- java.lang.Object
-
- java.security.cert.X509CRLSelector
-
- All Implemented Interfaces:
Cloneable,CRLSelector
public class X509CRLSelector extends Object implements CRLSelector
ACRLSelectorthat selectsX509CRLsthat match all specified criteria. This class is particularly useful when selecting CRLs from aCertStoreto check revocation status of a particular certificate.When first constructed, an
X509CRLSelectorhas no criteria enabled and each of thegetmethods return a default value (null). Therefore, thematchmethod would returntruefor anyX509CRL. Typically, several criteria are enabled (by callingsetIssuersorsetDateAndTime, for instance) and then theX509CRLSelectoris passed toCertStore.getCRLsor some similar method.Please refer to RFC 5280: Internet X.509 Public Key Infrastructure Certificate and CRL Profile for definitions of the X.509 CRL fields and extensions mentioned below.
Concurrent Access
Unless otherwise specified, the methods defined in this class are not thread-safe. Multiple threads that need to access a single object concurrently should synchronize amongst themselves and provide the necessary locking. Multiple threads each manipulating separate objects need not synchronize.
- Since:
- 1.4
- See Also:
CRLSelector,X509CRL
-
-
Constructor Summary
Constructors Constructor Description X509CRLSelector()Creates anX509CRLSelector.
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description voidaddIssuer(X500Principal issuer)Adds a name to the issuerNames criterion.voidaddIssuerName(byte[] name)Adds a name to the issuerNames criterion.voidaddIssuerName(String name)Denigrated, use addIssuer(X500Principal) or addIssuerName(byte[]) instead.Objectclone()Returns a copy of this object.X509CertificategetCertificateChecking()Returns the certificate being checked.DategetDateAndTime()Returns the dateAndTime criterion.Collection<Object>getIssuerNames()Returns a copy of the issuerNames criterion.Collection<X500Principal>getIssuers()Returns the issuerNames criterion.BigIntegergetMaxCRL()Returns the maxCRLNumber criterion.BigIntegergetMinCRL()Returns the minCRLNumber criterion.booleanmatch(CRL crl)Decides whether aCRLshould be selected.voidsetCertificateChecking(X509Certificate cert)Sets the certificate being checked.voidsetDateAndTime(Date dateAndTime)Sets the dateAndTime criterion.voidsetIssuerNames(Collection<?> names)Note: use setIssuers(Collection) instead or only specify the byte array form of distinguished names when using this method.voidsetIssuers(Collection<X500Principal> issuers)Sets the issuerNames criterion.voidsetMaxCRLNumber(BigInteger maxCRL)Sets the maxCRLNumber criterion.voidsetMinCRLNumber(BigInteger minCRL)Sets the minCRLNumber criterion.StringtoString()Returns a printable representation of theX509CRLSelector.
-
-
-
Method Detail
-
setIssuers
public void setIssuers(Collection<X500Principal> issuers)
Sets the issuerNames criterion. The issuer distinguished name in theX509CRLmust match at least one of the specified distinguished names. Ifnull, any issuer distinguished name will do.This method allows the caller to specify, with a single method call, the complete set of issuer names which
X509CRLsmay contain. The specified value replaces the previous value for the issuerNames criterion.The
namesparameter (if notnull) is aCollectionofX500Principals.Note that the
namesparameter can contain duplicate distinguished names, but they may be removed from theCollectionof names returned by thegetIssuersmethod.Note that a copy is performed on the
Collectionto protect against subsequent modifications.- Parameters:
issuers- aCollectionof X500Principals (ornull)- Since:
- 1.5
- See Also:
getIssuers()
-
setIssuerNames
public void setIssuerNames(Collection<?> names) throws IOException
Note: use setIssuers(Collection) instead or only specify the byte array form of distinguished names when using this method. SeeaddIssuerName(String)for more information.Sets the issuerNames criterion. The issuer distinguished name in the
X509CRLmust match at least one of the specified distinguished names. Ifnull, any issuer distinguished name will do.This method allows the caller to specify, with a single method call, the complete set of issuer names which
X509CRLsmay contain. The specified value replaces the previous value for the issuerNames criterion.The
namesparameter (if notnull) is aCollectionof names. Each name is aStringor a byte array representing a distinguished name (in RFC 2253 or ASN.1 DER encoded form, respectively). Ifnullis supplied as the value for this argument, no issuerNames check will be performed.Note that the
namesparameter can contain duplicate distinguished names, but they may be removed from theCollectionof names returned by thegetIssuerNamesmethod.If a name is specified as a byte array, it should contain a single DER encoded distinguished name, as defined in X.501. The ASN.1 notation for this structure is as follows.
