Class X509CRLImpl

java.lang.Object
  java.security.cert.CRL
    java.security.cert.X509CRL
      org.mozilla.jss.netscape.security.x509.X509CRLImpl

- All Implemented Interfaces:
  X509Extension
An implementation of an X.509 CRL (Certificate Revocation List).

The X.509 v2 CRL format is described below in ASN.1:

    CertificateList ::= SEQUENCE {
        tbsCertList          TBSCertList,
        signatureAlgorithm   AlgorithmIdentifier,
        signatureValue       BIT STRING }

A good description and profiling is provided in the IETF PKIX WG draft, Part I: X.509 Certificate and CRL Profile, <draft-ietf-pkix-ipki-part1-06.txt>.

The ASN.1 definition of tbsCertList is:

    TBSCertList ::= SEQUENCE {
        version              Version OPTIONAL,
                             -- if present, must be v2
        signature            AlgorithmIdentifier,
        issuer               Name,
        thisUpdate           ChoiceOfTime,
        nextUpdate           ChoiceOfTime OPTIONAL,
        revokedCertificates  SEQUENCE OF SEQUENCE {
            userCertificate      CertificateSerialNumber,
            revocationDate       ChoiceOfTime,
            crlEntryExtensions   Extensions OPTIONAL
                                 -- if present, must be v2
            } OPTIONAL,
        crlExtensions        [0] EXPLICIT Extensions OPTIONAL
                             -- if present, must be v2
    }

- Version:
  1.8
Field Summary

Fields (modifier and type, then field name; names taken from the Field Details below):

- private boolean entriesIncluded
- private CRLExtensions extensions
- private AlgorithmId infoSigAlgId
- private static final boolean IS_EXPLICIT
- private X500Name issuer
- static org.slf4j.Logger logger
- private Date nextUpdate
- private boolean readOnly
- private Hashtable<BigInteger, RevokedCertificate> revokedCerts
- private AlgorithmId sigAlgId
- private byte[] signature
- private byte[] signedCRL
- private byte[] tbsCertList
- private Date thisUpdate
- private int version
Constructor Summary

Constructors:

- X509CRLImpl(byte[] crlData)
  Unmarshals an X.509 CRL from its encoded form, parsing the encoded bytes.
- X509CRLImpl(byte[] crlData, boolean includeEntries)
- X509CRLImpl(InputStream inStrm)
  Unmarshals an X.509 CRL from an input stream.
- X509CRLImpl(X500Name issuer, Date thisDate, Date nextDate)
  Initial CRL constructor, no revoked certs, and no extensions.
- X509CRLImpl(X500Name issuer, Date thisDate, Date nextDate, RevokedCertificate[] badCerts)
  CRL constructor, revoked certs, no extensions.
- X509CRLImpl(X500Name issuer, Date thisDate, Date nextDate, RevokedCertificate[] badCerts, CRLExtensions crlExts)
  CRL constructor, revoked certs and extensions.
- X509CRLImpl(X500Name issuer, AlgorithmId algId, Date thisDate, Date nextDate, Hashtable<BigInteger, RevokedCertificate> badCerts, CRLExtensions crlExts)
  CRL constructor, revoked certs and extensions.
- X509CRLImpl(X500Name issuer, AlgorithmId algId, Date thisDate, Date nextDate, RevokedCertificate[] badCerts, CRLExtensions crlExts)
  CRL constructor, revoked certs and extensions.
Method Summary

Methods (modifier and type, method, description; return types that the extraction dropped are restored where the overridden java.security.cert.X509CRL method fixes them):

- boolean areEntriesIncluded()
- void encodeInfo(OutputStream out)
  Encodes the "to-be-signed" CRL to the OutputStream.
- Set<String> getCriticalExtensionOIDs()
  Gets a Set of the extension(s) marked CRITICAL in the CRL by OID strings.
- getCRLNumber()
- getDeltaBaseCRLNumber()
- byte[] getEncoded()
  Returns the ASN.1 DER encoded form of this CRL.
- CRLExtensions getExtensions()
  Returns extensions for this impl.
- byte[] getExtensionValue(String oid)
  Gets the DER encoded OCTET string for the extension value (extnValue) identified by the passed in oid String.
- Principal getIssuerDN()
  Gets the issuer distinguished name from this CRL.
- getListOfRevokedCertificates()
- Date getNextUpdate()
  Gets the nextUpdate date from the CRL.
- Set<String> getNonCriticalExtensionOIDs()
  Gets a Set of the extension(s) marked NON-CRITICAL in the CRL by OID strings.
- int getNumberOfRevokedCertificates()
- RevokedCertificate getRevokedCertificate(BigInteger serialNumber)
  Gets the revoked certificate from the CRL by the serial number provided.
- Set<RevokedCertificate> getRevokedCertificates()
  Gets all the revoked certificates from the CRL.
- String getSigAlgName()
  Gets the signature algorithm name for the CRL signature algorithm.
- String getSigAlgOID()
  Gets the signature algorithm OID string from the CRL.
- byte[] getSigAlgParams()
  Gets the DER encoded signature algorithm parameters from this CRL's signature algorithm.
- byte[] getSignature()
  Gets the raw Signature bits from the CRL.
- byte[] getTBSCertList()
  Gets the DER encoded CRL information, the tbsCertList from this CRL.
- Date getThisUpdate()
  Gets the thisUpdate date from the CRL.
- int getVersion()
  Gets the version number from the CRL.
- boolean hasUnsupportedCriticalExtension()
- boolean isDeltaCRL()
- boolean isRevoked(BigInteger serialNumber)
  Checks whether the given serial number is on this CRL.
- boolean isRevoked(Certificate cert)
- private void parse(DerValue val)
- private void parse(DerValue val, boolean includeEntries)
- boolean setSignature(byte[] crlSignature)
  Returns true if signature was set.
- boolean setSignedCRL(byte[] crl)
  Returns true if signedCRL was set.
- void sign(PrivateKey key, String algorithm)
  Encodes an X.509 CRL, and signs it using the key passed.
- void sign(PrivateKey key, String algorithm, String provider)
  Encodes an X.509 CRL, and signs it using the key passed.
- String toString()
  Returns a printable string of this CRL.
- void verify(PublicKey key)
  Verifies that this CRL was signed using the private key that corresponds to the specified public key.
- void verify(PublicKey key, String sigProvider)
  Verifies that this CRL was signed using the private key that corresponds to the specified public key, and that the signature verification was computed by the given provider.

Methods inherited from class java.security.cert.X509CRL:
equals, getIssuerX500Principal, getRevokedCertificate, hashCode, verify
Field Details

logger

    public static org.slf4j.Logger logger

signedCRL

    private byte[] signedCRL

signature

    private byte[] signature

tbsCertList

    private byte[] tbsCertList

sigAlgId

    private AlgorithmId sigAlgId

version

    private int version

infoSigAlgId

    private AlgorithmId infoSigAlgId

issuer

    private X500Name issuer

thisUpdate

    private Date thisUpdate

nextUpdate

    private Date nextUpdate

revokedCerts

    private Hashtable<BigInteger, RevokedCertificate> revokedCerts

extensions

    private CRLExtensions extensions

entriesIncluded

    private boolean entriesIncluded

IS_EXPLICIT

    private static final boolean IS_EXPLICIT

readOnly

    private boolean readOnly
Constructor Details

X509CRLImpl

    public X509CRLImpl(byte[] crlData) throws CRLException, X509ExtensionException

Unmarshals an X.509 CRL from its encoded form, parsing the encoded bytes. This form of constructor is used by agents which need to examine and use CRL contents. Note that the buffer must include only one CRL, and no "garbage" may be left at the end.

- Parameters:
  crlData - the encoded bytes, with no trailing padding.
- Throws:
  CRLException - on parsing errors.
  X509ExtensionException - on extension handling errors.

X509CRLImpl

    public X509CRLImpl(byte[] crlData, boolean includeEntries) throws CRLException, X509ExtensionException

- Throws:
  CRLException
  X509ExtensionException

X509CRLImpl

    public X509CRLImpl(InputStream inStrm) throws CRLException, X509ExtensionException

Unmarshals an X.509 CRL from an input stream. Only one CRL is expected at the end of the input stream.

- Parameters:
  inStrm - an input stream holding at least one CRL.
- Throws:
  CRLException - on parsing errors.
  X509ExtensionException - on extension handling errors.

X509CRLImpl

    public X509CRLImpl(X500Name issuer, Date thisDate, Date nextDate)

Initial CRL constructor, no revoked certs, and no extensions.

- Parameters:
  issuer - the name of the CA issuing this CRL.
  thisDate - the Date of this issue.
  nextDate - the Date of the next CRL.

X509CRLImpl

    public X509CRLImpl(X500Name issuer, Date thisDate, Date nextDate, RevokedCertificate[] badCerts) throws CRLException, X509ExtensionException

CRL constructor, revoked certs, no extensions.

- Parameters:
  issuer - the name of the CA issuing this CRL.
  thisDate - the Date of this issue.
  nextDate - the Date of the next CRL.
  badCerts - the array of revoked certificates.
- Throws:
  CRLException - on parsing/construction errors.
  X509ExtensionException - on extension handling errors.

X509CRLImpl

    public X509CRLImpl(X500Name issuer, Date thisDate, Date nextDate, RevokedCertificate[] badCerts, CRLExtensions crlExts) throws CRLException, X509ExtensionException

CRL constructor, revoked certs and extensions.

- Parameters:
  issuer - the name of the CA issuing this CRL.
  thisDate - the Date of this issue.
  nextDate - the Date of the next CRL.
  badCerts - the array of revoked certificates.
  crlExts - the CRL extensions.
- Throws:
  CRLException - on parsing/construction errors.
  X509ExtensionException - on extension handling errors.

X509CRLImpl

    public X509CRLImpl(X500Name issuer, AlgorithmId algId, Date thisDate, Date nextDate, RevokedCertificate[] badCerts, CRLExtensions crlExts) throws CRLException, X509ExtensionException

CRL constructor, revoked certs and extensions. This will be used by code that constructs a CRL and uses encodeInfo() in order to sign it using external means (other than the sign() method).

- Parameters:
  issuer - the name of the CA issuing this CRL.
  algId - the signing algorithm id.
  thisDate - the Date of this issue.
  nextDate - the Date of the next CRL.
  badCerts - the array of revoked certificates.
  crlExts - the CRL extensions.
- Throws:
  CRLException
  X509ExtensionException

X509CRLImpl

    public X509CRLImpl(X500Name issuer, AlgorithmId algId, Date thisDate, Date nextDate, Hashtable<BigInteger, RevokedCertificate> badCerts, CRLExtensions crlExts) throws CRLException, X509ExtensionException

CRL constructor, revoked certs and extensions.

- Parameters:
  issuer - the name of the CA issuing this CRL.
  algId - the signing algorithm id.
  thisDate - the Date of this issue.
  nextDate - the Date of the next CRL.
  badCerts - the hashtable of revoked certificates.
  crlExts - the CRL extensions.
- Throws:
  CRLException - on parsing/construction errors.
  X509ExtensionException - on extension handling errors.
Method Details

getEncoded

    public byte[] getEncoded() throws CRLException

Returns the ASN.1 DER encoded form of this CRL.

- Specified by:
  getEncoded in class X509CRL
- Throws:
  CRLException - if an encoding error occurs.

setSignedCRL

    public boolean setSignedCRL(byte[] crl)

Returns true if signedCRL was set.

- Parameters:
  crl - byte array containing the signed CRL.

hasUnsupportedCriticalExtension

    public boolean hasUnsupportedCriticalExtension()

encodeInfo

    public void encodeInfo(OutputStream out) throws CRLException, X509ExtensionException

Encodes the "to-be-signed" CRL to the OutputStream.

- Parameters:
  out - the OutputStream to write to.
- Throws:
  CRLException - on encoding errors.
  X509ExtensionException - on extension encoding errors.

verify

    public void verify(PublicKey key) throws CRLException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException

Verifies that this CRL was signed using the private key that corresponds to the specified public key.

- Specified by:
  verify in class X509CRL
- Parameters:
  key - the PublicKey used to carry out the verification.
- Throws:
  NoSuchAlgorithmException - on unsupported signature algorithms.
  InvalidKeyException - on incorrect key.
  NoSuchProviderException - if there's no default provider.
  SignatureException - on signature errors.
  CRLException - on encoding errors.

verify

    public void verify(PublicKey key, String sigProvider) throws CRLException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException

Verifies that this CRL was signed using the private key that corresponds to the specified public key, and that the signature verification was computed by the given provider.

- Specified by:
  verify in class X509CRL
- Parameters:
  key - the PublicKey used to carry out the verification.
  sigProvider - the name of the signature provider.
- Throws:
  NoSuchAlgorithmException - on unsupported signature algorithms.
  InvalidKeyException - on incorrect key.
  NoSuchProviderException - on incorrect provider.
  SignatureException - on signature errors.
  CRLException - on encoding errors.
sign

    public void sign(PrivateKey key, String algorithm) throws CRLException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException, X509ExtensionException

Encodes an X.509 CRL, and signs it using the key passed.

- Parameters:
  key - the private key used for signing.
  algorithm - the name of the signature algorithm used.
- Throws:
  NoSuchAlgorithmException - on unsupported signature algorithms.
  InvalidKeyException - on incorrect key.
  NoSuchProviderException - on incorrect provider.
  SignatureException - on signature errors.
  CRLException - if any mandatory data was omitted.
  X509ExtensionException - on any extension errors.

sign

    public void sign(PrivateKey key, String algorithm, String provider) throws CRLException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException, X509ExtensionException

Encodes an X.509 CRL, and signs it using the key passed.

- Parameters:
  key - the private key used for signing.
  algorithm - the name of the signature algorithm used.
  provider - the name of the provider.
- Throws:
  NoSuchAlgorithmException - on unsupported signature algorithms.
  InvalidKeyException - on incorrect key.
  NoSuchProviderException - on incorrect provider.
  SignatureException - on signature errors.
  CRLException - if any mandatory data was omitted.
  X509ExtensionException - on any extension errors.
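The constructors build tbsCertList in memory, sign() turns it into a signed CertificateList, and verify(), hasUnsupportedCriticalExtension(), getNextUpdate() and isRevoked() are what a relying party uses on the other end. The round trip below is an added example written for this page; it is not code from the JSS project. It issues a CRL with one revoked serial, signs it with a freshly generated RSA key, re-parses the DER through the byte[] constructor, and then runs the checks a consumer should make before trusting the list: signature under the issuer's public key, no critical extension the implementation cannot process, and nextUpdate still in the future. It also shows the independent signature check that the getTBSCertList() documentation mentions, using only JCA. Assumed and not documented on this page: RevokedCertImpl(BigInteger, Date) as the RevokedCertificate implementation, the X500Name(String) constructor, that sign() accepts the JCA name "SHA256withRSA", and that getSigAlgName() returns a JCA standard name.

```java
import java.math.BigInteger;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.util.Date;

import org.mozilla.jss.netscape.security.x509.RevokedCertImpl;   // assumed RevokedCertificate implementation
import org.mozilla.jss.netscape.security.x509.RevokedCertificate;
import org.mozilla.jss.netscape.security.x509.X500Name;
import org.mozilla.jss.netscape.security.x509.X509CRLImpl;

public class CrlRoundTrip {

    /** Result of the relying-party checks, so callers can log why a CRL was rejected. */
    public enum CrlStatus { OK, BAD_SIGNATURE, UNSUPPORTED_CRITICAL_EXT, STALE }

    /** Issuer side: build a CRL listing the given serials and sign it with the CA key. */
    public static byte[] issueCrl(X500Name issuer, KeyPair caKey, BigInteger[] revokedSerials,
                                  Date thisUpdate, Date nextUpdate) throws Exception {
        RevokedCertificate[] entries = new RevokedCertificate[revokedSerials.length];
        for (int i = 0; i < revokedSerials.length; i++) {
            // RevokedCertImpl(serial, revocationDate) is an assumption; it is not documented on this page
            entries[i] = new RevokedCertImpl(revokedSerials[i], thisUpdate);
        }
        // "CRL constructor, revoked certs, no extensions"
        X509CRLImpl crl = new X509CRLImpl(issuer, thisUpdate, nextUpdate, entries);
        // sign() DER-encodes tbsCertList, signs it and stores the complete CertificateList
        crl.sign(caKey.getPrivate(), "SHA256withRSA");
        return crl.getEncoded();
    }

    /** Relying-party side: checks to pass before a parsed CRL is consulted for revocation. */
    public static CrlStatus checkCrl(X509CRLImpl crl, PublicKey issuerKey, Date now) throws Exception {
        try {
            crl.verify(issuerKey);                  // throws unless signed by the issuer's private key
        } catch (SignatureException | InvalidKeyException e) {
            return CrlStatus.BAD_SIGNATURE;
        }
        if (crl.hasUnsupportedCriticalExtension()) {
            return CrlStatus.UNSUPPORTED_CRITICAL_EXT;  // a critical extension we cannot process: do not use this CRL
        }
        Date next = crl.getNextUpdate();            // null when the OPTIONAL nextUpdate field is absent
        if (next != null && !now.before(next)) {
            return CrlStatus.STALE;                 // the issuer promised a newer CRL by now
        }
        return CrlStatus.OK;
    }

    /** The same signature check done with plain JCA over getTBSCertList() and getSignature(). */
    public static boolean independentVerify(X509CRLImpl crl, PublicKey issuerKey) throws Exception {
        // assumes getSigAlgName() yields a JCA standard name such as "SHA256withRSA"
        Signature sig = Signature.getInstance(crl.getSigAlgName());
        sig.initVerify(issuerKey);
        sig.update(crl.getTBSCertList());           // exactly the DER bytes the CA signed
        return sig.verify(crl.getSignature());
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair caKey = kpg.generateKeyPair();

        X500Name issuer = new X500Name("CN=Example CA, O=Example");       // constructed sample issuer name
        Date now = new Date();
        Date nextUpdate = new Date(now.getTime() + 24L * 60 * 60 * 1000);   // one-day CRL lifetime
        BigInteger revokedSerial = BigInteger.valueOf(0x1234);              // constructed sample serial

        byte[] der = issueCrl(issuer, caKey, new BigInteger[] { revokedSerial }, now, nextUpdate);

        // The byte[] constructor rejects trailing garbage and malformed ASN.1 with CRLException
        X509CRLImpl crl = new X509CRLImpl(der);
        System.out.println("status:            " + checkCrl(crl, caKey.getPublic(), now));
        System.out.println("independent check: " + independentVerify(crl, caKey.getPublic()));
        System.out.println("0x1234 revoked:    " + crl.isRevoked(revokedSerial));
        System.out.println("0x1235 revoked:    " + crl.isRevoked(BigInteger.valueOf(0x1235)));

        // Any change to the signed bytes must be caught: flip one bit in the signature value,
        // which is the last element of CertificateList
        byte[] tampered = der.clone();
        tampered[tampered.length - 1] ^= 0x01;
        System.out.println("tampered:          " + checkCrl(new X509CRLImpl(tampered), caKey.getPublic(), now));

        // A CRL checked against a key that is not the issuer's must also be rejected
        KeyPair other = kpg.generateKeyPair();
        System.out.println("wrong issuer key:  " + checkCrl(crl, other.getPublic(), now));

        // A CRL whose nextUpdate has passed is stale even though its signature is valid
        Date later = new Date(nextUpdate.getTime() + 1000);
        System.out.println("after nextUpdate:  " + checkCrl(crl, caKey.getPublic(), later));
    }
}
```

checkCrl returns a status rather than a boolean so the caller can distinguish a forged or corrupted list from one that is merely out of date; the first should be treated as an attack indicator and logged, the second as a fetch failure to retry. Note that verify(PublicKey) only proves the CRL was signed by the holder of that key; binding the key to the issuer named in getIssuerDN() is the caller's job.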
toString

    public String toString()

Returns a printable string of this CRL.

isRevoked

    public boolean isRevoked(BigInteger serialNumber)

Checks whether the given serial number is on this CRL.

- Parameters:
  serialNumber - the number to check for.
- Returns:
  true if the given serial number is on this CRL, false otherwise.

isRevoked

    public boolean isRevoked(Certificate cert)

getVersion

    public int getVersion()

Gets the version number from the CRL. The ASN.1 definition for this is:

    Version ::= INTEGER { v1(0), v2(1), v3(2) }
    -- v3 does not apply to CRLs but appears for consistency
    -- with definition of Version for certs

- Specified by:
  getVersion in class X509CRL
- Returns:
  the version number.

getIssuerDN

    public Principal getIssuerDN()

Gets the issuer distinguished name from this CRL. The issuer name identifies the entity who has signed (and issued) the CRL. The issuer name field contains an X.500 distinguished name (DN). The ASN.1 definition for this is:

    issuer    Name

    Name ::= CHOICE {
        RDNSequence }
    RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
    RelativeDistinguishedName ::=
        SET OF AttributeValueAssertion
    AttributeValueAssertion ::= SEQUENCE {
        AttributeType,
        AttributeValue }
    AttributeType ::= OBJECT IDENTIFIER
    AttributeValue ::= ANY

The Name describes a hierarchical name composed of attributes, such as country name, and corresponding values, such as US. The type of the component AttributeValue is determined by the AttributeType; in general it will be a directoryString. A directoryString is usually one of PrintableString, TeletexString or UniversalString.

- Specified by:
  getIssuerDN in class X509CRL
- Returns:
  the issuer name.

getThisUpdate

    public Date getThisUpdate()

Gets the thisUpdate date from the CRL. The ASN.1 definition for this is:

- Specified by:
  getThisUpdate in class X509CRL
- Returns:
  the thisUpdate date from the CRL.

getNextUpdate

    public Date getNextUpdate()

Gets the nextUpdate date from the CRL.

- Specified by:
  getNextUpdate in class X509CRL
- Returns:
  the nextUpdate date from the CRL, or null if not present.
getRevokedCertificate

    public RevokedCertificate getRevokedCertificate(BigInteger serialNumber)

Gets the revoked certificate from the CRL by the serial number provided.

- Specified by:
  getRevokedCertificate in class X509CRL
- Returns:
  the revoked certificate, or null if there is no entry in the CRL marked with the provided serial number.

getRevokedCertificates

    public Set<RevokedCertificate> getRevokedCertificates()

Gets all the revoked certificates from the CRL, as a Set of RevokedCertificate.

- Specified by:
  getRevokedCertificates in class X509CRL
- Returns:
  all the revoked certificates, or null if there are none.

getListOfRevokedCertificates

getNumberOfRevokedCertificates

    public int getNumberOfRevokedCertificates()

getTBSCertList

    public byte[] getTBSCertList() throws CRLException

Gets the DER encoded CRL information, the tbsCertList from this CRL. This can be used to verify the signature independently.

- Specified by:
  getTBSCertList in class X509CRL
- Returns:
  the DER encoded CRL information.
- Throws:
  CRLException - on parsing errors.

getSignature

    public byte[] getSignature()

Gets the raw Signature bits from the CRL.

- Specified by:
  getSignature in class X509CRL
- Returns:
  the signature.

setSignature

    public boolean setSignature(byte[] crlSignature)

Returns true if signature was set.

- Parameters:
  crlSignature - byte array containing the CRL signature.
getSigAlgName

    public String getSigAlgName()

Gets the signature algorithm name for the CRL signature algorithm. For example, the string "SHA1withDSA". The ASN.1 definition for this is:

    AlgorithmIdentifier ::= SEQUENCE {
        algorithm   OBJECT IDENTIFIER,
        parameters  ANY DEFINED BY algorithm OPTIONAL }
        -- contains a value of the type
        -- registered for use with the
        -- algorithm object identifier value

- Specified by:
  getSigAlgName in class X509CRL
- Returns:
  the signature algorithm name.

getSigAlgOID

    public String getSigAlgOID()

Gets the signature algorithm OID string from the CRL. An OID is represented by a set of positive whole numbers separated by ".", that is:

    <positive whole number>.<positive whole number>.<...>

For example, the string "1.2.840.10040.4.3" identifies the SHA-1 with DSA signature algorithm, as per the PKIX part I.

- Specified by:
  getSigAlgOID in class X509CRL
- Returns:
  the signature algorithm OID string.

getSigAlgParams

    public byte[] getSigAlgParams()

Gets the DER encoded signature algorithm parameters from this CRL's signature algorithm. In most cases the signature algorithm parameters are null; the parameters are usually supplied with the Public Key.

- Specified by:
  getSigAlgParams in class X509CRL
- Returns:
  the DER encoded signature algorithm parameters, or null if no parameters are present.

getCriticalExtensionOIDs

    public Set<String> getCriticalExtensionOIDs()

Gets a Set of the extension(s) marked CRITICAL in the CRL by OID strings.

- Returns:
  a set of the extension OID strings in the CRL that are marked critical.

getNonCriticalExtensionOIDs

    public Set<String> getNonCriticalExtensionOIDs()

Gets a Set of the extension(s) marked NON-CRITICAL in the CRL by OID strings.

- Returns:
  a set of the extension OID strings in the CRL that are NOT marked critical.

getExtensionValue

    public byte[] getExtensionValue(String oid)

Gets the DER encoded OCTET string for the extension value (extnValue) identified by the passed in oid String. The oid string is represented by a set of positive whole numbers separated by ".", that is:

    <positive whole number>.<positive whole number>.<...>

- Parameters:
  oid - the Object Identifier value for the extension.
- Returns:
  the DER encoded octet string of the extension value.

getCRLNumber

getDeltaBaseCRLNumber

isDeltaCRL

    public boolean isDeltaCRL()

getExtensions

    public CRLExtensions getExtensions()

Returns extensions for this impl.

areEntriesIncluded

    public boolean areEntriesIncluded()

parse

parse

    private void parse(DerValue val, boolean includeEntries) throws CRLException, IOException, X509ExtensionException