Class PKICRLSource

java.lang.Object
eu.europa.esig.dss.pki.x509.revocation.crl.PKICRLSource
All Implemented Interfaces:
CRLSource, RevocationSource<CRL>, Serializable

public class PKICRLSource extends Object implements CRLSource
An implementation of the CRLSource interface that provides methods to obtain Certificate Revocation Lists (CRLs) for certificate revocation checks. The CRLs are retrieved based on the CertEntity (certificate entity) and optionally specified production and next update dates.
  • Constructor Details

  • Method Details

    • getNextUpdate

      public Date getNextUpdate()
      Gets nextUpdate value
      Returns:
      Date
    • setNextUpdate

      public void setNextUpdate(Date nextUpdate)
      Set the next update date for the CRL generation. If not set, the nextUpdate field will not be added to CRL.
      Parameters:
      nextUpdate - The next update date to be set.
    • getThisUpdate

      protected Date getThisUpdate()
      Gets thisUpdate value. If not defined, returns the current time.
      Returns:
      Date
    • setThisUpdate

      public void setThisUpdate(Date thisUpdate)
      Set the production date for the CRL generation.
      Parameters:
      thisUpdate - The production date to be set.
    • setDigestAlgorithm

      public void setDigestAlgorithm(DigestAlgorithm digestAlgorithm)
      Sets the digest algorithm to be used on the CRL request signature. Default: SHA512 (DigestAlgorithm.SHA512)
      Parameters:
      digestAlgorithm - DigestAlgorithm
    • setEncryptionAlgorithm

      public void setEncryptionAlgorithm(EncryptionAlgorithm encryptionAlgorithm)
      Sets encryption algorithm to be used on CRL signature generation. If not defined, the encryption algorithm from the given CertEntity CRL issuer will be used. NOTE: It is important to ensure that the defined encryption algorithm is supported by the CRL issuer.
      Parameters:
      encryptionAlgorithm - EncryptionAlgorithm
    • getCrlIssuer

      protected CertEntity getCrlIssuer(CertificateToken certificateToken, CertificateToken issuerCertificateToken)
      Returns a CertEntity to be used as a CRL issuer.
      Parameters:
      certificateToken - CertificateToken to request CRL for
      issuerCertificateToken - CertificateToken that issued the certificateToken
      Returns:
      CertEntity representing the entry to be used as an issuer of the CRL
    • setCrlIssuer

      public void setCrlIssuer(CertEntity crlIssuer)
      Sets a CertEntity to be used as a CRL issuer. If not defined, the certificate issuer will be used as a CRL issuing certificate.
      Parameters:
      crlIssuer - CertEntity
    • getRevocationToken

      public CRLToken getRevocationToken(CertificateToken certificateToken, CertificateToken issuerCertificateToken)
      Retrieves a Certificate Revocation List (CRL) token for the given certificate and its issuer certificate if the CertEntity is not already.
      Specified by:
      getRevocationToken in interface CRLSource
      Specified by:
      getRevocationToken in interface RevocationSource<CRL>
      Parameters:
      certificateToken - The CertificateToken representing the certificate to be checked for revocation.
      issuerCertificateToken - The CertificateToken representing the issuer certificate of the certificate to be verified.
      Returns:
      The CRLToken representing the revocation status of the certificate.
    • canGenerate

      protected boolean canGenerate(CertificateToken certificateToken, CertificateToken issuerCertificateToken)
      Returns whether the current implementation is able to produce a CRL for the given certificateToken.
      Parameters:
      certificateToken - CertificateToken to produce a CRL for
      issuerCertificateToken - CertificateToken representing an issuer of the certificateToken
      Returns:
      TRUE if the current implementation is able to produce a CRL for the given pair, FALSE otherwise
    • generateCRL

      protected CRLBinary generateCRL(CertEntity crlIssuer) throws IOException, org.bouncycastle.operator.OperatorCreationException
      Generates a CRL token and returns encoded binaries
      Parameters:
      crlIssuer - CertEntity issuer of the CRL
      Returns:
      CRLBinary representing a DER-encoded CRL token
      Throws:
      IOException - if an exception occurs on CRL generation
      org.bouncycastle.operator.OperatorCreationException - if an exception occurs on CRL signing
    • getSignatureAlgorithm

      protected SignatureAlgorithm getSignatureAlgorithm(CertEntity crlIssuer)
      Returns a signature algorithm to be used on CRL creation
      Parameters:
      crlIssuer - CertEntity to sign the CRL
      Returns:
      SignatureAlgorithm
    • addRevocationsToCRL

      protected void addRevocationsToCRL(org.bouncycastle.cert.X509v2CRLBuilder builder, Map<CertEntity,CertEntityRevocation> revocationList)
      Adds revocations to the CRL builder based on the provided CertEntity and revocationList.
      Parameters:
      builder - The X509v2CRLBuilder instance to which the entries will be added.
      revocationList - List of Revocation objects containing the revocation information.
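
The following is an added example, not DSS code and not the implementation of this class: it uses Bouncy Castle's X509v2CRLBuilder directly to show what the thisUpdate, nextUpdate and digest algorithm settings documented above correspond to in a generated CRL, including the case where nextUpdate is left unset. The class name, issuer name, serial number and RSA key are constructed for the illustration.

```java
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.cert.X509CRL;
import java.util.Date;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.CRLReason;
import org.bouncycastle.cert.X509CRLHolder;
import org.bouncycastle.cert.X509v2CRLBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CRLConverter;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class CrlFieldsDemo {

    // Builds and signs a CRL. nextUpdate may be null, mirroring the "not set" case.
    static X509CRLHolder buildCrl(KeyPair issuerKeys, X500Name issuer, Date thisUpdate,
                                  Date nextUpdate, BigInteger revokedSerial) throws Exception {
        X509v2CRLBuilder builder = new X509v2CRLBuilder(issuer, thisUpdate);
        if (nextUpdate != null) {
            builder.setNextUpdate(nextUpdate); // omitted entirely when null
        }
        builder.addCRLEntry(revokedSerial, thisUpdate, CRLReason.keyCompromise);
        // SHA512 digest (the documented default) combined with the issuer's RSA key
        ContentSigner signer =
                new JcaContentSignerBuilder("SHA512withRSA").build(issuerKeys.getPrivate());
        return builder.build(signer);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair keys = kpg.generateKeyPair();              // constructed test key
        X500Name issuer = new X500Name("CN=Constructed Test CA");
        BigInteger serial = BigInteger.valueOf(1001);      // constructed serial number
        Date now = new Date();
        Date inOneDay = new Date(now.getTime() + 24L * 3600 * 1000);

        for (Date next : new Date[] { inOneDay, null }) {
            X509CRL crl = new JcaX509CRLConverter()
                    .getCRL(buildCrl(keys, issuer, now, next, serial));
            crl.verify(keys.getPublic());                  // throws if the signature is invalid
            boolean revoked = crl.getRevokedCertificate(serial) != null;
            // Without nextUpdate a relying party has no stated expiry to check freshness against.
            boolean freshnessCheckable = crl.getNextUpdate() != null;
            System.out.printf("sigAlg=%s revoked=%b nextUpdate=%s freshnessCheckable=%b%n",
                    crl.getSigAlgName(), revoked, crl.getNextUpdate(), freshnessCheckable);
        }
    }
}
```

RFC 5280 requires conforming CRL issuers to include nextUpdate, so a CRL produced without it is mainly useful for checking how a validator handles the missing field.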