public final class CachedCRLRS extends RevocationStore
A memory CRL cache provides the best performance of all of Entrust's
revocation store implementations. It holds the X.509 CRLs as already parsed
X509CRL objects in memory.
By default, a user's revocation checking mechanism
(CollectionRS) has a memory CRL cache attached. When searching
for CRLs, this revocation store is always searched first; others are only
searched if appropriate CRLs could not be found in the memory CRL cache.
Any time CRLs are retrieved from another revocation store (not the memory
CRL cache) that is attached to the user's revocation checking mechanism, the
memory CRL cache is automatically updated with the retrieved CRLs.
The cache keeps itself current by automatically removing all non-current CRLs under the distribution points from which they were retrieved. This purge occurs every time an attempt is made to retrieve CRLs from the cache. A CRL is non-current when the cache entry lifetime has been exceeded (stale) or when the CRL's 'nextUpdate' time has passed, taking into account the CRL grace period (expired). The CRL grace period is a client policy setting that specifies an additional amount of time after the 'nextUpdate' date during which a CRL is still considered unexpired.
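The currency rules above, as an added worked model. This is illustrative code written for this page, not Entrust's CachedCRLRS implementation: CRLs are kept per distribution point, every lookup first drops stale entries (cache entry lifetime exceeded) and expired entries (nextUpdate plus the CRL grace period passed), the cache is searched before any other store and refilled from whatever another store returns, a negative lifetime falls back to the default, and a disabled cache is neither consulted nor updated. The class and function names, the default lifetime value, the millisecond clock passed in as now_ms, and the stand-in store callables are all assumptions. The security-relevant consequence the model makes visible: a cached CRL keeps being served until it is stale or expired, even if the CA has already published a newer CRL, so the entry lifetime bounds how long a freshly revoked certificate can still validate from the cache.

```python
"""Model of a memory CRL cache's currency and search rules (illustrative, not Entrust code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Assumed default; the real DEFAULT_CACHE_ENTRY_LIFETIME value is not given on the page.
DEFAULT_CACHE_ENTRY_LIFETIME_MS = 60 * 60 * 1000


@dataclass
class CachedCRL:
    crl_id: str          # constructed label standing in for a parsed X509CRL object
    next_update_ms: int  # the CRL's nextUpdate field, epoch milliseconds
    retrieved_ms: int    # when this cache stored it


@dataclass
class MemoryCRLCache:
    grace_period_ms: int = 0  # client-policy CRL grace period added to nextUpdate
    entry_lifetime_ms: int = DEFAULT_CACHE_ENTRY_LIFETIME_MS
    disabled: bool = False
    # distribution point name -> CRLs retrieved from that distribution point
    entries: Dict[str, List[CachedCRL]] = field(default_factory=dict)

    def set_cache_entry_lifetime(self, lifetime_ms: int) -> None:
        # Documented rule: a value below 0 is not accepted; the default is used instead.
        self.entry_lifetime_ms = lifetime_ms if lifetime_ms >= 0 else DEFAULT_CACHE_ENTRY_LIFETIME_MS

    def is_stale(self, e: CachedCRL, now_ms: int) -> bool:
        return now_ms - e.retrieved_ms > self.entry_lifetime_ms

    def is_expired(self, e: CachedCRL, now_ms: int) -> bool:
        return now_ms > e.next_update_ms + self.grace_period_ms

    def _purge(self, dp: str, now_ms: int) -> None:
        # Runs on every retrieval attempt: drop stale and expired CRLs under this distribution point.
        kept = [e for e in self.entries.get(dp, [])
                if not (self.is_stale(e, now_ms) or self.is_expired(e, now_ms))]
        if kept:
            self.entries[dp] = kept
        else:
            self.entries.pop(dp, None)

    def store(self, dp: str, crl_id: str, next_update_ms: int, now_ms: int) -> None:
        # Called whenever another revocation store returned CRLs; no-op while disabled.
        if self.disabled:
            return
        bucket = self.entries.setdefault(dp, [])
        bucket[:] = [e for e in bucket if e.crl_id != crl_id]  # no duplicates at one distribution point
        bucket.append(CachedCRL(crl_id, next_update_ms, now_ms))

    def get_crls(self, dp: str, now_ms: int) -> Optional[List[CachedCRL]]:
        # None signals "cache not consulted"; an empty list is a genuine miss after purging.
        if self.disabled:
            return None
        self._purge(dp, now_ms)
        return list(self.entries.get(dp, []))

    def remove_crls(self, dp: str) -> None:
        self.entries.pop(dp, None)

    def flush(self) -> None:
        self.entries.clear()


# A stand-in for a directory- or HTTP-based store: dp name -> [(crl_id, next_update_ms)]
Store = Callable[[str], List[Tuple[str, int]]]


def lookup(cache: MemoryCRLCache, other_stores: List[Tuple[str, Store]],
           dp: str, now_ms: int) -> Tuple[List[str], Optional[str]]:
    """Search order from the page: cache first; other stores only on a miss, refilling the cache."""
    hits = cache.get_crls(dp, now_ms)
    if hits:
        return [e.crl_id for e in hits], "cache"
    for name, store in other_stores:
        found = store(dp)
        if found:
            for crl_id, next_update_ms in found:
                cache.store(dp, crl_id, next_update_ms, now_ms)
            return [crl_id for crl_id, _ in found], name
    return [], None
```

To exercise the disable path, construct MemoryCRLCache(disabled=True): every lookup then goes straight to the other stores and store() does nothing, which is the behaviour the page describes for setDisabled(true).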
See Also:
CollectionRS

Field Summary

| Modifier and Type | Field and Description |
|---|---|
| long | DEFAULT_CACHE_ENTRY_LIFETIME: By default, the amount of time in milliseconds that a CRL will be stored in the cache before it is considered stale and removed. |

Fields inherited from class RevocationStore
m_enableOfflineLookup, m_validationInfo

Constructor Summary

| Constructor and Description |
|---|
| CachedCRLRS(ValidationInfo validationInfo): The constructor; creates and initializes a new CachedCRLRS object. |
Method Summary

| Modifier and Type | Method and Description |
|---|---|
| void | flush(): Flushes the cache; removes all CRLs from the cache. |
| long | getCacheEntryLifetime(): Returns the cache entry lifetime in milliseconds. |
| DistPointAndCRL[] | getCRLs(): Returns all the X.509 CRLs contained in this revocation store as an array of DistPointAndCRL objects, from which specific distribution points and CRLs can be retrieved. |
| protected GeneralName | getCrlsByType(java.util.Collection crls, CRLType crlType, GeneralNames dpDistributionPoint): Retrieves all CRLs of the indicated type that exist at the indicated distribution point. |
| protected java.lang.String | getName(): Returns the name of this X.509 CRL revocation store. |
| boolean | isDisabled(): Indicates whether or not the cache is disabled. |
| void | removeCRLs(GeneralName distributionPointName): Removes all CRLs from the cache that are stored under the indicated distribution point name. |
| void | setCacheEntryLifetime(long cacheEntryLifetime): Sets the cache entry lifetime in milliseconds. |
| void | setDisabled(boolean disabled): Allows this cache to be enabled/disabled. |
Methods inherited from class RevocationStore
enableOfflineLookup

Field Detail

DEFAULT_CACHE_ENTRY_LIFETIME

public long DEFAULT_CACHE_ENTRY_LIFETIME

By default, the amount of time in milliseconds that a CRL will be stored in the cache before it is considered stale and removed.

Constructor Detail

CachedCRLRS

public CachedCRLRS(ValidationInfo validationInfo)

The constructor; creates and initializes a new CachedCRLRS object.

Parameters:
validationInfo - the user's certificate validation information (provides access to the user's directory)

Method Detail

getCRLs

public DistPointAndCRL[] getCRLs()

Returns all the X.509 CRLs contained in this revocation store as an array of DistPointAndCRL objects, from which specific distribution points and CRLs can be retrieved.

All CRLs retrieved from the memory CRL cache using this API are always current: no stale CRLs (cache entry lifetime exceeded) and no expired CRLs ('nextUpdate' time plus the CRL grace period reached). Non-current CRLs are automatically removed from the cache.

Returns:
an array of DistPointAndCRL objects

getCacheEntryLifetime

public long getCacheEntryLifetime()

Returns the cache entry lifetime in milliseconds. The cache entry lifetime indicates the amount of time that a CRL will be stored in the cache before it is considered stale and automatically removed.

Returns:
the cache entry lifetime in milliseconds

setCacheEntryLifetime

public void setCacheEntryLifetime(long cacheEntryLifetime)

Sets the cache entry lifetime in milliseconds. The cache entry lifetime indicates the amount of time that a CRL will be stored in the cache before it is considered stale and automatically removed.

The cache entry lifetime cannot be set to a value less than 0; attempts to do so will result in the DEFAULT_CACHE_ENTRY_LIFETIME being used.

Parameters:
cacheEntryLifetime - the cache entry lifetime in milliseconds

removeCRLs

public void removeCRLs(GeneralName distributionPointName)

Removes all CRLs from the cache that are stored under the indicated distribution point name.

Parameters:
distributionPointName - the distribution point name under which all stored CRLs will be removed

flush

public void flush()

Flushes the cache; removes all CRLs from the cache.

setDisabled

public void setDisabled(boolean disabled)

Allows this cache to be enabled/disabled. By default, the cache is enabled. When the cache is disabled, it is not used (checked or updated) by the certificate revocation checking mechanism. Disabling the cache ensures that CRLs are always retrieved from another revocation store (directory-based, HTTP-based, ...). This is useful for applications that always require current CRLs and accept the performance penalty of not using a cache.

Disabling the cache only disables its use by the certificate revocation checking mechanism. All public APIs still operate identically to when the cache is enabled.

Parameters:
disabled - true to disable the cache; false to enable the cache

isDisabled

public boolean isDisabled()

Indicates whether or not the cache is disabled.

Returns:
true if the cache is disabled; false otherwise

getName

protected java.lang.String getName()

Returns the name of this X.509 CRL revocation store.

Overrides:
getName in class RevocationStore

getCrlsByType

protected GeneralName getCrlsByType(java.util.Collection crls, CRLType crlType, GeneralNames dpDistributionPoint)

Retrieves all CRLs of the indicated type that exist at the indicated distribution point. Any CRLs that are retrieved are added to the collection of X.509 CRLs in iaik.x509.X509CRL format. All CRLs retrieved from the memory CRL cache using this API are always current: no stale CRLs (cache entry lifetime exceeded) and no expired CRLs ('nextUpdate' time plus the CRL grace period reached). Non-current CRLs are automatically removed from the cache.

No check is made to see whether any of the X.509 CRLs that are retrieved and added to the collection already exist in the collection. The collection passed in is assumed to be empty, so duplicate entries need not be considered (the only other source of duplicates would be the cache holding two copies of one CRL at a single distribution point, which it cannot).

When the cache has been disabled, this method does nothing.

Overrides:
getCrlsByType in class RevocationStore

Parameters:
crls - a collection of X.509 CRLs in X509CRL format; all retrieved CRLs will be added to this collection
crlType - the type of CRLs to be retrieved; ignored by this implementation, all available CRLs at the distribution point are returned
dpDistributionPoint - the distribution point, in GeneralNames format, from which the CRLs will be retrieved

Returns:
the GeneralName representation of the distribution point name the CRLs were retrieved from, if any were in fact retrieved; null otherwise