Package eu.europa.esig.dss.pki.x509.revocation.crl

Class PKICRLSource

java.lang.Object

eu.europa.esig.dss.pki.x509.revocation.crl.PKICRLSource

All Implemented Interfaces:

CRLSource, RevocationSource<CRL>, Serializable

public class PKICRLSource
extends Object
implements CRLSource

An implementation of the CRLSource interface that provides methods to obtain Certificate Revocation Lists (CRLs) for certificate revocation checks. The CRLs are retrieved based on the CertEntity (certificate entity) and optionally specified production and next update dates.

See Also:

• Serialized Form

Constructor Summary

Constructors

Constructor	Description
PKICRLSource(CertEntityRepository<? extends CertEntity> certEntityRepository)	Creates a PKICRLSource instance with a CRL issuer being the issuer certificate token provided on the CRL request
PKICRLSource(CertEntityRepository<? extends CertEntity> certEntityRepository, CertEntity crlIssuer)	Creates a PKICRLSource instance with enforced CRL signer CertEntity

Method Summary

Modifier and Type	Method	Description
protected void	addRevocationsToCRL(org.bouncycastle.cert.X509v2CRLBuilder builder, Map<CertEntity,CertEntityRevocation> revocationList)	Adds revocations to the CRL builder based on the provided CertEntity and revocationList.
protected boolean	canGenerate(CertificateToken certificateToken, CertificateToken issuerCertificateToken)	Returns whether the current implementation is able to produce a CRL for the given certificateToken
protected CRLBinary	generateCRL(CertEntity crlIssuer)	Generates a CRL token and returns encoded binaries
protected CertEntity	getCrlIssuer(CertificateToken certificateToken, CertificateToken issuerCertificateToken)	Returns a CertEntity to be used as an CRL issuer.
Date	getNextUpdate()	Gets nextUpdate value
CRLToken	getRevocationToken(CertificateToken certificateToken, CertificateToken issuerCertificateToken)	Retrieves a Certificate Revocation List (CRL) token for the given certificate and its issuer certificate if the CertEntity is not already.
protected SignatureAlgorithm	getSignatureAlgorithm(CertEntity crlIssuer)	Returns a signature algorithm to be used on CRL creation
protected Date	getThisUpdate()	Gets thisUpdate value.
void	setCrlIssuer(CertEntity crlIssuer)	Sets a CertEntity to be used as a CRL issuer.
void	setDigestAlgorithm(DigestAlgorithm digestAlgorithm)	Sets Digest Algorithm to be used on CRL request signature Default: SHA512 (DigestAlgorithm.SHA512)
void	setEncryptionAlgorithm(EncryptionAlgorithm encryptionAlgorithm)	Sets encryption algorithm to be used on CRL signature generation.
void	setMaskGenerationFunction(MaskGenerationFunction maskGenerationFunction)	Deprecated. since DSS 6.1.
void	setNextUpdate(Date nextUpdate)	Set the next update date for the CRL generation.
void	setThisUpdate(Date thisUpdate)	Set the production date for the CRL generation.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

PKICRLSource

public PKICRLSource(CertEntityRepository<? extends CertEntity> certEntityRepository)

Creates a PKICRLSource instance with a CRL issuer being the issuer certificate token provided on the CRL request

Parameters:

certEntityRepository - CertEntityRepository

PKICRLSource

public PKICRLSource(CertEntityRepository<? extends CertEntity> certEntityRepository,
 CertEntity crlIssuer)

Creates a PKICRLSource instance with enforced CRL signer CertEntity

Parameters:

certEntityRepository - CertEntityRepository

crlIssuer - CertEntity to issue CRL

Method Details

getNextUpdate

public Date getNextUpdate()

Gets nextUpdate value

Returns:

Date

setNextUpdate

public void setNextUpdate(Date nextUpdate)

Set the next update date for the CRL generation. If not set, the nextUpdate field will not be added to CRL.

Parameters:

nextUpdate - The next update date to be set.

getThisUpdate

protected Date getThisUpdate()

Gets thisUpdate value. If not defined, returns the current time.

Returns:

Date

setThisUpdate

public void setThisUpdate(Date thisUpdate)

Set the production date for the CRL generation.

