com.dstc.security.ssl
Class OptimisticCRLChecker

java.lang.Object
  |
  +--com.dstc.security.ssl.CertChecker
        |
        +--com.dstc.security.ssl.OptimisticCRLChecker

public class OptimisticCRLChecker
extends CertChecker

A CertChecker that does simple processing of X.509 Certificate Revocation Lists (CRLs).

This class will reject a certificate if it has a CRL entry that lists the certificate as revoked at the specified time; otherwise it will accept the certificate.

Note that, as a consequence, if this class does not know anything about a particular certificate (for example, if it does not have any CRLs from the certificate's issuer, or does not have a sufficiently recent CRL), then it will accept the certificate: the check fails open rather than closed. In some applications this policy may be too liberal.


Constructor Summary
OptimisticCRLChecker(Collection crls)
          Create an OptimisticCRLChecker from a collection of CRLs.
OptimisticCRLChecker(X509CRL[] crls)
          Create an OptimisticCRLChecker from an array of CRLs.
 
Method Summary
 void checkCert(X509Certificate cert, Date checkDate)
          Check the validity of one certificate at a given point in time.
protected  boolean equalDN(Principal dn1, Principal dn2)
          Compare two X.500 Distinguished Names for equality.
static Collection getCRLs(InputStream in)
          Convenience method to get all X.509 CRLs from an InputStream.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

OptimisticCRLChecker

public OptimisticCRLChecker(Collection crls)
Create an OptimisticCRLChecker from a collection of CRLs. This copies the collection, so subsequent additions or deletions will have no effect.
Parameters:
crls - the Collection of X509CRL values

OptimisticCRLChecker

public OptimisticCRLChecker(X509CRL[] crls)
Create an OptimisticCRLChecker from an array of CRLs. This clones the array, so subsequent modifications to the array will have no effect.
Parameters:
crls - the array of X509CRL values

Method Detail

getCRLs

public static Collection getCRLs(InputStream in)
                          throws CertificateException,
                                 CRLException,
                                 IOException
Convenience method to get all X.509 CRLs from an InputStream. The stream is assumed to be in a format suitable for CertificateFactory.generateCRL(InputStream).

This method reads the input stream up to end-of-file.

Parameters:
in - the InputStream from which the CRL or CRLs will be read
Returns:
a Collection containing all CRLs that were read from the stream
Throws:
CertificateException - an X.509 CertificateFactory could not be instantiated
CRLException - on parsing errors
IOException - on errors reading the input stream
See Also:
CertificateFactory.generateCRL(InputStream)

checkCert

public void checkCert(X509Certificate cert,
                      Date checkDate)
               throws CertificateException
Description copied from class: CertChecker
Check the validity of one certificate at a given point in time. Returns normally (void) on success and throws an exception on failure.

This method may be invoked concurrently from multiple threads, so its implementation should be multithread-safe; this is straightforward if it maintains no state, i.e. has no mutable instance variables (or mutable objects reached from those instance variables).

Overrides:
checkCert in class CertChecker
Tags copied from class: CertChecker
Parameters:
cert - the X509Certificate to check
checkDate - the Date at which the certificate's validity should be checked
Throws:
CertificateException - if the certificate is deemed invalid at the specified time
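
The following is an added example, not code from the DSTC library: it reproduces the optimistic policy described above (reject only when a CRL entry from the issuer lists the certificate as revoked at or before the check time, accept otherwise), a getCRLs-style loader that reads every CRL from a PEM buffer, and a strict variant that instead rejects when no current CRL from the issuer covers the check time, so the "too liberal" caveat can be seen on concrete inputs. It assumes Python's `cryptography` package; the CA keys, certificates and CRL are constructed in memory and are not real PKI material. CRL signature verification against the issuer key is left out and must be done before a CRL is trusted in real code.

```python
"""Optimistic (fail-open) versus strict (fail-closed) CRL checking.

Added example, not part of the DSTC library. Mirrors the policy that the
OptimisticCRLChecker documentation describes, using the `cryptography`
package (an assumption), with a strict variant beside it. All keys,
certificates and CRLs below are constructed test fixtures.
"""
import re
from datetime import datetime, timedelta

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


class RevokedError(Exception):
    """A CRL entry lists the certificate as revoked at the check time."""


class NoCoverageError(Exception):
    """Strict mode only: no current CRL from the issuer covers the check time."""


def check_cert(cert, crls, check_date, strict=False):
    """Accept (return None) or raise, like CertChecker.checkCert.

    Optimistic mode is the page's policy: reject only when a CRL from the
    certificate's issuer revokes it at or before check_date; otherwise accept,
    even when no CRL from that issuer is known at all.
    Strict mode additionally requires a CRL from the issuer whose
    thisUpdate..nextUpdate window contains check_date, and rejects otherwise.
    (CRL signature verification against the issuer key is omitted here.)
    """
    covered = False
    for crl in crls:
        if crl.issuer != cert.issuer:
            continue  # a CRL from another issuer says nothing about this cert
        if crl.last_update <= check_date <= crl.next_update:
            covered = True
        entry = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
        # A revocation entry still counts even if the CRL is stale: a revoked
        # certificate does not become valid again because the list aged.
        if entry is not None and entry.revocation_date <= check_date:
            raise RevokedError(
                f"serial {cert.serial_number} revoked at {entry.revocation_date}")
    if strict and not covered:
        raise NoCoverageError(f"no current CRL from {cert.issuer.rfc4514_string()}")


def load_crls(pem_data):
    """Counterpart of getCRLs(InputStream): every PEM CRL in the buffer, in order."""
    blocks = re.findall(
        rb"-----BEGIN X509 CRL-----.*?-----END X509 CRL-----", pem_data, re.S)
    return [x509.load_pem_x509_crl(b) for b in blocks]


# --- constructed fixtures (hypothetical CAs, not real PKI material) ---------
T0 = datetime(2024, 1, 1)
DAY = timedelta(days=1)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _make_cert(issuer, issuer_key, cn, serial):
    key = ec.generate_private_key(ec.SECP256R1())
    return (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(issuer)
            .public_key(key.public_key()).serial_number(serial)
            .not_valid_before(T0 - DAY).not_valid_after(T0 + 365 * DAY)
            .sign(issuer_key, hashes.SHA256()))


def _make_crl(issuer, issuer_key, revoked):
    b = (x509.CertificateRevocationListBuilder().issuer_name(issuer)
         .last_update(T0).next_update(T0 + 7 * DAY))   # valid for one week
    for serial, when in revoked:
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial)
            .revocation_date(when).build())
    return b.sign(issuer_key, hashes.SHA256())


CA_A_KEY, CA_B_KEY = (ec.generate_private_key(ec.SECP256R1()) for _ in range(2))
CA_A, CA_B = _name("Test CA A"), _name("Test CA B")
GOOD_A = _make_cert(CA_A, CA_A_KEY, "server-1", 1001)
REVOKED_A = _make_cert(CA_A, CA_A_KEY, "server-2", 1002)   # revoked at T0 + 1 day
UNKNOWN_B = _make_cert(CA_B, CA_B_KEY, "server-3", 2001)   # CA B publishes no CRL
CRL_PEM = _make_crl(CA_A, CA_A_KEY, [(1002, T0 + DAY)]).public_bytes(
    serialization.Encoding.PEM)
CRLS = load_crls(CRL_PEM)


def verdict(cert, check_date, strict=False):
    """'ok', 'revoked' or 'no-coverage' for the given certificate and time."""
    try:
        check_cert(cert, CRLS, check_date, strict)
        return "ok"
    except RevokedError:
        return "revoked"
    except NoCoverageError:
        return "no-coverage"


if __name__ == "__main__":
    cases = (("good", GOOD_A), ("revoked", REVOKED_A), ("unknown issuer", UNKNOWN_B))
    for label, cert in cases:
        for when in (T0 + 2 * DAY, T0 + 30 * DAY):
            print(f"{label:15} at +{(when - T0).days:2d}d  "
                  f"optimistic={verdict(cert, when):12} strict={verdict(cert, when, True)}")
```

Running the module prints a small table: at +2 days both policies agree (good accepted, revoked rejected) except for the certificate from CA B, which the optimistic check accepts because it knows nothing about that issuer; at +30 days, once the only CRL is past its nextUpdate, the optimistic check still accepts the good certificate while the strict check rejects everything it cannot vouch for. Checking the revoked certificate at +12 hours, before its recorded revocation date, is accepted by both, which is the "revoked at the specified time" rule from the class description.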

equalDN

protected boolean equalDN(Principal dn1,
                          Principal dn2)
Compare two X.500 Distinguished Names for equality.
Parameters:
dn1 - a Principal representing an X.500 Distinguished Name
dn2 - a Principal representing an X.500 Distinguished Name
Returns:
true if the two values are equivalent