Class AMCRLStore


  • public class AMCRLStore
    extends AMCertStore
    The class is used to manage a CRL store in an LDAP server. It fetches a CRL and updates it using the CRLDistributionPointsExtension in a client certificate or the IssuingDistributionPointExtension in a CRL. Use this class whenever a CRL store held in LDAP has to be managed.
     id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::=  { id-ce 31 }
    
     CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
    
     DistributionPoint ::= SEQUENCE {
            distributionPoint       [0]     DistributionPointName OPTIONAL,
            reasons                 [1]     ReasonFlags OPTIONAL,
            cRLIssuer               [2]     GeneralNames OPTIONAL }
    
     DistributionPointName ::= CHOICE {
            fullName                [0]     GeneralNames,
            nameRelativeToCRLIssuer [1]     RelativeDistinguishedName }
    
     ReasonFlags ::= BIT STRING {
            unused                  (0),
            keyCompromise           (1),
            cACompromise            (2),
            affiliationChanged      (3),
            superseded              (4),
            cessationOfOperation    (5),
            certificateHold         (6),
            privilegeWithdrawn      (7),
            aACompromise            (8) }
     
    • Constructor Detail

      • AMCRLStore

        public AMCRLStore​(AMLDAPCertStoreParameters param)
        Class AMCRLStore is a CRL store special-cased for LDAP. An AMCRLStore instance has to carry all the LDAP connection information and all the access information needed for the CRLDistributionPointsExtension and the IssuingDistributionPointExtension.
        Parameters:
        param - LDAP connection and search parameters for the CRL store
    • Method Detail

      • getCRLFromCache

        public X509CRL getCRLFromCache​(X509Certificate certificate)
        Checks the certificate and returns the corresponding CRL stored in the cached CRL store.
        Parameters:
        certificate - the client certificate whose CRL is to be looked up
        Returns:
        The cached CRL that applies to the certificate.
      • updateCRLCache

        public void updateCRLCache​(X509Certificate certificate,
                                   X509CRL crl)
        Checks the certificate and updates its CRL in the cached CRL store.
        Parameters:
        certificate - the client certificate the CRL applies to
        crl - the new CRL to store
      • getCRL

        public static X509CRL getCRL​(AMLDAPCertStoreParameters ldapParam,
                                     X509Certificate cert,
                                     String... attrNames)
        Fetches a fresh CRL from the LDAP server. If the distribution point is an ldap URI, the URI has to name a DN that can be read with an LDAP anonymous bind (example: ldap://server:port/uid=ca,o=company.com). That DN entry has to hold the CRL in the attribute certificaterevocationlist or certificaterevocationlist;binary.

        If attrNames contains only one value, the LDAP search filter will be (attrName=Value_of_the_corresponding_Attribute_from_SubjectDN). For example, with the issuer certificate's SubjectDN 'C=BE, CN=Citizen CA, serialNumber=201007' and attrNames 'CN', the search filter used will be (CN=Citizen CA).

        If attrNames contains several values, the search attribute will be 'cn' and the filter value will be a comma-separated list of attribute name/value pairs: (cn="attrNames[0]=Value_of_the_corresponding_Attribute_from_SubjectDN,attrNames[1]=Value_of_the_corresponding_Attribute_from_SubjectDN").

        For example, with the issuer certificate's SubjectDN 'C=BE, CN=Citizen CA, serialNumber=201007' and attrNames {"CN","serialNumber"}, the search filter used will be (cn=CN=Citizen CA,serialNumber=201007).

        The order of the values in attrNames matters, because the assembled value must exactly match the 'cn' attribute of a crlDistributionPoint entry in the directory server.

        Parameters:
        ldapParam - LDAP connection and search parameters for the CRL store
        cert - the certificate whose CRL is to be fetched
        attrNames - attribute names taken from the subjectDN of the issuer certificate, in the order in which they appear in the directory entry's cn
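        The filter rules above, worked through in Java as an added example. This is not code from OpenAM or from AMCRLStore itself; it uses the JDK's LdapName/Rdn parser to pull attribute values out of the issuer DN and assembles the two filter shapes the method description gives. The class name CrlSearchFilterExample is this example's own, and so is the RFC 4515 escaping of the value: the page does not say how AMCRLStore escapes DN values before placing them in a filter, so the escaping here is a precaution the example adds (the value comes from a certificate field that the issuing CA, not the relying party, controls), not a description of the real class.

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/**
 * Added example (not OpenAM code): builds the LDAP search filter that the
 * getCRL description specifies, from an issuer subject DN and an attrNames list.
 */
public class CrlSearchFilterExample {

    /**
     * Escapes a value for use inside an LDAP search filter (RFC 4515).
     * Assumption: the page does not state how AMCRLStore escapes filter values;
     * this escaping is the example's own precaution so that '*', '(', ')' and
     * '\' in a DN value cannot change the meaning of the assembled filter.
     */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\\': sb.append("\\5c"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Returns the value of the first RDN in the DN whose type matches attr (case-insensitive). */
    static String rdnValue(LdapName dn, String attr) {
        for (Rdn rdn : dn.getRdns()) {
            if (rdn.getType().equalsIgnoreCase(attr)) {
                return String.valueOf(rdn.getValue());
            }
        }
        throw new IllegalArgumentException("issuer DN has no " + attr + " attribute: " + dn);
    }

    /**
     * One attrName:     (attrName=value)
     * Several attrNames: (cn=attr0=value0,attr1=value1,...) in the order given,
     * which is why attrNames order has to match the directory entry's cn.
     */
    static String buildFilter(String issuerDn, String... attrNames) throws InvalidNameException {
        if (attrNames.length == 0) {
            throw new IllegalArgumentException("at least one attribute name is required");
        }
        LdapName dn = new LdapName(issuerDn);
        if (attrNames.length == 1) {
            return "(" + attrNames[0] + "=" + escapeFilterValue(rdnValue(dn, attrNames[0])) + ")";
        }
        List<String> parts = new ArrayList<>();
        for (String attr : attrNames) {
            parts.add(attr + "=" + rdnValue(dn, attr));
        }
        // The whole "attr=value,attr=value" string is one cn value, so escape it as one unit.
        return "(cn=" + escapeFilterValue(String.join(",", parts)) + ")";
    }

    public static void main(String[] args) throws InvalidNameException {
        // Issuer DN from the method description's example
        String issuer = "C=BE, CN=Citizen CA, serialNumber=201007";
        System.out.println(buildFilter(issuer, "CN"));                 // (CN=Citizen CA)
        System.out.println(buildFilter(issuer, "CN", "serialNumber")); // (cn=CN=Citizen CA,serialNumber=201007)

        // Constructed DN containing a filter metacharacter: escaping keeps it literal
        System.out.println(buildFilter("CN=Citizen CA*", "CN"));       // (CN=Citizen CA\2a)
    }
}
```

        Two practical points follow from the rules. First, the multi-attribute form is an exact-match search on cn, so a directory whose crlDistributionPoint entry stores "CN=Citizen CA, serialNumber=201007" (with a space) will not match the value built here; reproduce the directory's own formatting. Second, an anonymous-bind LDAP read gives no integrity guarantee by itself, so whatever consumes the fetched X509CRL should verify its signature against the issuer certificate before treating it as authoritative.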