Class PKIXRevocationChecker
- All Implemented Interfaces:
-
Cloneable
,CertPathChecker
public abstract class PKIXRevocationChecker extends PKIXCertPathChecker
PKIXCertPathChecker
for checking the revocation status of certificates with the PKIX algorithm. A PKIXRevocationChecker
checks the revocation status of certificates with the Online Certificate Status Protocol (OCSP) or Certificate Revocation Lists (CRLs). OCSP is described in RFC 2560 and is a network protocol for determining the status of a certificate. A CRL is a time-stamped list identifying revoked certificates, and RFC 5280 describes an algorithm for determining the revocation status of certificates using CRLs.
Each PKIXRevocationChecker
must be able to check the revocation status of certificates with OCSP and CRLs. By default, OCSP is the preferred mechanism for checking revocation status, with CRLs as the fallback mechanism. However, this preference can be switched to CRLs with the PREFER_CRLS
option. In addition, the fallback mechanism can be disabled with the NO_FALLBACK
option.
A PKIXRevocationChecker
is obtained by calling the getRevocationChecker
method of a PKIX CertPathValidator
. Additional parameters and options specific to revocation can be set (by calling the setOcspResponder
method for instance). The PKIXRevocationChecker
is added to a PKIXParameters
object using the addCertPathChecker
or setCertPathCheckers
method, and then the PKIXParameters
is passed along with the CertPath
to be validated to the validate
method of a PKIX CertPathValidator
. When supplying a revocation checker in this manner, it will be used to check revocation irrespective of the setting of the RevocationEnabled
flag. Similarly, a PKIXRevocationChecker
may be added to a PKIXBuilderParameters
object for use with a PKIX CertPathBuilder
.
Note that when a PKIXRevocationChecker
is added to PKIXParameters
, it clones the PKIXRevocationChecker
; thus any subsequent modifications to the PKIXRevocationChecker
have no effect.
Any parameter that is not set (or is set to null
) will be set to the default value for that parameter.
Concurrent Access
Unless otherwise specified, the methods defined in this class are not thread-safe. Multiple threads that need to access a single object concurrently should synchronize amongst themselves and provide the necessary locking. Multiple threads each manipulating separate objects need not synchronize.
Nested Class Summary
Modifier and Type | Class | Description |
---|---|---|
static enum |
PKIXRevocationChecker.Option |
Various revocation options that can be specified for the revocation checking mechanism. |
Constructor Summary
Modifier | Constructor | Description |
---|---|---|
protected |
Default constructor. |
Method Summary
Modifier and Type | Method | Description |
---|---|---|
PKIXRevocationChecker |
clone() |
Returns a clone of this object. |
List<Extension> |
getOcspExtensions() |
Gets the optional OCSP request extensions. |
URI |
getOcspResponder() |
Gets the URI that identifies the location of the OCSP responder. |
X509Certificate |
getOcspResponderCert() |
Gets the OCSP responder's certificate. |
Map<X509Certificate, |
getOcspResponses() |
Gets the OCSP responses. |
Set<PKIXRevocationChecker.Option> |
getOptions() |
Gets the revocation options. |
abstract List<CertPathValidatorException> |
getSoftFailExceptions() |
Returns a list containing the exceptions that are ignored by the revocation checker when the SOFT_FAIL option is set. |
void |
setOcspExtensions |
Sets the optional OCSP request extensions. |
void |
setOcspResponder |
Sets the URI that identifies the location of the OCSP responder. |
void |
setOcspResponderCert |
Sets the OCSP responder's certificate. |
void |
setOcspResponses |
Sets the OCSP responses. |
void |
setOptions |
Sets the revocation options. |
Methods declared in class java.security.cert.PKIXCertPathChecker
check, check, getSupportedExtensions, init, isForwardCheckingSupported
Constructor Details
PKIXRevocationChecker
protected PKIXRevocationChecker()
Method Details
setOcspResponder
public void setOcspResponder(URI uri)
ocsp.responderURL
security property and any responder specified in a certificate's Authority Information Access Extension, as defined in RFC 5280.- Parameters:
-
uri
- the responder URI
getOcspResponder
public URI getOcspResponder()
ocsp.responderURL
security property. If this parameter or the ocsp.responderURL
property is not set, the location is determined from the certificate's Authority Information Access Extension, as defined in RFC 5280.- Returns:
- the responder URI, or
null
if not set
setOcspResponderCert
public void setOcspResponderCert(X509Certificate cert)
ocsp.responderCertSubjectName
, ocsp.responderCertIssuerName
, and ocsp.responderCertSerialNumber
security properties.- Parameters:
-
cert
- the responder's certificate
getOcspResponderCert
public X509Certificate getOcspResponderCert()
ocsp.responderCertSubjectName
, ocsp.responderCertIssuerName
, and ocsp.responderCertSerialNumber
security properties. If this parameter or the aforementioned properties are not set, then the responder's certificate is determined as specified in RFC 2560.- Returns:
- the responder's certificate, or
null
if not set
setOcspExtensions
public void setOcspExtensions(List<Extension> extensions)
- Parameters:
-
extensions
- a list of extensions. The list is copied to protect against subsequent modification.
getOcspExtensions
public List<Extension> getOcspExtensions()
- Returns:
- an unmodifiable list of extensions. The list is empty if no extensions have been specified.
setOcspResponses
public void setOcspResponses(Map<X509Certificate,byte[]> responses)
- Parameters:
-
responses
- a map of OCSP responses. Each key is anX509Certificate
that maps to the corresponding DER-encoded OCSP response for that certificate. A deep copy of the map is performed to protect against subsequent modification.
getOcspResponses
public Map<X509Certificate,byte[]> getOcspResponses()
- Returns:
- a map of OCSP responses. Each key is an
X509Certificate
that maps to the corresponding DER-encoded OCSP response for that certificate. A deep copy of the map is returned to protect against subsequent modification. Returns an empty map if no responses have been specified.
setOptions
public void setOptions(Set<PKIXRevocationChecker.Option> options)
- Parameters:
-
options
- a set of revocation options. The set is copied to protect against subsequent modification.
getOptions
public Set<PKIXRevocationChecker.Option> getOptions()
- Returns:
- an unmodifiable set of revocation options. The set is empty if no options have been specified.
getSoftFailExceptions
public abstract List<CertPathValidatorException> getSoftFailExceptions()
SOFT_FAIL
option is set. The list is cleared each time init
is called. The list is ordered in ascending order according to the certificate index returned by getIndex
method of each entry. An implementation of PKIXRevocationChecker
is responsible for adding the ignored exceptions to the list.
- Returns:
- an unmodifiable list containing the ignored exceptions. The list is empty if no exceptions have been ignored.
clone
public PKIXRevocationChecker clone()
PKIXCertPathChecker
Object.clone()
method. All subclasses which maintain state must support and override this method, if necessary.- Overrides:
-
clone
in classPKIXCertPathChecker
- Returns:
- a copy of this
PKIXCertPathChecker
- See Also:
© 1993, 2021, Oracle and/or its affiliates. All rights reserved.
Documentation extracted from Debian's OpenJDK Development Kit package.
Licensed under the GNU General Public License, version 2, with the Classpath Exception.
Various third party code in OpenJDK is licensed under different licenses (see Debian package).
Java and OpenJDK are trademarks or registered trademarks of Oracle and/or its affiliates.
https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/security/cert/PKIXRevocationChecker.html