public abstract class PKIXRevocationChecker extends PKIXCertPathChecker
PKIXCertPathCheckerfor checking the revocation status of certificates with the PKIX algorithm.
PKIXRevocationChecker checks the revocation status of
certificates with the Online Certificate Status Protocol (OCSP) or
Certificate Revocation Lists (CRLs). OCSP is described in RFC 2560 and
is a network protocol for determining the status of a certificate. A CRL
is a time-stamped list identifying revoked certificates, and RFC 5280
describes an algorithm for determining the revocation status of certificates
PKIXRevocationChecker must be able to check the revocation
status of certificates with OCSP and CRLs. By default, OCSP is the
preferred mechanism for checking revocation status, with CRLs as the
fallback mechanism. However, this preference can be switched to CRLs with
PREFER_CRLS option. In addition, the fallback
mechanism can be disabled with the
PKIXRevocationChecker is obtained by calling the
of a PKIX
CertPathValidator. Additional parameters and options
specific to revocation can be set (by calling the
setOcspResponder method for instance). The
PKIXRevocationChecker is added to a
and then the
PKIXParameters is passed along with the
to be validated to the
of a PKIX
CertPathValidator. When supplying a revocation checker in
this manner, it will be used to check revocation irrespective of the setting
PKIXRevocationChecker may be added to a
PKIXBuilderParameters object for use with a PKIX
Note that when a
PKIXRevocationChecker is added to
PKIXParameters, it clones the
thus any subsequent modifications to the
have no effect.
Any parameter that is not set (or is set to
null) will be set to
the default value for that parameter.
Unless otherwise specified, the methods defined in this class are not thread-safe. Multiple threads that need to access a single object concurrently should synchronize amongst themselves and provide the necessary locking. Multiple threads each manipulating separate objects need not synchronize.
|Modifier and Type||Class and Description|
Various revocation options that can be specified for the revocation checking mechanism.
|Modifier||Constructor and Description|
|Modifier and Type||Method and Description|
Returns a clone of this object.
Gets the optional OCSP request extensions.
Gets the URI that identifies the location of the OCSP responder.
Gets the OCSP responder's certificate.
Gets the OCSP responses.
Gets the revocation options.
Returns a list containing the exceptions that are ignored by the revocation checker when the
Sets the optional OCSP request extensions.
Sets the URI that identifies the location of the OCSP responder.
Sets the OCSP responder's certificate.
Sets the OCSP responses.
Sets the revocation options.
check, check, getSupportedExtensions, init, isForwardCheckingSupported
public void setOcspResponder(URI uri)
ocsp.responderURLsecurity property and any responder specified in a certificate's Authority Information Access Extension, as defined in RFC 5280.
uri- the responder URI
public URI getOcspResponder()
ocsp.responderURLsecurity property. If this parameter or the
ocsp.responderURLproperty is not set, the location is determined from the certificate's Authority Information Access Extension, as defined in RFC 5280.
nullif not set
public void setOcspResponderCert(X509Certificate cert)
cert- the responder's certificate
public X509Certificate getOcspResponderCert()
ocsp.responderCertSerialNumbersecurity properties. If this parameter or the aforementioned properties are not set, then the responder's certificate is determined as specified in RFC 2560.
nullif not set
extensions- a list of extensions. The list is copied to protect against subsequent modification.
public void setOcspResponses(Map<X509Certificate,byte> responses)
responses- a map of OCSP responses. Each key is an
X509Certificatethat maps to the corresponding DER-encoded OCSP response for that certificate. A deep copy of the map is performed to protect against subsequent modification.
public Map<X509Certificate,byte> getOcspResponses()
X509Certificatethat maps to the corresponding DER-encoded OCSP response for that certificate. A deep copy of the map is returned to protect against subsequent modification. Returns an empty map if no responses have been specified.
public void setOptions(Set<PKIXRevocationChecker.Option> options)
options- a set of revocation options. The set is copied to protect against subsequent modification.
public Set<PKIXRevocationChecker.Option> getOptions()
public abstract List<CertPathValidatorException> getSoftFailExceptions()
SOFT_FAILoption is set. The list is cleared each time
initis called. The list is ordered in ascending order according to the certificate index returned by
getIndexmethod of each entry.
An implementation of
PKIXRevocationChecker is responsible for
adding the ignored exceptions to the list.
public PKIXRevocationChecker clone()
Object.clone()method. All subclasses which maintain state must support and override this method, if necessary.
Submit a bug or feature
For further API reference and developer documentation, see Java SE Documentation. That documentation contains more detailed, developer-targeted descriptions, with conceptual overviews, definitions of terms, workarounds, and working code examples.
Copyright © 1993, 2016, Oracle and/or its affiliates. All rights reserved. Use is subject to license terms. Also see the documentation redistribution policy.