location is determined from the certificate's Authority Information Access Extension, as defined in RFC 5280.

Returns:URI: the responder URI, or null if not set

getOcspResponderCert back to summary

getOcspResponderCert	back to summary
public X509Certificate getOcspResponderCert() Gets the OCSP responder's certificate. This overrides the `ocsp.responderCertSubjectName`, `ocsp.responderCertIssuerName`, and `ocsp.responderCertSerialNumber` security properties. If this parameter or the aforementioned properties are not set, then the responder's certificate is determined as specified in RFC 2560. Returns:X509Certificate the responder's certificate, or `null` if not set

public X509Certificate getOcspResponderCert()

Gets the OCSP responder's certificate. This overrides the ocsp.responderCertSubjectName, ocsp.responderCertIssuerName, and ocsp.responderCertSerialNumber security properties. If this parameter or the aforementioned properties are not set, then the responder's certificate is determined as specified in RFC 2560.

Returns:X509Certificate: the responder's certificate, or null if not set

getOcspResponses back to summary

getOcspResponses	back to summary
public Map<X509Certificate, byte[]> getOcspResponses() Gets the OCSP responses. These responses are used to determine the revocation status of the specified certificates when OCSP is used. Returns:Map<X509Certificate, byte[]> a map of OCSP responses. Each key is an `X509Certificate` that maps to the corresponding DER-encoded OCSP response for that certificate. A deep copy of the map is returned to protect against subsequent modification. Returns an empty map if no responses have been specified.

public Map<X509Certificate, byte[]> getOcspResponses()

Gets the OCSP responses. These responses are used to determine the revocation status of the specified certificates when OCSP is used.

Returns:Map<X509Certificate, byte[]>: a map of OCSP responses. Each key is an X509Certificate that maps to the corresponding DER-encoded OCSP response for that certificate. A deep copy of the map is returned to protect against subsequent modification. Returns an empty map if no responses have been specified.

getOptions	back to summary
public Set<PKIXRevocationChecker.Option> getOptions() Gets the revocation options. Returns:Set<PKIXRevocationChecker.Option> an unmodifiable set of revocation options. The set is empty if no options have been specified.

getOptions

back to summary

public Set<PKIXRevocationChecker.Option> getOptions()

Gets the revocation options.

Returns:Set<PKIXRevocationChecker.Option>: an unmodifiable set of revocation options. The set is empty if no options have been specified.

getSoftFailExceptions back to summary

getSoftFailExceptions	back to summary
public abstract List<CertPathValidatorException> getSoftFailExceptions() Returns a list containing the exceptions that are ignored by the revocation checker when the `SOFT_FAIL` option is set. The list is cleared each time `init` is called. The list is ordered in ascending order according to the certificate index returned by `getIndex` method of each entry. An implementation of `PKIXRevocationChecker` is responsible for adding the ignored exceptions to the list. Returns:List<CertPathValidatorException> an unmodifiable list containing the ignored exceptions. The list is empty if no exceptions have been ignored.

public abstract List<CertPathValidatorException> getSoftFailExceptions()

Returns a list containing the exceptions that are ignored by the revocation checker when the SOFT_FAIL option is set. The list is cleared each time init is called. The list is ordered in ascending order according to the certificate index returned by getIndex method of each entry.

An implementation of PKIXRevocationChecker is responsible for adding the ignored exceptions to the list.

Returns:List<CertPathValidatorException>: an unmodifiable list containing the ignored exceptions. The list is empty if no exceptions have been ignored.

setOcspExtensions	back to summary
public void setOcspExtensions(List<Extension> extensions) Sets the optional OCSP request extensions. Parameters extensions:List<Extension> a list of extensions. The list is copied to protect against subsequent modification.

setOcspExtensions

back to summary

public void setOcspExtensions(List<Extension> extensions)

Sets the optional OCSP request extensions.

Parameters

extensions:List<Extension>: a list of extensions. The list is copied to protect against subsequent modification.

setOcspResponder back to summary

setOcspResponder	back to summary
public void setOcspResponder(URI uri) Sets the URI that identifies the location of the OCSP responder. This overrides the `ocsp.responderURL` security property and any responder specified in a certificate's Authority Information Access Extension, as defined in RFC 5280. Parameters uri:URI the responder URI

public void setOcspResponder(URI uri)

Sets the URI that identifies the location of the OCSP responder. This overrides the ocsp.responderURL security property and any responder specified in a certificate's Authority Information Access Extension, as defined in RFC 5280.

Parameters

uri:URI: the responder URI

setOcspResponderCert back to summary

setOcspResponderCert	back to summary
public void setOcspResponderCert(X509Certificate cert) Sets the OCSP responder's certificate. This overrides the `ocsp.responderCertSubjectName`, `ocsp.responderCertIssuerName`, and `ocsp.responderCertSerialNumber` security properties. Parameters cert:X509Certificate the responder's certificate

public void setOcspResponderCert(X509Certificate cert)

Sets the OCSP responder's certificate. This overrides the ocsp.responderCertSubjectName, ocsp.responderCertIssuerName, and ocsp.responderCertSerialNumber security properties.

