java.security.cert
Class X509CRLSelector
- java.lang.Object
java.security.cert.X509CRLSelector
- public class X509CRLSelector
- extends Object
- implements CRLSelector
A CRLSelector that selects X509CRLs that match all specified criteria. This class is particularly useful when selecting CRLs from a CertStore to check revocation status of a particular certificate.
When first constructed, an X509CRLSelector has no criteria enabled and each of the get methods returns a default value (null). Therefore, the match method would return true for any X509CRL. Typically, several criteria are enabled (by calling setIssuerNames or setDateAndTime, for instance) and then the X509CRLSelector is passed to CertStore.getCRLs or some similar method.
Please refer to RFC 2459 for definitions of the X.509 CRL fields and extensions mentioned below.
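The typical use described above, as an added example that is not part of the JDK documentation: criteria are enabled on a fresh selector, which is then passed to CertStore.getCRLs. Because the selector only filters on CRL fields, the example also verifies each returned CRL's signature before trusting it. The class name CrlLookup, the command-line arguments and the use of the last seen CRL number as the minCRLNumber value are assumptions.

```java
import java.io.InputStream;
import java.math.BigInteger;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.util.*;

public class CrlLookup {
    // Usage (hypothetical): java CrlLookup <cert> <issuerCaCert> <lastSeenCrlNumber> <crl> [<crl> ...]
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert = (X509Certificate) load(cf, args[0], false);
        X509Certificate issuerCa = (X509Certificate) load(cf, args[1], false);

        // In-memory CertStore holding every CRL file named on the command line.
        List<Object> crls = new ArrayList<>();
        for (int i = 3; i < args.length; i++) crls.add(load(cf, args[i], true));
        CertStore store = CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls));

        X509CRLSelector sel = new X509CRLSelector();   // no criteria yet: would match any X509CRL
        sel.setIssuers(Collections.singleton(cert.getIssuerX500Principal()));
        sel.setDateAndTime(new Date());                // CRLs without nextUpdate never match
        sel.setMinCRLNumber(new BigInteger(args[2]));  // skip CRLs older than the last one seen
        sel.setCertificateChecking(cert);              // optional hint for the CertStore

        boolean checked = false;
        for (CRL c : store.getCRLs(sel)) {
            X509CRL crl = (X509CRL) c;
            try {
                crl.verify(issuerCa.getPublicKey());   // the selector does not check signatures
            } catch (GeneralSecurityException e) {
                System.out.println("skipping CRL with bad signature: " + e.getMessage());
                continue;
            }
            checked = true;
            System.out.println("thisUpdate=" + crl.getThisUpdate() + " revoked=" + crl.isRevoked(cert));
        }
        // An empty result means the status is unknown, not that the certificate is good.
        if (!checked) System.out.println("no usable CRL: revocation status unknown");
    }

    static Object load(CertificateFactory cf, String path, boolean isCrl) throws Exception {
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            return isCrl ? cf.generateCRL(in) : cf.generateCertificate(in);
        }
    }
}
```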
Concurrent Access
Unless otherwise specified, the methods defined in this class are not thread-safe. Multiple threads that need to access a single object concurrently should synchronize amongst themselves and provide the necessary locking. Multiple threads each manipulating separate objects need not synchronize.
Constructor Summary
Constructor and Description |
---|
X509CRLSelector() Creates an X509CRLSelector. |
Method Summary
Modifier and Type | Method and Description |
---|---|
void | addIssuer(X500Principal issuer) Adds a name to the issuerNames criterion. |
void | addIssuerName(byte[] name) Adds a name to the issuerNames criterion. |
void | addIssuerName(String name) Denigrated, use addIssuer(X500Principal) or addIssuerName(byte[]) instead. |
Object | clone() Returns a copy of this object. |
X509Certificate | getCertificateChecking() Returns the certificate being checked. |
Date | getDateAndTime() Returns the dateAndTime criterion. |
Collection<Object> | getIssuerNames() Returns a copy of the issuerNames criterion. |
Collection<X500Principal> | getIssuers() Returns the issuerNames criterion. |
BigInteger | getMaxCRL() Returns the maxCRLNumber criterion. |
BigInteger | getMinCRL() Returns the minCRLNumber criterion. |
boolean | match(CRL crl) Decides whether a CRL should be selected. |
void | setCertificateChecking(X509Certificate cert) Sets the certificate being checked. |
void | setDateAndTime(Date dateAndTime) Sets the dateAndTime criterion. |
void | setIssuerNames(Collection<?> names) Note: use setIssuers(Collection) instead or only specify the byte array form of distinguished names when using this method. |
void | setIssuers(Collection<X500Principal> issuers) Sets the issuerNames criterion. |
void | setMaxCRLNumber(BigInteger maxCRL) Sets the maxCRLNumber criterion. |
void | setMinCRLNumber(BigInteger minCRL) Sets the minCRLNumber criterion. |
String | toString() Returns a printable representation of the X509CRLSelector. |
Methods inherited from class java.lang.Object |
---|
equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait |
Constructor Detail
X509CRLSelector
- public X509CRLSelector()
Creates an X509CRLSelector. Initially, no criteria are set so any X509CRL will match.
Method Detail
setIssuerNames
- public void setIssuerNames(Collection<?> names)
- throws IOException
Note: use setIssuers(Collection) instead or only specify the byte array form of distinguished names when using this method. See addIssuerName(String) for more information.
Sets the issuerNames criterion. The issuer distinguished name in the X509CRL must match at least one of the specified distinguished names. If null, any issuer distinguished name will do.
This method allows the caller to specify, with a single method call, the complete set of issuer names which X509CRLs may contain. The specified value replaces the previous value for the issuerNames criterion.
The names parameter (if not null) is a Collection of names. Each name is a String or a byte array representing a distinguished name (in RFC 2253 or ASN.1 DER encoded form, respectively). If null is supplied as the value for this argument, no issuerNames check will be performed.
Note that the names parameter can contain duplicate distinguished names, but they may be removed from the Collection of names returned by the getIssuerNames method.
If a name is specified as a byte array, it should contain a single DER encoded distinguished name, as defined in X.501. The ASN.1 notation for this structure is as follows.
    Name ::= CHOICE {
      RDNSequence }

    RDNSequence ::= SEQUENCE OF RelativeDistinguishedName

    RelativeDistinguishedName ::=
      SET SIZE (1 .. MAX) OF AttributeTypeAndValue

    AttributeTypeAndValue ::= SEQUENCE {
      type     AttributeType,
      value    AttributeValue }

    AttributeType ::= OBJECT IDENTIFIER

    AttributeValue ::= ANY DEFINED BY AttributeType
    ....
    DirectoryString ::= CHOICE {
      teletexString     TeletexString (SIZE (1..MAX)),
      printableString   PrintableString (SIZE (1..MAX)),
      universalString   UniversalString (SIZE (1..MAX)),
      utf8String        UTF8String (SIZE (1..MAX)),
      bmpString         BMPString (SIZE (1..MAX)) }
Note that a deep copy is performed on the Collection to protect against subsequent modifications.
names - a Collection of names (or null)
IOException - if a parsing error occurs
setIssuers
- public void setIssuers(Collection<X500Principal> issuers)
Sets the issuerNames criterion. The issuer distinguished name in the X509CRL must match at least one of the specified distinguished names. If null, any issuer distinguished name will do.
This method allows the caller to specify, with a single method call, the complete set of issuer names which X509CRLs may contain. The specified value replaces the previous value for the issuerNames criterion.
The names parameter (if not null) is a Collection of X500Principals.
Note that the names parameter can contain duplicate distinguished names, but they may be removed from the Collection of names returned by the getIssuers method.
Note that a copy is performed on the Collection to protect against subsequent modifications.
addIssuerName
- public void addIssuerName(String name)
- throws IOException
Adds a name to the issuerNames criterion. The issuer distinguished name in the X509CRL must match at least one of the specified distinguished names.
This method allows the caller to add a name to the set of issuer names which X509CRLs may contain. The specified name is added to any previous value for the issuerNames criterion. If the specified name is a duplicate, it may be ignored.
addIssuerName
- public void addIssuerName(byte[] name)
- throws IOException
Adds a name to the issuerNames criterion. The issuer distinguished name in the X509CRL must match at least one of the specified distinguished names.
This method allows the caller to add a name to the set of issuer names which X509CRLs may contain. The specified name is added to any previous value for the issuerNames criterion. If the specified name is a duplicate, it may be ignored.
The name is provided as a byte array. This byte array should contain a single DER encoded distinguished name, as defined in X.501. The ASN.1 notation for this structure appears in the documentation for setIssuerNames(Collection names).
Note that the byte array supplied here is cloned to protect against subsequent modifications.
name - a byte array containing the name in ASN.1 DER encoded form
IOException - if a parsing error occurs
addIssuer
- public void addIssuer(X500Principal issuer)
Adds a name to the issuerNames criterion. The issuer distinguished name in the X509CRL must match at least one of the specified distinguished names.
This method allows the caller to add a name to the set of issuer names which X509CRLs may contain. The specified name is added to any previous value for the issuerNames criterion. If the specified name is a duplicate, it may be ignored.
issuer - the issuer as X500Principal
setMinCRLNumber
- public void setMinCRLNumber(BigInteger minCRL)
Sets the minCRLNumber criterion. The X509CRL must have a CRL number extension whose value is greater than or equal to the specified value. If null, no minCRLNumber check will be done.
minCRL - the minimum CRL number accepted (or null)
setMaxCRLNumber
- public void setMaxCRLNumber(BigInteger maxCRL)
Sets the maxCRLNumber criterion. The X509CRL must have a CRL number extension whose value is less than or equal to the specified value. If null, no maxCRLNumber check will be done.
maxCRL - the maximum CRL number accepted (or null)
setDateAndTime
- public void setDateAndTime(Date dateAndTime)
X509CRL and earlier than the value of the nextUpdate component. There is no match if the X509CRL does not contain a nextUpdate component. If null, no dateAndTime check will be done.
Note that the Date supplied here is cloned to protect against subsequent modifications.
dateAndTime - the Date to match against (or null)
setCertificateChecking
- public void setCertificateChecking(X509Certificate cert)
CertStore find CRLs that would be relevant when checking revocation for the specified certificate. If null is specified, then no such optional information is provided.
getIssuerNames
- public Collection<Object> getIssuerNames()
Returns a copy of the issuerNames criterion. The issuer distinguished name in the X509CRL must match at least one of the specified distinguished names. If the value returned is null, any issuer distinguished name will do.
If the value returned is not null, it is a Collection of names. Each name is a String or a byte array representing a distinguished name (in RFC 2253 or ASN.1 DER encoded form, respectively). Note that the Collection returned may contain duplicate names.
If a name is specified as a byte array, it should contain a single DER encoded distinguished name, as defined in X.501. The ASN.1 notation for this structure is given in the documentation for setIssuerNames(Collection names).
Note that a deep copy is performed on the Collection to protect against subsequent modifications.
a Collection with one entry per name (or null)
getIssuers
- public Collection<X500Principal> getIssuers()
Returns the issuerNames criterion. The issuer distinguished name in the X509CRL must match at least one of the specified distinguished names. If the value returned is null, any issuer distinguished name will do.
If the value returned is not null, it is an unmodifiable Collection of X500Principals.
Collection of names (or null)
getMinCRL
- public BigInteger getMinCRL()
Returns the minCRLNumber criterion. The X509CRL must have a CRL number extension whose value is greater than or equal to the specified value. If null, no minCRLNumber check will be done.
the minimum CRL number accepted (or null)
getMaxCRL
- public BigInteger getMaxCRL()
Returns the maxCRLNumber criterion. The X509CRL must have a CRL number extension whose value is less than or equal to the specified value. If null, no maxCRLNumber check will be done.
the maximum CRL number accepted (or null)
getDateAndTime
- public Date getDateAndTime()
X509CRL and earlier than the value of the nextUpdate component. There is no match if the X509CRL does not contain a nextUpdate component. If null, no dateAndTime check will be done.
Note that the Date returned is cloned to protect against subsequent modifications.
getCertificateChecking
- public X509Certificate getCertificateChecking()
CertStore find CRLs that would be relevant when checking revocation for the specified certificate. If the value returned is null, then no such optional information is provided.
the certificate being checked (or null)
toString
- public String toString()
Returns a printable representation of the X509CRLSelector.
a String describing the contents of the X509CRLSelector
match
- public boolean match(CRL crl)
Decides whether a CRL should be selected.
match in interface CRLSelector
crl - the CRL to be checked
true if the CRL should be selected, false otherwise
clone
- public Object clone()
Returns a copy of this object.