com.entrust.toolkit.x509.revocation

Class CollectionRS

java.lang.Object

com.entrust.toolkit.x509.revocation.CollectionRS

All Implemented Interfaces:

RevocationChecker

public final class CollectionRS
extends java.lang.Object
implements RevocationChecker

This class represents a collection a collection of revocation stores.

It acts as the single point of entry for checking the revocation status of a certificate chain.

Field Summary

Fields inherited from interface com.entrust.toolkit.x509.revocation.RevocationChecker

LOG

Constructor Summary

Constructors

Constructor and Description
CollectionRS(ValidationInfo validationInfo) The constructor; creates a new CollectionRS for the provided validation information.

Method Summary

Methods

Modifier and Type	Method and Description
void	attach(RevocationStore revocationStore) Adds a new revocation store to the set of revocation stores managed by this CollectionRS.
void	check(X509Certificate cert) Checks the revocation status of the supplied certificate.
void	check(X509Certificate[] chain) Determines whether any of the certifcates in the chain have been revoked.
void	check(X509Certificate cert, X509Certificate[] chain) Checks the revocation status of a certificate.
void	check(X509Certificate cert, X509Certificate[] chain, int position) Checks the revocation status of a certificate.
CertificateSet	findAIACerts(com.entrust.toolkit.x509.revocation.InternalX509CRL crl) Search through all certificate stores for certificates located at the AIA ca-Issuers accessLocation.
CRLConfig	getCRLConfig() This method collects the configuration settings used by this object and constructs a CRLConfig object that represents the revocation configuration used by this object.
CachedCRLRS	getMemoryCRLCache() Returns the CRL cache.
void	requireCRL(boolean crlRequired) Configures this collection of revocation stores to either require or not require a CRL for each certificate in the certificate chain during a 'check' operation.
void	setCRLConfig(CRLConfig crlConfig) This method sets the CRL revocation configuration settings used by this object.
void	setMaximumCRLLifetime(int maxCrlLifetime) Deprecated. all CRLs are required to have their nextUpdate field set (since 6.1 SP1)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

CollectionRS

public CollectionRS(ValidationInfo validationInfo)

The constructor; creates a new CollectionRS for the provided validation information.

A ValidationInfo object contains all the information necessary to validate certificates.

Parameters:

validationInfo - validation information

Throws:

java.lang.IllegalArgumentException - thrown if any of the required parameters are null

Method Detail

requireCRL

public void requireCRL(boolean crlRequired)

Configures this collection of revocation stores to either require or not require a CRL for each certificate in the certificate chain during a 'check' operation.

When set to true, a CRL is required for every certificate in the certificate chain during a 'check' operation. In this case, when checking a chain that contains a certificate for which a CRL cannot be found, a CertificationException exception will be thrown indicating the problem. The only exception to this rule is for 'trusted' certificates; revocation infomation is not required for these certificates since they are implicitly trusted.

When set to false, a CRL is not required for every certificate in the certificate chain during a 'check' operation. In this case, when checking a chain that contains a certificate for which a CRL cannot be found, it is automatically considered not revoked. The default value of this setting is false.

Parameters:

crlRequired - indicates whether or not a CRL is required for every certificate in the certificate chain during a 'check' operation

getMemoryCRLCache

public CachedCRLRS getMemoryCRLCache()

Returns the CRL cache.

Every CRL retrieved from any of the X.509 CRL revocation stores (X509CRLRS) during a 'check' operation is automatically added to the CRL cache. Then, when the revocation status of a certificate chain is being checked, the CRL cache is the first revocation store that is searched for any CRLs.

Returns:

the CRL cache

attach

public void attach(RevocationStore revocationStore)

Adds a new revocation store to the set of revocation stores managed by this CollectionRS.

If none of the default revocation stores indicates that it is responsible for a certificate, it is passed on to revocationStore. This call clears the CRL invalid search cache; see UserConfigSettings.getCRLInvalidSearchTimeout().

Parameters:

revocationStore - an additional revocation store to use when checking a certificate's revocation status

check

public void check(X509Certificate[] chain)
           throws CertificationException

Determines whether any of the certifcates in the chain have been revoked.

Revocation is not checked for 'trusted' certificates in the certificate store. This will include one or more 'root of trust' certificates, as well as any other that been deemed trusted in the CollectionCS using the addTrustedCertificate(X509Certificate) or addTrustedCertificates(X509Certificate[]) APIs.

When checking revocation of a certificate, the collection of revocation stores is searched until the revocation store that contains revocation information about the certificate is found. The revocation status of the certificate is then extracted from that revocation store.

