- All Implemented Interfaces:
Cloneable
,CRLSelector
CRLSelector
that selects X509CRLs
that
match all specified criteria. This class is particularly useful when
selecting CRLs from a CertStore
to check revocation status
of a particular certificate.
When first constructed, an X509CRLSelector
has no criteria
enabled and each of the get
methods return a default
value (null
). Therefore, the match
method
would return true
for any X509CRL
. Typically,
several criteria are enabled (by calling setIssuers
or setDateAndTime
, for instance) and then the
X509CRLSelector
is passed to
CertStore.getCRLs
or some similar
method.
Please refer to RFC 5280: Internet X.509 Public Key Infrastructure Certificate and CRL Profile for definitions of the X.509 CRL fields and extensions mentioned below.
Concurrent Access
Unless otherwise specified, the methods defined in this class are not thread-safe. Multiple threads that need to access a single object concurrently should synchronize amongst themselves and provide the necessary locking. Multiple threads each manipulating separate objects need not synchronize.
- Since:
- 1.4
- See Also:
-
Constructor Summary
-
Method Summary
Modifier and TypeMethodDescriptionvoid
addIssuer
(X500Principal issuer) Adds a name to the issuerNames criterion.void
addIssuerName
(byte[] name) Adds a name to the issuerNames criterion.void
addIssuerName
(String name) Deprecated.clone()
Returns a copy of this object.Returns the certificate being checked.Returns the dateAndTime criterion.Returns a copy of the issuerNames criterion.Returns the issuerNames criterion.Returns the maxCRLNumber criterion.Returns the minCRLNumber criterion.boolean
Decides whether aCRL
should be selected.void
Sets the certificate being checked.void
setDateAndTime
(Date dateAndTime) Sets the dateAndTime criterion.void
setIssuerNames
(Collection<?> names) Note: use setIssuers(Collection) instead or only specify the byte array form of distinguished names when using this method.void
setIssuers
(Collection<X500Principal> issuers) Sets the issuerNames criterion.void
setMaxCRLNumber
(BigInteger maxCRL) Sets the maxCRLNumber criterion.void
setMinCRLNumber
(BigInteger minCRL) Sets the minCRLNumber criterion.toString()
Returns a printable representation of theX509CRLSelector
.
-
Constructor Details
-
X509CRLSelector
public X509CRLSelector()Creates anX509CRLSelector
. Initially, no criteria are set so anyX509CRL
will match.
-
-
Method Details
-
setIssuers
Sets the issuerNames criterion. The issuer distinguished name in theX509CRL
must match at least one of the specified distinguished names. Ifnull
, any issuer distinguished name will do.This method allows the caller to specify, with a single method call, the complete set of issuer names which
X509CRLs
may contain. The specified value replaces the previous value for the issuerNames criterion.The
names
parameter (if notnull
) is aCollection
ofX500Principal
s.Note that the
names
parameter can contain duplicate distinguished names, but they may be removed from theCollection
of names returned by thegetIssuers
method.Note that a copy is performed on the
Collection
to protect against subsequent modifications.- Parameters:
issuers
- aCollection
of X500Principals (ornull
)- Since:
- 1.5
- See Also:
-
setIssuerNames
Note: use setIssuers(Collection) instead or only specify the byte array form of distinguished names when using this method. SeeaddIssuerName(String)
for more information.Sets the issuerNames criterion. The issuer distinguished name in the
X509CRL
must match at least one of the specified distinguished names. Ifnull
, any issuer distinguished name will do.This method allows the caller to specify, with a single method call, the complete set of issuer names which
X509CRLs
may contain. The specified value replaces the previous value for the issuerNames criterion.The
names
parameter (if notnull
) is aCollection
of names. Each name is aString
or a byte array representing a distinguished name (in RFC 2253 or ASN.1 DER encoded form, respectively). Ifnull
is supplied as the value for this argument, no issuerNames check will be performed.Note that the
names
parameter can contain duplicate distinguished names, but they may be removed from theCollection
of names returned by thegetIssuerNames
method.If a name is specified as a byte array, it should contain a single DER encoded distinguished name, as defined in X.501. The ASN.1 notation for this structure is as follows.
Name ::= CHOICE { RDNSequence } RDNSequence ::= SEQUENCE OF RelativeDistinguishedName RelativeDistinguishedName ::= SET SIZE (1 .. MAX) OF AttributeTypeAndValue AttributeTypeAndValue ::= SEQUENCE { type AttributeType, value AttributeValue } AttributeType ::= OBJECT IDENTIFIER AttributeValue ::= ANY DEFINED BY AttributeType .... DirectoryString ::= CHOICE { teletexString TeletexString (SIZE (1..MAX)), printableString PrintableString (SIZE (1..MAX)), universalString UniversalString (SIZE (1..MAX)), utf8String UTF8String (SIZE (1.. MAX)), bmpString BMPString (SIZE (1..MAX)) }
Note that a deep copy is performed on the
Collection
to protect against subsequent modifications.- Parameters:
names
- aCollection
of names (ornull
)- Throws:
IOException
- if a parsing error occurs- See Also:
-
addIssuer
Adds a name to the issuerNames criterion. The issuer distinguished name in theX509CRL
must match at least one of the specified distinguished names.This method allows the caller to add a name to the set of issuer names which
X509CRLs
may contain. The specified name is added to any previous value for the issuerNames criterion. If the specified name is a duplicate, it may be ignored.- Parameters:
issuer
- the issuer as X500Principal- Since:
- 1.5
-
addIssuerName
Deprecated.UseaddIssuer(X500Principal)
oraddIssuerName(byte[])
instead. This method should not be relied on as it can fail to match some CRLs because of a loss of encoding information in the RFC 2253 String form of some distinguished names.Adds a name to the issuerNames criterion. The issuer distinguished name in theX509CRL
must match at least one of the specified distinguished names.This method allows the caller to add a name to the set of issuer names which
X509CRLs
may contain. The specified name is added to any previous value for the issuerNames criterion. If the specified name is a duplicate, it may be ignored.- Parameters:
name
- the name in RFC 2253 form- Throws:
IOException
- if a parsing error occurs
-
addIssuerName
Adds a name to the issuerNames criterion. The issuer distinguished name in theX509CRL
must match at least one of the specified distinguished names.This method allows the caller to add a name to the set of issuer names which
X509CRLs
may contain. The specified name is added to any previous value for the issuerNames criterion. If the specified name is a duplicate, it may be ignored. If a name is specified as a byte array, it should contain a single DER encoded distinguished name, as defined in X.501. The ASN.1 notation for this structure is as follows.The name is provided as a byte array. This byte array should contain a single DER encoded distinguished name, as defined in X.501. The ASN.1 notation for this structure appears in the documentation for
setIssuerNames(Collection names)
.Note that the byte array supplied here is cloned to protect against subsequent modifications.
