public final class DirectoryCRLRS extends RevocationStore
By default, a user's revocation checking mechanism (CollectionRS) has an LDAP directory revocation store attached. When searching for CRLs, this revocation store is only searched if appropriate CRLs were not found in the memory CRL cache (also attached to the user's revocation store by default). Any time CRLs are retrieved from this revocation store, the memory CRL cache is automatically updated with the retrieved CRLs.

This type of revocation store is only capable of extracting CRLs from CRL distribution points that contain either a Distinguished Name (DN) or an LDAP URL. In the case of a DN, the user's directory (the directory contained in the validation information provided to the constructor) is searched for CRLs. In the case of an LDAP URL, an appropriate JNDIDirectory is created internally and searched for CRLs (unless the LDAP URL does not contain a host, in which case the user's directory is used).

In order to be used with a distribution point that contains an LDAP URL, the URL must be a valid LDAP URL according to RFC 2255 and must contain the 'dn' component. If the 'hostport' component does not specify a port, port 389 is used by default.

This type of revocation store is only able to retrieve CRLs when the user it is associated with is online (when the user is offline, online methods of CRL retrieval are not used).
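The LDAP-URL rules above (RFC 2255 form, a mandatory 'dn' component, port 389 when 'hostport' names no port, and the user's own directory when the URL has no host), worked through as an added example that is not part of the toolkit. It relies on java.net.URI for the syntax check and returns the resolved search target; the class, method and field names are the example's own, and the sample URLs are constructed rather than taken from any real CA.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added example, not toolkit code: resolves an LDAP-URL distribution point the way the
// rules above describe. Class, method and field names are this example's own.
public final class CrlDistributionPointUrl {

    // Port used when the 'hostport' component carries no port (the default the page states).
    static final int DEFAULT_LDAP_PORT = 389;

    // Where to look for the CRL; a null host means "search the user's own directory".
    public static final class Target {
        public final String host;      // null when the URL has no host
        public final int port;
        public final String dn;        // the mandatory 'dn' component, percent-decoded
        public final String attribute; // first attribute named in the URL, or null if none

        Target(String host, int port, String dn, String attribute) {
            this.host = host;
            this.port = port;
            this.dn = dn;
            this.attribute = attribute;
        }

        public boolean usesUserDirectory() {
            return host == null;
        }
    }

    // Throws IllegalArgumentException for anything that is not a usable LDAP URL.
    public static Target parse(String ldapUrl) {
        URI uri;
        try {
            uri = new URI(ldapUrl);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("not a valid LDAP URL: " + ldapUrl, e);
        }
        if (uri.getScheme() == null || !uri.getScheme().equalsIgnoreCase("ldap")) {
            throw new IllegalArgumentException("scheme must be ldap: " + ldapUrl);
        }
        // RFC 2255 form: ldap://hostport/dn[?attributes[?scope[?filter[?extensions]]]]
        // java.net.URI percent-decodes the path, so "%20" inside the DN comes back as a space.
        String path = uri.getPath();
        if (path == null || path.length() <= 1) {
            throw new IllegalArgumentException("LDAP URL must contain the 'dn' component: " + ldapUrl);
        }
        String dn = path.substring(1); // drop the leading '/'

        String host = uri.getHost();
        String authority = uri.getAuthority();
        if (host == null && authority != null && !authority.isEmpty()) {
            // Something is in 'hostport' but it is not a parseable host[:port]; do not fall back silently.
            throw new IllegalArgumentException("unparseable 'hostport' component: " + ldapUrl);
        }
        int port = uri.getPort() == -1 ? DEFAULT_LDAP_PORT : uri.getPort();

        String attribute = null;
        String query = uri.getQuery(); // everything after the first '?': attributes?scope?filter?extensions
        if (query != null) {
            String attributes = query.split("\\?", -1)[0];
            if (!attributes.isEmpty()) {
                attribute = attributes.split(",", -1)[0];
            }
        }
        return new Target(host, port, dn, attribute);
    }

    // Constructed sample URLs; none refers to a real CA.
    public static void main(String[] args) {
        String[] samples = {
            "ldap://ldap.example.test/cn=CRL1,ou=CA,o=Example?certificateRevocationList;binary",
            "ldap://ldap.example.test:3389/cn=CRL1,ou=CA,o=Example",
            "ldap:///cn=CRL1,ou=CA,o=Example?certificateRevocationList",
            "ldap://ldap.example.test/cn=CRL%201,ou=CA,o=Example",
            "ldap://ldap.example.test/",
            "http://ldap.example.test/cn=CRL1,ou=CA,o=Example"
        };
        for (String s : samples) {
            try {
                Target t = parse(s);
                String where = t.usesUserDirectory() ? "<user's directory>" : t.host + ":" + t.port;
                System.out.println(s + " -> " + where + "  dn=" + t.dn + "  attribute=" + t.attribute);
            } catch (IllegalArgumentException e) {
                System.out.println(s + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

The host-less case deliberately still reports port 389 in the Target, but usesUserDirectory() is what a caller should branch on: with no host there is nothing to connect to, and the page's behaviour is to search the user's directory instead. A URL whose 'hostport' is present but unparseable is rejected rather than treated as host-less, so a malformed distribution point cannot silently redirect the lookup to the user's directory.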
See Also:
CollectionRS, RFC 2255, The LDAP URL Format

| Modifier and Type | Field and Description |
|---|---|
| static int | DEFAULT_INVALID_SEARCH_TIMEOUT By default, the number of milliseconds for which an invalid directory search will not be repeated. |

Fields inherited from class RevocationStore:
m_enableOfflineLookup, m_validationInfo

| Constructor and Description |
|---|
| DirectoryCRLRS(ValidationInfo validationInfo) The constructor; creates a new DirectoryCRLRS object. |
| Modifier and Type | Method and Description |
|---|---|
| protected GeneralName | getCrlsByType(java.util.Collection crls, CRLType crlType, GeneralNames dpDistributionPoint) Retrieves all CRLs of the indicated type that exist at the indicated distribution point. |
| int | getInvalidSearchTimeout() Returns the invalid search timeout. |
| protected java.lang.String | getName() Returns the name of this X.509 CRL revocation store. |
| void | setInvalidSearchTimeout(int invalidSearchTimeout) Sets the invalid search timeout. |

Methods inherited from class RevocationStore:
enableOfflineLookup

public static final int DEFAULT_INVALID_SEARCH_TIMEOUT
By default, the number of milliseconds for which an invalid directory search will not be repeated.
public DirectoryCRLRS(ValidationInfo validationInfo)
The constructor; creates a new DirectoryCRLRS object.
Parameters:
validationInfo - the user's certificate validation information (provides access to the user's directory)

public int getInvalidSearchTimeout()
The invalid search timeout is the number of milliseconds for which an invalid directory search will not be repeated. A directory search is considered invalid when it does not return any properly formatted CRLs (DER-encoded ASN.1 X.509 CRLs). Performance can be improved by ensuring that known invalid searches are not repeated. Thus, once an invalid directory search has been done, it is not repeated for the period of time returned.
A directory search is uniquely identified by the following directory-related components used during the search: host, port, attribute, and entry (identified by DN).
Returns:
the invalid search timeout (milliseconds)

public void setInvalidSearchTimeout(int invalidSearchTimeout)
The invalid search timeout is the number of milliseconds for which an invalid directory search will not be repeated. A directory search is considered invalid when it does not return any properly formatted CRLs (DER-encoded ASN.1 X.509 CRLs). Performance can be improved by ensuring that known invalid searches are not repeated. Thus, once an invalid directory search has been done, it is not repeated for the period of time set.
A directory search is uniquely identified by the following directory-related components used during the search: host, port, attribute, and entry (identified by DN).
The invalid search timeout cannot be set to a value less than 0; any attempt to do so results in the invalid search timeout being set to 0.
Parameters:
invalidSearchTimeout - the invalid search timeout (milliseconds)

protected GeneralName getCrlsByType(java.util.Collection crls, CRLType crlType, GeneralNames dpDistributionPoint)
Retrieves all CRLs of the indicated type that exist at the indicated distribution point.
Overrides:
getCrlsByType in class RevocationStore
Parameters:
crls - a collection of X.509 CRLs in InternalX509CRL format; all retrieved CRLs will be added to this collection
crlType - the type of CRLs to be retrieved
dpDistributionPoint - the distribution point in GeneralNames format from which the CRLs will be loaded
Returns:
GeneralName representation of the distribution point name the CRLs were loaded from if any were in fact loaded; null otherwise

protected java.lang.String getName()
Returns the name of this X.509 CRL revocation store.
Overrides:
getName in class RevocationStore
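The invalid search timeout described under getInvalidSearchTimeout and setInvalidSearchTimeout, worked through as an added example that is not the toolkit's code: a search is keyed by host, port, attribute and entry DN, counts as invalid when none of the values it returned parses as a DER-encoded X.509 CRL, and is then not repeated until the timeout has elapsed; a negative timeout is clamped to 0. Class and method names are the example's own, the sample search and attribute value are constructed, and the JDK's CertificateFactory stands in for the toolkit's own CRL decoding.

```java
import java.io.ByteArrayInputStream;
import java.security.cert.CRLException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;

// Added example, not toolkit code: the "invalid search timeout" as the page describes it.
// Class and method names are this example's own; only the semantics follow the page.
public final class InvalidSearchCache {

    // Identity of a directory search: host, port, attribute and entry DN, as the page lists them.
    public static final class SearchKey {
        final String host;
        final int port;
        final String attribute;
        final String dn;

        public SearchKey(String host, int port, String attribute, String dn) {
            this.host = host;
            this.port = port;
            this.attribute = attribute;
            this.dn = dn;
        }

        @Override
        public boolean equals(Object o) {
            if (!(o instanceof SearchKey)) return false;
            SearchKey k = (SearchKey) o;
            return port == k.port && Objects.equals(host, k.host)
                && Objects.equals(attribute, k.attribute) && Objects.equals(dn, k.dn);
        }

        @Override
        public int hashCode() {
            return Objects.hash(host, port, attribute, dn);
        }
    }

    private int timeoutMillis;
    // Search -> clock time (ms) until which it is not repeated.
    private final Map<SearchKey, Long> invalidUntil = new HashMap<>();

    public InvalidSearchCache(int timeoutMillis) {
        setInvalidSearchTimeout(timeoutMillis);
    }

    // Values below 0 are clamped to 0, as the page's setter specifies; 0 disables suppression.
    public void setInvalidSearchTimeout(int millis) {
        this.timeoutMillis = Math.max(0, millis);
    }

    public int getInvalidSearchTimeout() {
        return timeoutMillis;
    }

    // True when this search recently returned no well-formed CRL and the timeout has not elapsed.
    public boolean isSuppressed(SearchKey key, long nowMillis) {
        Long until = invalidUntil.get(key);
        if (until == null) return false;
        if (nowMillis >= until) {
            invalidUntil.remove(key); // timeout elapsed; the search may be tried again
            return false;
        }
        return true;
    }

    // Feed the raw attribute values a search returned; it is invalid when none is a DER X.509 CRL.
    public void recordResult(SearchKey key, List<byte[]> attributeValues, long nowMillis) {
        if (countWellFormedCrls(attributeValues) == 0 && timeoutMillis > 0) {
            invalidUntil.put(key, nowMillis + timeoutMillis);
        } else {
            invalidUntil.remove(key);
        }
    }

    // Counts values the JDK's X.509 factory accepts as a CRL; anything else is "not properly formatted".
    public static int countWellFormedCrls(List<byte[]> attributeValues) {
        CertificateFactory factory;
        try {
            factory = CertificateFactory.getInstance("X.509");
        } catch (CertificateException e) {
            throw new IllegalStateException("no X.509 provider available", e);
        }
        int ok = 0;
        for (byte[] value : attributeValues) {
            try {
                factory.generateCRL(new ByteArrayInputStream(value));
                ok++;
            } catch (CRLException e) {
                // not a DER-encoded X.509 CRL; does not count
            }
        }
        return ok;
    }

    // Constructed scenario with a simulated clock; the attribute value is deliberately not a CRL.
    public static void main(String[] args) {
        InvalidSearchCache cache = new InvalidSearchCache(5000);
        SearchKey key = new SearchKey("ldap.example.test", 389, "certificateRevocationList",
                                      "cn=CRL1,ou=CA,o=Example");
        List<byte[]> junk = Arrays.asList("this is not a CRL".getBytes());

        cache.recordResult(key, junk, 0L);
        System.out.println("suppressed at t=1000ms: " + cache.isSuppressed(key, 1000L));
        System.out.println("suppressed at t=5000ms: " + cache.isSuppressed(key, 5000L));

        cache.setInvalidSearchTimeout(-1);
        System.out.println("timeout after setting -1: " + cache.getInvalidSearchTimeout());
    }
}
```

The key deliberately includes the attribute as well as the entry DN, matching the page's list, so a directory entry that holds a usable CRL under one attribute but junk under another is only suppressed for the attribute that failed. Suppression is keyed on the absence of any well-formed CRL, not on the LDAP search failing, which is the distinction the page draws: an entry that exists but carries no decodable CRL is the case worth remembering.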