Added in API level 24

Summary: Protected Ctors | Methods | Inherited Methods

PKIXRevocationChecker

public abstract class PKIXRevocationChecker
extends PKIXCertPathChecker

java.lang.Object
↳	java.security.cert.PKIXCertPathChecker
	↳	java.security.cert.PKIXRevocationChecker

A PKIXCertPathChecker for checking the revocation status of certificates with the PKIX algorithm.

A PKIXRevocationChecker checks the revocation status of certificates with the Online Certificate Status Protocol (OCSP) or Certificate Revocation Lists (CRLs). OCSP is described in RFC 2560 and is a network protocol for determining the status of a certificate. A CRL is a time-stamped list identifying revoked certificates, and RFC 5280 describes an algorithm for determining the revocation status of certificates using CRLs.

Each PKIXRevocationChecker must be able to check the revocation status of certificates with OCSP and CRLs. By default, OCSP is the preferred mechanism for checking revocation status, with CRLs as the fallback mechanism. However, this preference can be switched to CRLs with the PREFER_CRLS option. In addition, the fallback mechanism can be disabled with the NO_FALLBACK option.

A PKIXRevocationChecker is obtained by calling the getRevocationChecker method of a PKIX CertPathValidator. Additional parameters and options specific to revocation can be set (by calling the setOcspResponder method for instance). The PKIXRevocationChecker is added to a PKIXParameters object using the addCertPathChecker or setCertPathCheckers method, and then the PKIXParameters is passed along with the CertPath to be validated to the validate method of a PKIX CertPathValidator. When supplying a revocation checker in this manner, it will be used to check revocation irrespective of the setting of the RevocationEnabled flag. Similarly, a PKIXRevocationChecker may be added to a PKIXBuilderParameters object for use with a PKIX CertPathBuilder.

Note that when a PKIXRevocationChecker is added to PKIXParameters, it clones the PKIXRevocationChecker; thus any subsequent modifications to the PKIXRevocationChecker have no effect.

Any parameter that is not set (or is set to null) will be set to the default value for that parameter.

Concurrent Access

Unless otherwise specified, the methods defined in this class are not thread-safe. Multiple threads that need to access a single object concurrently should synchronize amongst themselves and provide the necessary locking. Multiple threads each manipulating separate objects need not synchronize.

Summary

Protected constructors
`PKIXRevocationChecker()` Default constructor.

Public methods
`PKIXRevocationChecker`	`clone()` Returns a clone of this object.
`List<Extension>`	`getOcspExtensions()` Gets the optional OCSP request extensions.
`URI`	`getOcspResponder()` Gets the URI that identifies the location of the OCSP responder.
`X509Certificate`	`getOcspResponderCert()` Gets the OCSP responder's certificate.
`Map<X509Certificate, byte[]>`	`getOcspResponses()` Gets the OCSP responses.
`Set<PKIXRevocationChecker.Option>`	`getOptions()` Gets the revocation options.
`abstract List<CertPathValidatorException>`	`getSoftFailExceptions()` Returns a list containing the exceptions that are ignored by the revocation checker when the `SOFT_FAIL` option is set.
`void`	`setOcspExtensions(List<Extension> extensions)` Sets the optional OCSP request extensions.
`void`	`setOcspResponder(URI uri)` Sets the URI that identifies the location of the OCSP responder.
`void`	`setOcspResponderCert(X509Certificate cert)` Sets the OCSP responder's certificate.
`void`	`setOcspResponses(Map<X509Certificate, byte[]> responses)` Sets the OCSP responses.
`void`	`setOptions(Set<PKIXRevocationChecker.Option> options)` Sets the revocation options.

Inherited methods

From class


        
          java.security.cert.PKIXCertPathChecker

`void`	`check(Certificate cert)` Performs the check(s) on the specified certificate using its internal state. This implementation calls `check(cert, java.util.Collections.<String>emptySet())`.
`abstract void`	`check(Certificate cert, Collection<String> unresolvedCritExts)` Performs the check(s) on the specified certificate using its internal state and removes any critical extensions that it processes from the specified collection of OID strings that represent the unresolved critical extensions.
`Object`	`clone()` Returns a clone of this object.
`abstract Set<String>`	`getSupportedExtensions()` Returns an immutable `Set` of X.509 certificate extensions that this `PKIXCertPathChecker` supports (i.e.
`abstract void`	`init(boolean forward)` Initializes the internal state of this `PKIXCertPathChecker`.
`abstract boolean`	`isForwardCheckingSupported()` Indicates if forward checking is supported.

From class


        
          java.lang.Object

`Object`	`clone()` Creates and returns a copy of this object.
`boolean`	`equals(Object obj)` Indicates whether some other object is "equal to" this one.
`void`	`finalize()` Called by the garbage collector on an object when garbage collection determines that there are no more references to the object.
`final Class<?>`	`getClass()` Returns the runtime class of this `Object`.
`int`	`hashCode()` Returns a hash code value for the object.
`final void`	`notify()` Wakes up a single thread that is waiting on this object's monitor.
`final void`	`notifyAll()` Wakes up all threads that are waiting on this object's monitor.
`String`	`toString()` Returns a string representation of the object.
`final void`	`wait(long timeoutMillis, int nanos)` Causes the current thread to wait until it is awakened, typically by being notified or interrupted, or until a certain amount of real time has elapsed.
`final void`	`wait(long timeoutMillis)` Causes the current thread to wait until it is awakened, typically by being notified or interrupted, or until a certain amount of real time has elapsed.
`final void`	`wait()` Causes the current thread to wait until it is awakened, typically by being notified or interrupted.

