OCSPRevocationChecker ("Entrust Authority Security Toolkit for the Java Platform")

java.lang.Object
- com.entrust.toolkit.x509.revocation.OCSPRevocationChecker

All Implemented Interfaces:

RevocationChecker
```
public class OCSPRevocationChecker
extends java.lang.Object
implements RevocationChecker
```
A RevocationChecker that checks revocation using the OCSP protocol. OCSP is defined in RFC 2560.

Since:

7.2

Field Summary

Fields
Modifier and Type Field and Description

protected static int CLOCK_SKEW
Clock sync between client and server can be just over an hour and 6 minutes (4000 seconds) - 1:06:40.
- Fields inherited from interface com.entrust.toolkit.x509.revocation.RevocationChecker
  LOG

Fields
Modifier and Type	Field and Description
`protected static int`	`CLOCK_SKEW` Clock sync between client and server can be just over an hour and 6 minutes (4000 seconds) - 1:06:40.

Constructor Summary

Constructors
Constructor and Description
`OCSPRevocationChecker(OCSPConfiguration config, KeyAndCertContainer keyMaterial, ValidationInfo validationInfo)` The OCSPRevocationChecker constructor.

Method Summary

Methods
Modifier and Type	Method and Description
`void`	`check(X509Certificate certificate)` This method will check Revocation of the given certificate using OCSP.
`void`	`check(X509Certificate[] chain)` Given a certificate chain, this method will check Revocation on the chain using OCSP.
`void`	`check(X509Certificate cert, X509Certificate[] chain)` The Main method of checking whether the certificate is revoked in the OCSP revocation checkers.
`void`	`check(X509Certificate certificate, X509Certificate[] chain, int position)` This method will check Revocation of the given certificate using OCSP.
`boolean`	`equals(java.lang.Object obj)` Tests whether the `OCSPConfiguration` stored in the OCSPRevocationChecker object is equal to the `OCSPConfiguration` stored in the passed in OCSPRevocationChecker.

Methods inherited from class java.lang.Object
clone, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

- Field Detail
  - CLOCK_SKEW
```
protected static final int CLOCK_SKEW
```
    Clock sync between client and server can be just over an hour and 6 minutes (4000 seconds) - 1:06:40. The reason for this is so client server machines with different daylight savings time settings still have a chance of working
    
    See Also:
    Constant Field Values
- Constructor Detail
  - OCSPRevocationChecker
```
public OCSPRevocationChecker(OCSPConfiguration config,
                     KeyAndCertContainer keyMaterial,
                     ValidationInfo validationInfo)
```
    The OCSPRevocationChecker constructor.
    This class creates an OCSPRevocationChecker given an OCSPConfiguration. The OCSPConfiguration must not be null, otherwise an IllegalArgumentException will be thrown.
    A ValidationInfo object is also required, and cannot be null.
    Optionally, a KeyAndCertContainer can be passed to as a source of KeyAndCertificate information. This object is only required if OCSP client requests will be signed.
    
    Parameters:
    config - The OCSPConfiguration associated with this RevocationChecker
    keyMaterial - The key material that can be used to sign OCSP requests
    validationInfo - The validationInfo associated with this revocation checker
    
    Throws:
    
    java.lang.IllegalArgumentException - if the OCSPConfiguration or ValidationInfo parameters are null.
- Method Detail
  - check
```
public void check(X509Certificate[] chain)
           throws CertificationException
```
    Given a certificate chain, this method will check Revocation on the chain using OCSP. Depending on the OCSPConfiguration specified by this revocation checker, one of the following will be done:
    1. If AIAChecking is false, and no local accessLocation is defined, an exception is thrown indicating nothing can be done.
    2. If AIAChecking is true, and no local accessLocation is defined, then only the accessLocation(s) in the AIA will be used to try and determine revocaton status.
    3. If AIAChecking is true, and a local accessLocation is defined, then any accessLocations contained in the AIA location of the certificate will first be checked. If no successful revocation status is found then the local accessLocation will be checked if the certificates issuer DN is configured in the local configuraitons DN list, or if there are no certificates in the DN list (indicating revocation should always be used for this responder).
    4. If AIAChecking is false, and there is a locally defined accessLocation, the local accessLocation will be checked if the certificates issuer DN is configured in the local configurations DN list, or if there are no certificates in the DN list (indicating revocation should always be used for this responder).
    
    Specified by:
    
    check in interface RevocationChecker
    
    Parameters:
    chain - The chain of certificates to be checked for revocation. If the given chain is null, then the method just returns.
    
