- All Implemented Interfaces:
- Cloneable,- CertPathChecker
PKIXCertPathChecker for checking the revocation status of
 certificates with the PKIX algorithm.
 A PKIXRevocationChecker checks the revocation status of
 certificates with the Online Certificate Status Protocol (OCSP) or
 Certificate Revocation Lists (CRLs). OCSP is described in RFC 2560 and
 is a network protocol for determining the status of a certificate. A CRL
 is a time-stamped list identifying revoked certificates, and RFC 5280
 describes an algorithm for determining the revocation status of certificates
 using CRLs.
 
Each PKIXRevocationChecker must be able to check the revocation
 status of certificates with OCSP and CRLs. By default, OCSP is the
 preferred mechanism for checking revocation status, with CRLs as the
 fallback mechanism. However, this preference can be switched to CRLs with
 the PREFER_CRLS option. In addition, the fallback
 mechanism can be disabled with the NO_FALLBACK
 option.
 
A PKIXRevocationChecker is obtained by calling the
 getRevocationChecker method
 of a PKIX CertPathValidator. Additional parameters and options
 specific to revocation can be set (by calling the
 setOcspResponder method for instance). The
 PKIXRevocationChecker is added to a PKIXParameters object
 using the addCertPathChecker
 or setCertPathCheckers method,
 and then the PKIXParameters is passed along with the CertPath
 to be validated to the validate method
 of a PKIX CertPathValidator. When supplying a revocation checker in
 this manner, it will be used to check revocation irrespective of the setting
 of the RevocationEnabled flag,
 and will override the default revocation checking mechanism of the PKIX
 service provider. Similarly, a PKIXRevocationChecker may be added
 to a PKIXBuilderParameters object for use with a PKIX
 CertPathBuilder.
 
Note that when a PKIXRevocationChecker is added to
 PKIXParameters, it clones the PKIXRevocationChecker;
 thus any subsequent modifications to the PKIXRevocationChecker
 have no effect.
 
Any parameter that is not set (or is set to null) will be set to
 the default value for that parameter.
 
Concurrent Access
Unless otherwise specified, the methods defined in this class are not thread-safe. Multiple threads that need to access a single object concurrently should synchronize amongst themselves and provide the necessary locking. Multiple threads each manipulating separate objects need not synchronize.
- Since:
- 1.8
- See Also:
- 
Nested Class SummaryNested ClassesModifier and TypeClassDescriptionstatic enumVarious revocation options that can be specified for the revocation checking mechanism.
- 
Constructor SummaryConstructors
- 
Method SummaryModifier and TypeMethodDescriptionclone()Returns a clone of this object.Gets the optional OCSP request extensions.Gets the URI that identifies the location of the OCSP responder.Gets the OCSP responder's certificate.Map<X509Certificate, byte[]> Gets the OCSP responses.Gets the revocation options.abstract List<CertPathValidatorException> Returns a list containing the exceptions that are ignored by the revocation checker when theSOFT_FAILoption is set.voidsetOcspExtensions(List<Extension> extensions) Sets the optional OCSP request extensions.voidsetOcspResponder(URI uri) Sets the URI that identifies the location of the OCSP responder.voidSets the OCSP responder's certificate.voidsetOcspResponses(Map<X509Certificate, byte[]> responses) Sets the OCSP responses.voidsetOptions(Set<PKIXRevocationChecker.Option> options) Sets the revocation options.Methods declared in class java.security.cert.PKIXCertPathCheckercheck, check, getSupportedExtensions, init, isForwardCheckingSupported
- 
Constructor Details- 
PKIXRevocationCheckerprotected PKIXRevocationChecker()Default constructor.
 
- 
- 
Method Details- 
setOcspResponderSets the URI that identifies the location of the OCSP responder. This overrides theocsp.responderURLsecurity property and any responder specified in a certificate's Authority Information Access Extension, as defined in RFC 5280.- Parameters:
- uri- the responder URI
 
- 
getOcspResponderGets the URI that identifies the location of the OCSP responder. This overrides theocsp.responderURLsecurity property. If this parameter or theocsp.responderURLproperty is not set, the location is determined from the certificate's Authority Information Access Extension, as defined in RFC 5280.- Returns:
- the responder URI, or nullif not set
 
- 
setOcspResponderCertSets the OCSP responder's certificate. This overrides theocsp.responderCertSubjectName,ocsp.responderCertIssuerName, andocsp.responderCertSerialNumbersecurity properties.- Parameters:
- cert- the responder's certificate
 
- 
getOcspResponderCertGets the OCSP responder's certificate. This overrides theocsp.responderCertSubjectName,ocsp.responderCertIssuerName, andocsp.responderCertSerialNumbersecurity properties. If this parameter or the aforementioned properties are not set, then the responder's certificate is determined as specified in RFC 2560.- Returns:
- the responder's certificate, or nullif not set
 
- 
setOcspExtensionsSets the optional OCSP request extensions.- Parameters:
- extensions- a list of extensions. The list is copied to protect against subsequent modification.
 
- 
getOcspExtensionsGets the optional OCSP request extensions.- Returns:
- an unmodifiable list of extensions. The list is empty if no extensions have been specified.
 
- 
setOcspResponsesSets the OCSP responses. These responses are used to determine the revocation status of the specified certificates when OCSP is used.- Parameters:
- responses- a map of OCSP responses. Each key is an- X509Certificatethat maps to the corresponding DER-encoded OCSP response for that certificate. A deep copy of the map is performed to protect against subsequent modification.
 
- 
getOcspResponsesGets the OCSP responses. These responses are used to determine the revocation status of the specified certificates when OCSP is used.- Returns:
- a map of OCSP responses. Each key is an
        X509Certificatethat maps to the corresponding DER-encoded OCSP response for that certificate. A deep copy of the map is returned to protect against subsequent modification. Returns an empty map if no responses have been specified.
 
- 
setOptionsSets the revocation options.- Parameters:
- options- a set of revocation options. The set is copied to protect against subsequent modification.
 
- 
getOptionsGets the revocation options.- Returns:
- an unmodifiable set of revocation options. The set is empty if no options have been specified.
 
- 
getSoftFailExceptionsReturns a list containing the exceptions that are ignored by the revocation checker when theSOFT_FAILoption is set. The list is cleared each timeinitis called. The list is ordered in ascending order according to the certificate index returned bygetIndexmethod of each entry.An implementation of PKIXRevocationCheckeris responsible for adding the ignored exceptions to the list.- Returns:
- an unmodifiable list containing the ignored exceptions. The list is empty if no exceptions have been ignored.
 
- 
cloneDescription copied from class:PKIXCertPathCheckerReturns a clone of this object. Calls theObject.clone()method. All subclasses which maintain state must support and override this method, if necessary.- Overrides:
- clonein class- PKIXCertPathChecker
- Returns:
- a copy of this PKIXCertPathChecker
- See Also:
 
 
-