- All Implemented Interfaces:
- Cloneable, CRLSelector

A CRLSelector that selects X509CRLs that match all specified criteria. This class is particularly useful when selecting CRLs from a CertStore to check revocation status of a particular certificate.

When first constructed, an X509CRLSelector has no criteria enabled and each of the get methods returns a default value (null). Therefore, the match method would return true for any X509CRL. Typically, several criteria are enabled (by calling setIssuers or setDateAndTime, for instance) and then the X509CRLSelector is passed to CertStore.getCRLs or some similar method.
 
Please refer to RFC 5280: Internet X.509 Public Key Infrastructure Certificate and CRL Profile for definitions of the X.509 CRL fields and extensions mentioned below.
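The typical flow described above (enable several criteria, then pass the selector to CertStore.getCRLs), as an added example that is not part of the JDK documentation. The class name CrlSelectorExample and the command-line layout (certificate, issuing CA certificate, last accepted CRL number, candidate CRL files) are assumptions, as is the CRL being signed directly by the certificate's issuer.

```java
import java.io.InputStream;
import java.math.BigInteger;
import java.nio.file.*;
import java.security.cert.*;
import java.util.*;

public class CrlSelectorExample {
    // Assumed usage: java CrlSelectorExample cert.pem issuer.pem lastSeenCrlNumber crl1 [crl2 ...]
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert = readCert(cf, args[0]);
        X509Certificate issuer = readCert(cf, args[1]);
        BigInteger lastSeen = new BigInteger(args[2]);
        List<CRL> candidates = new ArrayList<>();
        for (int i = 3; i < args.length; i++) {
            try (InputStream in = Files.newInputStream(Path.of(args[i]))) {
                candidates.addAll(cf.generateCRLs(in));
            }
        }
        CertStore store = CertStore.getInstance("Collection", new CollectionCertStoreParameters(candidates));

        X509CRLSelector selector = new X509CRLSelector();
        // X500Principal form, which the page recommends over RFC 2253 strings.
        selector.setIssuers(List.of(cert.getIssuerX500Principal()));
        // Requires thisUpdate <= now < nextUpdate; CRLs without nextUpdate never match.
        selector.setDateAndTime(new Date());
        // Rejects CRLs older than the last one accepted, and CRLs with no CRL number extension.
        selector.setMinCRLNumber(lastSeen);
        // Not a criterion: only a hint the CertStore may use to locate relevant CRLs.
        selector.setCertificateChecking(cert);

        Collection<? extends CRL> selected = store.getCRLs(selector);
        if (selected.isEmpty()) {
            // Fail closed: no usable CRL means the status is unknown, not "good".
            throw new CertificateException("no current CRL from " + cert.getIssuerX500Principal());
        }
        for (CRL c : selected) {
            X509CRL crl = (X509CRL) c;
            // The selector compares fields only; the signature is verified separately.
            crl.verify(issuer.getPublicKey());
            System.out.println("thisUpdate=" + crl.getThisUpdate() + " revoked=" + crl.isRevoked(cert));
        }
    }
    private static X509Certificate readCert(CertificateFactory cf, String file) throws Exception {
        try (InputStream in = Files.newInputStream(Path.of(file))) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }
}
```

Leaving every criterion unset would make the selector return every CRL in the store, so the issuer and date criteria are what narrow the result to CRLs usable for this certificate.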
Concurrent Access
Unless otherwise specified, the methods defined in this class are not thread-safe. Multiple threads that need to access a single object concurrently should synchronize amongst themselves and provide the necessary locking. Multiple threads each manipulating separate objects need not synchronize.
- Since:
- 1.4

Constructor Summary
- X509CRLSelector(): Creates an X509CRLSelector.

Method Summary
- void addIssuer(X500Principal issuer): Adds a name to the issuerNames criterion.
- void addIssuerName(byte[] name): Adds a name to the issuerNames criterion.
- void addIssuerName(String name): Deprecated.
- Object clone(): Returns a copy of this object.
- X509Certificate getCertificateChecking(): Returns the certificate being checked.
- Date getDateAndTime(): Returns the dateAndTime criterion.
- Collection<Object> getIssuerNames(): Returns a copy of the issuerNames criterion.
- Collection<X500Principal> getIssuers(): Returns the issuerNames criterion.
- BigInteger getMaxCRL(): Returns the maxCRLNumber criterion.
- BigInteger getMinCRL(): Returns the minCRLNumber criterion.
- boolean match(CRL crl): Decides whether a CRL should be selected.
- void setCertificateChecking(X509Certificate cert): Sets the certificate being checked.
- void setDateAndTime(Date dateAndTime): Sets the dateAndTime criterion.
- void setIssuerNames(Collection<?> names): Note: use setIssuers(Collection) instead or only specify the byte array form of distinguished names when using this method.
- void setIssuers(Collection<X500Principal> issuers): Sets the issuerNames criterion.
- void setMaxCRLNumber(BigInteger maxCRL): Sets the maxCRLNumber criterion.
- void setMinCRLNumber(BigInteger minCRL): Sets the minCRLNumber criterion.
- String toString(): Returns a printable representation of the X509CRLSelector.
Constructor Details

X509CRLSelector

public X509CRLSelector()

Creates an X509CRLSelector. Initially, no criteria are set so any X509CRL will match.
 
Method Details

setIssuers

Sets the issuerNames criterion. The issuer distinguished name in the X509CRL must match at least one of the specified distinguished names. If null, any issuer distinguished name will do.

This method allows the caller to specify, with a single method call, the complete set of issuer names which X509CRLs may contain. The specified value replaces the previous value for the issuerNames criterion.

The names parameter (if not null) is a Collection of X500Principals.

Note that the names parameter can contain duplicate distinguished names, but they may be removed from the Collection of names returned by the getIssuers method.

Note that a copy is performed on the Collection to protect against subsequent modifications.

- Parameters:
- issuers - a Collection of X500Principals (or null)
- Since:
- 1.5
 
setIssuerNames

Note: use setIssuers(Collection) instead or only specify the byte array form of distinguished names when using this method. See addIssuerName(String) for more information.

Sets the issuerNames criterion. The issuer distinguished name in the X509CRL must match at least one of the specified distinguished names. If null, any issuer distinguished name will do.

This method allows the caller to specify, with a single method call, the complete set of issuer names which X509CRLs may contain. The specified value replaces the previous value for the issuerNames criterion.

The names parameter (if not null) is a Collection of names. Each name is a String or a byte array representing a distinguished name (in RFC 2253 or ASN.1 DER encoded form, respectively). If null is supplied as the value for this argument, no issuerNames check will be performed.

Note that the names parameter can contain duplicate distinguished names, but they may be removed from the Collection of names returned by the getIssuerNames method.

If a name is specified as a byte array, it should contain a single DER encoded distinguished name, as defined in X.501. The ASN.1 notation for this structure is as follows.

    Name ::= CHOICE {
      RDNSequence }

    RDNSequence ::= SEQUENCE OF RelativeDistinguishedName

    RelativeDistinguishedName ::=
      SET SIZE (1 .. MAX) OF AttributeTypeAndValue

    AttributeTypeAndValue ::= SEQUENCE {
      type     AttributeType,
      value    AttributeValue }

    AttributeType ::= OBJECT IDENTIFIER

    AttributeValue ::= ANY DEFINED BY AttributeType
    ....
    DirectoryString ::= CHOICE {
      teletexString      TeletexString (SIZE (1..MAX)),
      printableString    PrintableString (SIZE (1..MAX)),
      universalString    UniversalString (SIZE (1..MAX)),
      utf8String         UTF8String (SIZE (1.. MAX)),
      bmpString          BMPString (SIZE (1..MAX)) }

Note that a deep copy is performed on the Collection to protect against subsequent modifications.

- Parameters:
- names - a Collection of names (or null)
- Throws:
- IOException - if a parsing error occurs
 
addIssuer

Adds a name to the issuerNames criterion. The issuer distinguished name in the X509CRL must match at least one of the specified distinguished names.

This method allows the caller to add a name to the set of issuer names which X509CRLs may contain. The specified name is added to any previous value for the issuerNames criterion. If the specified name is a duplicate, it may be ignored.

- Parameters:
- issuer - the issuer as X500Principal
- Since:
- 1.5
 
addIssuerName

Deprecated. Use addIssuer(X500Principal) or addIssuerName(byte[]) instead. This method should not be relied on as it can fail to match some CRLs because of a loss of encoding information in the RFC 2253 String form of some distinguished names.

Adds a name to the issuerNames criterion. The issuer distinguished name in the X509CRL must match at least one of the specified distinguished names.

This method allows the caller to add a name to the set of issuer names which X509CRLs may contain. The specified name is added to any previous value for the issuerNames criterion. If the specified name is a duplicate, it may be ignored.

- Parameters:
- name - the name in RFC 2253 form
- Throws:
- IOException - if a parsing error occurs
 
addIssuerName

Adds a name to the issuerNames criterion. The issuer distinguished name in the X509CRL must match at least one of the specified distinguished names.

This method allows the caller to add a name to the set of issuer names which X509CRLs may contain. The specified name is added to any previous value for the issuerNames criterion. If the specified name is a duplicate, it may be ignored.

The name is provided as a byte array. This byte array should contain a single DER encoded distinguished name, as defined in X.501. The ASN.1 notation for this structure appears in the documentation for setIssuerNames(Collection names).

Note that the byte array supplied here is cloned to protect against subsequent modifications.

- Parameters:
- name - a byte array containing the name in ASN.1 DER encoded form
- Throws:
- IOException - if a parsing error occurs
 
setMinCRLNumber

Sets the minCRLNumber criterion. The X509CRL must have a CRL number extension whose value is greater than or equal to the specified value. If null, no minCRLNumber check will be done.

- Parameters:
- minCRL - the minimum CRL number accepted (or null)
 
setMaxCRLNumber

Sets the maxCRLNumber criterion. The X509CRL must have a CRL number extension whose value is less than or equal to the specified value. If null, no maxCRLNumber check will be done.

- Parameters:
- maxCRL - the maximum CRL number accepted (or null)
 
setDateAndTime

Sets the dateAndTime criterion. The specified date must be equal to or later than the value of the thisUpdate component of the X509CRL and earlier than the value of the nextUpdate component. There is no match if the X509CRL does not contain a nextUpdate component. If null, no dateAndTime check will be done.

Note that the Date supplied here is cloned to protect against subsequent modifications.

- Parameters:
- dateAndTime - the Date to match against (or null)
 
setCertificateChecking

Sets the certificate being checked. This is not a criterion. Rather, it is optional information that may help a CertStore find CRLs that would be relevant when checking revocation for the specified certificate. If null is specified, then no such optional information is provided.

- Parameters:
- cert - the X509Certificate being checked (or null)
 
getIssuers

Returns the issuerNames criterion. The issuer distinguished name in the X509CRL must match at least one of the specified distinguished names. If the value returned is null, any issuer distinguished name will do.

If the value returned is not null, it is an unmodifiable Collection of X500Principals.

- Returns:
- an unmodifiable Collection of names (or null)
- Since:
- 1.5
 
getIssuerNames

Returns a copy of the issuerNames criterion. The issuer distinguished name in the X509CRL must match at least one of the specified distinguished names. If the value returned is null, any issuer distinguished name will do.

If the value returned is not null, it is a Collection of names. Each name is a String or a byte array representing a distinguished name (in RFC 2253 or ASN.1 DER encoded form, respectively). Note that the Collection returned may contain duplicate names.

If a name is specified as a byte array, it should contain a single DER encoded distinguished name, as defined in X.501. The ASN.1 notation for this structure is given in the documentation for setIssuerNames(Collection names).

Note that a deep copy is performed on the Collection to protect against subsequent modifications.

- Returns:
- a Collection of names (or null)
 
getMinCRL

Returns the minCRLNumber criterion. The X509CRL must have a CRL number extension whose value is greater than or equal to the specified value. If null, no minCRLNumber check will be done.

- Returns:
- the minimum CRL number accepted (or null)
 
getMaxCRL

Returns the maxCRLNumber criterion. The X509CRL must have a CRL number extension whose value is less than or equal to the specified value. If null, no maxCRLNumber check will be done.

- Returns:
- the maximum CRL number accepted (or null)
 
getDateAndTime

Returns the dateAndTime criterion. The specified date must be equal to or later than the value of the thisUpdate component of the X509CRL and earlier than the value of the nextUpdate component. There is no match if the X509CRL does not contain a nextUpdate component. If null, no dateAndTime check will be done.

Note that the Date returned is cloned to protect against subsequent modifications.

- Returns:
- the Date to match against (or null)
 
getCertificateChecking

Returns the certificate being checked. This is not a criterion. Rather, it is optional information that may help a CertStore find CRLs that would be relevant when checking revocation for the specified certificate. If the value returned is null, then no such optional information is provided.

- Returns:
- the certificate being checked (or null)
 
toString

Returns a printable representation of the X509CRLSelector.

match

Decides whether a CRL should be selected.

- Specified by:
- match in interface CRLSelector
- Parameters:
- crl - the CRL to be checked
- Returns:
- true if the CRL should be selected, false otherwise
 
clone

Returns a copy of this object.

- Specified by:
- clone in interface CRLSelector
- Overrides:
- clone in class Object
- Returns:
- the copy
 
 