Name ::= CHOICE { RDNSequence } RDNSequence ::= SEQUENCE OF RelativeDistinguishedName RelativeDistinguishedName ::= SET SIZE (1 .. MAX) OF AttributeTypeAndValue AttributeTypeAndValue ::= SEQUENCE { type AttributeType, value AttributeValue } AttributeType ::= OBJECT IDENTIFIER AttributeValue ::= ANY DEFINED BY AttributeType .... DirectoryString ::= CHOICE { teletexString TeletexString (SIZE (1..MAX)), printableString PrintableString (SIZE (1..MAX)), universalString UniversalString (SIZE (1..MAX)), utf8String UTF8String (SIZE (1.. MAX)), bmpString BMPString (SIZE (1..MAX)) }Note that a deep copy is performed on the
Collectionto protect against subsequent modifications.- Parameters:
names- aCollectionof names (ornull)- Throws:
IOException- if a parsing error occurs- See Also:
getIssuerNames()
-
addIssuer
public void addIssuer(X500Principal issuer)
Adds a name to the issuerNames criterion. The issuer distinguished name in theX509CRLmust match at least one of the specified distinguished names.This method allows the caller to add a name to the set of issuer names which
X509CRLsmay contain. The specified name is added to any previous value for the issuerNames criterion. If the specified name is a duplicate, it may be ignored.- Parameters:
issuer- the issuer as X500Principal- Since:
- 1.5
-
addIssuerName
public void addIssuerName(String name) throws IOException
Denigrated, use addIssuer(X500Principal) or addIssuerName(byte[]) instead. This method should not be relied on as it can fail to match some CRLs because of a loss of encoding information in the RFC 2253 String form of some distinguished names.Adds a name to the issuerNames criterion. The issuer distinguished name in the
X509CRLmust match at least one of the specified distinguished names.This method allows the caller to add a name to the set of issuer names which
X509CRLsmay contain. The specified name is added to any previous value for the issuerNames criterion. If the specified name is a duplicate, it may be ignored.- Parameters:
name- the name in RFC 2253 form- Throws:
IOException- if a parsing error occurs
-
addIssuerName
public void addIssuerName(byte[] name) throws IOExceptionAdds a name to the issuerNames criterion. The issuer distinguished name in theX509CRLmust match at least one of the specified distinguished names.This method allows the caller to add a name to the set of issuer names which
X509CRLsmay contain. The specified name is added to any previous value for the issuerNames criterion. If the specified name is a duplicate, it may be ignored. If a name is specified as a byte array, it should contain a single DER encoded distinguished name, as defined in X.501. The ASN.1 notation for this structure is as follows.The name is provided as a byte array. This byte array should contain a single DER encoded distinguished name, as defined in X.501. The ASN.1 notation for this structure appears in the documentation for
setIssuerNames(Collection names).Note that the byte array supplied here is cloned to protect against subsequent modifications.
