com.rsa.certj.cert.extensions

Class CRLDistributionPoints

java.lang.Object
  |
  +--com.rsa.certj.cert.extensions.X509V3Extension
        |
        +--com.rsa.certj.cert.extensions.CRLDistributionPoints
All Implemented Interfaces:
CertExtension, Cloneable, Serializable

public class CRLDistributionPoints
extends X509V3Extension
implements Cloneable, Serializable, CertExtension

This class holds the CRL distribution points extension. Use the CRL distribution points extension only as a certificate extension, in both CA certificates and end-entity certificates. This field identifies the CRL distribution point or points to which a certificate user should refer to ascertain whether the certificate has been revoked. A certificate user can obtain a CRL from an applicable distribution point, or it can obtain a current complete CRL from the CA directory entry.

The ASN.1 definition is as follows:

 cRLDistributionPoints EXTENSION ::= {
     SYNTAX        CRLDistPointsSyntax
     IDENTIFIED BY id-ce-cRLDistributionPoints }

 CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint

 DistributionPoint ::= SEQUENCE {
     distributionPoint  [0]  DistributionPointName OPTIONAL,
     reasons            [1]  ReasonFlags OPTIONAL,
     crlIssuer          [2]  GeneralNames OPTIONAL }

 DistributionPointName ::= CHOICE {
     fullName                 [0]  GeneralNames,
     nameRelativeToCRLIssuer  [1]  RelativeDistinguishedName }

 ReasonFlags ::= BIT STRING {
     unused                (0),
     keyCompromise         (1),
     cACompromise          (2),
     affiliationChanged    (3),
     superseded            (4),
     cessationOfOperation  (5),
     certificateHold       (6) }

The distributionPoint component identifies the location from which the CRL can be obtained. If this component is absent, the distribution point name defaults to the CRL issuer name.

The reasons component indicates the revocation reasons covered by this CRL. If the reasons component is absent, the corresponding CRL distribution point distributes a CRL which will contain an entry for this certificate (if revoked) regardless of revocation reason. Otherwise, the reasons value indicates which revocation reasons are covered by the corresponding CRL distribution point.

The crlIssuer component identifies the authority that issues and signs the CRL. If this component is absent, the CRL issuer name defaults to the certificate issuer name.

The CRL distribution point extension can, at the option of the certificate issuer, be either critical or non-critical. RSA Security recommends that you flag it non-critical.
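As an added illustration of the structure described above (example code written for this page, not Cert-J code and not part of the original documentation), the following Python encodes a CRLDistPointsSyntax value with fullName URIs and a ReasonFlags bit string, decodes it again, and applies the rule that an absent reasons component means the CRL covers every revocation reason. The URLs are constructed sample values; only URI general names are handled and crlIssuer is skipped.

```python
# Added example, not Cert-J code: a minimal DER codec for the CRLDistPointsSyntax above.
# Only fullName URIs ([0] GeneralNames / [6] IA5String) and the reasons BIT STRING are handled.
REASONS = {"unused": 0, "keyCompromise": 1, "cACompromise": 2, "affiliationChanged": 3,
           "superseded": 4, "cessationOfOperation": 5, "certificateHold": 6}

def _tlv(tag, body):                # short-form lengths (< 128 bytes) are enough here
    return bytes([tag, len(body)]) + body

def _children(buf):                 # iterate the TLVs packed inside a constructed value
    pos = 0
    while pos < len(buf):
        ln = buf[pos + 1]
        yield buf[pos], buf[pos + 2:pos + 2 + ln]
        pos += 2 + ln

def encode_reason_flags(names):     # named bit list: bit 0 is the MSB, trailing zeros dropped
    bits = [REASONS[n] for n in names]
    value = sum(1 << (7 - b) for b in bits)             # bits 0..6 fit in one byte
    return _tlv(0x03, bytes([7 - max(bits), value]))    # first byte = unused bit count

def encode_distribution_point(uri, reasons=None):
    # [0] explicit tag around the CHOICE, [0] fullName GeneralNames, [6] uniformResourceIdentifier
    body = _tlv(0xA0, _tlv(0xA0, _tlv(0x86, uri.encode("ascii"))))
    if reasons:                     # omitted reasons means the CRL covers every reason
        body += b"\x81" + encode_reason_flags(reasons)[1:]   # [1] IMPLICIT replaces tag 0x03
    return _tlv(0x30, body)

def decode_distribution_points(der):
    """Parse CRLDistPointsSyntax into [{'uris': [...], 'reasons': set or None}, ...]."""
    points = []
    for _, dp in _children(der[2:]):                 # skip the outer SEQUENCE OF header
        point = {"uris": [], "reasons": None}
        for t, v in _children(dp):
            if t == 0xA0:                           # distributionPoint [0] wrapping the CHOICE
                for ct, names in _children(v):
                    if ct == 0xA0:                  # fullName: keep the URI GeneralNames
                        point["uris"] += [nv.decode("ascii") for nt, nv in _children(names) if nt == 0x86]
            elif t == 0x81:                         # reasons: unused-bit count, then bit data
                nbits = 8 * (len(v) - 1) - v[0]
                point["reasons"] = {n for n, b in REASONS.items()
                                    if b < nbits and v[1 + b // 8] >> (7 - b % 8) & 1}
        points.append(point)
    return points

def covers_reason(point, reason):   # absent reasons: this CRL lists every revocation reason
    return point["reasons"] is None or reason in point["reasons"]

# Constructed sample: a partitioned CRL for key/CA compromise plus a complete CRL.
SAMPLE = _tlv(0x30, encode_distribution_point("http://crl.example.test/kc.crl", ["keyCompromise", "cACompromise"])
              + encode_distribution_point("http://crl.example.test/full.crl"))
```

A relying party checking a certificate revoked for "superseded" must not stop at the first point: the partitioned CRL does not cover that reason, while the second point does.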

Copyright © RSA Security Inc., 1999-2001. All rights reserved.

See Also

Serialized Form

Field Summary

static int

AFFILIATION_CHANGED

Indicates that the subject's name or other information in the certificate has been modified but there is no cause to suspect that the private key has been compromised.

static int

CA_COMPROMISE

Indicates that it is known or suspected that the subject's private key, or other aspects of the subject validated in the certificate, have been compromised.

static int

CERTIFICATE_HOLD

Indicates that the certificate is on hold.

static int

CESSATION_OF_OPERATION

Indicates that the certificate is no longer needed for the purpose for which it was issued but there is no cause to suspect that the private key has been compromised.

static int

KEY_COMPROMISE

Indicates that it is known or suspected that the subject's private key, or other aspects of the subject validated in the certificate, have been compromised.

static int

REASON_FLAGS_BITS

Indicates how many reasonFlags bits there are.

static int

REASON_FLAGS_MASK

Indicates which reasonFlag bits to check.

static int

SUPERSEDED

Indicates that the certificate has been superseded but there is no cause to suspect that the private key has been compromised.

static int

UNUSED

Indicates that the reasonFlags component is not used in this extension.

 
Fields inherited from class com.rsa.certj.cert.extensions.X509V3Extension
ARCHIVE_CUTOFF, ARCHIVE_CUTOFF_OID, AUTHORITY_INFO_ACCESS, AUTHORITY_INFO_OID, AUTHORITY_KEY_ID, BASIC_CONSTRAINTS, BIO_INFO, BIO_INFO_OID, CERT_POLICIES, CERTIFICATE_ISSUER, CRL_DISTRIBUTION_POINTS, CRL_NUMBER, CRL_REFERENCE, CRL_REFERENCE_OID, DELTA_CRL_INDICATOR, EXTENDED_KEY_USAGE, HOLD_INSTRUCTION_CODE, INHIBIT_ANY_POLICY, INVALIDITY_DATE, ISSUER_ALT_NAME, ISSUING_DISTRIBUTION_POINT, KEY_USAGE, NAME_CONSTRAINTS, NETSCAPE_BASE_URL, NETSCAPE_BASE_URL_OID, NETSCAPE_CA_POLICY_URL, NETSCAPE_CA_POLICY_URL_OID, NETSCAPE_CA_REVOCATION_URL, NETSCAPE_CA_REVOCATION_URL_OID, NETSCAPE_CERT_RENEWAL_URL, NETSCAPE_CERT_RENEWAL_URL_OID, NETSCAPE_CERT_TYPE, NETSCAPE_CERT_TYPE_OID, NETSCAPE_COMMENT, NETSCAPE_COMMENT_OID, NETSCAPE_REVOCATION_URL, NETSCAPE_REVOCATION_URL_OID, NETSCAPE_SSL_SERVER_NAME, NETSCAPE_SSL_SERVER_NAME_OID, NON_STANDARD_EXTENSION, OCSP_ACCEPTABLE_RESPONSES, OCSP_ACCEPTABLE_RESPONSES_OID, OCSP_NOCHECK, OCSP_NOCHECK_OID, OCSP_NONCE, OCSP_NONCE_OID, OCSP_SERVICE_LOCATOR, OCSP_SERVICE_LOCATOR_OID, POLICY_CONSTRAINTS, POLICY_MAPPINGS, PRIVATE_KEY_USAGE_PERIOD, QC_STATEMENTS, QC_STATEMENTS_OID, REASON_CODE, SUBJECT_ALT_NAME, SUBJECT_DIRECTORY_ATTRIBUTES, SUBJECT_KEY_ID, VERISIGN_CZAG, VERISIGN_CZAG_OID, VERISIGN_FIDELITY_ID, VERISIGN_FIDELITY_ID_OID, VERISIGN_JURISDICTION_HASH, VERISIGN_JURISDICTION_HASH_OID, VERISIGN_NETSCAPE_INBOX_V1, VERISIGN_NETSCAPE_INBOX_V1_OID, VERISIGN_NETSCAPE_INBOX_V2, VERISIGN_NETSCAPE_INBOX_V2_OID, VERISIGN_NON_VERIFIED, VERISIGN_NON_VERIFIED_OID, VERISIGN_SERIAL_NUMBER, VERISIGN_SERIAL_NUMBER_OID, VERISIGN_TOKEN_TYPE, VERISIGN_TOKEN_TYPE_OID
 

Constructor Summary

CRLDistributionPoints()

Constructs an empty CRLDistributionPoints object.

CRLDistributionPoints(GeneralNames distributionPoint, int reason, GeneralNames crlIssuer, boolean criticality)

Constructs a CRLDistributionPoints object and initializes it with the given values and the specified criticality.

CRLDistributionPoints(RDN distributionPoint, int reason, GeneralNames crlIssuer, boolean criticality)

Constructs a CRLDistributionPoints object and initializes it with the given values and the specified criticality.

 

Method Summary

 void

addDistributionPoints(GeneralNames distributionPoint, int reason, GeneralNames crlIssuer)

Adds a CRL distribution point.

 void

addDistributionPoints(RDN distributionPoint, int reason, GeneralNames crlIssuer)

Adds a CRL distribution point.

 Object

clone()

Overrides the default clone method to get a deeper clone.

 void

decodeValue(byte[] valueBER, int offset)

Decode the value.

 int

derEncodeValue(byte[] encoding, int offset)

Place the encoding of the value into encoding, beginning at offset.

 int

derEncodeValueInit()

Initialize for encoding the value.

 GeneralNames

getCRLIssuer(int index)

Gets the value of CrlIssuer at the specified index.

 int

getDistributionPointCount()

Gets the number of distribution points in this object.

 Object

getDistributionPointName(int index)

Gets the DistributionPointName value at the specified index.

 int

getReasonFlags(int index)

Gets the value of reason flags at the specified index.

 
Methods inherited from class com.rsa.certj.cert.extensions.X509V3Extension
extend, getCriticality, getDEREncoding, getDERLen, getExtensionType, getExtensionTypeString, getInstance, getNextBEROffset, isExtensionType, setCriticality, setEncoding, setSpecialOID, setStandardOID
 
Methods inherited from class java.lang.Object
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

REASON_FLAGS_BITS

public static final int REASON_FLAGS_BITS
Indicates how many reasonFlags bits there are.

REASON_FLAGS_MASK

public static final int REASON_FLAGS_MASK
Indicates which reasonFlag bits to check.

UNUSED

public static final int UNUSED
Indicates that the reasonFlags component is not used in this extension.

KEY_COMPROMISE

public static final int KEY_COMPROMISE
Indicates that it is known or suspected that the subject's private key, or other aspects of the subject validated in the certificate, have been compromised.

CA_COMPROMISE

public static final int CA_COMPROMISE
Indicates that it is known or suspected that the subject's private key, or other aspects of the subject validated in the certificate, have been compromised.

AFFILIATION_CHANGED

public static final int AFFILIATION_CHANGED
Indicates that the subject's name or other information in the certificate has been modified but there is no cause to suspect that the private key has been compromised.

SUPERSEDED

public static final int SUPERSEDED
Indicates that the certificate has been superseded but there is no cause to suspect that the private key has been compromised.

CESSATION_OF_OPERATION

public static final int CESSATION_OF_OPERATION
Indicates that the certificate is no longer needed for the purpose for which it was issued but there is no cause to suspect that the private key has been compromised.

CERTIFICATE_HOLD

public static final int CERTIFICATE_HOLD
Indicates that the certificate is on hold.

Constructor Detail

CRLDistributionPoints

public CRLDistributionPoints()
Constructs an empty CRLDistributionPoints object.

CRLDistributionPoints

public CRLDistributionPoints(RDN distributionPoint,
                             int reason,
                             GeneralNames crlIssuer,
                             boolean criticality)
Constructs a CRLDistributionPoints object and initializes it with the given values and the specified criticality.

Use this constructor if the distributionPoint is an RDN.

Parameters

         distributionPoint  

The RDN object that specifies the name. If the RDN name is not set, pass null.

         reason  

The revocation reasons, one of the fields previously defined in this class. If reason is not set, pass -1.

         crlIssuer  

The authority that issues and signs the CRL. If crlIssuer is not set, pass null.

         criticality  

A boolean that specifies whether this extension is critical.


CRLDistributionPoints

public CRLDistributionPoints(GeneralNames distributionPoint,
                             int reason,
                             GeneralNames crlIssuer,
                             boolean criticality)
Constructs a CRLDistributionPoints object and initializes it with the given values and the specified criticality.

Use this constructor if the distributionPoint is a GeneralNames object.

Parameters

         distributionPoint  

The GeneralNames object that specifies the name. If distributionPoint is not set, pass null.

         reason  

The revocation reasons, one of the fields previously defined in this class. If reason is not set, pass -1.

         crlIssuer  

The authority that issues and signs the CRL. If crlIssuer is not set, pass null.

         criticality  

A boolean that specifies whether this extension is critical.

Method Detail

decodeValue

public void decodeValue(byte[] valueBER,
                        int offset)
                 throws CertificateException
Decode the value. The input is the BER encoding that was wrapped in the OCTET STRING.

Overrides

decodeValue in class X509V3Extension

Parameters

         valueBER  

The BER encoding of the extension's value.

         offset  

The offset into valueBER where the encoding actually begins.

Throws

CertificateException - If the encoding is invalid for this extension.

addDistributionPoints

public void addDistributionPoints(RDN distributionPoint,
                                  int reason,
                                  GeneralNames crlIssuer)
Adds a CRL distribution point. Use this method if distributionPoint is an RDN.

Parameters

         distributionPoint  

The RDN object that specifies the name. If the RDN name is not set, pass null.

         reason  

The revocation reasons, one of the fields previously defined in this class. If reason is not set, pass -1.

         crlIssuer  

The authority that issues and signs the CRL. If crlIssuer is not set, pass null.


addDistributionPoints

public void addDistributionPoints(GeneralNames distributionPoint,
                                  int reason,
                                  GeneralNames crlIssuer)
Adds a CRL distribution point. Use this method if distributionPoint is a GeneralNames object.

Parameters

         distributionPoint  

The GeneralNames object that specifies the name. If distributionPoint is not set, pass null.

         reason  

The revocation reasons, one of the fields previously defined in this class. If reason is not set, pass -1.

         crlIssuer  

The authority that issues and signs the CRL. If crlIssuer is not set, pass null.


getDistributionPointName

public Object getDistributionPointName(int index)
                                throws NameException
Gets the DistributionPointName value at the specified index.

Parameters

         index  

An int that specifies the DistributionPointName. Since the DistributionPointName value can be RDN or GeneralNames, use 'instanceof' to determine the type and then cast DistributionPointName to the right type. DistributionPointName can also be null, if it was not set up for a specified DistributionPoint.

Throws

NameException - If specified index is invalid.

getReasonFlags

public int getReasonFlags(int index)
                   throws NameException
Gets the value of reason flags at the specified index.

Parameters

         index  

An int that specifies the reason flag.

Returns

The revocation reason flag specified by index. It will be one of the static fields previously defined in this class.

Throws

NameException - If the specified index is invalid.

getCRLIssuer

public GeneralNames getCRLIssuer(int index)
                          throws NameException
Gets the value of CrlIssuer at the specified index.

Parameters

         index  

The index of the CrlIssuer to find.

Returns

The CRL issuer name at specified index.

Throws

NameException - If specified index is invalid.

getDistributionPointCount

public int getDistributionPointCount()
Gets the number of distribution points in this object.

Returns

The number of distribution points in this extension.

derEncodeValueInit

public int derEncodeValueInit()
Initialize for encoding the value.

Overrides

derEncodeValueInit in class X509V3Extension

Returns

How many bytes the encoding will be.

derEncodeValue

public int derEncodeValue(byte[] encoding,
                          int offset)
Place the encoding of the value into encoding, beginning at offset. This is the actual contents that are wrapped in the OCTET STRING (not the surrounding OCTET STRING tag and length).

Overrides

derEncodeValue in class X509V3Extension

Parameters

         encoding  

The byte array into which the result will be placed.

         offset  

The offset into encoding where the writing is to begin.

Returns

The number of bytes actually placed into encoding.

clone

public Object clone()
             throws CloneNotSupportedException
Overrides the default clone method to get a deeper clone.

Overrides

clone in class X509V3Extension

Returns

A new CRLDistributionPoints object, a copy of this object.

Throws

CloneNotSupportedException - If the cloning operation is not successful.


RSA BSAFE ® Cert-J 2.1.1 001-047007-211-001-000