CertStore

The "IBMCertPath" provider supports two implementations of the CertStore engine class: Collection and LDAP.

Collection CertStore

The Collection CertStore implementation can hold any objects that are an instance of java.security.cert.Certificate or java.security.cert.CRL.

The certificates and CRLs are not guaranteed to be returned in any particular order and cannot contain duplicates.

LDAP CertStore

The LDAP CertStore implementation retrieves certificates and CRLs from an LDAP directory using the LDAP schema defined in RFC 2587. The implementation fetches certificates from the directory based on the values of the subject, issuer, and basicConstraints selection criteria specified in the X509CertSelector. If the subject name is specified, it looks for an object in the naming service whose name matches the subject name. If basicConstraints is -2, it looks up the attribute of type userCertificate. If basicConstraints is larger than -2, it looks up attributes of type userCertificate, caCertificate, or crossCertificate. If the issuer name is specified and basicConstraints is larger than -2, it looks up the directory entry with the issuer name and reads attributes of type caCertificate or crossCertificate. The certificates are then checked using X509CertSelector.match() before being added to the resulting collection.

If none of the conditions specified previously applies, then an exception is thrown to indicate that it was impossible to fetch certificates using the criteria supplied. Note that even if one or more of the conditions apply, the Collection returned may still be empty if there are no certificates in the directory.

The implementation fetches CRLs for the issuer DNs specified through the setCertificateChecking, addIssuerNames or setIssuerNames methods of the X509CRLSelector class. It looks for an object in the naming service whose name matches the CRL issuer DN and reads attributes of type certificateRevocationList, authorityRevocationList, or deltaRevocationList. The CRLs are fetched and checked using X509CRLSelector.match() before being added to the resulting collection.

If none of the conditions specified previously applies, then an exception is thrown to indicate that it was impossible to fetch CRLs using the criteria supplied. Note that even if one or more of the conditions apply, the Collection returned may still be empty if there are no CRLs in the directory.

Caching

By default each LDAP CertStore instance caches lookups for a maximum of 10 minutes. The cache lifetime can be changed by setting the system property ibm.security.certpath.ldap.cache.lifetime to a value in seconds. A value of 0 disables the cache completely. A value of -1 means unlimited lifetime.

If the system property com.ibm.security.enableCRLDP is set to true, CRLs downloaded from a CRL distribution point found within one of the certificates being processed are also cached for a maximum of 10 minutes. This is a separate cache from the one maintained by each LDAP CertStore instance. There is currently no system property that can be used to modify the default object lifetime for this cache.

Support for the CRL Distribution Points Extension

CRL Distribution Points is an optional extension in an X.509 certificate. It provides information on where and how to locate the corresponding CRL. The common way for a CA to provide a CRL is to publish it on an HTTP server or an LDAP server. The current version of the Cert Path API supports both mechanisms. By default, this CRL checking is disabled. Users have to set a system property to enable it, for example:

java -Dcom.ibm.security.enableCRLDP=true
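The following added example (not part of the original documentation) shows how the selector criteria described above drive the LDAP CertStore lookups, how the fetched objects can be pooled in a Collection CertStore, and which system properties control the CRL distribution point and cache behaviour. The host, port and distinguished names are constructed placeholders.

```java
import java.security.cert.*;
import java.util.*;
import javax.security.auth.x500.X500Principal;

/*
 * Run with the properties from this page, e.g.:
 *   java -Dcom.ibm.security.enableCRLDP=true \
 *        -Dibm.security.certpath.ldap.cache.lifetime=300 \
 *        -Djava.security.debug=certpath LdapCertStoreLookup
 */
public class LdapCertStoreLookup {

    // Constructed values: point these at a real directory before running.
    static final String LDAP_HOST = "ldap.example.com";
    static final int LDAP_PORT = 389;
    static final X500Principal CA_DN =
        new X500Principal("CN=Example Root CA,O=Example,C=US");

    public static void main(String[] args) throws Exception {
        CertStore ldap = CertStore.getInstance("LDAP",
            new LDAPCertStoreParameters(LDAP_HOST, LDAP_PORT), "IBMCertPath");

        // Subject + basicConstraints == -2: only the userCertificate attribute
        // of the subject's entry is read (end-entity certificates).
        X509CertSelector eeSel = new X509CertSelector();
        eeSel.setSubject(new X500Principal("CN=alice,OU=users,O=Example,C=US"));
        eeSel.setBasicConstraints(-2);
        Collection<? extends Certificate> eeCerts = ldap.getCertificates(eeSel);

        // Issuer + basicConstraints > -2: the caCertificate / crossCertificate
        // attributes of the issuer's entry are read (-1 = no path length check).
        X509CertSelector caSel = new X509CertSelector();
        caSel.setIssuer(CA_DN);
        caSel.setBasicConstraints(-1);
        Collection<? extends Certificate> caCerts = ldap.getCertificates(caSel);

        // CRLs are located by issuer DN: certificateRevocationList,
        // authorityRevocationList or deltaRevocationList of that entry.
        // A selector with no subject and no issuer makes the store throw.
        X509CRLSelector crlSel = new X509CRLSelector();
        crlSel.addIssuer(CA_DN);
        Collection<? extends CRL> crls = ldap.getCRLs(crlSel);

        // Pool the results in a Collection CertStore (Certificate and CRL
        // instances only, no duplicates) for a later offline PKIX build.
        Set<Object> pool = new HashSet<>();
        pool.addAll(eeCerts);
        pool.addAll(caCerts);
        pool.addAll(crls);
        CertStore local = CertStore.getInstance("Collection",
            new CollectionCertStoreParameters(pool), "IBMCertPath");

        System.out.println(eeCerts.size() + " end-entity, " + caCerts.size()
            + " CA certificates, " + crls.size() + " CRLs in " + local.getType());
    }
}
```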
Debugging

Debugging support can be enabled by setting the java.security.debug property to certpath. For example:

java -Djava.security.debug=certpath BuildCertPath

This will print additional debugging information to standard error.