Package com.sun.identity.security.cert
Class AMCRLStore
- java.lang.Object
  - com.sun.identity.security.cert.AMCertStore
    - com.sun.identity.security.cert.AMCRLStore
public class AMCRLStore extends AMCertStore
This class manages a CRL store held in an LDAP server. It retrieves a CRL and refreshes it using the CRLDistributionPoints extension of the client certificate or the IssuingDistributionPoint extension of the CRL itself. Use this class whenever a CRL store in LDAP has to be managed.

The relevant ASN.1 (the CRLDistributionPoints extension) is:

    id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= { id-ce 31 }

    CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint

    DistributionPoint ::= SEQUENCE {
        distributionPoint  [0] DistributionPointName OPTIONAL,
        reasons            [1] ReasonFlags OPTIONAL,
        cRLIssuer          [2] GeneralNames OPTIONAL }

    DistributionPointName ::= CHOICE {
        fullName                 [0] GeneralNames,
        nameRelativeToCRLIssuer  [1] RelativeDistinguishedName }

    ReasonFlags ::= BIT STRING {
        unused                (0),
        keyCompromise         (1),
        cACompromise          (2),
        affiliationChanged    (3),
        superseded            (4),
        cessationOfOperation  (5),
        certificateHold       (6),
        privilegeWithdrawn    (7),
        aACompromise          (8) }
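To make the structure above concrete, here is an added example (it is not OpenAM code, and the page does not show how AMCRLStore itself decodes the extension) that walks a DER-encoded CRLDistributionPoints value and collects every fullName GeneralName of type uniformResourceIdentifier. The sample extension bytes, the URI in them and the helper that builds them are constructed for this example; the tag numbers follow the ASN.1 shown above, with the [0] around DistributionPointName encoded explicitly (it wraps a CHOICE) and fullName [0] and uniformResourceIdentifier [6] encoded implicitly, as in RFC 5280.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

/** Added example, not OpenAM code: extracts CRL URIs from a DER CRLDistributionPoints value. */
public final class CrlDistributionPointsExample {

    private CrlDistributionPointsExample() {}

    /** One parsed TLV: tag byte plus the offset and length of its value inside the buffer. */
    private static final class Tlv {
        final int tag, start, length, end;
        Tlv(int tag, int start, int length) {
            this.tag = tag; this.start = start; this.length = length; this.end = start + length;
        }
    }

    /** Reads the TLV at pos. Definite short- and long-form lengths only, as DER requires. */
    private static Tlv read(byte[] der, int pos) {
        if (pos + 2 > der.length) throw new IllegalArgumentException("truncated DER");
        int tag = der[pos] & 0xFF;
        int len = der[pos + 1] & 0xFF;
        int p = pos + 2;
        if (len == 0x80) throw new IllegalArgumentException("indefinite length is not DER");
        if ((len & 0x80) != 0) {
            int n = len & 0x7F;
            if (n > 4 || p + n > der.length) throw new IllegalArgumentException("bad length");
            len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (der[p++] & 0xFF);
        }
        if (len < 0 || p + len > der.length) throw new IllegalArgumentException("truncated DER");
        return new Tlv(tag, p, len);
    }

    /** Returns the TLVs contained in a constructed TLV, refusing any that overrun the parent. */
    private static List<Tlv> children(byte[] der, Tlv parent) {
        List<Tlv> out = new ArrayList<>();
        int pos = parent.start;
        while (pos < parent.end) {
            Tlv t = read(der, pos);
            if (t.end > parent.end) throw new IllegalArgumentException("child overruns parent");
            out.add(t);
            pos = t.end;
        }
        return out;
    }

    /** Collects uniformResourceIdentifier fullNames; other DistributionPoint fields are skipped. */
    public static List<String> crlUris(byte[] der) {
        List<String> uris = new ArrayList<>();
        Tlv seq = read(der, 0);                         // CRLDistributionPoints ::= SEQUENCE OF
        if (seq.tag != 0x30) throw new IllegalArgumentException("expected SEQUENCE");
        for (Tlv dp : children(der, seq)) {             // DistributionPoint ::= SEQUENCE { ... }
            if (dp.tag != 0x30) throw new IllegalArgumentException("expected SEQUENCE");
            for (Tlv field : children(der, dp)) {
                if (field.tag != 0xA0) continue;        // distributionPoint [0]; reasons [1], cRLIssuer [2] skipped
                for (Tlv name : children(der, field)) { // DistributionPointName CHOICE
                    if (name.tag != 0xA0) continue;     // fullName [0]; nameRelativeToCRLIssuer [1] skipped
                    for (Tlv gn : children(der, name)) {
                        if (gn.tag == 0x86) {           // uniformResourceIdentifier [6] IA5String
                            uris.add(new String(der, gn.start, gn.length, StandardCharsets.US_ASCII));
                        }
                    }
                }
            }
        }
        return uris;
    }

    /** Builds a short-form DER TLV; used only to construct the sample input below. */
    static byte[] tlv(int tag, byte[]... parts) {
        int n = 0;
        for (byte[] p : parts) n += p.length;
        if (n >= 128) throw new IllegalArgumentException("sample helper supports short-form lengths only");
        byte[] out = new byte[2 + n];
        out[0] = (byte) tag;
        out[1] = (byte) n;
        int pos = 2;
        for (byte[] p : parts) { System.arraycopy(p, 0, out, pos, p.length); pos += p.length; }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample: one DistributionPoint whose fullName is a single URI.
        byte[] uri = "http://crl.example.test/ca.crl".getBytes(StandardCharsets.US_ASCII);
        byte[] sample = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0xA0, tlv(0x86, uri)))));
        for (String u : crlUris(sample)) System.out.println(u);
    }
}
```

Every length is checked against the enclosing element before the value is read, so a malformed extension is rejected instead of being read past its buffer; that is the property a CRL fetcher wants, since the extension value comes from a certificate presented by the peer.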
Field Summary
- static String CERTIFICATE_REVOCATION_LIST
- static String CERTIFICATE_REVOCATION_LIST_BINARY

Fields inherited from class com.sun.identity.security.cert.AMCertStore
CACERTIFICATE, CACERTIFICATE_BINARY, certificate, cf, ldapconn, storeParam, USERCERTIFICATE, USERCERTIFICATE_BINARY
Constructor Summary
- AMCRLStore(AMLDAPCertStoreParameters param)
  Class AMCRLStore is a special-cased CRL store for LDAP.
Method Summary
- static X509CRL getCRL(AMLDAPCertStoreParameters ldapParam, X509Certificate cert, String... attrNames)
  Fetches a fresh CRL from the LDAP server.
- X509CRL getCRL(X509Certificate certificate)
  Checks the certificate and returns the corresponding CRL stored in the LDAP store.
- X509CRL getCRLFromCache(X509Certificate certificate)
  Checks the certificate and returns the corresponding CRL from the cached CRL store.
- void updateCRLCache(X509Certificate certificate, X509CRL crl)
  Checks the certificate and updates its CRL in the cached CRL store.

Methods inherited from class com.sun.identity.security.cert.AMCertStore
getCertificate, getCertificate, getCertificate, getIssuerCertificate, getIssuerDN, getRegisteredCertificate, getSubjectDN, isRootCA, setLdapStoreParam, setSearchFilter
Field Detail

CERTIFICATE_REVOCATION_LIST
public static final String CERTIFICATE_REVOCATION_LIST
See Also:
- Constant Field Values

CERTIFICATE_REVOCATION_LIST_BINARY
public static final String CERTIFICATE_REVOCATION_LIST_BINARY
See Also:
- Constant Field Values
Constructor Detail

AMCRLStore
public AMCRLStore(AMLDAPCertStoreParameters param)
Class AMCRLStore is a special-cased CRL store for LDAP. An AMCRLStore instance must carry all the LDAP connection information and all the access information needed for the CRLDistributionPoints extension and the CRL IssuingDistributionPoint extension.
Parameters:
- param
Method Detail

getCRL
public X509CRL getCRL(X509Certificate certificate) throws IOException
Checks the certificate and returns the corresponding CRL stored in the LDAP store.
Parameters:
- certificate
Throws:
- IOException

getCRLFromCache
public X509CRL getCRLFromCache(X509Certificate certificate)
Checks the certificate and returns the corresponding CRL from the cached CRL store.
Parameters:
- certificate
Returns:
- Cached CRL information for the certificate.

updateCRLCache
public void updateCRLCache(X509Certificate certificate, X509CRL crl)
Checks the certificate and updates its CRL in the cached CRL store.
Parameters:
- certificate
- crl
getCRL
public static X509CRL getCRL(AMLDAPCertStoreParameters ldapParam, X509Certificate cert, String... attrNames)
Fetches a fresh CRL from the LDAP server. If the distribution point is an LDAP URI, the URI has to be a DN that can be read with an anonymous LDAP bind (example: ldap://server:port/uid=ca,o=company.com). That DN entry has to hold the CRL in the attribute certificaterevocationlist or certificaterevocationlist;binary.

If attrNames contains only one value, the LDAP search filter is (attrName=Value_of_the_corresponding_Attribute_from_SubjectDN). For example, with an issuer certificate SubjectDN of 'C=BE, CN=Citizen CA, serialNumber=201007' and attrNames 'CN', the search filter used is (CN=Citizen CA).

If attrNames contains several values, the search attribute is 'cn' and the filter value is a comma-separated list of name=value pairs: (cn="attrNames[0]=Value_of_the_corresponding_Attribute_from_SubjectDN, attrNames[1]=Value_of_the_corresponding_Attribute_from_SubjectDN"). For example, with the same issuer SubjectDN and attrNames {"CN","serialNumber"}, the search filter used is (cn=CN=Citizen CA,serialNumber=201007).

The order of the values in attrNames matters: they must match the value of the 'cn' attribute of a crlDistributionPoint entry in the directory server.
Parameters:
- ldapParam
- cert
- attrNames - attribute names from the subjectDN of the issuer cert
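The filter construction described above, as an added example that is not OpenAM's own code: it reproduces the two documented filter shapes (single attribute name, and several names folded into the 'cn' value in the order given) from an issuer SubjectDN parsed with javax.naming.ldap.LdapName. One step is an assumption added here, since the page does not say how the DN values are treated: each value taken from the certificate is escaped per RFC 4515 before it is placed in the filter, so that a subject DN containing filter metacharacters cannot change the meaning of the query. The class and method names are invented for this example.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import java.util.ArrayList;
import java.util.List;

/** Added example, not OpenAM code: builds the CRL lookup filter documented for getCRL(...). */
public final class CrlSearchFilterExample {

    private CrlSearchFilterExample() {}

    /** Returns the value of the first RDN whose type matches (case-insensitively), or null if absent. */
    static String attributeValue(LdapName dn, String type) {
        for (Rdn rdn : dn.getRdns()) {
            if (rdn.getType().equalsIgnoreCase(type)) {
                return rdn.getValue().toString();
            }
        }
        return null;
    }

    /** Escapes a value for use inside an LDAP search filter (RFC 4515, section 3). Added assumption. */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\\': sb.append("\\5c"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * One attribute name gives (attrName=value).
     * Several names give (cn=name0=value0,name1=value1,...), the 'cn' of the crlDistributionPoint entry;
     * the order of attrNames is preserved because the documented lookup depends on it.
     */
    static String buildFilter(String issuerSubjectDn, String... attrNames) throws InvalidNameException {
        if (attrNames == null || attrNames.length == 0) {
            throw new IllegalArgumentException("at least one attribute name is required");
        }
        LdapName dn = new LdapName(issuerSubjectDn);
        if (attrNames.length == 1) {
            String v = attributeValue(dn, attrNames[0]);
            if (v == null) throw new IllegalArgumentException("issuer DN has no " + attrNames[0]);
            return "(" + attrNames[0] + "=" + escapeFilterValue(v) + ")";
        }
        List<String> parts = new ArrayList<>();
        for (String name : attrNames) {
            String v = attributeValue(dn, name);
            if (v == null) throw new IllegalArgumentException("issuer DN has no " + name);
            parts.add(name + "=" + v);
        }
        // The whole comma-separated list is the single value of the 'cn' assertion, so escape it as one value.
        return "(cn=" + escapeFilterValue(String.join(",", parts)) + ")";
    }

    public static void main(String[] args) throws InvalidNameException {
        // The issuer SubjectDN from the documentation above.
        String issuer = "C=BE, CN=Citizen CA, serialNumber=201007";
        System.out.println(buildFilter(issuer, "CN"));
        System.out.println(buildFilter(issuer, "CN", "serialNumber"));
        // Constructed DN whose CN carries filter metacharacters: they are escaped, not interpreted.
        System.out.println(buildFilter("CN=Citizen CA*)(objectClass=*", "CN"));
    }
}
```

LdapName stores RDNs right-to-left, but the lookup scans all of them, so the textual order of the DN does not matter; the order of attrNames, which does matter, is taken exactly as passed.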