From interface


        
          java.security.cert.CertPathChecker

`abstract void`	`check(Certificate cert)` Performs the check(s) on the specified certificate using its internal state.
`abstract void`	`init(boolean forward)` Initializes the internal state of this `CertPathChecker`.
`abstract boolean`	`isForwardCheckingSupported()` Indicates if forward checking is supported.

Protected constructors

PKIXRevocationChecker

Added in API level 24

protected PKIXRevocationChecker ()

Default constructor.

Public methods

clone

Added in API level 24

public PKIXRevocationChecker clone ()

Returns a clone of this object. Calls the Object.clone() method. All subclasses which maintain state must support and override this method, if necessary.

Returns
`PKIXRevocationChecker`	a copy of this `PKIXCertPathChecker`

getOcspExtensions

Added in API level 24

public List<Extension> getOcspExtensions ()

Gets the optional OCSP request extensions.

Returns
`List<Extension>`	an unmodifiable list of extensions. The list is empty if no extensions have been specified.

getOcspResponder

Added in API level 24

public URI getOcspResponder ()

Gets the URI that identifies the location of the OCSP responder. This overrides the ocsp.responderURL security property. If this parameter or the ocsp.responderURL property is not set, the location is determined from the certificate's Authority Information Access Extension, as defined in RFC 5280.

Returns
`URI`	the responder URI, or `null` if not set

getOcspResponderCert

Added in API level 24

public X509Certificate getOcspResponderCert ()

Gets the OCSP responder's certificate. This overrides the ocsp.responderCertSubjectName, ocsp.responderCertIssuerName, and ocsp.responderCertSerialNumber security properties. If this parameter or the aforementioned properties are not set, then the responder's certificate is determined as specified in RFC 2560.

Returns
`X509Certificate`	the responder's certificate, or `null` if not set

getOcspResponses

Added in API level 24

public Map<X509Certificate, byte[]> getOcspResponses ()

Gets the OCSP responses. These responses are used to determine the revocation status of the specified certificates when OCSP is used.

Returns
`Map<X509Certificate, byte[]>`	a map of OCSP responses. Each key is an `X509Certificate` that maps to the corresponding DER-encoded OCSP response for that certificate. A deep copy of the map is returned to protect against subsequent modification. Returns an empty map if no responses have been specified.

getOptions

Added in API level 24

public Set<PKIXRevocationChecker.Option> getOptions ()

Gets the revocation options.

Returns
`Set<PKIXRevocationChecker.Option>`	an unmodifiable set of revocation options. The set is empty if no options have been specified.

getSoftFailExceptions

Added in API level 24

public abstract List<CertPathValidatorException> getSoftFailExceptions ()

Returns a list containing the exceptions that are ignored by the revocation checker when the SOFT_FAIL option is set. The list is cleared each time init is called. The list is ordered in ascending order according to the certificate index returned by getIndex method of each entry.

An implementation of PKIXRevocationChecker is responsible for adding the ignored exceptions to the list.

Returns
`List<CertPathValidatorException>`	an unmodifiable list containing the ignored exceptions. The list is empty if no exceptions have been ignored.

setOcspExtensions

Added in API level 24

public void setOcspExtensions (List<Extension> extensions)

Sets the optional OCSP request extensions.

Parameters
`extensions`	`List`: a list of extensions. The list is copied to protect against subsequent modification.

setOcspResponder

Added in API level 24

public void setOcspResponder (URI uri)

Sets the URI that identifies the location of the OCSP responder. This overrides the ocsp.responderURL security property and any responder specified in a certificate's Authority Information Access Extension, as defined in RFC 5280.

Parameters
`uri`	`URI`: the responder URI

setOcspResponderCert

Added in API level 24

public void setOcspResponderCert (X509Certificate cert)

Sets the OCSP responder's certificate. This overrides the ocsp.responderCertSubjectName, ocsp.responderCertIssuerName, and ocsp.responderCertSerialNumber security properties.

Parameters
`cert`	`X509Certificate`: the responder's certificate

setOcspResponses

Added in API level 24

public void setOcspResponses (Map<X509Certificate, byte[]> responses)

Sets the OCSP responses. These responses are used to determine the revocation status of the specified certificates when OCSP is used.

Parameters
`responses`	`Map`: a map of OCSP responses. Each key is an `X509Certificate` that maps to the corresponding DER-encoded OCSP response for that certificate. A deep copy of the map is performed to protect against subsequent modification.

setOptions

Added in API level 24

public void setOptions (Set<PKIXRevocationChecker.Option> options)

Sets the revocation options.

Parameters
`options`	`Set`: a set of revocation options. The set is copied to protect against subsequent modification.