LDAPCertStore

Class Overview

A CertStore that retrieves Certificates and CRLs from an LDAP directory, using the PKIX LDAP V2 Schema (RFC 2587): http://www.ietf.org/rfc/rfc2587.txt.

Before calling the engineGetCertificates or engineGetCRLs methods, the LDAPCertStore(CertStoreParameters) constructor is called to create the CertStore and establish the DNS name and port of the LDAP server from which Certificates and CRLs will be retrieved.

Concurrent Access

As described in the javadoc for CertStoreSpi, the engineGetCertificates and engineGetCRLs methods must be thread-safe. That is, multiple threads may concurrently invoke these methods on a single LDAPCertStore object (or more than one) with no ill effects. This allows a CertPathBuilder to search for a CRL while simultaneously searching for further certificates, for instance.

This is achieved by adding the synchronized keyword to the engineGetCertificates and engineGetCRLs methods.

This classes uses caching and requests multiple attributes at once to minimize LDAP round trips. The cache is associated with the CertStore instance. It uses soft references to hold the values to minimize impact on footprint and currently has a maximum size of 750 attributes and a 30 second default lifetime.

We always request CA certificates, cross certificate pairs, and ARLs in a single LDAP request when any one of them is needed. The reason is that we typically need all of them anyway and requesting them in one go can reduce the number of requests to a third. Even if we don't need them, these attributes are typically small enough not to cause a noticeable overhead. In addition, when the prefetchCRLs flag is true, we also request the full CRLs. It is currently false initially but set to true once any request for an ARL to the server returns an null value. The reason is that CRLs could be rather large but are rarely used. This implementation should improve performance in most cases.

Summary

[Expand] Inherited Methods
From class java.security.cert.CertStoreSpi abstract Collection<? extends CRL> engineGetCRLs(CRLSelector selector) Returns a Collection of CRLs that match the specified selector. abstract Collection<? extends Certificate> engineGetCertificates(CertSelector selector) Returns a Collection of Certificates that match the specified selector.
From class java.lang.Object Object clone() Creates and returns a copy of this object. boolean equals(Object obj) Indicates whether some other object is "equal to" this one. void finalize() Called by the garbage collector on an object when garbage collection determines that there are no more references to the object. final Class<?> getClass() Returns the runtime class of this Object. int hashCode() Returns a hash code value for the object. final void notify() Wakes up a single thread that is waiting on this object's monitor. final void notifyAll() Wakes up all threads that are waiting on this object's monitor. String toString() Returns a string representation of the object. final void wait() Causes the current thread to wait until another thread invokes the notify() method or the notifyAll() method for this object. final void wait(long timeout, int nanos) Causes the current thread to wait until another thread invokes the notify() method or the notifyAll() method for this object, or some other thread interrupts the current thread, or a certain amount of real time has elapsed. final void wait(long timeout) Causes the current thread to wait until either another thread invokes the notify() method or the notifyAll() method for this object, or a specified amount of time has elapsed.