src/share/classes/java/security/cert/PKIXRevocationChecker.java

  33 import java.util.Map;
  34 import java.util.Map.Entry;
  35 import java.util.Set;
  36 
  37 /**
  38  * A {@code PKIXCertPathChecker} for checking the revocation status of
  39  * certificates with the PKIX algorithm.
  40  *
  41  * <p>A {@code PKIXRevocationChecker} checks the revocation status of
  42  * certificates with the Online Certificate Status Protocol (OCSP) or
  43  * Certificate Revocation Lists (CRLs). OCSP is described in RFC 2560 and
  44  * is a network protocol for determining the status of a certificate. A CRL
  45  * is a time-stamped list identifying revoked certificates, and RFC 5280
  46  * describes an algorithm for determining the revocation status of certificates
  47  * using CRLs.
  48  *
  49  * <p>Each {@code PKIXRevocationChecker} must be able to check the revocation
  50  * status of certificates with OCSP and CRLs. By default, OCSP is the
  51  * preferred mechanism for checking revocation status, with CRLs as the
  52  * fallback mechanism. However, this preference can be switched to CRLs with
  53  * the {@link Option.PREFER_CRLS} option.
  54  *
  55  * <p>A {@code PKIXRevocationChecker} is obtained by calling the
  56  * {@link CertPathValidator#getRevocationChecker getRevocationChecker} method
  57  * of a PKIX {@code CertPathValidator}. Additional parameters and options
  58  * specific to revocation can be set (by calling {@link #setOCSPResponder}
  59  * method for instance). The {@code PKIXRevocationChecker} is added to
  60  * a {@code PKIXParameters} object using the
  61  * {@link PKIXParameters#addCertPathChecker addCertPathChecker}
  62  * or {@link PKIXParameters#setCertPathCheckers setCertPathCheckers} method,
  63  * and then the {@code PKIXParameters} is passed along with the {@code CertPath}
  64  * to be validated to the {@link CertPathValidator#validate validate} method
  65  * of a PKIX {@code CertPathValidator}. When supplying a revocation checker in
  66  * this manner, do not enable the default revocation checking mechanism (by
  67  * calling {@link PKIXParameters#setRevocationEnabled}.
  68  *
  69  * <p>Note that when a {@code PKIXRevocationChecker} is added to
  70  * {@code PKIXParameters}, it clones the {@code PKIXRevocationChecker};
  71  * thus any subsequent modifications to the {@code PKIXRevocationChecker}
  72  * have no effect.
  73  *




  33 import java.util.Map;
  34 import java.util.Map.Entry;
  35 import java.util.Set;
  36 
  37 /**
  38  * A {@code PKIXCertPathChecker} for checking the revocation status of
  39  * certificates with the PKIX algorithm.
  40  *
  41  * <p>A {@code PKIXRevocationChecker} checks the revocation status of
  42  * certificates with the Online Certificate Status Protocol (OCSP) or
  43  * Certificate Revocation Lists (CRLs). OCSP is described in RFC 2560 and
  44  * is a network protocol for determining the status of a certificate. A CRL
  45  * is a time-stamped list identifying revoked certificates, and RFC 5280
  46  * describes an algorithm for determining the revocation status of certificates
  47  * using CRLs.
  48  *
  49  * <p>Each {@code PKIXRevocationChecker} must be able to check the revocation
  50  * status of certificates with OCSP and CRLs. By default, OCSP is the
  51  * preferred mechanism for checking revocation status, with CRLs as the
  52  * fallback mechanism. However, this preference can be switched to CRLs with
  53  * the {@link Option#PREFER_CRLS PREFER_CRLS} option.
  54  *
  55  * <p>A {@code PKIXRevocationChecker} is obtained by calling the
  56  * {@link CertPathValidator#getRevocationChecker getRevocationChecker} method
  57  * of a PKIX {@code CertPathValidator}. Additional parameters and options
  58  * specific to revocation can be set (by calling {@link #setOCSPResponder}
  59  * method for instance). The {@code PKIXRevocationChecker} is added to
  60  * a {@code PKIXParameters} object using the
  61  * {@link PKIXParameters#addCertPathChecker addCertPathChecker}
  62  * or {@link PKIXParameters#setCertPathCheckers setCertPathCheckers} method,
  63  * and then the {@code PKIXParameters} is passed along with the {@code CertPath}
  64  * to be validated to the {@link CertPathValidator#validate validate} method
  65  * of a PKIX {@code CertPathValidator}. When supplying a revocation checker in
  66  * this manner, do not enable the default revocation checking mechanism (by
  67  * calling {@link PKIXParameters#setRevocationEnabled}.
  68  *
  69  * <p>Note that when a {@code PKIXRevocationChecker} is added to
  70  * {@code PKIXParameters}, it clones the {@code PKIXRevocationChecker};
  71  * thus any subsequent modifications to the {@code PKIXRevocationChecker}
  72  * have no effect.
  73  *
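
Review bot: the parenthetical at lines 66-67 is still unbalanced after this change. "(by calling {@link PKIXParameters#setRevocationEnabled}." opens a parenthesis that is never closed, in both the old and the new version, so it should be closed before the period while this comment is being touched. The same sentence tells the caller not to enable the default revocation checking mechanism but names only the method, not the argument. Spelling out the intended call would remove the ambiguity about whether the caller has to do anything, which matters here because a reader who gets it wrong ends up with a different revocation check than the one they configured. At lines 58-59, "by calling {@link #setOCSPResponder} method for instance" is missing an article ("by calling the ... method"). The line 53 fix itself, moving from Option.PREFER_CRLS to the Option#PREFER_CRLS member form with an explicit label, looks right.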