PKIXRevocationChecker

abstract class PKIXRevocationChecker : PKIXCertPathChecker
kotlin.Any
   ↳ java.security.cert.PKIXCertPathChecker
   ↳ java.security.cert.PKIXRevocationChecker

A PKIXCertPathChecker for checking the revocation status of certificates with the PKIX algorithm.

A PKIXRevocationChecker checks the revocation status of certificates with the Online Certificate Status Protocol (OCSP) or Certificate Revocation Lists (CRLs). OCSP is described in RFC 2560 and is a network protocol for determining the status of a certificate. A CRL is a time-stamped list identifying revoked certificates, and RFC 5280 describes an algorithm for determining the revocation status of certificates using CRLs.

Each PKIXRevocationChecker must be able to check the revocation status of certificates with OCSP and CRLs. By default, OCSP is the preferred mechanism for checking revocation status, with CRLs as the fallback mechanism. However, this preference can be switched to CRLs with the PREFER_CRLS option. In addition, the fallback mechanism can be disabled with the NO_FALLBACK option.

A PKIXRevocationChecker is obtained by calling the getRevocationChecker method of a PKIX CertPathValidator. Additional parameters and options specific to revocation can be set (by calling the setOcspResponder method for instance). The PKIXRevocationChecker is added to a PKIXParameters object using the addCertPathChecker or setCertPathCheckers method, and then the PKIXParameters is passed along with the CertPath to be validated to the validate method of a PKIX CertPathValidator. When supplying a revocation checker in this manner, it will be used to check revocation irrespective of the setting of the RevocationEnabled flag. Similarly, a PKIXRevocationChecker may be added to a PKIXBuilderParameters object for use with a PKIX CertPathBuilder.

Note that when a PKIXRevocationChecker is added to PKIXParameters, it clones the PKIXRevocationChecker; thus any subsequent modifications to the PKIXRevocationChecker have no effect.

Any parameter that is not set (or is set to null) will be set to the default value for that parameter.

Concurrent Access

Unless otherwise specified, the methods defined in this class are not thread-safe. Multiple threads that need to access a single object concurrently should synchronize amongst themselves and provide the necessary locking. Multiple threads each manipulating separate objects need not synchronize.

See RFC 2560: X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP, RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile (Android note: this paragraph was originally in a malformed "see" tag below, moved here for correct construction of the docs).
Requires API level 24 (Android 7.0, Nougat)

Summary

Nested classes

Various revocation options that can be specified for the revocation checking mechanism.

Protected constructors

Default constructor.

Public methods
open Unit

Sets the OCSP responder's certificate.

open MutableList<Extension!>!

Gets the optional OCSP request extensions.

open MutableMap<X509Certificate!, ByteArray!>!

Gets the OCSP responses.

open URI!

Gets the URI that identifies the location of the OCSP responder.

open Unit

Sets the OCSP responses.

open PKIXRevocationChecker

Returns a clone of this object.

open Unit

Sets the revocation options.

open Unit

Sets the URI that identifies the location of the OCSP responder.

open X509Certificate!

Gets the OCSP responder's certificate.

open Unit

Sets the optional OCSP request extensions.

open MutableSet<PKIXRevocationChecker.Option!>!

Gets the revocation options.

abstract MutableList<CertPathValidatorException!>!

Returns a list containing the exceptions that are ignored by the revocation checker when the SOFT_FAIL option is set.

Inherited functions

Protected constructors

<init>

protected PKIXRevocationChecker()

Default constructor.

Public methods

setOcspResponderCert

added in API level 24
open fun setOcspResponderCert(cert: X509Certificate!): Unit

Sets the OCSP responder's certificate. This overrides the ocsp.responderCertSubjectName, ocsp.responderCertIssuerName, and ocsp.responderCertSerialNumber security properties.
Requires API level 24 (Android 7.0, Nougat)

Parameters
cert X509Certificate!: the responder's certificate

getOcspExtensions

added in API level 24
open fun getOcspExtensions(): MutableList<Extension!>!

Gets the optional OCSP request extensions.
Requires API level 24 (Android 7.0, Nougat)

Return
MutableList<Extension!>!: an unmodifiable list of extensions. The list is empty if no extensions have been specified.

getOcspResponses

added in API level 24
open fun getOcspResponses(): MutableMap<X509Certificate!, ByteArray!>!