Specified by:

check in interface RevocationChecker

Parameters:

chain - the certificate chain

Throws:

RevocationException - if any of the certificates in chain are revoked

CertificationException - if revocation status could not be determined

check

public void check(X509Certificate cert,
         X509Certificate[] chain)
           throws CertificationException

Checks the revocation status of a certificate.

Revocation is not checked for 'trusted' certificates in the certificate store. This will include one or more 'root of trust' certificates, as well as any other that been deemed trusted in the CollectionCS using the addTrustedCertificate(X509Certificate) or addTrustedCertificates(X509Certificate[]) APIs.

When checking revocation of a certificate, the collection of revocation stores is searched until the revocation store that contains revocation information about the certificate is found. The revocation status of the certificate is then extracted from that revocation store.

All CRLs retrieved from the revocation store by this method are validated prior to being used to check the revocation status of the certificate.

Specified by:

check in interface RevocationChecker

Parameters:

cert - the certificate whose revocation status is being checked

chain - the certificate chain (root certificate is located at position zero)

Throws:

RevocationException - if the certificate has been revoked

CertificationException - if a fatal error occurs while attempting to retrieve CRLs (revocation store access failure, appropriate CRL required but not found)

Since:

7.1 SP1 Patch

check

public void check(X509Certificate cert,
         X509Certificate[] chain,
         int position)
           throws CertificationException

Checks the revocation status of a certificate.

Revocation is not checked for 'trusted' certificates in the certificate store. This will include one or more 'root of trust' certificates, as well as any other that been deemed trusted in the CollectionCS using the addTrustedCertificate(X509Certificate) or addTrustedCertificates(X509Certificate[]) APIs.

When checking revocation of a certificate, the collection of revocation stores is searched until the revocation store that contains revocation information about the certificate is found. The revocation status of the certificate is then extracted from that revocation store.

All CRLs retrieved from the revocation store by this method are validated prior to being used to check the revocation status of the certificate.

Specified by:

check in interface RevocationChecker

Parameters:

cert - the certificate whose revocation status is being checked

chain - the certificate chain (root certificate is located at position zero)

position - The position in the certificate chain

Throws:

RevocationException - if the certificate has been revoked

CertificationException - if a fatal error occurs while attempting to retrieve CRLs (revocation store access failure, appropriate CRL required but not found)

Since:

7.2

check

public void check(X509Certificate cert)
           throws CertificationException

Checks the revocation status of the supplied certificate.

Revocation is not checked for 'trusted' certificates in the certificate store. This will include one or more 'root of trust' certificates, as well as any other that been deemed trusted in the CollectionCS using the addTrustedCertificate(X509Certificate) or addTrustedCertificates(X509Certificate[]) APIs.

When checking revocation of a certificate, the collection of revocation stores is searched until the revocation store that contains revocation information about the certificate is found. The revocation status of the certificate is then extracted from that revocation store.

All CRLs retrieved from the revocation store by this method are validated prior to being used to check the revocation status of the certificate.

Specified by:

check in interface RevocationChecker

Parameters:

cert - the certificate whose revocation status is being checked

Throws:

RevocationException - if the certificate has been revoked

CertificationException - if a fatal error occurs while attempting to retrieve CRLs (revocation store access failure, appropriate CRL required but not found)

Since:

7.2

findAIACerts

public CertificateSet findAIACerts(com.entrust.toolkit.x509.revocation.InternalX509CRL crl)

Search through all certificate stores for certificates located at the AIA ca-Issuers accessLocation. Return an array of all the certificates found.

Parameters:

crl - The InternalX509CRL CRL

Returns:

A CertificateSet containing the certificates found using the CRL AIA Extension

Throws:

CertificationException - if problem occurs

setMaximumCRLLifetime

public void setMaximumCRLLifetime(int maxCrlLifetime)

Deprecated. all CRLs are required to have their nextUpdate field set (since 6.1 SP1)

Sets the maximum allowed CRL lifetime for a CRL whose nextUpdate field is not set.

A CRL whose nextUpdate field is set is considered valid until the time specified in that field plus the time specified as the grace period in the policy certificate (2 hours by default). A CRL whose nextUpdate field is not set is considered valid for the amount of time specified by this API (1 week by default).

Parameters:

maxCrlLifetime - the number of hours for which a CRL with an empty nextUpdate field will be considered valid

setCRLConfig

public void setCRLConfig(CRLConfig crlConfig)

This method sets the CRL revocation configuration settings used by this object.

Parameters:

CRLConfig - The CRL Configuraiton settings to use.

Since:

8.0

See Also:

CRLConfig

getCRLConfig

public CRLConfig getCRLConfig()

This method collects the configuration settings used by this object and constructs a CRLConfig object that represents the revocation configuration used by this object.

Returns:

The CRLConfig object that represents the configuration used by this ColletionRS object

Since:

8.0

See Also:

CRLConfig