Parameters

cert:X509Certificate: the responder's certificate

setOcspResponses back to summary

setOcspResponses	back to summary
public void setOcspResponses(Map<X509Certificate, byte[]> responses) Sets the OCSP responses. These responses are used to determine the revocation status of the specified certificates when OCSP is used. Parameters responses:Map<X509Certificate, byte[]> a map of OCSP responses. Each key is an `X509Certificate` that maps to the corresponding DER-encoded OCSP response for that certificate. A deep copy of the map is performed to protect against subsequent modification.

public void setOcspResponses(Map<X509Certificate, byte[]> responses)

Sets the OCSP responses. These responses are used to determine the revocation status of the specified certificates when OCSP is used.

Parameters

responses:Map<X509Certificate, byte[]>: a map of OCSP responses. Each key is an X509Certificate that maps to the corresponding DER-encoded OCSP response for that certificate. A deep copy of the map is performed to protect against subsequent modification.

setOptions	back to summary
public void setOptions(Set<PKIXRevocationChecker.Option> options) Sets the revocation options. Parameters options:Set<PKIXRevocationChecker.Option> a set of revocation options. The set is copied to protect against subsequent modification.

setOptions

back to summary

public void setOptions(Set<PKIXRevocationChecker.Option> options)

Sets the revocation options.

Parameters

options:Set<PKIXRevocationChecker.Option>: a set of revocation options. The set is copied to protect against subsequent modification.

java.security.cert back to summary

public final Enum PKIXRevocationChecker.Option

Class Inheritance

extends Enum<PKIXRevocationChecker.Option>

java.lang.Object
java.lang.Enum
java.security.cert.PKIXRevocationChecker.Option

Various revocation options that can be specified for the revocation checking mechanism.

Field Summary

Modifier and Type	Field and Description
public static final PKIXRevocationChecker.Option	NO_FALLBACK Disable the fallback mechanism.
public static final PKIXRevocationChecker.Option	ONLY_END_ENTITY Only check the revocation status of end-entity certificates.
public static final PKIXRevocationChecker.Option	PREFER_CRLS Prefer CRLs to OSCP.
public static final PKIXRevocationChecker.Option	SOFT_FAIL Allow revocation check to succeed if the revocation status cannot be determined for one of the following reasons: The CRL or OCSP response cannot be obtained because of a network error. The OCSP responder returns one of the following errors specified in section 2.3 of RFC 2560: internalError or tryLater.

Constructor Summary

Access	Constructor and Description
private	Option()

Method Summary

Modifier and Type	Method and Description
public static PKIXRevocationChecker.Option	valueOf(String name)
public static PKIXRevocationChecker.Option[]	values()

Inherited from java.lang.Enum:: clone compareTo describeConstable equals finalize getDeclaringClass hashCode name ordinal toString valueOf

Field Detail

NO_FALLBACK	back to summary
public static final PKIXRevocationChecker.Option NO_FALLBACK Disable the fallback mechanism.

ONLY_END_ENTITY	back to summary
public static final PKIXRevocationChecker.Option ONLY_END_ENTITY Only check the revocation status of end-entity certificates.

PREFER_CRLS	back to summary
public static final PKIXRevocationChecker.Option PREFER_CRLS Prefer CRLs to OSCP. The default behavior is to prefer OCSP. Each PKIX implementation should document further details of their specific preference rules and fallback policies.

SOFT_FAIL back to summary

SOFT_FAIL	back to summary
public static final PKIXRevocationChecker.Option SOFT_FAIL Allow revocation check to succeed if the revocation status cannot be determined for one of the following reasons: The CRL or OCSP response cannot be obtained because of a network error. The OCSP responder returns one of the following errors specified in section 2.3 of RFC 2560: internalError or tryLater. Note that these conditions apply to both OCSP and CRLs, and unless the `NO_FALLBACK` option is set, the revocation check is allowed to succeed only if both mechanisms fail under one of the conditions as stated above. Exceptions that cause the network errors are ignored but can be later retrieved by calling the `getSoftFailExceptions` method.

public static final PKIXRevocationChecker.Option SOFT_FAIL

Allow revocation check to succeed if the revocation status cannot be determined for one of the following reasons:

The CRL or OCSP response cannot be obtained because of a network error.
The OCSP responder returns one of the following errors specified in section 2.3 of RFC 2560: internalError or tryLater.

Note that these conditions apply to both OCSP and CRLs, and unless the NO_FALLBACK option is set, the revocation check is allowed to succeed only if both mechanisms fail under one of the conditions as stated above. Exceptions that cause the network errors are ignored but can be later retrieved by calling the getSoftFailExceptions method.

Constructor Detail

Option	back to summary
private Option()

Method Detail

valueOf	back to summary
public static PKIXRevocationChecker.Option valueOf(String name)

values	back to summary
public static PKIXRevocationChecker.Option[] values()

public abstract Class PKIXRevocationChecker

Nested and Inner Type Summary

Field Summary

Constructor Summary

Method Summary

Field Detail

Constructor Detail

Method Detail

public final Enum PKIXRevocationChecker.Option

Field Summary

Constructor Summary

Method Summary

Field Detail

Constructor Detail

Method Detail