- Parameters:
name- a byte array containing the name in ASN.1 DER encoded form- Throws:
IOException- if a parsing error occurs
-
setMinCRLNumber
public void setMinCRLNumber(BigInteger minCRL)
Sets the minCRLNumber criterion. TheX509CRLmust have a CRL number extension whose value is greater than or equal to the specified value. Ifnull, no minCRLNumber check will be done.- Parameters:
minCRL- the minimum CRL number accepted (ornull)
-
setMaxCRLNumber
public void setMaxCRLNumber(BigInteger maxCRL)
Sets the maxCRLNumber criterion. TheX509CRLmust have a CRL number extension whose value is less than or equal to the specified value. Ifnull, no maxCRLNumber check will be done.- Parameters:
maxCRL- the maximum CRL number accepted (ornull)
-
setDateAndTime
public void setDateAndTime(Date dateAndTime)
Sets the dateAndTime criterion. The specified date must be equal to or later than the value of the thisUpdate component of theX509CRLand earlier than the value of the nextUpdate component. There is no match if theX509CRLdoes not contain a nextUpdate component. Ifnull, no dateAndTime check will be done.Note that the
Datesupplied here is cloned to protect against subsequent modifications.- Parameters:
dateAndTime- theDateto match against (ornull)- See Also:
getDateAndTime()
-
setCertificateChecking
public void setCertificateChecking(X509Certificate cert)
Sets the certificate being checked. This is not a criterion. Rather, it is optional information that may help aCertStorefind CRLs that would be relevant when checking revocation for the specified certificate. Ifnullis specified, then no such optional information is provided.- Parameters:
cert- theX509Certificatebeing checked (ornull)- See Also:
getCertificateChecking()
-
getIssuers
public Collection<X500Principal> getIssuers()
Returns the issuerNames criterion. The issuer distinguished name in theX509CRLmust match at least one of the specified distinguished names. If the value returned isnull, any issuer distinguished name will do.If the value returned is not
null, it is a unmodifiableCollectionofX500Principals.- Returns:
- an unmodifiable
Collectionof names (ornull) - Since:
- 1.5
- See Also:
setIssuers(java.util.Collection<javax.security.auth.x500.X500Principal>)
-
getIssuerNames
public Collection<Object> getIssuerNames()
Returns a copy of the issuerNames criterion. The issuer distinguished name in theX509CRLmust match at least one of the specified distinguished names. If the value returned isnull, any issuer distinguished name will do.If the value returned is not
null, it is aCollectionof names. Each name is aStringor a byte array representing a distinguished name (in RFC 2253 or ASN.1 DER encoded form, respectively). Note that theCollectionreturned may contain duplicate names.If a name is specified as a byte array, it should contain a single DER encoded distinguished name, as defined in X.501. The ASN.1 notation for this structure is given in the documentation for
setIssuerNames(Collection names).Note that a deep copy is performed on the
Collectionto protect against subsequent modifications.- Returns:
- a
Collectionof names (ornull) - See Also:
setIssuerNames(java.util.Collection<?>)
-
getMinCRL
public BigInteger getMinCRL()
Returns the minCRLNumber criterion. TheX509CRLmust have a CRL number extension whose value is greater than or equal to the specified value. Ifnull, no minCRLNumber check will be done.- Returns:
- the minimum CRL number accepted (or
null)
-
getMaxCRL
public BigInteger getMaxCRL()
Returns the maxCRLNumber criterion. TheX509CRLmust have a CRL number extension whose value is less than or equal to the specified value. Ifnull, no maxCRLNumber check will be done.- Returns:
- the maximum CRL number accepted (or
null)
-
getDateAndTime
public Date getDateAndTime()
Returns the dateAndTime criterion. The specified date must be equal to or later than the value of the thisUpdate component of theX509CRLand earlier than the value of the nextUpdate component. There is no match if theX509CRLdoes not contain a nextUpdate component. Ifnull, no dateAndTime check will be done.Note that the
Datereturned is cloned to protect against subsequent modifications.- Returns:
- the
Dateto match against (ornull) - See Also:
setDateAndTime(java.util.Date)
-
getCertificateChecking
public X509Certificate getCertificateChecking()
Returns the certificate being checked. This is not a criterion. Rather, it is optional information that may help aCertStorefind CRLs that would be relevant when checking revocation for the specified certificate. If the value returned isnull, then no such optional information is provided.- Returns:
- the certificate being checked (or
null) - See Also:
setCertificateChecking(java.security.cert.X509Certificate)
-
toString
public String toString()
Returns a printable representation of theX509CRLSelector.
-
match
public boolean match(CRL crl)
Decides whether aCRLshould be selected.- Specified by:
matchin interfaceCRLSelector- Parameters:
crl- theCRLto be checked- Returns:
trueif theCRLshould be selected,falseotherwise
-
-