The X509CRLSelector Class
The X509CRLSelector class is an implementation of the CRLSelector interface that defines a set of criteria for selecting X.509 CRLs. An X509CRL object must match all of the specified criteria to be selected by the match method. The selection criteria are designed to be useful to a CertPathValidator or CertPathBuilder implementation that must retrieve CRLs from a repository to check the revocation status of certificates in an X.509 certification path.
Refer to http://www.ietf.org/rfc/rfc3280.txt for definitions of the X.509 CRL fields and extensions mentioned in this section.
Creating an X509CRLSelector Object
An X509CRLSelector object is created by calling the default constructor:
public X509CRLSelector()
No criteria are initially set (any X509CRL will match).
Setting Selection Criteria
The selection criteria allow a caller to match on different components of an X.509 CRL. Most of the methods for setting selection criteria are described here. Refer to the X509CRLSelector API documentation for details on the remaining methods.
The setIssuerNames method sets the issuerNames criterion:
public void setIssuerNames(Collection names)
The issuer distinguished name in the CRL must match at least one of the specified distinguished names. Each entry of the names argument is either a String or a byte array (representing the name in RFC 2253 or ASN.1 DER encoded form, respectively). If null, any issuer distinguished name is valid.
The setMinCRLNumber and setMaxCRLNumber methods set the minCRLNumber and maxCRLNumber criteria:
public void setMinCRLNumber(BigInteger minCRL)
public void setMaxCRLNumber(BigInteger maxCRL)
The CRL must have a CRL Number extension whose value is greater than or equal to the specified value if the setMinCRLNumber method is called, and less than or equal to the specified value if the setMaxCRLNumber method is called. If the value passed to one of these methods is null, the corresponding check is not done.
The setDateAndTime method sets the dateAndTime criterion:
public void setDateAndTime(Date dateAndTime)
The specified date must be equal to or later than the value of the thisUpdate component of the CRL and earlier than the value of the nextUpdate component. If null, no dateAndTime check will be done.
The setCertificateChecking method sets the certificate whose revocation status is being checked:
public void setCertificateChecking(X509Certificate cert)
Setting the certificate is not a criterion. Rather, it is optional information that can help a CertStore find CRLs that would be relevant when checking revocation for the specified certificate. If null is specified, then no such optional information is provided. An application should always call this method when checking revocation for a particular certificate, as it might provide the CertStore with more information for finding the correct CRLs and filtering out irrelevant ones.
Getting Selection Criteria
The current values for each of the selection criteria can be retrieved using the appropriate get method. Refer to the X509CRLSelector API documentation for further details on these methods.
Example
Using an X509CRLSelector to retrieve CRLs from an LDAP repository is similar to the X509CertSelector example. Suppose we want to retrieve all current (as of the current date and time) CRLs issued by a specific CA and with a minimum CRL number. First, we create an X509CRLSelector object and call the appropriate methods to set the selection criteria:
import java.math.BigInteger;
import java.security.cert.X509CRLSelector;
import java.util.Date;

X509CRLSelector xcrls = new X509CRLSelector();
// select CRLs satisfying current date and time
xcrls.setDateAndTime(new Date());
// select CRLs issued by 'O=xyz, C=us'
// (addIssuerName(String) declares IOException for names it cannot parse)
xcrls.addIssuerName("O=xyz, C=us");
// select only CRLs with a CRL number at least '2'
xcrls.setMinCRLNumber(new BigInteger("2"));
Then we pass the selector to the getCRLs method of our CertStore object (created in the X509CertSelector example):
Collection<? extends CRL> crls = cs.getCRLs(xcrls);
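As an added, self-contained example (not code from this guide or from the JDK), the program below builds the selector from the certificate whose revocation status is being checked, runs it against a Collection CertStore loaded from CRL files named on the command line (the file paths, the class name CrlSelectorDemo and the use of a Collection store in place of the guide's LDAP repository are assumptions), and then does what the selector deliberately does not do for you: it verifies each matching CRL's signature with the issuer certificate before consulting it. The crlNumber helper decodes the CRL Number extension that setMinCRLNumber and setMaxCRLNumber compare against.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.util.*;

public class CrlSelectorDemo {

    // Build the selector described in the text, driven by the certificate being checked.
    static X509CRLSelector selectorFor(X509Certificate cert, Date now, BigInteger minCrlNumber) {
        X509CRLSelector sel = new X509CRLSelector();
        sel.addIssuer(cert.getIssuerX500Principal()); // CRL issuer must equal the certificate issuer
        sel.setDateAndTime(now);                       // thisUpdate <= now < nextUpdate
        sel.setMinCRLNumber(minCrlNumber);             // null disables the CRL Number check
        sel.setCertificateChecking(cert);              // a hint for the CertStore, not a criterion
        return sel;
    }

    // Read the CRL Number extension (id-ce-cRLNumber, OID 2.5.29.20). getExtensionValue returns
    // a DER OCTET STRING whose contents are a DER INTEGER (RFC 5280, 5.2.3). Null if absent.
    static BigInteger crlNumber(X509CRL crl) {
        byte[] ext = crl.getExtensionValue("2.5.29.20");
        if (ext == null) return null;
        byte[] integer = derContents(ext, 0x04);
        return new BigInteger(derContents(integer, 0x02));
    }

    // Minimal DER TLV decoder: check the tag, handle short and long-form lengths, return the contents.
    static byte[] derContents(byte[] der, int expectedTag) {
        if (der.length < 2 || (der[0] & 0xFF) != expectedTag) {
            throw new IllegalArgumentException("unexpected DER tag");
        }
        int first = der[1] & 0xFF;
        int offset = 2;
        int len = first;
        if (first == 0x80) throw new IllegalArgumentException("indefinite length is not DER");
        if (first > 0x80) {
            int n = first & 0x7F;
            if (n > 4 || der.length < 2 + n) throw new IllegalArgumentException("bad DER length");
            len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (der[2 + i] & 0xFF);
            offset = 2 + n;
        }
        if (len < 0 || offset + len > der.length) throw new IllegalArgumentException("truncated DER");
        return Arrays.copyOfRange(der, offset, offset + len);
    }

    static X509Certificate loadCert(CertificateFactory cf, String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    static X509CRL loadCrl(CertificateFactory cf, String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509CRL) cf.generateCRL(in);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: CrlSelectorDemo <issuer-cert> <cert-to-check> <crl>...");
            System.exit(2);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate issuer = loadCert(cf, args[0]);
        X509Certificate subject = loadCert(cf, args[1]);
        List<X509CRL> repository = new ArrayList<>();
        for (int i = 2; i < args.length; i++) repository.add(loadCrl(cf, args[i]));

        // A Collection CertStore stands in for the LDAP repository of the guide's example (assumption).
        CertStore cs = CertStore.getInstance("Collection", new CollectionCertStoreParameters(repository));
        X509CRLSelector sel = selectorFor(subject, new Date(), null);
        Collection<? extends CRL> candidates = cs.getCRLs(sel);
        System.out.println(candidates.size() + " of " + repository.size() + " CRLs match the selector");

        for (CRL c : candidates) {
            X509CRL crl = (X509CRL) c;
            // Matching is only selection. Verify the signature against the issuer's key before
            // trusting the list; an unsigned or tampered CRL that matches the criteria must be ignored.
            try {
                crl.verify(issuer.getPublicKey());
            } catch (GeneralSecurityException e) {
                System.out.println("rejecting CRL with bad signature: " + e);
                continue;
            }
            System.out.println("CRL number " + crlNumber(crl) + ", thisUpdate " + crl.getThisUpdate()
                    + ", nextUpdate " + crl.getNextUpdate());
            X509CRLEntry entry = crl.getRevokedCertificate(subject);
            if (entry != null) {
                System.out.println("REVOKED: serial " + subject.getSerialNumber() + " on "
                        + entry.getRevocationDate() + ", reason " + entry.getRevocationReason());
            } else {
                System.out.println("not listed in this CRL");
            }
        }
    }
}
```

Two points worth checking when using this pattern: setDateAndTime only admits a CRL whose nextUpdate is present and later than the given date, so a CRL without a nextUpdate field never matches, and the selector's issuer-name match plus the signature check above is what ties a CRL to the CA; when a CertPathValidator performs PKIX validation with revocation enabled it carries out the same selection and verification internally.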