The CertStore Class
The CertStore class is an engine class used
to provide the functionality of a certificate and certificate revocation
list (CRL) repository. It can be used by CertPathBuilder and CertPathValidator implementations
to find certificates and CRLs or as a general purpose certificate
and CRL retrieval mechanism.
Unlike the java.security.KeyStore class, which provides access to a cache of private keys and trusted certificates, a CertStore is designed to provide access to a potentially vast repository of untrusted certificates and CRLs. For example, an LDAP implementation of CertStore provides access to certificates and CRLs stored in one or more directories using the LDAP protocol.
All public methods of CertStore objects are thread-safe. That is, multiple threads can concurrently invoke these methods on a single CertStore object (or more than one) with no ill effects. This allows a CertPathBuilder to search for a CRL while simultaneously searching for further certificates, for instance.
Creating a CertStore Object
As with all
engine classes, the way to get a CertStore object
for a particular repository type is to call one of the getInstance static
factory methods on the CertStore class:
public static CertStore getInstance(String type,
CertStoreParameters params) public static CertStore getInstance(String type,
CertStoreParameters params, String provider) public static CertStore getInstance(String type,
CertStoreParameters params, Provider provider)The type parameter is the name of a certificate repository type (for example, "LDAP"). Standard CertStore types are listed in Appendix A.
The initialization parameters (params) are specific to the repository type. For example, the initialization parameters for a server-based repository might include the hostname and the port of the server. An InvalidAlgorithmParameterException is thrown if the parameters are not valid for this CertStore type. The getCertStoreParameters method returns the CertStoreParameters that were used to initialize a CertStore:
public final CertStoreParameters getCertStoreParameters()Retrieving Certificates
After you have created
a CertStore object, you can retrieve certificates
from the repository using the getCertificates method.
This method takes a CertSelector (discussed
in more detail later) object as an argument, which specifies a set
of selection criteria for determining which certificates should be
returned:
public final Collection getCertificates(CertSelector selector)
throws CertStoreExceptionThis method returns a Collection of java.security.cert.Certificate objects
that satisfy the selection criteria. An empty Collection is
returned if there are no matches. A CertStoreException is usually
thrown if an unexpected error condition is encountered, such as a
communications failure with a remote repository.
For some CertStore implementations,
it might not be feasible to search the entire repository for certificates
or CRLs that match the specified selection criteria. In these instances,
the CertStore implementation can use information
that is specified in the selectors to locate certificates and CRLs.
For instance, an LDAP CertStore may not search all
entries in the directory. Instead, it might just search entries that
are likely to contain the certificates it is looking for. If the CertSelector provided
does not provide enough information for the LDAP CertStore to
determine which entries it should look in, the LDAP CertStore may
throw a CertStoreException.
Retrieving CRLs
You can also retrieve CRLs
from the repository using the getCRLs method. This
method takes a CRLSelector (discussed
in more detail later) object as an argument, which specifies a set
of selection criteria for determining which CRLs should be returned:
public final Collection getCRLs(CRLSelector selector)
throws CertStoreExceptionThis method returns a Collection of java.security.cert.CRL objects
that satisfy the selection criteria. An empty Collection is
returned if there are no matches.