Class X509CRLImpl

java.lang.Object
java.security.cert.CRL
java.security.cert.X509CRL
org.mozilla.jss.netscape.security.x509.X509CRLImpl
All Implemented Interfaces:
X509Extension

public class X509CRLImpl extends X509CRL

An implementation of an X.509 CRL (Certificate Revocation List).

The X.509 v2 CRL format is described below in ASN.1:

 CertificateList  ::=  SEQUENCE  {
     tbsCertList          TBSCertList,
     signatureAlgorithm   AlgorithmIdentifier,
     signatureValue       BIT STRING  }

A good description and profiling is provided in the IETF PKIX WG draft, Part I: X.509 Certificate and CRL Profile, <draft-ietf-pkix-ipki-part1-06.txt>.

The ASN.1 definition of tbsCertList is:

 TBSCertList  ::=  SEQUENCE  {
     version                 Version OPTIONAL,
                             -- if present, must be v2
     signature               AlgorithmIdentifier,
     issuer                  Name,
     thisUpdate              ChoiceOfTime,
     nextUpdate              ChoiceOfTime OPTIONAL,
     revokedCertificates     SEQUENCE OF SEQUENCE  {
         userCertificate         CertificateSerialNumber,
         revocationDate          ChoiceOfTime,
         crlEntryExtensions      Extensions OPTIONAL
                                 -- if present, must be v2
         }  OPTIONAL,
     crlExtensions           [0]  EXPLICIT Extensions OPTIONAL
                                  -- if present, must be v2
     }
Version:
1.8
  • Field Details

    • logger

      public static org.slf4j.Logger logger
    • signedCRL

      private byte[] signedCRL
    • signature

      private byte[] signature
    • tbsCertList

      private byte[] tbsCertList
    • sigAlgId

      private AlgorithmId sigAlgId
    • version

      private int version
    • infoSigAlgId

      private AlgorithmId infoSigAlgId
    • issuer

      private X500Name issuer
    • thisUpdate

      private Date thisUpdate
    • nextUpdate

      private Date nextUpdate
    • revokedCerts

      private Hashtable<BigInteger,RevokedCertificate> revokedCerts
    • extensions

      private CRLExtensions extensions
    • entriesIncluded

      private boolean entriesIncluded
    • IS_EXPLICIT

      private static final boolean IS_EXPLICIT
    • readOnly

      private boolean readOnly
  • Constructor Details

    • X509CRLImpl

      public X509CRLImpl(byte[] crlData) throws CRLException, X509ExtensionException
      Unmarshals an X.509 CRL from its encoded form, parsing the encoded bytes. This form of constructor is used by agents which need to examine and use CRL contents. Note that the buffer must include only one CRL, and no "garbage" may be left at the end.
      Parameters:
      crlData - the encoded bytes, with no trailing padding.
      Throws:
      CRLException - on parsing errors.
      X509ExtensionException - on extension handling errors.
    • X509CRLImpl

      public X509CRLImpl(byte[] crlData, boolean includeEntries) throws CRLException, X509ExtensionException
      Throws:
      CRLException
      X509ExtensionException
    • X509CRLImpl

      public X509CRLImpl(InputStream inStrm) throws CRLException, X509ExtensionException
      Unmarshals an X.509 CRL from an input stream. Only one CRL is expected at the end of the input stream.
      Parameters:
      inStrm - an input stream holding at least one CRL
      Throws:
      CRLException - on parsing errors.
      X509ExtensionException - on extension handling errors.
    • X509CRLImpl

      public X509CRLImpl(X500Name issuer, Date thisDate, Date nextDate)
      Initial CRL constructor, no revoked certs, and no extensions.
      Parameters:
      issuer - the name of the CA issuing this CRL.
      thisDate - the Date of this issue.
      nextDate - the Date of the next CRL.
    • X509CRLImpl

      public X509CRLImpl(X500Name issuer, Date thisDate, Date nextDate, RevokedCertificate[] badCerts) throws CRLException, X509ExtensionException
      CRL constructor, revoked certs, no extensions.
      Parameters:
      issuer - the name of the CA issuing this CRL.
      thisDate - the Date of this issue.
      nextDate - the Date of the next CRL.
      badCerts - the array of revoked certificates.
      Throws:
      CRLException - on parsing/construction errors.
      X509ExtensionException - on extension handling errors.
    • X509CRLImpl

      public X509CRLImpl(X500Name issuer, Date thisDate, Date nextDate, RevokedCertificate[] badCerts, CRLExtensions crlExts) throws CRLException, X509ExtensionException
      CRL constructor, revoked certs and extensions.
      Parameters:
      issuer - the name of the CA issuing this CRL.
      thisDate - the Date of this issue.
      nextDate - the Date of the next CRL.
      badCerts - the array of revoked certificates.
      crlExts - the CRL extensions.
      Throws:
      CRLException - on parsing/construction errors.
      X509ExtensionException - on extension handling errors.
    • X509CRLImpl

      public X509CRLImpl(X500Name issuer, AlgorithmId algId, Date thisDate, Date nextDate, RevokedCertificate[] badCerts, CRLExtensions crlExts) throws CRLException, X509ExtensionException
      CRL constructor with revoked certs and extensions. Intended for code that constructs a CRL and calls encodeInfo() in order to sign it by external means (rather than through the sign() method).
      Parameters:
      issuer - the name of the CA issuing this CRL.
      algId - signing algorithm id
      thisDate - the Date of this issue.
      nextDate - the Date of the next CRL.
      badCerts - the array of revoked certificates.
      crlExts - the CRL extensions.
      Throws:
      CRLException
      X509ExtensionException
    • X509CRLImpl

      public X509CRLImpl(X500Name issuer, AlgorithmId algId, Date thisDate, Date nextDate, Hashtable<BigInteger,RevokedCertificate> badCerts, CRLExtensions crlExts) throws CRLException, X509ExtensionException
      CRL constructor, revoked certs and extensions.
      Parameters:
      issuer - the name of the CA issuing this CRL.
      algId - signing algorithm id
      thisDate - the Date of this issue.
      nextDate - the Date of the next CRL.
      badCerts - the hashtable of revoked certificates.
      crlExts - the CRL extensions.
      Throws:
      CRLException - on parsing/construction errors.
      X509ExtensionException - on extension handling errors.
  • Method Details

    • getEncoded

      public byte[] getEncoded() throws CRLException
      Returns the ASN.1 DER encoded form of this CRL.
      Specified by:
      getEncoded in class X509CRL
      Throws:
      CRLException - if an encoding error occurs.
    • setSignedCRL

      public boolean setSignedCRL(byte[] crl)
      Stores the complete signed CRL encoding. Returns true if signedCRL was set.
      Parameters:
      crl - byte array containing the signed CRL.
    • hasUnsupportedCriticalExtension

      public boolean hasUnsupportedCriticalExtension()
    • encodeInfo

      public void encodeInfo(OutputStream out) throws CRLException, X509ExtensionException
      Encodes the "to-be-signed" CRL to the OutputStream.
      Parameters:
      out - the OutputStream to write to.
      Throws:
      CRLException - on encoding errors.
      X509ExtensionException - on extension encoding errors.
    • verify

      public void verify(PublicKey key) throws NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException, CRLException
      Verifies that this CRL was signed using the private key that corresponds to the specified public key.
      Specified by:
      verify in class X509CRL
      Parameters:
      key - the PublicKey used to carry out the verification.
      Throws:
      NoSuchAlgorithmException - on unsupported signature algorithms.
      InvalidKeyException - on incorrect key.
      NoSuchProviderException - if there's no default provider.
      SignatureException - on signature errors.
      CRLException - on encoding errors.
    • verify

      public void verify(PublicKey key, String sigProvider) throws NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException, CRLException
      Verifies that this CRL was signed using the private key that corresponds to the specified public key, and that the signature verification was computed by the given provider.
      Specified by:
      verify in class X509CRL
      Parameters:
      key - the PublicKey used to carry out the verification.
      sigProvider - the name of the signature provider.
      Throws:
      NoSuchAlgorithmException - on unsupported signature algorithms.
      InvalidKeyException - on incorrect key.
      NoSuchProviderException - on incorrect provider.
      SignatureException - on signature errors.
      CRLException - on encoding errors.
    • sign

      public void sign(PrivateKey key, String algorithm) throws NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException, CRLException, X509ExtensionException
      Encodes an X.509 CRL, and signs it using the key passed.
      Parameters:
      key - the private key used for signing.
      algorithm - the name of the signature algorithm used.
      Throws:
      NoSuchAlgorithmException - on unsupported signature algorithms.
      InvalidKeyException - on incorrect key.
      NoSuchProviderException - on incorrect provider.
      SignatureException - on signature errors.
      CRLException - if any mandatory data was omitted.
      X509ExtensionException - on any extension errors.
    • sign

      public void sign(PrivateKey key, String algorithm, String provider) throws NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException, CRLException, X509ExtensionException
      Encodes an X.509 CRL, and signs it using the key passed and the named provider.
      Parameters:
      key - the private key used for signing.
      algorithm - the name of the signature algorithm used.
      provider - the name of the provider.
      Throws:
      NoSuchAlgorithmException - on unsupported signature algorithms.
      InvalidKeyException - on incorrect key.
      NoSuchProviderException - on incorrect provider.
      SignatureException - on signature errors.
      CRLException - if any mandatory data was omitted.
      X509ExtensionException - on any extension errors.
    • toString

      public String toString()
      Returns a printable string of this CRL.
      Specified by:
      toString in class CRL
      Returns:
      value of this CRL in a printable form.
    • isRevoked

      public boolean isRevoked(BigInteger serialNumber)
      Checks whether the given serial number is on this CRL.
      Parameters:
      serialNumber - the number to check for.
      Returns:
      true if the given serial number is on this CRL, false otherwise.
    • isRevoked

      public boolean isRevoked(Certificate cert)
      Specified by:
      isRevoked in class CRL
    • getVersion

      public int getVersion()
      Gets the version number from the CRL. The ASN.1 definition for this is:
       Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
                   -- v3 does not apply to CRLs but appears for consistency
                   -- with definition of Version for certs
      Specified by:
      getVersion in class X509CRL
      Returns:
      the version number.
    • getIssuerDN

      public Principal getIssuerDN()
      Gets the issuer distinguished name from this CRL. The issuer name identifies the entity who has signed (and issued the CRL). The issuer name field contains an X.500 distinguished name (DN). The ASN.1 definition for this is:
       issuer    Name
      
       Name ::= CHOICE { RDNSequence }
       RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
       RelativeDistinguishedName ::=
           SET OF AttributeValueAssertion
      
       AttributeValueAssertion ::= SEQUENCE {
                                     AttributeType,
                                     AttributeValue }
       AttributeType ::= OBJECT IDENTIFIER
       AttributeValue ::= ANY
      The Name describes a hierarchical name composed of attributes, such as country name, and corresponding values, such as US. The type of the component AttributeValue is determined by the AttributeType; in general it will be a directoryString. A directoryString is usually one of PrintableString, TeletexString or UniversalString.
      Specified by:
      getIssuerDN in class X509CRL
      Returns:
      the issuer name.
    • getThisUpdate

      public Date getThisUpdate()
      Gets the thisUpdate date from the CRL. The ASN.1 definition for this is:
      Specified by:
      getThisUpdate in class X509CRL
      Returns:
      the thisUpdate date from the CRL.
    • getNextUpdate

      public Date getNextUpdate()
      Gets the nextUpdate date from the CRL.
      Specified by:
      getNextUpdate in class X509CRL
      Returns:
      the nextUpdate date from the CRL, or null if not present.
    • getRevokedCertificate

      public X509CRLEntry getRevokedCertificate(BigInteger serialNumber)
      Gets the revoked certificate entry from the CRL for the serial number provided.
      Specified by:
      getRevokedCertificate in class X509CRL
      Returns:
      the revoked certificate or null if there is no entry in the CRL marked with the provided serial number.
    • getRevokedCertificates

      public Set<RevokedCertificate> getRevokedCertificates()
      Gets all the revoked certificates from the CRL as a Set of RevokedCertificate.
      Specified by:
      getRevokedCertificates in class X509CRL
      Returns:
      all the revoked certificates or null if there are none.
    • getListOfRevokedCertificates

      public Hashtable<BigInteger,RevokedCertificate> getListOfRevokedCertificates()
    • getNumberOfRevokedCertificates

      public int getNumberOfRevokedCertificates()
    • getTBSCertList

      public byte[] getTBSCertList() throws CRLException
      Gets the DER encoded CRL information, the tbsCertList from this CRL. This can be used to verify the signature independently.
      Specified by:
      getTBSCertList in class X509CRL
      Returns:
      the DER encoded CRL information.
      Throws:
      CRLException - on parsing errors.
    • getSignature

      public byte[] getSignature()
      Gets the raw Signature bits from the CRL.
      Specified by:
      getSignature in class X509CRL
      Returns:
      the signature.
    • setSignature

      public boolean setSignature(byte[] crlSignature)
      Stores the raw signature bits. Returns true if signature was set.
      Parameters:
      crlSignature - byte array containing the CRL signature.
    • getSigAlgName

      public String getSigAlgName()
      Gets the signature algorithm name for the CRL signature algorithm. For example, the string "SHA1withDSA". The ASN.1 definition for this is:
       AlgorithmIdentifier  ::=  SEQUENCE  {
           algorithm               OBJECT IDENTIFIER,
           parameters              ANY DEFINED BY algorithm OPTIONAL  }
                                   -- contains a value of the type
                                   -- registered for use with the
                                   -- algorithm object identifier value
      Specified by:
      getSigAlgName in class X509CRL
      Returns:
      the signature algorithm name.
    • getSigAlgOID

      public String getSigAlgOID()
      Gets the signature algorithm OID string from the CRL. An OID is represented as a sequence of positive whole numbers separated by ".", that is,
      <positive whole number>.<positive whole number>.<...> For example, the string "1.2.840.10040.4.3" identifies the SHA-1 with DSA signature algorithm, as per PKIX part I.
      Specified by:
      getSigAlgOID in class X509CRL
      Returns:
      the signature algorithm oid string.
    • getSigAlgParams

      public byte[] getSigAlgParams()
      Gets the DER encoded signature algorithm parameters from this CRL's signature algorithm. In most cases the signature algorithm parameters are null, because the parameters are usually supplied with the public key.
      Specified by:
      getSigAlgParams in class X509CRL
      Returns:
      the DER encoded signature algorithm parameters, or null if no parameters are present.
    • getCriticalExtensionOIDs

      public Set<String> getCriticalExtensionOIDs()
      Gets a Set of the extension(s) marked CRITICAL in the CRL by OID strings.
      Returns:
      a set of the extension oid strings in the CRL that are marked critical.
    • getNonCriticalExtensionOIDs

      public Set<String> getNonCriticalExtensionOIDs()
      Gets a Set of the extension(s) marked NON-CRITICAL in the CRL by OID strings.
      Returns:
      a set of the extension oid strings in the CRL that are NOT marked critical.
    • getExtensionValue

      public byte[] getExtensionValue(String oid)
      Gets the DER encoded OCTET STRING for the extension value (extnValue) identified by the passed-in oid String. The oid string is represented as a sequence of positive whole numbers separated by ".", that is,
      <positive whole number>.<positive whole number>.<...>
      Parameters:
      oid - the Object Identifier value for the extension.
      Returns:
      the der encoded octet string of the extension value.
    • getCRLNumber

      public BigInteger getCRLNumber()
    • getDeltaBaseCRLNumber

      public BigInteger getDeltaBaseCRLNumber()
    • isDeltaCRL

      public boolean isDeltaCRL()
    • getExtensions

      public CRLExtensions getExtensions()
      Returns the CRL extensions held by this implementation.
    • areEntriesIncluded

      public boolean areEntriesIncluded()
    • parse

      private void parse(DerValue val) throws CRLException, IOException, X509ExtensionException
      Throws:
      CRLException
      IOException
      X509ExtensionException
    • parse

      private void parse(DerValue val, boolean includeEntries) throws CRLException, IOException, X509ExtensionException
      Throws:
      CRLException
      IOException
      X509ExtensionException
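The following is an added example, not code from the JSS project, showing how a relying party would use the constructor, verify, hasUnsupportedCriticalExtension, isDeltaCRL, getThisUpdate/getNextUpdate and getRevokedCertificate methods documented above in the order a defender needs them: the CRL's signature and freshness are established before its contents are trusted. The class name CrlCheck and the Status enum are my own; the caller is assumed to have already established that issuerCert is the CA that issued cert.

```java
import java.security.GeneralSecurityException;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509Certificate;
import java.util.Date;

import org.mozilla.jss.netscape.security.x509.X509CRLImpl;

public final class CrlCheck {

    /** Outcome of checking one certificate against one CRL (hypothetical type). */
    public enum Status { GOOD, REVOKED, CRL_REJECTED, CRL_STALE }

    /**
     * Parses a DER-encoded CRL, verifies it with the issuing CA's key, checks
     * that it is current, and only then consults it for the certificate's
     * serial number. Path building is assumed to have been done by the caller.
     */
    public static Status check(byte[] crlDer, X509Certificate issuerCert,
                               X509Certificate cert, Date now) {
        X509CRLImpl crl;
        try {
            // The buffer must hold exactly one CRL; trailing bytes are a parse error.
            crl = new X509CRLImpl(crlDer);
        } catch (Exception e) {           // CRLException or X509ExtensionException
            return Status.CRL_REJECTED;
        }

        try {
            // Checks signatureValue over tbsCertList with the CA's public key.
            crl.verify(issuerCert.getPublicKey());
        } catch (GeneralSecurityException e) {
            return Status.CRL_REJECTED;   // bad signature, wrong key or algorithm
        }

        // A critical extension we cannot interpret means the CRL cannot be used
        // safely; a delta CRL on its own is not a complete revocation list.
        if (crl.hasUnsupportedCriticalExtension() || crl.isDeltaCRL()) {
            return Status.CRL_REJECTED;
        }

        // Freshness: thisUpdate must not be in the future and, when nextUpdate
        // is present, now must not be past it (a stale CRL may omit revocations).
        Date thisUpdate = crl.getThisUpdate();
        Date nextUpdate = crl.getNextUpdate();
        if (thisUpdate.after(now) || (nextUpdate != null && now.after(nextUpdate))) {
            return Status.CRL_STALE;
        }

        // Lookup by serial number; any entry means the certificate is revoked.
        X509CRLEntry entry = crl.getRevokedCertificate(cert.getSerialNumber());
        return entry != null ? Status.REVOKED : Status.GOOD;
    }
}
```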