    Throws:
    
    CertificationException - if revocation status could not be determined
    
    RevocationException - if the status of the certificate was revoked.
  - check
```
public void check(X509Certificate certificate,
         X509Certificate[] chain,
         int position)
           throws CertificationException
```
    This method will check Revocation of the given certificate using OCSP. Depending on the OCSPConfiguration specified by this revocation checker, one of the following will be done:
    1. If AIAChecking is false, and no local accessLocation is defined, an exception is thrown indicating nothing can be done.
    2. If AIAChecking is true, and no local accessLocation is defined, then only the accessLocation(s) in the AIA will be used to try and determine revocaton status.
    3. If AIAChecking is true, and a local accessLocation is defined, then any accessLocations contained in the AIA location of the certificate will first be checked. If no successful revocation status is found then the local accessLocation will be checked if the certificates issuer DN is configured in the local configuraitons DN list, or if there are no certificates in the DN list (indicating revocation should always be used for this responder).
    4. If AIAChecking is false, and there is a locally defined accessLocation, the local accessLocation will be checked if the certificates issuer DN is configured in the local configurations DN list, or if there are no certificates in the DN list (indicating revocation should always be used for this responder).
    The position is the integer position of the certificate in the chain. This position is not required, but if used may help to speed up Issuer certificate searches. Especially with long certificate chains.
    
    Specified by:
    
    check in interface RevocationChecker
    
    Parameters:
    certificate - the certificate which revocation will be checked
    chain - the certificate chain
    position - of certificate in chain
    
    Throws:
    
    CertificationException - if revocation status could not be determined
    
    RevocationException - if the status of the certificate was revoked.
  - check
```
public void check(X509Certificate certificate)
           throws CertificationException
```
    This method will check Revocation of the given certificate using OCSP. Depending on the OCSPConfiguration specified by this revocation checker, one of the following will be done:
    1. If AIAChecking is false, and no local accessLocation is defined, an exception is thrown indicating nothing can be done.
    2. If AIAChecking is true, and no local accessLocation is defined, then only the accessLocation(s) in the AIA will be used to try and determine revocaton status.
    3. If AIAChecking is true, and a local accessLocation is defined, then any accessLocations contained in the AIA location of the certificate will first be checked. If no successful revocation status is found then the local accessLocation will be checked if the certificates issuer DN is configured in the local configuraitons DN list, or if there are no certificates in the DN list (indicating revocation should always be used for this responder).
    4. If AIAChecking is false, and there is a locally defined accessLocation, the local accessLocation will be checked if the certificates issuer DN is configured in the local configurations DN list, or if there are no certificates in the DN list (indicating revocation should always be used for this responder).
    The position is the integer position of the certificate in the chain. This position is not required, but if used may help to speed up Issuer certificate searches. Especially with long certificate chains.
    
    Specified by:
    
    check in interface RevocationChecker
    
    Parameters:
    certificate - the certificate which revocation will be checked
    
    Throws:
    
    CertificationException - if revocation status could not be determined.
    
    RevocationException - if the status of the certificate was revoked.
  - check
```
public void check(X509Certificate cert,
         X509Certificate[] chain)
           throws CertificationException
```
    The Main method of checking whether the certificate is revoked in the OCSP revocation checkers. There are four things that can be done:
    1. If AIAChecking is false, and no local accessLocation is defined, an exception is thrown indicating nothing can be done.
    2. If AIAChecking is true, and no local accessLocation is defined, then only the accessLocation(s) in the AIA will be used to try and determine revocaton status.
    3. If AIAChecking is true, and a local accessLocation is defined, then any accessLocations contained in the AIA location of the certificate will first be checked. If no successful revocation status is found then the local accessLocation will be checked if the certificates issuer DN is configured in the local configuraitons DN list, or if there are no certificates in the DN list (indicating revocation should always be used for this responder).
    4. If AIAChecking is false, and there is a locally defined accessLocation, the local accessLocation will be checked if the certificates issuer DN is configured in the local configurations DN list, or if there are no certificates in the DN list (indicating revocation should always be used for this responder).
    
    Specified by:
    
    check in interface RevocationChecker
    
    Parameters:
    cert - The certificate being checked for revocation
    chain - the complete certificate chain in which cert is included.
    
    Throws:
    
    CertificationException - if no revocation information can be found.
    
    RevocationException - if certificate is revoked.
  - equals
```
public boolean equals(java.lang.Object obj)
```
    Tests whether the OCSPConfiguration stored in the OCSPRevocationChecker object is equal to the OCSPConfiguration stored in the passed in OCSPRevocationChecker.
    
    Overrides:
    
    equals in class java.lang.Object

Class OCSPRevocationChecker

Field Summary

Fields inherited from interface com.entrust.toolkit.x509.revocation.RevocationChecker

Constructor Summary

Method Summary

Methods inherited from class java.lang.Object

Field Detail

CLOCK_SKEW

Constructor Detail

OCSPRevocationChecker

Method Detail

check

check

check

check

equals