- Parameters:
name
- a byte array containing the name in ASN.1 DER encoded form- Throws:
IOException
- if a parsing error occurs
-
setMinCRLNumber
Sets the minCRLNumber criterion. TheX509CRL
must have a CRL number extension whose value is greater than or equal to the specified value. Ifnull
, no minCRLNumber check will be done.- Parameters:
minCRL
- the minimum CRL number accepted (ornull
)
-
setMaxCRLNumber
Sets the maxCRLNumber criterion. TheX509CRL
must have a CRL number extension whose value is less than or equal to the specified value. Ifnull
, no maxCRLNumber check will be done.- Parameters:
maxCRL
- the maximum CRL number accepted (ornull
)
-
setDateAndTime
Sets the dateAndTime criterion. The specified date must be equal to or later than the value of the thisUpdate component of theX509CRL
and earlier than the value of the nextUpdate component. There is no match if theX509CRL
does not contain a nextUpdate component. Ifnull
, no dateAndTime check will be done.Note that the
Date
supplied here is cloned to protect against subsequent modifications.- Parameters:
dateAndTime
- theDate
to match against (ornull
)- See Also:
-
setCertificateChecking
Sets the certificate being checked. This is not a criterion. Rather, it is optional information that may help aCertStore
find CRLs that would be relevant when checking revocation for the specified certificate. Ifnull
is specified, then no such optional information is provided.- Parameters:
cert
- theX509Certificate
being checked (ornull
)- See Also:
-
getIssuers
Returns the issuerNames criterion. The issuer distinguished name in theX509CRL
must match at least one of the specified distinguished names. If the value returned isnull
, any issuer distinguished name will do.If the value returned is not
null
, it is a unmodifiableCollection
ofX500Principal
s.- Returns:
- an unmodifiable
Collection
of names (ornull
) - Since:
- 1.5
- See Also:
-
getIssuerNames
Returns a copy of the issuerNames criterion. The issuer distinguished name in theX509CRL
must match at least one of the specified distinguished names. If the value returned isnull
, any issuer distinguished name will do.If the value returned is not
null
, it is aCollection
of names. Each name is aString
or a byte array representing a distinguished name (in RFC 2253 or ASN.1 DER encoded form, respectively). Note that theCollection
returned may contain duplicate names.If a name is specified as a byte array, it should contain a single DER encoded distinguished name, as defined in X.501. The ASN.1 notation for this structure is given in the documentation for
setIssuerNames(Collection names)
.Note that a deep copy is performed on the
Collection
to protect against subsequent modifications.- Returns:
- a
Collection
of names (ornull
) - See Also:
-
getMinCRL
Returns the minCRLNumber criterion. TheX509CRL
must have a CRL number extension whose value is greater than or equal to the specified value. Ifnull
, no minCRLNumber check will be done.- Returns:
- the minimum CRL number accepted (or
null
)
-
getMaxCRL
Returns the maxCRLNumber criterion. TheX509CRL
must have a CRL number extension whose value is less than or equal to the specified value. Ifnull
, no maxCRLNumber check will be done.- Returns:
- the maximum CRL number accepted (or
null
)
-
getDateAndTime
Returns the dateAndTime criterion. The specified date must be equal to or later than the value of the thisUpdate component of theX509CRL
and earlier than the value of the nextUpdate component. There is no match if theX509CRL
does not contain a nextUpdate component. Ifnull
, no dateAndTime check will be done.Note that the
Date
returned is cloned to protect against subsequent modifications.- Returns:
- the
Date
to match against (ornull
) - See Also:
-
getCertificateChecking
Returns the certificate being checked. This is not a criterion. Rather, it is optional information that may help aCertStore
find CRLs that would be relevant when checking revocation for the specified certificate. If the value returned isnull
, then no such optional information is provided.- Returns:
- the certificate being checked (or
null
) - See Also:
-
toString
-
match
Decides whether aCRL
should be selected.- Specified by:
match
in interfaceCRLSelector
- Parameters:
crl
- theCRL
to be checked- Returns:
true
if theCRL
should be selected,false
otherwise
-
clone
Returns a copy of this object.- Specified by:
clone
in interfaceCRLSelector
- Overrides:
clone
in classObject
- Returns:
- the copy
- See Also:
-
addIssuer(X500Principal)
oraddIssuerName(byte[])
instead.