Parameters:

thisUpdate - The production date to be set.

setDigestAlgorithm

public void setDigestAlgorithm(DigestAlgorithm digestAlgorithm)

Sets Digest Algorithm to be used on CRL request signature Default: SHA512 (DigestAlgorithm.SHA512)

Parameters:

digestAlgorithm - DigestAlgorithm

setEncryptionAlgorithm

public void setEncryptionAlgorithm(EncryptionAlgorithm encryptionAlgorithm)

Sets encryption algorithm to be used on CRL signature generation. If not defined, the encryption algorithm from the given CertEntity CRL issuer will be used. NOTE: It is important to ensure that the defined encryption algorithm is supported by the CRL issuer.

Parameters:

encryptionAlgorithm - EncryptionAlgorithm

setMaskGenerationFunction

@Deprecated
public void setMaskGenerationFunction(MaskGenerationFunction maskGenerationFunction)

Deprecated.

since DSS 6.1. Please use setEncryptionAlgorithm method to specify RSA (none MGF) or RSASSA-PSS (MGF1) algorithm

Sets mask generation function to be used on CRL signature generation NOTE: The used encryption algorithm should support the given parameter.

Parameters:

maskGenerationFunction - MaskGenerationFunction

getCrlIssuer

protected CertEntity getCrlIssuer(CertificateToken certificateToken,
 CertificateToken issuerCertificateToken)

Returns a CertEntity to be used as an CRL issuer.

Parameters:

certificateToken - CertificateToken to request CRL for

issuerCertificateToken - CertificateToken issued the certificateToken

Returns:

CertEntity representing the entry to be used as an issuer of the CRL

setCrlIssuer

public void setCrlIssuer(CertEntity crlIssuer)

Sets a CertEntity to be used as a CRL issuer. If not defined, the certificate issuer will be used as a CRL issuing certificate.

Parameters:

crlIssuer - CertEntity

getRevocationToken

public CRLToken getRevocationToken(CertificateToken certificateToken,
 CertificateToken issuerCertificateToken)

Retrieves a Certificate Revocation List (CRL) token for the given certificate and its issuer certificate if the CertEntity is not already.

Specified by:

getRevocationToken in interface CRLSource

Specified by:

getRevocationToken in interface RevocationSource<CRL>

Parameters:

certificateToken - The CertificateToken representing the certificate to be checked for revocation.

issuerCertificateToken - The CertificateToken representing the issuer certificate of the certificate to be verified.

Returns:

The CRLToken representing the revocation status of the certificate.

canGenerate

protected boolean canGenerate(CertificateToken certificateToken,
 CertificateToken issuerCertificateToken)

Returns whether the current implementation is able to produce a CRL for the given certificateToken

Parameters:

certificateToken - CertificateToken to produce a CRL for

issuerCertificateToken - CertificateToken representing an issuer of the certificateToken

Returns:

TRUE if the current implementation is able to produce a CRL for the given pair, FALSE otherwise

generateCRL

protected CRLBinary generateCRL(CertEntity crlIssuer)
                         throws IOException,
org.bouncycastle.operator.OperatorCreationException

Generates a CRL token and returns encoded binaries

Parameters:

crlIssuer - CertEntity issuer of the CRL

Returns:

CRLBinary representing a DER-encoded CRL token

Throws:

IOException - if an exception occurs on CRL generation

org.bouncycastle.operator.OperatorCreationException - if an exception occurs on CRL signing

getSignatureAlgorithm

protected SignatureAlgorithm getSignatureAlgorithm(CertEntity crlIssuer)

Returns a signature algorithm to be used on CRL creation

Parameters:

crlIssuer - CertEntity to sign the CRL

Returns:

SignatureAlgorithm

addRevocationsToCRL

protected void addRevocationsToCRL(org.bouncycastle.cert.X509v2CRLBuilder builder,
 Map<CertEntity,CertEntityRevocation> revocationList)

Adds revocations to the CRL builder based on the provided CertEntity and revocationList.

Parameters:

builder - The X509v2CRLBuilder instance to which the entries will be added.

revocationList - List of Revocation objects containing the revocation information.