PKIXRevocationChecker.Option

  • PKIXRevocationChecker.Option is an enum defining various options for certificate revocation checking mechanisms.

  • Options include disabling fallback (NO_FALLBACK), checking only end-entity certificates (ONLY_END_ENTITY), preferring CRLs over OCSP (PREFER_CRLS), and allowing checks to succeed under specific soft-fail conditions (SOFT_FAIL).

  • Each option influences how the revocation status of certificates is determined during the validation process.

  • SOFT_FAIL allows for network errors or specific OCSP responder errors to be ignored but recorded as exceptions retrievable through getSoftFailExceptions.

public static final enum PKIXRevocationChecker.Option extends Enum<PKIXRevocationChecker.Option>

Various revocation options that can be specified for the revocation checking mechanism.


Enum Values

public static final PKIXRevocationChecker.Option NO_FALLBACK

Disable the fallback mechanism.

public static final PKIXRevocationChecker.Option ONLY_END_ENTITY

Only check the revocation status of end-entity certificates.

public static final PKIXRevocationChecker.Option PREFER_CRLS

Prefer CRLs to OCSP. The default behavior is to prefer OCSP. Each PKIX implementation should document further details of its specific preference rules and fallback policies.

public static final PKIXRevocationChecker.Option SOFT_FAIL

Allow revocation check to succeed if the revocation status cannot be determined for one of the following reasons:

  • The CRL or OCSP response cannot be obtained because of a network error.
  • The OCSP responder returns one of the following errors specified in section 2.3 of RFC 2560: internalError or tryLater.

Note that these conditions apply to both OCSP and CRLs, and unless the NO_FALLBACK option is set, the revocation check is allowed to succeed only if both mechanisms fail under one of the conditions as stated above. Exceptions that cause the network errors are ignored but can be later retrieved by calling the getSoftFailExceptions method.
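The following program is an added example of how these options are applied in practice; it is not code from the JDK documentation. It validates a certificate chain twice with the standard PKIX CertPathValidator: once strictly (no options, so OCSP with CRL fallback and a hard failure when status is undetermined) and once with ONLY_END_ENTITY plus SOFT_FAIL, after which it reads back the exceptions the soft-fail mode swallowed via getSoftFailExceptions. The file names, the PKCS12 truststore and its password are assumptions supplied on the command line.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.PKIXRevocationChecker.Option;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.List;

/*
 * Added example, not taken from the JDK documentation.
 * Usage (file names and password are assumptions):
 *   java RevocationOptionsDemo chain.pem truststore.p12 changeit
 * chain.pem      PEM file: end-entity certificate first, then intermediates
 * truststore.p12 PKCS12 keystore whose certificate entries are the trust anchors
 */
public class RevocationOptionsDemo {

    /** Read every certificate in a PEM file, in file order (leaf first). */
    static List<X509Certificate> loadChain(String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(pemPath)) {
            List<X509Certificate> chain = new ArrayList<>();
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
            return chain;
        }
    }

    /**
     * Validate the chain with a revocation checker configured with the given
     * options and return that checker so the caller can read its soft-fail list.
     * Options must be set BEFORE addCertPathChecker: PKIXParameters clones the
     * checker when it is added, so later setOptions calls have no effect.
     */
    static PKIXRevocationChecker validate(List<X509Certificate> chain, KeyStore trustStore,
                                          EnumSet<Option> options) throws Exception {
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
        rc.setOptions(options);

        PKIXParameters params = new PKIXParameters(trustStore);
        // An explicitly added PKIXRevocationChecker is used for revocation
        // checking regardless of params.setRevocationEnabled(...).
        params.addCertPathChecker(rc);

        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        PKIXCertPathValidatorResult result =
                (PKIXCertPathValidatorResult) cpv.validate(path, params);
        System.out.println("valid; anchored at "
                + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        return rc;
    }

    public static void main(String[] args) throws Exception {
        List<X509Certificate> chain = loadChain(args[0]);
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[1])) {
            trustStore.load(in, args[2].toCharArray());
        }

        // Strict: no options. OCSP is tried first, CRLs are the fallback, and a
        // status that cannot be determined fails the whole path.
        try {
            validate(chain, trustStore, EnumSet.noneOf(Option.class));
        } catch (CertPathValidatorException e) {
            System.out.println("strict check failed: " + e.getReason() + " - " + e.getMessage());
        }

        // Lenient, browser-like: check only the leaf, and tolerate responders that
        // are unreachable or answer internalError/tryLater. Those conditions are
        // not errors here, so inspect getSoftFailExceptions() to see what was skipped.
        try {
            PKIXRevocationChecker rc = validate(chain, trustStore,
                    EnumSet.of(Option.ONLY_END_ENTITY, Option.SOFT_FAIL));
            for (CertPathValidatorException sf : rc.getSoftFailExceptions()) {
                System.out.println("soft-failed: " + sf.getReason() + " - " + sf.getMessage());
            }
        } catch (CertPathValidatorException e) {
            // A definite revocation (BasicReason.REVOKED) still fails even with SOFT_FAIL.
            System.out.println("lenient check failed: " + e.getReason() + " - " + e.getMessage());
        }
    }
}
```

Two points worth keeping in mind when choosing options. First, SOFT_FAIL only downgrades the cases listed above (network failure, internalError, tryLater); a response that says the certificate is revoked still fails validation. Second, because the checker fetches CRLs and OCSP responses over the network, SOFT_FAIL means that anyone who can block those fetches can make a revoked certificate validate, so log or alert on a non-empty getSoftFailExceptions() list rather than silently ignoring it, and combine SOFT_FAIL with NO_FALLBACK only when you have decided that a single unreachable mechanism is acceptable.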