


1 /*
2  * @(#)X509CRLSelector.java 1.16 04/07/16
3  *
4  * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
5  * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
6  */

7
8 package java.security.cert;
9
10 import java.io.IOException JavaDoc;
11 import java.math.BigInteger JavaDoc;
12 import java.util.*;
13
14 import javax.security.auth.x500.X500Principal JavaDoc;
15
16 import sun.security.util.Debug;
17 import sun.security.util.DerInputStream;
18 import sun.security.x509.CRLNumberExtension;
19 import sun.security.x509.X500Name;
20
21 /**
22  * A <code>CRLSelector</code> that selects <code>X509CRLs</code> that
23  * match all specified criteria. This class is particularly useful when
24  * selecting CRLs from a <code>CertStore</code> to check revocation status
25  * of a particular certificate.
26  * <p>
27  * When first constructed, an <code>X509CRLSelector</code> has no criteria
28  * enabled and each of the <code>get</code> methods return a default
29  * value (<code>null</code>). Therefore, the {@link #match match} method
30  * would return <code>true</code> for any <code>X509CRL</code>. Typically,
31  * several criteria are enabled (by calling {@link #setIssuers setIssuers}
32  * or {@link #setDateAndTime setDateAndTime}, for instance) and then the
33  * <code>X509CRLSelector</code> is passed to
34  * {@link CertStore#getCRLs CertStore.getCRLs} or some similar
35  * method.
36  * <p>
37  * Please refer to RFC 2459 for definitions of the X.509 CRL fields and
38  * extensions mentioned below.
39  * <p>
40  * <b>Concurrent Access</b>
41  * <p>
42  * Unless otherwise specified, the methods defined in this class are not
43  * thread-safe. Multiple threads that need to access a single
44  * object concurrently should synchronize amongst themselves and
45  * provide the necessary locking. Multiple threads each manipulating
46  * separate objects need not synchronize.
47  *
48  * @see CRLSelector
49  * @see X509CRL
50  *
51  * @version 1.16 07/16/04
52  * @since 1.4
53  * @author Steve Hanna
54  */

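public class X509CRLSelector implements CRLSelector {

    static {
        CertPathHelperImpl.initialize();
    }

    private static final Debug debug = Debug.getInstance("certpath");

    // issuerNames and issuerX500Principals hold the same criterion in two
    // forms (caller-supplied names and parsed principals). Every method in
    // this class sets or clears them together.
    private HashSet<Object> issuerNames;
    private HashSet<X500Principal> issuerX500Principals;
    private BigInteger minCRL;
    private BigInteger maxCRL;
    private Date dateAndTime;
    private X509Certificate certChecking;

    /**
     * Creates an <code>X509CRLSelector</code>. Initially, no criteria are set
     * so any <code>X509CRL</code> will match.
     */
    public X509CRLSelector() {}

    /**
     * Sets the issuerNames criterion. The issuer distinguished name in the
     * <code>X509CRL</code> must match at least one of the specified
     * distinguished names. If <code>null</code> or empty, any issuer
     * distinguished name will do.
     * <p>
     * This method allows the caller to specify, with a single method call,
     * the complete set of issuer names which <code>X509CRLs</code> may contain.
     * The specified value replaces the previous value for the issuerNames
     * criterion.
     * <p>
     * The <code>issuers</code> parameter (if not <code>null</code>) is a
     * <code>Collection</code> of <code>X500Principal</code>s.
     * <p>
     * Note that the <code>issuers</code> parameter can contain duplicate
     * distinguished names, but they may be removed from the
     * <code>Collection</code> of names returned by the
     * {@link #getIssuers getIssuers} method.
     * <p>
     * Note that a copy is performed on the <code>Collection</code> to
     * protect against subsequent modifications. If copying or encoding an
     * element fails, the previous criterion is left unchanged.
     *
     * @param issuers a <code>Collection</code> of X500Principals
     *                (or <code>null</code>)
     * @see #getIssuers
     * @since 1.5
     */
    public void setIssuers(Collection<X500Principal> issuers) {
        if ((issuers == null) || issuers.isEmpty()) {
            issuerNames = null;
            issuerX500Principals = null;
        } else {
            // Build both sets in locals and publish them together. If
            // encoding an element throws (for example on a null element),
            // the selector keeps its previous, consistent criterion instead
            // of a principal set without the matching name set.
            HashSet<X500Principal> principals =
                new HashSet<X500Principal>(issuers);
            HashSet<Object> names = new HashSet<Object>();
            for (X500Principal p : principals) {
                names.add(p.getEncoded());
            }
            issuerX500Principals = principals;
            issuerNames = names;
        }
    }

    /**
     * <strong>Note:</strong> use {@linkplain #setIssuers(Collection)} instead
     * or only specify the byte array form of distinguished names when using
     * this method. See {@link #addIssuerName(String)} for more information.
     * <p>
     * Sets the issuerNames criterion. The issuer distinguished name in the
     * <code>X509CRL</code> must match at least one of the specified
     * distinguished names. If <code>null</code>, any issuer distinguished name
     * will do.
     * <p>
     * This method allows the caller to specify, with a single method call,
     * the complete set of issuer names which <code>X509CRLs</code> may contain.
     * The specified value replaces the previous value for the issuerNames
     * criterion.
     * <p>
     * The <code>names</code> parameter (if not <code>null</code>) is a
     * <code>Collection</code> of names. Each name is a <code>String</code>
     * or a byte array representing a distinguished name (in RFC 2253 or
     * ASN.1 DER encoded form, respectively). If <code>null</code> is supplied
     * as the value for this argument, no issuerNames check will be performed.
     * <p>
     * Note that the <code>names</code> parameter can contain duplicate
     * distinguished names, but they may be removed from the
     * <code>Collection</code> of names returned by the
     * {@link #getIssuerNames getIssuerNames} method.
     * <p>
     * If a name is specified as a byte array, it should contain a single DER
     * encoded distinguished name, as defined in X.501. The ASN.1 notation for
     * this structure is as follows.
     * <pre><code>
     * Name ::= CHOICE {
     *   RDNSequence }
     *
     * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
     *
     * RelativeDistinguishedName ::=
     *   SET SIZE (1 .. MAX) OF AttributeTypeAndValue
     *
     * AttributeTypeAndValue ::= SEQUENCE {
     *   type     AttributeType,
     *   value    AttributeValue }
     *
     * AttributeType ::= OBJECT IDENTIFIER
     *
     * AttributeValue ::= ANY DEFINED BY AttributeType
     * ....
     * DirectoryString ::= CHOICE {
     *       teletexString           TeletexString (SIZE (1..MAX)),
     *       printableString         PrintableString (SIZE (1..MAX)),
     *       universalString         UniversalString (SIZE (1..MAX)),
     *       utf8String              UTF8String (SIZE (1.. MAX)),
     *       bmpString               BMPString (SIZE (1..MAX)) }
     * </code></pre>
     * <p>
     * Note that a deep copy is performed on the <code>Collection</code> to
     * protect against subsequent modifications.
     *
     * @param names a <code>Collection</code> of names (or <code>null</code>)
     * @throws IOException if a parsing error occurs
     * @see #getIssuerNames
     */
    public void setIssuerNames(Collection<?> names) throws IOException {
        if (names == null || names.size() == 0) {
            issuerNames = null;
            issuerX500Principals = null;
        } else {
            HashSet<Object> tempNames = cloneAndCheckIssuerNames(names);
            // Parse before assigning either field, so that a parsing error
            // leaves both fields as they were: either both are set or neither.
            issuerX500Principals = parseIssuerNames(tempNames);
            issuerNames = tempNames;
        }
    }

    /**
     * Adds a name to the issuerNames criterion. The issuer distinguished
     * name in the <code>X509CRL</code> must match at least one of the specified
     * distinguished names.
     * <p>
     * This method allows the caller to add a name to the set of issuer names
     * which <code>X509CRLs</code> may contain. The specified name is added to
     * any previous value for the issuerNames criterion.
     * If the specified name is a duplicate, it may be ignored.
     *
     * @param issuer the issuer as X500Principal
     * @since 1.5
     */
    public void addIssuer(X500Principal issuer) {
        addIssuerNameInternal(issuer.getEncoded(), issuer);
    }

    /**
     * <strong>Denigrated</strong>, use
     * {@linkplain #addIssuer(X500Principal)} or
     * {@linkplain #addIssuerName(byte[])} instead. This method should not be
     * relied on as it can fail to match some CRLs because of a loss of
     * encoding information in the RFC 2253 String form of some distinguished
     * names.
     * <p>
     * Adds a name to the issuerNames criterion. The issuer distinguished
     * name in the <code>X509CRL</code> must match at least one of the specified
     * distinguished names.
     * <p>
     * This method allows the caller to add a name to the set of issuer names
     * which <code>X509CRLs</code> may contain. The specified name is added to
     * any previous value for the issuerNames criterion.
     * If the specified name is a duplicate, it may be ignored.
     *
     * @param name the name in RFC 2253 form
     * @throws IOException if a parsing error occurs
     */
    public void addIssuerName(String name) throws IOException {
        addIssuerNameInternal(name, new X500Name(name).asX500Principal());
    }

    /**
     * Adds a name to the issuerNames criterion. The issuer distinguished
     * name in the <code>X509CRL</code> must match at least one of the specified
     * distinguished names.
     * <p>
     * This method allows the caller to add a name to the set of issuer names
     * which <code>X509CRLs</code> may contain. The specified name is added to
     * any previous value for the issuerNames criterion. If the specified name
     * is a duplicate, it may be ignored.
     * <p>
     * The name is provided as a byte array. This byte array should contain
     * a single DER encoded distinguished name, as defined in X.501. The ASN.1
     * notation for this structure appears in the documentation for
     * {@link #setIssuerNames setIssuerNames(Collection names)}.
     * <p>
     * Note that the byte array supplied here is cloned to protect against
     * subsequent modifications.
     *
     * @param name a byte array containing the name in ASN.1 DER encoded form
     * @throws IOException if a parsing error occurs
     */
    public void addIssuerName(byte[] name) throws IOException {
        // Take one private snapshot and parse that snapshot, so the stored
        // bytes and the parsed principal are derived from the same data even
        // if the caller changes its array while or after this call runs.
        byte[] nameCopy = name.clone();
        addIssuerNameInternal(nameCopy, new X500Name(nameCopy).asX500Principal());
    }

    /**
     * A private method that adds a name (String or byte array) to the
     * issuerNames criterion. The issuer distinguished
     * name in the <code>X509CRL</code> must match at least one of the specified
     * distinguished names.
     * <p>
     * The caller is responsible for parsing; this method only records the
     * two forms side by side.
     *
     * @param name the name in string or byte array form
     * @param principal the name in X500Principal form
     */
    private void addIssuerNameInternal(Object name, X500Principal principal) {
        if (issuerNames == null) {
            issuerNames = new HashSet<Object>();
        }
        if (issuerX500Principals == null) {
            issuerX500Principals = new HashSet<X500Principal>();
        }
        issuerNames.add(name);
        issuerX500Principals.add(principal);
    }

    /**
     * Clone and check an argument of the form passed to
     * setIssuerNames. Throw an IOException if the argument is malformed.
     *
     * @param names a <code>Collection</code> of names. Each entry is a
     *              String or a byte array (the name, in string or ASN.1
     *              DER encoded form, respectively). <code>null</code> is
     *              not an acceptable value.
     * @return a deep copy of the specified <code>Collection</code>
     * @throws IOException if an entry is neither a String nor a byte array
     */
    private static HashSet<Object> cloneAndCheckIssuerNames(Collection<?> names)
            throws IOException {
        HashSet<Object> namesCopy = new HashSet<Object>();
        for (Object nameObject : names) {
            if (nameObject instanceof byte[]) {
                // byte arrays are modifiable, so keep a private copy
                namesCopy.add(((byte[]) nameObject).clone());
            } else if (nameObject instanceof String) {
                // Strings are immutable and can be shared
                namesCopy.add(nameObject);
            } else {
                // also reached for a null entry
                throw new IOException("name not byte array or String");
            }
        }
        return namesCopy;
    }

    /**
     * Clone an argument of the form passed to setIssuerNames.
     * Throw a RuntimeException if the argument is malformed.
     * <p>
     * This method wraps cloneAndCheckIssuerNames, changing any IOException
     * into a RuntimeException. This method should be used when the object being
     * cloned has already been checked, so there should never be any exceptions.
     *
     * @param names a <code>Collection</code> of names. Each entry is a
     *              String or a byte array (the name, in string or ASN.1
     *              DER encoded form, respectively). <code>null</code> is
     *              not an acceptable value.
     * @return a deep copy of the specified <code>Collection</code>
     * @throws RuntimeException if a parsing error occurs
     */
    private static HashSet<Object> cloneIssuerNames(Collection<Object> names) {
        try {
            return cloneAndCheckIssuerNames(names);
        } catch (IOException ioe) {
            throw new RuntimeException(ioe);
        }
    }

    /**
     * Parse an argument of the form passed to setIssuerNames,
     * returning a Collection of issuerX500Principals.
     * Throw an IOException if the argument is malformed.
     *
     * @param names a <code>Collection</code> of names. Each entry is a
     *              String or a byte array (the name, in string or ASN.1
     *              DER encoded form, respectively). <code>null</code> is
     *              not an acceptable value.
     * @return a HashSet of issuerX500Principals
     * @throws IOException if a parsing error occurs
     */
    private static HashSet<X500Principal> parseIssuerNames(Collection<Object> names)
            throws IOException {
        HashSet<X500Principal> x500Principals = new HashSet<X500Principal>();
        for (Object nameObject : names) {
            if (nameObject instanceof String) {
                x500Principals.add(
                    new X500Name((String) nameObject).asX500Principal());
            } else {
                try {
                    x500Principals.add(new X500Principal((byte[]) nameObject));
                } catch (IllegalArgumentException e) {
                    // report malformed DER as the checked exception the
                    // public setters declare, keeping the original cause
                    throw (IOException) new IOException("Invalid name").initCause(e);
                }
            }
        }
        return x500Principals;
    }

    /**
     * Sets the minCRLNumber criterion. The <code>X509CRL</code> must have a
     * CRL number extension whose value is greater than or equal to the
     * specified value. If <code>null</code>, no minCRLNumber check will be
     * done.
     *
     * @param minCRL the minimum CRL number accepted (or <code>null</code>)
     */
    public void setMinCRLNumber(BigInteger minCRL) {
        this.minCRL = minCRL;
    }

    /**
     * Sets the maxCRLNumber criterion. The <code>X509CRL</code> must have a
     * CRL number extension whose value is less than or equal to the
     * specified value. If <code>null</code>, no maxCRLNumber check will be
     * done.
     *
     * @param maxCRL the maximum CRL number accepted (or <code>null</code>)
     */
    public void setMaxCRLNumber(BigInteger maxCRL) {
        this.maxCRL = maxCRL;
    }

    /**
     * Sets the dateAndTime criterion. The specified date must be
     * equal to or later than the value of the thisUpdate component
     * of the <code>X509CRL</code> and earlier than the value of the
     * nextUpdate component. There is no match if the <code>X509CRL</code>
     * does not contain a nextUpdate component.
     * If <code>null</code>, no dateAndTime check will be done.
     * <p>
     * Note that the <code>Date</code> supplied here is cloned to protect
     * against subsequent modifications.
     *
     * @param dateAndTime the <code>Date</code> to match against
     *                    (or <code>null</code>)
     * @see #getDateAndTime
     */
    public void setDateAndTime(Date dateAndTime) {
        if (dateAndTime == null) {
            this.dateAndTime = null;
        } else {
            this.dateAndTime = (Date) dateAndTime.clone();
        }
    }

    /**
     * Sets the certificate being checked. This is not a criterion. Rather,
     * it is optional information that may help a <code>CertStore</code>
     * find CRLs that would be relevant when checking revocation for the
     * specified certificate. If <code>null</code> is specified, then no
     * such optional information is provided.
     *
     * @param cert the <code>X509Certificate</code> being checked
     *             (or <code>null</code>)
     * @see #getCertificateChecking
     */
    public void setCertificateChecking(X509Certificate cert) {
        certChecking = cert;
    }

    /**
     * Returns the issuerNames criterion. The issuer distinguished
     * name in the <code>X509CRL</code> must match at least one of the specified
     * distinguished names. If the value returned is <code>null</code>, any
     * issuer distinguished name will do.
     * <p>
     * If the value returned is not <code>null</code>, it is an
     * unmodifiable <code>Collection</code> of <code>X500Principal</code>s.
     *
     * @return an unmodifiable <code>Collection</code> of names
     *         (or <code>null</code>)
     * @see #setIssuers
     * @since 1.5
     */
    public Collection<X500Principal> getIssuers() {
        if (issuerX500Principals == null) {
            return null;
        }
        // read-only view of the internal set, not a copy
        return Collections.unmodifiableCollection(issuerX500Principals);
    }

    /**
     * Returns a copy of the issuerNames criterion. The issuer distinguished
     * name in the <code>X509CRL</code> must match at least one of the specified
     * distinguished names. If the value returned is <code>null</code>, any
     * issuer distinguished name will do.
     * <p>
     * If the value returned is not <code>null</code>, it is a
     * <code>Collection</code> of names. Each name is a <code>String</code>
     * or a byte array representing a distinguished name (in RFC 2253 or
     * ASN.1 DER encoded form, respectively). Note that the
     * <code>Collection</code> returned may contain duplicate names.
     * <p>
     * If a name is specified as a byte array, it should contain a single DER
     * encoded distinguished name, as defined in X.501. The ASN.1 notation for
     * this structure is given in the documentation for
     * {@link #setIssuerNames setIssuerNames(Collection names)}.
     * <p>
     * Note that a deep copy is performed on the <code>Collection</code> to
     * protect against subsequent modifications.
     *
     * @return a <code>Collection</code> of names (or <code>null</code>)
     * @see #setIssuerNames
     */
    public Collection<Object> getIssuerNames() {
        if (issuerNames == null) {
            return null;
        }
        return cloneIssuerNames(issuerNames);
    }

    /**
     * Returns the minCRLNumber criterion. The <code>X509CRL</code> must have a
     * CRL number extension whose value is greater than or equal to the
     * specified value. If <code>null</code>, no minCRLNumber check will be done.
     *
     * @return the minimum CRL number accepted (or <code>null</code>)
     */
    public BigInteger getMinCRL() {
        return minCRL;
    }

    /**
     * Returns the maxCRLNumber criterion. The <code>X509CRL</code> must have a
     * CRL number extension whose value is less than or equal to the
     * specified value. If <code>null</code>, no maxCRLNumber check will be
     * done.
     *
     * @return the maximum CRL number accepted (or <code>null</code>)
     */
    public BigInteger getMaxCRL() {
        return maxCRL;
    }

    /**
     * Returns the dateAndTime criterion. The specified date must be
     * equal to or later than the value of the thisUpdate component
     * of the <code>X509CRL</code> and earlier than the value of the
     * nextUpdate component. There is no match if the
     * <code>X509CRL</code> does not contain a nextUpdate component.
     * If <code>null</code>, no dateAndTime check will be done.
     * <p>
     * Note that the <code>Date</code> returned is cloned to protect against
     * subsequent modifications.
     *
     * @return the <code>Date</code> to match against (or <code>null</code>)
     * @see #setDateAndTime
     */
    public Date getDateAndTime() {
        if (dateAndTime == null) {
            return null;
        }
        return (Date) dateAndTime.clone();
    }

    /**
     * Returns the certificate being checked. This is not a criterion. Rather,
     * it is optional information that may help a <code>CertStore</code>
     * find CRLs that would be relevant when checking revocation for the
     * specified certificate. If the value returned is <code>null</code>, then
     * no such optional information is provided.
     *
     * @return the certificate being checked (or <code>null</code>)
     * @see #setCertificateChecking
     */
    public X509Certificate getCertificateChecking() {
        return certChecking;
    }

    /**
     * Returns a printable representation of the <code>X509CRLSelector</code>.
     *
     * @return a <code>String</code> describing the contents of the
     *         <code>X509CRLSelector</code>.
     */
    @Override
    public String toString() {
        StringBuilder sb = new StringBuilder();
        sb.append("X509CRLSelector: [\n");
        if (issuerNames != null) {
            sb.append(" IssuerNames:\n");
            // names held as byte arrays are appended with the array's
            // default string form, not as a decoded distinguished name
            for (Object name : issuerNames) {
                sb.append(" " + name + "\n");
            }
        }
        if (minCRL != null) {
            sb.append(" minCRLNumber: " + minCRL + "\n");
        }
        if (maxCRL != null) {
            sb.append(" maxCRLNumber: " + maxCRL + "\n");
        }
        if (dateAndTime != null) {
            sb.append(" dateAndTime: " + dateAndTime + "\n");
        }
        if (certChecking != null) {
            sb.append(" Certificate being checked: " + certChecking + "\n");
        }
        sb.append("]");
        return sb.toString();
    }

    /**
     * Decides whether a <code>CRL</code> should be selected.
     * <p>
     * The CRL must be an <code>X509CRL</code> and must satisfy every
     * criterion that is currently set: issuer name, CRL number range and
     * dateAndTime. When a CRL number bound is set, a CRL that has no CRL
     * number extension, or whose extension cannot be decoded, is not
     * selected.
     *
     * @param crl the <code>CRL</code> to be checked
     * @return <code>true</code> if the <code>CRL</code> should be selected,
     *         <code>false</code> otherwise
     */
    public boolean match(CRL crl) {
        if (!(crl instanceof X509CRL)) {
            return false;
        }
        X509CRL xcrl = (X509CRL) crl;

        /* match on issuer name */
        if (issuerNames != null) {
            X500Principal issuer = xcrl.getIssuerX500Principal();
            boolean found = false;
            for (X500Principal candidate : issuerX500Principals) {
                if (candidate.equals(issuer)) {
                    found = true;
                    break;
                }
            }
            if (!found) {
                if (debug != null) {
                    debug.println("X509CRLSelector.match: issuer DNs "
                        + "don't match");
                }
                return false;
            }
        }

        if ((minCRL != null) || (maxCRL != null)) {
            /* Get CRL number extension from CRL */
            byte[] crlNumExtVal = xcrl.getExtensionValue("2.5.29.20");
            if (crlNumExtVal == null) {
                if (debug != null) {
                    debug.println("X509CRLSelector.match: no CRLNumber");
                }
                // Fail closed: the min/max criteria require a CRL number
                // extension, so a CRL without one is not selected. Without
                // this return the null value would be handed to the DER
                // decoder below instead of producing a clean "no match".
                return false;
            }
            BigInteger crlNum;
            try {
                DerInputStream in = new DerInputStream(crlNumExtVal);
                byte[] encoded = in.getOctetString();
                CRLNumberExtension crlNumExt =
                    new CRLNumberExtension(Boolean.FALSE, encoded);
                crlNum = (BigInteger) crlNumExt.get(CRLNumberExtension.NUMBER);
            } catch (IOException ex) {
                if (debug != null) {
                    debug.println("X509CRLSelector.match: exception in "
                        + "decoding CRL number");
                }
                return false;
            }

            /* match on minCRLNumber */
            if (minCRL != null) {
                if (crlNum.compareTo(minCRL) < 0) {
                    if (debug != null) {
                        debug.println("X509CRLSelector.match: CRLNumber too small");
                    }
                    return false;
                }
            }

            /* match on maxCRLNumber */
            if (maxCRL != null) {
                if (crlNum.compareTo(maxCRL) > 0) {
                    if (debug != null) {
                        debug.println("X509CRLSelector.match: CRLNumber too large");
                    }
                    return false;
                }
            }
        }

        /* match on dateAndTime */
        if (dateAndTime != null) {
            Date crlThisUpdate = xcrl.getThisUpdate();
            Date nextUpdate = xcrl.getNextUpdate();
            if (nextUpdate == null) {
                if (debug != null) {
                    debug.println("X509CRLSelector.match: nextUpdate null");
                }
                return false;
            }
            // NOTE(review): both bounds are inclusive here, so a date equal
            // to nextUpdate is accepted, while the setDateAndTime
            // documentation says "earlier than" nextUpdate.
            if (crlThisUpdate.after(dateAndTime)
                    || nextUpdate.before(dateAndTime)) {
                if (debug != null) {
                    debug.println("X509CRLSelector.match: update out of range");
                }
                return false;
            }
        }

        return true;
    }

    /**
     * Returns a copy of this object.
     * <p>
     * The two issuer sets are copied so that later <code>add</code> calls on
     * one selector do not change the other; the elements inside the sets
     * and the remaining fields are shared with the original.
     *
     * @return the copy
     */
    @Override
    public Object clone() {
        try {
            X509CRLSelector copy = (X509CRLSelector) super.clone();
            if (issuerNames != null) {
                copy.issuerNames = new HashSet<Object>(issuerNames);
                copy.issuerX500Principals =
                    new HashSet<X500Principal>(issuerX500Principals);
            }
            return copy;
        } catch (CloneNotSupportedException e) {
            /* Cannot happen */
            throw new InternalError(e.toString());
        }
    }
}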
678