PKIXRevocationChecker.Option

public static final enum PKIXRevocationChecker.Option extends Enum<PKIXRevocationChecker.Option>

Various revocation options that can be specified for the revocation checking mechanism.

Inherited Method Summary

Enum Values

public static final PKIXRevocationChecker.Option NO_FALLBACK

Disable the fallback mechanism.

public static final PKIXRevocationChecker.Option ONLY_END_ENTITY

Only check the revocation status of end-entity certificates.

public static final PKIXRevocationChecker.Option PREFER_CRLS

Prefer CRLs to OSCP. The default behavior is to prefer OCSP. Each PKIX implementation should document further details of their specific preference rules and fallback policies.

public static final PKIXRevocationChecker.Option SOFT_FAIL

Allow revocation check to succeed if the revocation status cannot be determined for one of the following reasons:

  • The CRL or OCSP response cannot be obtained because of a network error.
  • The OCSP responder returns one of the following errors specified in section 2.3 of RFC 2560: internalError or tryLater.

Note that these conditions apply to both OCSP and CRLs, and unless the NO_FALLBACK option is set, the revocation check is allowed to succeed only if both mechanisms fail under one of the conditions as stated above. Exceptions that cause the network errors are ignored but can be later retrieved by calling the getSoftFailExceptions method.