Gets the OCSP responses. These responses are used to determine the revocation status of the specified certificates when OCSP is used.
Requires API level 24 (Android 7.0, Nougat)

Return
MutableMap<X509Certificate!, ByteArray!>!: a map of OCSP responses. Each key is an X509Certificate that maps to the corresponding DER-encoded OCSP response for that certificate. A deep copy of the map is returned to protect against subsequent modification. Returns an empty map if no responses have been specified.

getOcspResponder

added in API level 24
open fun getOcspResponder(): URI!

Gets the URI that identifies the location of the OCSP responder. This overrides the ocsp.responderURL security property. If this parameter or the ocsp.responderURL property is not set, the location is determined from the certificate's Authority Information Access Extension, as defined in RFC 5280.
Requires API level 24 (Android 7.0, Nougat)

Return
URI!: the responder URI, or null if not set

setOcspResponses

added in API level 24
open fun setOcspResponses(responses: MutableMap<X509Certificate!, ByteArray!>!): Unit

Sets the OCSP responses. These responses are used to determine the revocation status of the specified certificates when OCSP is used.
Requires API level 24 (Android 7.0, Nougat)

Parameters
responses MutableMap<X509Certificate!, ByteArray!>!: a map of OCSP responses. Each key is an X509Certificate that maps to the corresponding DER-encoded OCSP response for that certificate. A deep copy of the map is performed to protect against subsequent modification.

clone

added in API level 24
open fun clone(): PKIXRevocationChecker

Returns a clone of this object. Calls the Object.clone() method. All subclasses which maintain state must support and override this method, if necessary. Requires API level 24 (Android 7.0, Nougat)

Return
PKIXRevocationChecker: a copy of this PKIXCertPathChecker
Exceptions
CloneNotSupportedException if the object's class does not support the Cloneable interface. Subclasses that override the clone method can also throw this exception to indicate that an instance cannot be cloned.

setOptions

added in API level 24
open fun setOptions(options: MutableSet<PKIXRevocationChecker.Option!>!): Unit

Sets the revocation options.
Requires API level 24 (Android 7.0, Nougat)

Parameters
options MutableSet<PKIXRevocationChecker.Option!>!: a set of revocation options. The set is copied to protect against subsequent modification.

setOcspResponder

added in API level 24
open fun setOcspResponder(uri: URI!): Unit

Sets the URI that identifies the location of the OCSP responder. This overrides the ocsp.responderURL security property and any responder specified in a certificate's Authority Information Access Extension, as defined in RFC 5280.
Requires API level 24 (Android 7.0, Nougat)

Parameters
uri URI!: the responder URI

getOcspResponderCert

added in API level 24
open fun getOcspResponderCert(): X509Certificate!

Gets the OCSP responder's certificate. This overrides the ocsp.responderCertSubjectName, ocsp.responderCertIssuerName, and ocsp.responderCertSerialNumber security properties. If this parameter or the aforementioned properties are not set, then the responder's certificate is determined as specified in RFC 2560.
Requires API level 24 (Android 7.0, Nougat)

Return
X509Certificate!: the responder's certificate, or null if not set

setOcspExtensions

added in API level 24
open fun setOcspExtensions(extensions: MutableList<Extension!>!): Unit

Sets the optional OCSP request extensions.
Requires API level 24 (Android 7.0, Nougat)

Parameters
extensions MutableList<Extension!>!: a list of extensions. The list is copied to protect against subsequent modification.

getOptions

added in API level 24
open fun getOptions(): MutableSet<PKIXRevocationChecker.Option!>!

Gets the revocation options.
Requires API level 24 (Android 7.0, Nougat)

Return
MutableSet<PKIXRevocationChecker.Option!>!: an unmodifiable set of revocation options. The set is empty if no options have been specified.

getSoftFailExceptions

added in API level 24
abstract fun getSoftFailExceptions(): MutableList<CertPathValidatorException!>!

Returns a list containing the exceptions that are ignored by the revocation checker when the SOFT_FAIL option is set. The list is cleared each time init is called. The list is ordered in ascending order according to the certificate index returned by getIndex method of each entry.

An implementation of PKIXRevocationChecker is responsible for adding the ignored exceptions to the list.
Requires API level 24 (Android 7.0, Nougat)

Return
MutableList<CertPathValidatorException!>!: an unmodifiable list containing the ignored exceptions. The list is empty if no exceptions have been ignored.