com.sun.identity.security.cert

Class AMCRLStore

java.lang.Object

com.sun.identity.security.cert.AMCertStore

com.sun.identity.security.cert.AMCRLStore

public class AMCRLStore
extends AMCertStore

The class is used to manage crl store in LDAP server This class does get crl and update crl with CRLDistribution PointsExtension in client certificate or IssuingDistribution PointExtension in CRL. This class should be used in order to manage CRL store in LDAP

 id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::=  { id-ce 31 }

 RLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint

 DistributionPoint ::= SEQUENCE {
        distributionPoint       [0]     DistributionPointName OPTIONAL,
        reasons                 [1]     ReasonFlags OPTIONAL,
        cRLIssuer               [2]     GeneralNames OPTIONAL }

 DistributionPointName ::= CHOICE {
        fullName                [0]     GeneralNames,
        nameRelativeToCRLIssuer [1]     RelativeDistinguishedName }

 ReasonFlags ::= BIT STRING {
        unused                  (0),
        keyCompromise           (1),
        cACompromise            (2),
        affiliationChanged      (3),
        superseded              (4),
        cessationOfOperation    (5),
        certificateHold         (6),
        privilegeWithdrawn      (7),
        aACompromise            (8) }
 

Field Summary

Fields

Modifier and Type	Field and Description
static String	CERTIFICATE_REVOCATION_LIST
static String	CERTIFICATE_REVOCATION_LIST_BINARY

Fields inherited from class com.sun.identity.security.cert.AMCertStore

CACERTIFICATE, CACERTIFICATE_BINARY, certificate, cf, ldapconn, storeParam, USERCERTIFICATE, USERCERTIFICATE_BINARY

Constructor Summary

Constructors

Constructor and Description
AMCRLStore(AMLDAPCertStoreParameters param) Class AMCRLStore is special cased CRL store for LDAP.

Method Summary

Modifier and Type	Method and Description
static X509CRL	getCRL(AMLDAPCertStoreParameters ldapParam, X509Certificate cert, String... attrNames) It gets the new CRL from ldap server.
X509CRL	getCRL(X509Certificate certificate) Checks certificate and returns corresponding stored CRL in ldap store
X509CRL	getCRLFromCache(X509Certificate certificate) Checks certificate and returns corresponding stored CRL in cached CRL store.
void	updateCRLCache(X509Certificate certificate, X509CRL crl) Checks certificate and update CRL in cached CRL store.

Methods inherited from class com.sun.identity.security.cert.AMCertStore

getCertificate, getCertificate, getCertificate, getIssuerCertificate, getIssuerDN, getRegisteredCertificate, getSubjectDN, isRootCA, setLdapStoreParam, setSearchFilter

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

CERTIFICATE_REVOCATION_LIST

public static final String CERTIFICATE_REVOCATION_LIST

See Also:

Constant Field Values

CERTIFICATE_REVOCATION_LIST_BINARY

public static final String CERTIFICATE_REVOCATION_LIST_BINARY

See Also:

Constant Field Values

Constructor Detail

AMCRLStore

public AMCRLStore(AMLDAPCertStoreParameters param)

Class AMCRLStore is special cased CRL store for LDAP. A AMCRLStore instance has to have all the information for ldap and all the access information for CRLDistributionPointExtension and CRLIssuingDistributionPoint Extension

Parameters:

param -

Method Detail

getCRL

public X509CRL getCRL(X509Certificate certificate)
               throws IOException

Checks certificate and returns corresponding stored CRL in ldap store

Parameters:

certificate -

Throws:

IOException

getCRLFromCache

public X509CRL getCRLFromCache(X509Certificate certificate)

Checks certificate and returns corresponding stored CRL in cached CRL store.

Parameters:

certificate -

Returns:

Cached CRL information about the certificate.

updateCRLCache

public void updateCRLCache(X509Certificate certificate,
                           X509CRL crl)

Checks certificate and update CRL in cached CRL store.

Parameters:

certificate -

crl -

getCRL

public static X509CRL getCRL(AMLDAPCertStoreParameters ldapParam,
                             X509Certificate cert,
                             String... attrNames)

It gets the new CRL from ldap server. If it is ldap URI, the URI has to be a dn that can be accessed with ldap anonymous bind. (example : ldap://server:port/uid=ca,o=company.com) This dn entry has to have CRL in attribute certificaterevocationlist or certificaterevocationlist;binary.

if attrNames does only contain one value the ldap search filter will be (attrName=Value_of_the_corresponding_Attribute_from_SubjectDN) e.g. SubjectDN of issuer cert 'C=BE, CN=Citizen CA, serialNumber=201007' attrNames is 'CN', search filter used will be (CN=Citizen CA)

if attrNames does contain serveral values the ldap search filter value will be a comma separated list of name attribute values, the search attribute will be 'cn' (cn="attrNames[0]=Value_of_the_corresponding_Attribute_from_SubjectDN, attrNames[1]=Value_of_the_corresponding_Attribute_from_SubjectDN")

e.g. SubjectDN of issuer cert 'C=BE, CN=Citizen CA, serialNumber=201007' attrNames is {"CN","serialNumber"}, search filter used will be (cn=CN=Citizen CA,serialNumber=201007)

The order of the values of attrNames matter as they must match the value of the 'cn' attribute of a crlDistributionPoint entry in the directory server

Parameters:

ldapParam -

cert -

attrNames, - attributes names from the subjectDN of the issuer cert