org.bouncycastle.jce.cert
Class X509CRLSelector
java.lang.Object
|
+--org.bouncycastle.jce.cert.X509CRLSelector
- All Implemented Interfaces:
- java.lang.Cloneable, CRLSelector
- Direct Known Subclasses:
- X509CRLStoreSelector
- public class X509CRLSelector
- extends java.lang.Object
- implements CRLSelector
A CRLSelector that selects X509CRLs that match
all specified criteria. This class is particularly useful when selecting CRLs
from a CertStore to check revocation status of a particular
certificate.
When first constructed, an X509CRLSelector has no criteria
enabled and each of the get methods returns a default value (null).
Therefore, the match method would return true for any X509CRL.
Typically, several criteria are enabled (by calling setIssuerNames or
setDateAndTime, for instance) and then the X509CRLSelector is passed to
CertStore.getCRLs or some similar method.
Please refer to RFC 2459 for definitions of the X.509 CRL fields and
extensions mentioned below.
Concurrent Access
Unless otherwise specified, the methods defined in this class are not
thread-safe. Multiple threads that need to access a single object
concurrently should synchronize amongst themselves and provide the necessary
locking. Multiple threads each manipulating separate objects need not
synchronize.
Uses ASN1InputStream, ASN1Sequence, ASN1ObjectIdentifier, DEROutputStream, ASN1Object, X509Name
- See Also:
CRLSelector, X509CRL
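The typical use described above (enable several criteria, then match CRLs), as an added example that is not part of the Bouncy Castle documentation or code. The names CrlPicker, selectorFor and pick are hypothetical; the example assumes the issuer DN is supplied in RFC 2253 form and the candidate CRLs have already been loaded into a Collection.

```java
import java.io.IOException;
import java.math.BigInteger;
import java.security.cert.CRLException;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Date;
import java.util.Iterator;

import org.bouncycastle.jce.cert.X509CRLSelector;

// Added example; class, method and parameter names are hypothetical.
public class CrlPicker {

    // Builds a selector with every criterion set, so it cannot fall back to
    // the "matches any X509CRL" behaviour of a freshly constructed selector.
    public static X509CRLSelector selectorFor(X509Certificate cert, String issuerRfc2253,
            Date validationTime, BigInteger lastSeenCrlNumber) throws IOException {
        if (issuerRfc2253 == null || validationTime == null || lastSeenCrlNumber == null) {
            throw new IllegalArgumentException("null would disable a criterion");
        }
        X509CRLSelector sel = new X509CRLSelector();
        sel.addIssuerName(issuerRfc2253);        // issuer DN must match
        sel.setDateAndTime(validationTime);      // thisUpdate <= t < nextUpdate
        sel.setMinCRLNumber(lastSeenCrlNumber);  // reject CRLs older than one already seen
        sel.setCertificateChecking(cert);        // hint only, not a criterion
        return sel;
    }

    // Returns the matching CRL with the latest thisUpdate; throws if none matches,
    // so a caller cannot mistake "no usable CRL" for "not revoked".
    public static X509CRL pick(X509CRLSelector sel, Collection candidates) throws CRLException {
        X509CRL best = null;
        for (Iterator it = candidates.iterator(); it.hasNext();) {
            Object o = it.next();
            if (!(o instanceof X509CRL) || !sel.match((X509CRL) o)) {
                continue;
            }
            X509CRL crl = (X509CRL) o;
            if (best == null || crl.getThisUpdate().after(best.getThisUpdate())) {
                best = crl;
            }
        }
        if (best == null) {
            throw new CRLException("no current CRL from the expected issuer");
        }
        return best;
    }
}
```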
Method Summary
void | addIssuerName(byte[] name) | Adds a name to the issuerNames criterion.
void | addIssuerName(java.lang.String name) | Adds a name to the issuerNames criterion.
java.lang.Object | clone() | Returns a copy of this object.
boolean | equals(java.lang.Object obj) | Decides whether a CRL should be selected.
java.security.cert.X509Certificate | getCertificateChecking() | Returns the certificate being checked.
java.util.Date | getDateAndTime() | Returns the dateAndTime criterion.
java.util.Collection | getIssuerNames() | Returns a copy of the issuerNames criterion.
java.math.BigInteger | getMaxCRL() | Returns the maxCRLNumber criterion.
java.math.BigInteger | getMinCRL() | Returns the minCRLNumber criterion.
boolean | match(java.security.cert.CRL crl) | Decides whether a CRL should be selected. Uses X509Name.toString to parse and to compare the crl parameter issuer and CRLNumber to access the CRL number extension.
void | setCertificateChecking(java.security.cert.X509Certificate cert) | Sets the certificate being checked.
void | setDateAndTime(java.util.Date dateAndTime) | Sets the dateAndTime criterion.
void | setIssuerNames(java.util.Collection names) | Sets the issuerNames criterion.
void | setMaxCRLNumber(java.math.BigInteger maxCRL) | Sets the maxCRLNumber criterion.
void | setMinCRLNumber(java.math.BigInteger minCRL) | Sets the minCRLNumber criterion.
java.lang.String | toString() | Returns a printable representation of the X509CRLSelector. Uses X509Name.toString to format the output.
Methods inherited from class java.lang.Object
finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
X509CRLSelector
public X509CRLSelector()
- Creates an X509CRLSelector. Initially, no criteria are
set so any X509CRL will match.
setIssuerNames
public void setIssuerNames(java.util.Collection names)
throws java.io.IOException
- Sets the issuerNames criterion. The issuer distinguished name in the
X509CRL must match at least one of the specified
distinguished names. If null, any issuer distinguished
name will do.
This method allows the caller to specify, with a single method call, the
complete set of issuer names which X509CRLs may contain.
The specified value replaces the previous value for the issuerNames
criterion.
The names parameter (if not null) is a
Collection of names. Each name is a String
or a byte array representing a distinguished name (in RFC 2253 or ASN.1
DER encoded form, respectively). If null is supplied as
the value for this argument, no issuerNames check will be performed.
Note that the names parameter can contain duplicate
distinguished names, but they may be removed from the
Collection of names returned by the
getIssuerNames
method.
If a name is specified as a byte array, it should contain a single DER
encoded distinguished name, as defined in X.501. The ASN.1 notation for
this structure is as follows.
    Name ::= CHOICE {
      RDNSequence }

    RDNSequence ::= SEQUENCE OF RDN

    RDN ::=
      SET SIZE (1 .. MAX) OF AttributeTypeAndValue

    AttributeTypeAndValue ::= SEQUENCE {
      type     AttributeType,
      value    AttributeValue }

    AttributeType ::= OBJECT IDENTIFIER

    AttributeValue ::= ANY DEFINED BY AttributeType
    ....
    DirectoryString ::= CHOICE {
      teletexString    TeletexString (SIZE (1..MAX)),
      printableString  PrintableString (SIZE (1..MAX)),
      universalString  UniversalString (SIZE (1..MAX)),
      utf8String       UTF8String (SIZE (1..MAX)),
      bmpString        BMPString (SIZE (1..MAX)) }
Note that a deep copy is performed on the Collection to
protect against subsequent modifications.
- Parameters:
names - a Collection of names (or null)
- Throws:
java.io.IOException - if a parsing error occurs
- See Also:
getIssuerNames()
addIssuerName
public void addIssuerName(java.lang.String name)
throws java.io.IOException
- Adds a name to the issuerNames criterion. The issuer distinguished name
in the X509CRL must match at least one of the specified
distinguished names.
This method allows the caller to add a name to the set of issuer names
which X509CRLs may contain. The specified name is added to
any previous value for the issuerNames criterion. If the specified name
is a duplicate, it may be ignored.
Uses X509Name for parsing the name.
- Parameters:
name - the name in RFC 2253 form
- Throws:
java.io.IOException - if a parsing error occurs
addIssuerName
public void addIssuerName(byte[] name)
throws java.io.IOException
- Adds a name to the issuerNames criterion. The issuer distinguished name
in the X509CRL must match at least one of the specified
distinguished names.
This method allows the caller to add a name to the set of issuer names
which X509CRLs may contain. The specified name is added to
any previous value for the issuerNames criterion. If the specified name
is a duplicate, it may be ignored.
The name is provided as a byte array. This byte array should contain a
single DER encoded distinguished name, as defined in X.501. The ASN.1
notation for this structure appears in the documentation for
setIssuerNames(Collection names).
Note that the byte array supplied here is cloned to protect against
subsequent modifications.
Uses X509Name for parsing the name, ASN1InputStream, ASN1Object and ASN1Sequence.
- Parameters:
name - a byte array containing the name in ASN.1 DER encoded form
- Throws:
java.io.IOException - if a parsing error occurs
setMinCRLNumber
public void setMinCRLNumber(java.math.BigInteger minCRL)
- Sets the minCRLNumber criterion. The X509CRL must have a
CRL number extension whose value is greater than or equal to the
specified value. If null, no minCRLNumber check will be
done.
- Parameters:
minCRL - the minimum CRL number accepted (or null)
setMaxCRLNumber
public void setMaxCRLNumber(java.math.BigInteger maxCRL)
- Sets the maxCRLNumber criterion. The X509CRL must have a
CRL number extension whose value is less than or equal to the specified
value. If null, no maxCRLNumber check will be done.
- Parameters:
maxCRL - the maximum CRL number accepted (or null)
setDateAndTime
public void setDateAndTime(java.util.Date dateAndTime)
- Sets the dateAndTime criterion. The specified date must be equal to or
later than the value of the thisUpdate component of the
X509CRL and earlier than the value of the nextUpdate
component. There is no match if the X509CRL does not
contain a nextUpdate component. If null, no dateAndTime
check will be done.
Note that the Date supplied here is cloned to protect
against subsequent modifications.
- Parameters:
dateAndTime - the Date to match against (or null)
- See Also:
getDateAndTime()
setCertificateChecking
public void setCertificateChecking(java.security.cert.X509Certificate cert)
- Sets the certificate being checked. This is not a criterion. Rather, it
is optional information that may help a CertStore find
CRLs that would be relevant when checking revocation for the specified
certificate. If null is specified, then no such optional
information is provided.
- Parameters:
cert - the X509Certificate being checked (or null)
- See Also:
getCertificateChecking()
getIssuerNames
public java.util.Collection getIssuerNames()
- Returns a copy of the issuerNames criterion. The issuer distinguished
name in the X509CRL must match at least one of the
specified distinguished names. If the value returned is null,
any issuer distinguished name will do.
If the value returned is not null, it is a
Collection of names. Each name is a String
or a byte array representing a distinguished name (in RFC 2253 or ASN.1
DER encoded form, respectively). Note that the Collection
returned may contain duplicate names.
If a name is specified as a byte array, it should contain a single DER
encoded distinguished name, as defined in X.501. The ASN.1 notation for
this structure is given in the documentation for
setIssuerNames(Collection names).
Note that a deep copy is performed on the Collection to
protect against subsequent modifications.
- Returns:
- a Collection of names (or null)
- See Also:
setIssuerNames(java.util.Collection)
getMinCRL
public java.math.BigInteger getMinCRL()
- Returns the minCRLNumber criterion. The X509CRL must have
a CRL number extension whose value is greater than or equal to the
specified value. If null, no minCRLNumber check will be
done.
- Returns:
- the minimum CRL number accepted (or null)
getMaxCRL
public java.math.BigInteger getMaxCRL()
- Returns the maxCRLNumber criterion. The X509CRL must have
a CRL number extension whose value is less than or equal to the specified
value. If null, no maxCRLNumber check will be done.
- Returns:
- the maximum CRL number accepted (or null)
getDateAndTime
public java.util.Date getDateAndTime()
- Returns the dateAndTime criterion. The specified date must be equal to or
later than the value of the thisUpdate component of the
X509CRL and earlier than the value of the nextUpdate
component. There is no match if the X509CRL does not
contain a nextUpdate component. If null, no dateAndTime
check will be done.
Note that the Date returned is cloned to protect against
subsequent modifications.
- Returns:
- the Date to match against (or null)
- See Also:
setDateAndTime(java.util.Date)
getCertificateChecking
public java.security.cert.X509Certificate getCertificateChecking()
- Returns the certificate being checked. This is not a criterion. Rather,
it is optional information that may help a CertStore find
CRLs that would be relevant when checking revocation for the specified
certificate. If the value returned is null, then no such
optional information is provided.
- Returns:
- the certificate being checked (or null)
- See Also:
setCertificateChecking(java.security.cert.X509Certificate)
toString
public java.lang.String toString()
- Returns a printable representation of the X509CRLSelector.
Uses X509Name.toString to format the output.
- Overrides:
toString in class java.lang.Object
- Returns:
- a String describing the contents of the
X509CRLSelector.
match
public boolean match(java.security.cert.CRL crl)
- Decides whether a CRL should be selected.
Uses X509Name.toString to parse and to compare the crl parameter issuer
and CRLNumber to access the CRL number extension.
- Specified by:
match in interface CRLSelector
- Parameters:
crl - the CRL to be checked
- Returns:
- true if the CRL should be selected, false otherwise
clone
public java.lang.Object clone()
- Returns a copy of this object.
- Specified by:
clone in interface CRLSelector
- Overrides:
clone in class java.lang.Object
- Returns:
- the copy
equals
public boolean equals(java.lang.Object obj)
- Decides whether a CRL should be selected.
- Overrides:
equals in class java.lang.Object
- Parameters:
crl - the CRL to be checked
- Returns:
- true if the CRL should be selected, false otherwise