java.lang.Object
  +--com.rsa.certj.provider.revocation.ocsp.OCSPResponder
This class holds information about a particular OCSP responder. Instances of this class are used to configure the behavior of requests and responses processed by the OCSP service provider.
Copyright © RSA Security Inc., 2001. All rights reserved.
Field Summary

static int FLAG_DISABLE_CERT_SEND
Indicates that the service provider should disable sending the signing certificate when the service provider sends signed requests to the responder.

static int FLAG_DISABLE_NONCES
Indicates that the service provider should disable automatic generation and checking of nonces.

static int FLAG_ENABLE_CHAIN_SEND
Indicates that the service provider should enable sending the entire signing certificate chain when the service provider sends signed requests to the responder.

static int FLAG_RESPONDER_NOCHECK
Indicates that the service provider should not check the revocation status of the responder's certificate.

static int PROFILE_GENERIC
Indicates that the responder does not have any vendor-specific behaviors, or that the responder type is unknown.

static int PROFILE_RSAKCA
Indicates that the responder is RSA's KCA (currently v5.7).

static int PROFILE_VALICERT
Indicates that the responder is the ValiCert plug-in for Keon.

static int PROFILE_VERISIGN
Indicates that the responder is VeriSign (OnSite).
Constructor Summary

OCSPResponder(int profile, int flags, String[] destList, String[] proxyList, OCSPRequestControl requestControl, X509Certificate responderCert, X509Certificate[] responderCACerts, DatabaseService database, int tolerance)
Constructs an OCSPResponder object with the full complement of possible initial values.

OCSPResponder(OCSPRequestControl requestControl, X509Certificate[] responderCACerts)
Constructs an OCSPResponder object with contents that are specified only by the CAs of the certificates to check, and an OCSPRequestControl object.

OCSPResponder(OCSPResponder responder)
Constructs an OCSPResponder object with contents that are specified by an existing OCSPResponder object.
Method Summary

Object clone()
Clones this OCSPResponder object.

DatabaseService getDatabase()
Gets the database service that is set to store any additional certificates received.

String[] getDestList()
Returns a String array where each element specifies the URL of an OCSP responder.

int getFlags()
Returns an int specifying a collection of bit values used by the service provider to modify how a request should be created or how a response should be interpreted.

int getProfile()
Returns an int value specifying the type of OCSP responder to which the service provider will make requests.

String[] getProxyList()
Returns a String array specifying the URLs of non-transparent proxies of the same protocol that exist between the application and the OCSP responder.

OCSPRequestControl getRequestControl()
Returns an OCSPRequestControl object that controls OCSP request message generation.

X509Certificate[] getResponderCACerts()
Returns an X509Certificate array containing a list of certificates for CAs that use this responder.

X509Certificate getResponderCert()
Returns an X509Certificate object containing the responder's certificate.

int getTimeTolerance()
Gets the time tolerance value for handling clock-skew differences between clients and responders.

void setDatabase(DatabaseService database)
Sets a database service to store any additional certificates received from the responder in the response.

void setFlags(int flags)
Sets a specified flag value.

void setProfile(int profile)
Sets an OCSP profile.

void setProxyList(String[] proxyList)
Sets a list of proxies of this responder.

void setRequestControl(OCSPRequestControl requestControl)
Sets request control information for this responder.

void setResponderCACerts(X509Certificate[] responderCACerts)
Sets the certificates of the CAs that use this responder.

void setTimeTolerance(int timeTolerance)
Sets the time tolerance value for handling clock-skew differences between clients and responders.

Methods inherited from class java.lang.Object
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Field Detail

public static final int PROFILE_GENERIC

public static final int PROFILE_VALICERT

public static final int PROFILE_RSAKCA

public static final int PROFILE_VERISIGN

public static final int FLAG_DISABLE_NONCES

public static final int FLAG_DISABLE_CERT_SEND
This flag should not be used when the FLAG_ENABLE_CHAIN_SEND flag is used, as these flags are contradictory.

public static final int FLAG_ENABLE_CHAIN_SEND
... database field in CertPathCtx when calling CertJ.checkCertRevocation. This flag should not be used when the FLAG_DISABLE_CERT_SEND flag is used, as these flags are contradictory.

public static final int FLAG_RESPONDER_NOCHECK
If set to true, a clone of the path context with revocation checking turned off for the responder's certificate is used to validate the response. If set to false, the status check will be forced to return CertRevocationInfo.CERT_REVOCATION_UNKNOWN when the need arises.
This handling is necessary to prevent an OCSP responder from being asked about its own status when OCSP response validation occurs. In particular, when the OCSPResponder.responderCert is not a member of the set of certificates in the CertPathCtx used by checkCertRevocation, a check on the responder's certificate's revocation status will normally be performed. This causes the responder to be asked about its own certificate status, which in turn causes the second response's signer's certificate status to be checked, recursively.
It is generally difficult to check the status of an OCSP responder's certificate without a CRL, or by some other out-of-band means and then trusting this certificate in the path context.

Constructor Detail
public OCSPResponder(int profile, int flags, String[] destList, String[] proxyList, OCSPRequestControl requestControl, X509Certificate responderCert, X509Certificate[] responderCACerts, DatabaseService database, int tolerance) throws InvalidParameterException
Constructs an OCSPResponder object with the full complement of possible initial values.
Parameters:
profile - An int value specifying the type of OCSP responder to which the service provider will make requests; see getProfile().
flags - An int collection of bit values; the flags available are FLAG_DISABLE_NONCES, FLAG_DISABLE_CERT_SEND, FLAG_ENABLE_CHAIN_SEND and FLAG_RESPONDER_NOCHECK; see getFlags().
destList - A String array where each element specifies the URL of an OCSP responder, for example http://ocspresp.mycompany.com:181. To specify a locally configured OCSP responder, it must contain only one destination. When the certificate to be checked specifies a responder in its serviceLocator AIA field, it can be used to list one or more URLs.
proxyList - A String array specifying the URLs of non-transparent proxies between the application and the OCSP responder, for example http://proxy1.mycompany.com:8080.
requestControl - An OCSPRequestControl object that controls OCSP request message generation.
responderCert - An X509Certificate object containing the responder's certificate; see getResponderCert().
responderCACerts - An X509Certificate array containing certificates for the CAs that use this responder; see getResponderCACerts().
database - A DatabaseService into which any additional certificates received from the responder are stored.
timeTolerance - An int specifying the number of seconds by which the validity period of a response is extended, both into the future and into the past; see getTimeTolerance().
Throws:
InvalidParameterException - If any argument is invalid.

public OCSPResponder(OCSPRequestControl requestControl, X509Certificate[] responderCACerts) throws InvalidParameterException
Constructs an OCSPResponder object with contents that are specified only by the CAs of the certificates to check, and an OCSPRequestControl object.
Parameters:
requestControl - An OCSPRequestControl object that controls OCSP request message generation.
responderCACerts - An X509Certificate array containing certificates for the CAs that use this responder; see getResponderCACerts().
Throws:
InvalidParameterException - If any argument is invalid.

public OCSPResponder(OCSPResponder responder) throws InvalidParameterException
Constructs an OCSPResponder object with contents that are specified by an existing OCSPResponder object.
Parameters:
responder - An existing OCSPResponder object whose contents are copied.
Throws:
InvalidParameterException - If any argument is invalid.

Method Detail
public Object clone() throws CloneNotSupportedException
Clones this OCSPResponder object.
Returns:
Object containing the clone.
Throws:
CloneNotSupportedException - If an error occurs during the cloning operation.

public int getProfile()
Returns an int value specifying the type of OCSP responder to which the service provider will make requests. This distinction is required in cases where the service must tailor its behavior to the specified responder. Currently, the possible values are PROFILE_GENERIC, PROFILE_VALICERT, PROFILE_VERISIGN, and PROFILE_XCERT. If the responder type is unknown or no vendor-specific behaviors are required for the service provider to operate correctly, then use PROFILE_GENERIC.
Returns:
int value specifying the type of OCSP responder to which the service provider will make requests.

public int getFlags()
Returns an int specifying a collection of bit values used by the service provider to modify how a request should be created or how a response should be interpreted. These flags can affect run-time performance and the size of request data. Set it to zero to use the service provider's default set of behaviors. The following is the current set of flags available: FLAG_DISABLE_NONCES, FLAG_DISABLE_CERT_SEND, FLAG_ENABLE_CHAIN_SEND.
Returns:
int specifying a collection of bit values used by the service provider to modify how a request should be created or how a response should be interpreted.

public String[] getDestList()
Returns a String array where each element specifies the URL of an OCSP responder. For example, specify a destination URL as follows: http://ocspresp.mycompany.com:181. To specify a locally configured OCSP responder, it must contain only one destination. When the certificate to be checked specifies a responder in its serviceLocator AIA field, it can be used to list one or more URLs.
Returns:
String array where each element specifies the URL of an OCSP responder.

public String[] getProxyList()
Returns a String array specifying the URLs of non-transparent proxies of the same protocol that exist between the application and the OCSP responder. If not specified, this parameter must be set to null. For example, a proxy URL can be specified as follows: http://proxy1.mycompany.com:8080.
Returns:
String array specifying the URLs of non-transparent proxies of the same protocol that exist between the application and the OCSP responder.

public OCSPRequestControl getRequestControl()
Returns an OCSPRequestControl object that controls OCSP request message generation.
Returns:
OCSPRequestControl object that controls OCSP request message generation.

public X509Certificate getResponderCert()
Returns an X509Certificate object containing the responder's certificate. The public key contained in this certificate is used to validate response signatures received from the OCSP responder. It can be used to designate a trusted responder that has no affiliation with the trusted chain of the CA that issued the certificate to be validated. This certificate may need to be provided in cases where the responder does not include its own certificate in the response data. If specified, this certificate identifies the only entity that is to have signed responses from this responder. If not specified, this parameter should be set to null.
Returns:
X509Certificate object containing the responder's certificate.

public X509Certificate[] getResponderCACerts()
Returns an X509Certificate array containing a list of certificates for CAs that use this responder. Responders often service requests on behalf of multiple CAs. Using an array enables a single OCSPResponder to accommodate multiple CA names. It must contain CA certificates that have the same subject name as the issuer name of the certificates to be checked. This parameter is required because the current (RFC 2560) version of the OCSP protocol uses the public key of the issuer's certificate to identify the CA of the certificate being checked; this information can only be found in the issuer's certificate, and must be provided here.
Returns:
X509Certificate array containing a list of certificates for CAs that use this responder.

public void setProfile(int profile) throws InvalidParameterException
Sets an OCSP profile.
Parameters:
profile - An int value specifying the type of OCSP responder to which the service provider will make requests; see getProfile().
Throws:
InvalidParameterException - If the argument is invalid.

public void setFlags(int flags) throws InvalidParameterException
Sets a specified flag value.
Parameters:
flags - An int collection of bit values; the flags available are FLAG_DISABLE_NONCES, FLAG_DISABLE_CERT_SEND and FLAG_ENABLE_CHAIN_SEND; see getFlags().
Throws:
InvalidParameterException - If the argument is invalid.

public void setProxyList(String[] proxyList) throws InvalidParameterException
Sets a list of proxies of this responder.
Parameters:
proxyList - A String array specifying the URLs of non-transparent proxies between the application and the OCSP responder, for example http://proxy1.mycompany.com:8080.
Throws:
InvalidParameterException - If the argument is invalid.

public void setRequestControl(OCSPRequestControl requestControl) throws InvalidParameterException
Sets request control information for this responder.
Parameters:
requestControl - An OCSPRequestControl object that controls OCSP request message generation.
Throws:
InvalidParameterException - If the argument is invalid.

public void setResponderCACerts(X509Certificate[] responderCACerts) throws InvalidParameterException
Sets the certificates of the CAs that use this responder.
Parameters:
responderCACerts - An X509Certificate array containing certificates for the CAs that use this responder; see getResponderCACerts().
Throws:
InvalidParameterException - If the argument is invalid.

public void setDatabase(DatabaseService database) throws InvalidParameterException
Sets a database service to store any additional certificates received from the responder in the response.
Parameters:
database - A DatabaseService into which any additional certificates received from the responder are stored. If not specified, set to null.
Throws:
InvalidParameterException - If the argument is invalid.

public DatabaseService getDatabase()
Returns:
DatabaseService into which any additional certificates received from the responder are stored.

public void setTimeTolerance(int timeTolerance)
... timeTolerance, this amount of tolerance is applied to validity windows that are very narrow and sensitive to clock differences between the client and the server.
Parameters:
timeTolerance - An int specifying the number of seconds by which the validity period of a response is extended, both into the future and into the past.

public int getTimeTolerance()
Returns:
int specifying the number of seconds that the OCSP responder should extend the validity period of the response, both into the future and into the past.
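The tolerance described for setTimeTolerance and getTimeTolerance, as an added illustration that is not Cert-J's own code: it widens a response's thisUpdate/nextUpdate window by the configured number of seconds in both directions before accepting the response. The class name OcspValidityWindow, the isWithinWindow helper and the sample timestamps are assumptions constructed for this example.

```java
import java.time.Duration;
import java.time.Instant;

// Added illustration (hypothetical class, not part of Cert-J): applies a clock-skew
// tolerance to an OCSP response's validity window, as described for setTimeTolerance.
// Assumes the caller has already verified the response signature and parsed its times.
public final class OcspValidityWindow {

    private OcspValidityWindow() {}

    // True when 'now' lies inside [thisUpdate - tolerance, nextUpdate + tolerance].
    // nextUpdate may be null: RFC 2560 makes it optional and its absence means newer
    // information is always available, so only the lower bound is enforced then.
    public static boolean isWithinWindow(Instant thisUpdate, Instant nextUpdate,
                                         Instant now, int toleranceSeconds) {
        if (toleranceSeconds < 0) {
            throw new IllegalArgumentException("tolerance must be >= 0 seconds");
        }
        Duration tol = Duration.ofSeconds(toleranceSeconds);
        Instant earliest = thisUpdate.minus(tol);   // tolerate a client clock running slow
        if (now.isBefore(earliest)) {
            return false;                           // response dated beyond the allowed skew
        }
        if (nextUpdate == null) {
            return true;
        }
        Instant latest = nextUpdate.plus(tol);      // tolerate a client clock running fast
        return !now.isAfter(latest);
    }

    public static void main(String[] args) {
        // Constructed sample: a 60-second validity window with the client clock 20 s behind.
        Instant thisUpdate = Instant.parse("2024-01-01T12:00:00Z");
        Instant nextUpdate = Instant.parse("2024-01-01T12:01:00Z");
        Instant clientNow  = Instant.parse("2024-01-01T11:59:40Z");

        System.out.println("tolerance 0 s:  " + isWithinWindow(thisUpdate, nextUpdate, clientNow, 0));
        System.out.println("tolerance 30 s: " + isWithinWindow(thisUpdate, nextUpdate, clientNow, 30));
        System.out.println("no nextUpdate:  " + isWithinWindow(thisUpdate, null, clientNow, 30));
    }
}
```

With a zero tolerance the 20-second skew makes a perfectly good response look like it was produced in the future and it is rejected; a 30-second tolerance accepts it without accepting responses that are stale by more than that margin.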