public class X509CRLImpl
extends java.security.cert.X509CRL

An implementation of an X.509 CRL (Certificate Revocation List).

The X.509 v2 CRL format is described below in ASN.1:

    CertificateList ::= SEQUENCE {
        tbsCertList        TBSCertList,
        signatureAlgorithm AlgorithmIdentifier,
        signature          BIT STRING }

A good description and profile is provided in the IETF PKIX WG draft, Part I: X.509 Certificate and CRL Profile, <draft-ietf-pkix-ipki-part1-06.txt> (later published as RFC 2459, since superseded by RFC 5280).

The ASN.1 definition of tbsCertList is:

    TBSCertList ::= SEQUENCE {
        version              Version OPTIONAL,
                             -- if present, must be v2
        signature            AlgorithmIdentifier,
        issuer               Name,
        thisUpdate           ChoiceOfTime,
        nextUpdate           ChoiceOfTime OPTIONAL,
        revokedCertificates  SEQUENCE OF SEQUENCE {
            userCertificate     CertificateSerialNumber,
            revocationDate      ChoiceOfTime,
            crlEntryExtensions  Extensions OPTIONAL
                                -- if present, must be v2
            } OPTIONAL,
        crlExtensions        [0] EXPLICIT Extensions OPTIONAL
                             -- if present, must be v2
        }
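The two structures above, walked by hand with a small DER reader. This is an added example, not code from this page or from the library it documents: it splits a CertificateList into tbsCertList, signatureAlgorithm and signature, then steps through the TBSCertList fields in order, enforcing what the profile requires (definite-form lengths, no trailing bytes, zero unused bits in the signature BIT STRING, the inner `signature` algorithm equal to the outer `signatureAlgorithm`, version v2 when present) and counting revokedCertificates entries. The sample CRL bytes are constructed for the example and carry filler signature bytes; the class and method names (`CertificateListWalker`, `Tlv`, `walk`, `oid`, `hex`) are this example's own.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class CertificateListWalker {
    // One DER element: tag, offset where it starts, bounds of its content; next() is the following element's offset.
    static final class Tlv {
        final int tag, start, contentStart, contentEnd;
        Tlv(int tag, int start, int cs, int ce) { this.tag = tag; this.start = start; contentStart = cs; contentEnd = ce; }
        int next() { return contentEnd; }
    }
    // Reads a tag and definite-form length (DER allows no other form) and bounds-checks the element against the buffer.
    static Tlv read(byte[] d, int off) {
        if (off + 2 > d.length) throw new IllegalArgumentException("truncated header at " + off);
        int tag = d[off] & 0xFF, len = d[off + 1] & 0xFF, pos = off + 2;
        if (len > 0x7F) {                                   // long form: 0x8n, then n length bytes
            int n = len & 0x7F;
            if (n == 0 || n > 3 || pos + n > d.length) throw new IllegalArgumentException("bad length form at " + off);
            for (len = 0; n > 0; n--) len = (len << 8) | (d[pos++] & 0xFF);
        }
        if (pos + len > d.length) throw new IllegalArgumentException("element at " + off + " overruns the buffer");
        return new Tlv(tag, off, pos, pos + len);
    }
    static Tlv expect(Tlv t, int tag, String what) { if (t.tag != tag) throw new IllegalArgumentException(what + ": unexpected tag " + t.tag); return t; }
    static int tagAt(byte[] d, int p, int end) { return p < end ? d[p] & 0xFF : -1; }
    static String ascii(byte[] d, Tlv t) { return new String(d, t.contentStart, t.contentEnd - t.contentStart, StandardCharsets.US_ASCII); }
    // OBJECT IDENTIFIER content to dotted form; the first byte packs the first two arcs as 40*a + b.
    static String oid(byte[] d, Tlv t) {
        StringBuilder sb = new StringBuilder();
        long v = 0;
        for (int i = t.contentStart; i < t.contentEnd; i++) {
            v = (v << 7) | (d[i] & 0x7F);
            if ((d[i] & 0x80) != 0) continue;               // high bit set: more base-128 digits follow
            if (sb.length() == 0) sb.append(v < 80 ? v / 40 : 2).append('.').append(v < 80 ? v % 40 : v - 80);
            else sb.append('.').append(v);
            v = 0;
        }
        return sb.toString();
    }

    static final class Summary { byte[] tbsCertList, signature; String sigAlgOid, thisUpdate, nextUpdate; int revoked; }
    // CertificateList ::= SEQUENCE { tbsCertList, signatureAlgorithm, signature }, then the TBSCertList fields in order.
    static Summary walk(byte[] d) {
        Summary s = new Summary();
        Tlv outer = expect(read(d, 0), 0x30, "CertificateList");
        Tlv tbs = expect(read(d, outer.contentStart), 0x30, "tbsCertList");
        Tlv alg = expect(read(d, tbs.next()), 0x30, "signatureAlgorithm");
        Tlv sig = expect(read(d, alg.next()), 0x03, "signature");
        if (sig.next() != outer.contentEnd || outer.contentEnd != d.length) throw new IllegalArgumentException("trailing data");
        if (d[sig.contentStart] != 0) throw new IllegalArgumentException("signature BIT STRING has unused bits");
        s.tbsCertList = Arrays.copyOfRange(d, tbs.start, tbs.next());    // exactly the bytes the signature covers
        s.sigAlgOid = oid(d, read(d, alg.contentStart));
        s.signature = Arrays.copyOfRange(d, sig.contentStart + 1, sig.contentEnd);
        Tlv t = read(d, tbs.contentStart);
        if (t.tag == 0x02) { if (t.contentEnd - t.contentStart != 1 || d[t.contentStart] != 1) throw new IllegalArgumentException("version present but not v2"); t = read(d, t.next()); }  // version OPTIONAL; if present, must be v2(1)
        expect(t, 0x30, "signature (inner)");               // RFC 5280 5.1.2.2: must equal the outer signatureAlgorithm
        if (!oid(d, read(d, t.contentStart)).equals(s.sigAlgOid)) throw new IllegalArgumentException("inner/outer signature algorithm mismatch");
        t = expect(read(d, t.next()), 0x30, "issuer");
        t = read(d, t.next());                              // thisUpdate: UTCTime (0x17, two-digit year) or GeneralizedTime (0x18)
        if (t.tag != 0x17 && t.tag != 0x18) throw new IllegalArgumentException("thisUpdate is not a time");
        s.thisUpdate = ascii(d, t);
        int p = t.next(), end = tbs.contentEnd;
        if (tagAt(d, p, end) == 0x17 || tagAt(d, p, end) == 0x18) { t = read(d, p); s.nextUpdate = ascii(d, t); p = t.next(); }
        if (tagAt(d, p, end) == 0x30) {                     // revokedCertificates ::= SEQUENCE OF SEQUENCE { serial, date, entryExts? }
            t = read(d, p);
            for (int q = t.contentStart; q < t.contentEnd; q = read(d, q).next()) s.revoked++;
            p = t.next();
        }
        if (tagAt(d, p, end) == 0xA0) p = read(d, p).next(); // crlExtensions [0] EXPLICIT, v2 only: skipped, not decoded here
        if (p != end) throw new IllegalArgumentException("unexpected field in tbsCertList at " + p);
        return s;
    }

    static byte[] hex(String s) {
        String h = s.replaceAll("[^0-9A-Fa-f]", "");
        byte[] out = new byte[h.length() / 2];
        for (int i = 0; i < out.length; i++) out[i] = (byte) Integer.parseInt(h.substring(2 * i, 2 * i + 2), 16);
        return out;
    }
    // Constructed sample, hand-encoded for this example; the signature bytes are filler, so it would not verify against any key.
    static final byte[] SAMPLE_CRL = hex(
          "30 81 83"                                                      // CertificateList, 131 bytes of content
        + " 30 6B"                                                        //   tbsCertList, 107 bytes
        + "  02 01 01"                                                    //     version v2(1)
        + "  30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00"                //     signature: sha256WithRSAEncryption
        + "  30 12 31 10 30 0E 06 03 55 04 03 0C 07 54 65 73 74 20 43 41" //     issuer: CN=Test CA
        + "  17 0D 32 34 30 31 30 31 30 30 30 30 30 30 5A"                //     thisUpdate 240101000000Z
        + "  17 0D 32 34 30 32 30 31 30 30 30 30 30 30 5A"                //     nextUpdate 240201000000Z
        + "  30 15 30 13 02 02 10 01 17 0D 32 34 30 31 31 35 31 32 30 30 30 30 5A" // revokedCertificates: serial 0x1001
        + "  A0 0E 30 0C 30 0A 06 03 55 1D 14 04 03 02 01 2A"             //     crlExtensions [0]: CRLNumber = 42
        + " 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00"                 //   signatureAlgorithm (same as inner)
        + " 03 05 00 DE AD BE EF");                                       //   signature BIT STRING (filler)
    public static void main(String[] args) {
        Summary s = walk(SAMPLE_CRL);
        System.out.println("sigAlg=" + s.sigAlgOid + " tbs=" + s.tbsCertList.length + "B sig=" + s.signature.length + "B " + s.thisUpdate + ".." + s.nextUpdate + " revoked=" + s.revoked);
    }
}
```

On the sample this reports signature algorithm 1.2.840.113549.1.1.11 (sha256WithRSAEncryption), a 109-byte tbsCertList, a 4-byte signature and one revoked entry. Pointed at the bytes from `getEncoded()` of a real CRL, `walk` rejects the malformed encodings a lenient parser would accept, and `s.tbsCertList` must equal `getTBSCertList()` byte for byte.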
See Also:
    java.security.cert.X509CRL
| Constructor and Description |
|---|
| X509CRLImpl(byte[] crlData): Unmarshals an X.509 CRL from its encoded form, parsing the encoded bytes. |
| X509CRLImpl(byte[] crlData, boolean includeEntries) |
| X509CRLImpl(java.io.InputStream inStrm): Unmarshals an X.509 CRL from an input stream. |
| X509CRLImpl(X500Name issuer, AlgorithmId algId, java.util.Date thisDate, java.util.Date nextDate, java.util.Hashtable<java.math.BigInteger,RevokedCertificate> badCerts, CRLExtensions crlExts): CRL constructor, revoked certs and extensions. |
| X509CRLImpl(X500Name issuer, AlgorithmId algId, java.util.Date thisDate, java.util.Date nextDate, RevokedCertificate[] badCerts, CRLExtensions crlExts): CRL constructor, revoked certs and extensions. |
| X509CRLImpl(X500Name issuer, java.util.Date thisDate, java.util.Date nextDate): Initial CRL constructor, no revoked certs, and no extensions. |
| X509CRLImpl(X500Name issuer, java.util.Date thisDate, java.util.Date nextDate, RevokedCertificate[] badCerts): CRL constructor, revoked certs, no extensions. |
| X509CRLImpl(X500Name issuer, java.util.Date thisDate, java.util.Date nextDate, RevokedCertificate[] badCerts, CRLExtensions crlExts): CRL constructor, revoked certs and extensions. |
| Modifier and Type | Method and Description |
|---|---|
| boolean | areEntriesIncluded() |
| void | encodeInfo(java.io.OutputStream out): Encodes the "to-be-signed" CRL to the OutputStream. |
| java.util.Set<java.lang.String> | getCriticalExtensionOIDs(): Gets a Set of the extension(s) marked CRITICAL in the CRL by OID strings. |
| java.math.BigInteger | getCRLNumber() |
| java.math.BigInteger | getDeltaBaseCRLNumber() |
| byte[] | getEncoded(): Returns the ASN.1 DER encoded form of this CRL. |
| CRLExtensions | getExtensions(): Returns extensions for this impl. |
| byte[] | getExtensionValue(java.lang.String oid): Gets the DER encoded OCTET string for the extension value (extnValue) identified by the passed in oid String. |
| java.security.Principal | getIssuerDN(): Gets the issuer distinguished name from this CRL. |
| java.util.Hashtable<java.math.BigInteger,RevokedCertificate> | getListOfRevokedCertificates() |
| java.util.Date | getNextUpdate(): Gets the nextUpdate date from the CRL. |
| java.util.Set<java.lang.String> | getNonCriticalExtensionOIDs(): Gets a Set of the extension(s) marked NON-CRITICAL in the CRL by OID strings. |
| int | getNumberOfRevokedCertificates() |
| java.security.cert.X509CRLEntry | getRevokedCertificate(java.math.BigInteger serialNumber): Gets the revoked certificate from the CRL by the serial number provided. |
| java.util.Set<RevokedCertificate> | getRevokedCertificates(): Gets all the revoked certificates from the CRL. |
| java.lang.String | getSigAlgName(): Gets the signature algorithm name for the CRL signature algorithm. |
| java.lang.String | getSigAlgOID(): Gets the signature algorithm OID string from the CRL. |
| byte[] | getSigAlgParams(): Gets the DER encoded signature algorithm parameters from this CRL's signature algorithm. |
| byte[] | getSignature(): Gets the raw Signature bits from the CRL. |
| byte[] | getTBSCertList(): Gets the DER encoded CRL information, the tbsCertList from this CRL. |
| java.util.Date | getThisUpdate(): Gets the thisUpdate date from the CRL. |
| int | getVersion(): Gets the version number from the CRL. |
| boolean | hasUnsupportedCriticalExtension() |
| boolean | isDeltaCRL() |
| boolean | isRevoked(java.math.BigInteger serialNumber): Checks whether the given serial number is on this CRL. |
| boolean | isRevoked(java.security.cert.Certificate cert) |
| boolean | setSignature(byte[] crlSignature): Returns true if signature was set. |
| boolean | setSignedCRL(byte[] crl): Returns true if signedCRL was set. |
| void | sign(java.security.PrivateKey key, java.lang.String algorithm): Encodes an X.509 CRL, and signs it using the key passed. |
| void | sign(java.security.PrivateKey key, java.lang.String algorithm, java.lang.String provider): Encodes an X.509 CRL, and signs it using the key passed. |
| java.lang.String | toString(): Returns a printable string of this CRL. |
| void | verify(java.security.PublicKey key): Verifies that this CRL was signed using the private key that corresponds to the specified public key. |
| void | verify(java.security.PublicKey key, java.lang.String sigProvider): Verifies that this CRL was signed using the private key that corresponds to the specified public key, and that the signature verification was computed by the given provider. |
public X509CRLImpl(byte[] crlData)
            throws java.security.cert.CRLException,
                   X509ExtensionException

Unmarshals an X.509 CRL from its encoded form, parsing the encoded bytes.

Parameters:
    crlData - the encoded bytes, with no trailing padding.
Throws:
    java.security.cert.CRLException - on parsing errors.
    X509ExtensionException - on extension handling errors.

public X509CRLImpl(byte[] crlData, boolean includeEntries)
            throws java.security.cert.CRLException,
                   X509ExtensionException

Throws:
    java.security.cert.CRLException
    X509ExtensionException

public X509CRLImpl(java.io.InputStream inStrm)
            throws java.security.cert.CRLException,
                   X509ExtensionException

Unmarshals an X.509 CRL from an input stream.

Parameters:
    inStrm - an input stream holding at least one CRL.
Throws:
    java.security.cert.CRLException - on parsing errors.
    X509ExtensionException - on extension handling errors.

public X509CRLImpl(X500Name issuer, java.util.Date thisDate, java.util.Date nextDate)

Initial CRL constructor, no revoked certs, and no extensions.

Parameters:
    issuer - the name of the CA issuing this CRL.
    thisDate - the Date of this issue.
    nextDate - the Date of the next CRL.

public X509CRLImpl(X500Name issuer, java.util.Date thisDate, java.util.Date nextDate, RevokedCertificate[] badCerts)
            throws java.security.cert.CRLException,
                   X509ExtensionException

CRL constructor, revoked certs, no extensions.

Parameters:
    issuer - the name of the CA issuing this CRL.
    thisDate - the Date of this issue.
    nextDate - the Date of the next CRL.
    badCerts - the array of revoked certificates.
Throws:
    java.security.cert.CRLException - on parsing/construction errors.
    X509ExtensionException - on extension handling errors.

public X509CRLImpl(X500Name issuer, java.util.Date thisDate, java.util.Date nextDate, RevokedCertificate[] badCerts, CRLExtensions crlExts)
            throws java.security.cert.CRLException,
                   X509ExtensionException

CRL constructor, revoked certs and extensions.

Parameters:
    issuer - the name of the CA issuing this CRL.
    thisDate - the Date of this issue.
    nextDate - the Date of the next CRL.
    badCerts - the array of revoked certificates.
    crlExts - the CRL extensions.
Throws:
    java.security.cert.CRLException - on parsing/construction errors.
    X509ExtensionException - on extension handling errors.

public X509CRLImpl(X500Name issuer, AlgorithmId algId, java.util.Date thisDate, java.util.Date nextDate, RevokedCertificate[] badCerts, CRLExtensions crlExts)
            throws java.security.cert.CRLException,
                   X509ExtensionException

CRL constructor, revoked certs and extensions.

Parameters:
    issuer - the name of the CA issuing this CRL.
    algId - signing algorithm id.
    thisDate - the Date of this issue.
    nextDate - the Date of the next CRL.
    badCerts - the array of revoked certificates.
    crlExts - the CRL extensions.
Throws:
    java.security.cert.CRLException
    X509ExtensionException
public X509CRLImpl(X500Name issuer, AlgorithmId algId, java.util.Date thisDate, java.util.Date nextDate, java.util.Hashtable<java.math.BigInteger,RevokedCertificate> badCerts, CRLExtensions crlExts)
            throws java.security.cert.CRLException,
                   X509ExtensionException

CRL constructor, revoked certs and extensions.

Parameters:
    issuer - the name of the CA issuing this CRL.
    algId - signing algorithm id.
    thisDate - the Date of this issue.
    nextDate - the Date of the next CRL.
    badCerts - the hashtable of revoked certificates.
    crlExts - the CRL extensions.
Throws:
    java.security.cert.CRLException - on parsing/construction errors.
    X509ExtensionException - on extension handling errors.

public byte[] getEncoded()
            throws java.security.cert.CRLException

Returns the ASN.1 DER encoded form of this CRL.

Overrides:
    getEncoded in class java.security.cert.X509CRL
Throws:
    java.security.cert.CRLException - if an encoding error occurs.

public boolean setSignedCRL(byte[] crl)

Returns true if signedCRL was set.

Parameters:
    crl - byte array containing the signed CRL.

public boolean hasUnsupportedCriticalExtension()

Checks whether the CRL carries a critical extension that is not supported (the java.security.cert.X509Extension contract). A CRL for which this returns true must not be used to decide certificate status.

public void encodeInfo(java.io.OutputStream out)
            throws java.security.cert.CRLException,
                   X509ExtensionException

Encodes the "to-be-signed" CRL to the OutputStream.

Parameters:
    out - the OutputStream to write to.
Throws:
    java.security.cert.CRLException - on encoding errors.
    X509ExtensionException - on extension encoding errors.

public void verify(java.security.PublicKey key)
            throws java.security.cert.CRLException,
                   java.security.NoSuchAlgorithmException,
                   java.security.InvalidKeyException,
                   java.security.NoSuchProviderException,
                   java.security.SignatureException

Verifies that this CRL was signed using the private key that corresponds to the specified public key. A successful return only proves that the signature matches the supplied key; the caller must separately establish that this key belongs to the CRL issuer, and check thisUpdate/nextUpdate and hasUnsupportedCriticalExtension() before relying on the CRL.

Overrides:
    verify in class java.security.cert.X509CRL
Parameters:
    key - the PublicKey used to carry out the verification.
Throws:
    java.security.NoSuchAlgorithmException - on unsupported signature algorithms.
    java.security.InvalidKeyException - on incorrect key.
    java.security.NoSuchProviderException - if there's no default provider.
    java.security.SignatureException - on signature errors.
    java.security.cert.CRLException - on encoding errors.

public void verify(java.security.PublicKey key, java.lang.String sigProvider)
            throws java.security.cert.CRLException,
                   java.security.NoSuchAlgorithmException,
                   java.security.InvalidKeyException,
                   java.security.NoSuchProviderException,
                   java.security.SignatureException

Verifies that this CRL was signed using the private key that corresponds to the specified public key, and that the signature verification was computed by the given provider.

Overrides:
    verify in class java.security.cert.X509CRL
Parameters:
    key - the PublicKey used to carry out the verification.
    sigProvider - the name of the signature provider.
Throws:
    java.security.NoSuchAlgorithmException - on unsupported signature algorithms.
    java.security.InvalidKeyException - on incorrect key.
    java.security.NoSuchProviderException - on incorrect provider.
    java.security.SignatureException - on signature errors.
    java.security.cert.CRLException - on encoding errors.

public void sign(java.security.PrivateKey key, java.lang.String algorithm)
            throws java.security.cert.CRLException,
                   java.security.NoSuchAlgorithmException,
                   java.security.InvalidKeyException,
                   java.security.NoSuchProviderException,
                   java.security.SignatureException,
                   X509ExtensionException

Encodes an X.509 CRL, and signs it using the key passed.

Parameters:
    key - the private key used for signing.
    algorithm - the name of the signature algorithm used.
Throws:
    java.security.NoSuchAlgorithmException - on unsupported signature algorithms.
    java.security.InvalidKeyException - on incorrect key.
    java.security.NoSuchProviderException - on incorrect provider.
    java.security.SignatureException - on signature errors.
    java.security.cert.CRLException - if any mandatory data was omitted.
    X509ExtensionException - on any extension errors.

public void sign(java.security.PrivateKey key, java.lang.String algorithm, java.lang.String provider)
            throws java.security.cert.CRLException,
                   java.security.NoSuchAlgorithmException,
                   java.security.InvalidKeyException,
                   java.security.NoSuchProviderException,
                   java.security.SignatureException,
                   X509ExtensionException

Encodes an X.509 CRL, and signs it using the key passed.

Parameters:
    key - the private key used for signing.
    algorithm - the name of the signature algorithm used.
    provider - the name of the provider.
Throws:
    java.security.NoSuchAlgorithmException - on unsupported signature algorithms.
    java.security.InvalidKeyException - on incorrect key.
    java.security.NoSuchProviderException - on incorrect provider.
    java.security.SignatureException - on signature errors.
    java.security.cert.CRLException - if any mandatory data was omitted.
    X509ExtensionException - on any extension errors.

public java.lang.String toString()

Returns a printable string of this CRL.

Overrides:
    toString in class java.security.cert.CRL
public boolean isRevoked(java.math.BigInteger serialNumber)

Checks whether the given serial number is on this CRL.

Parameters:
    serialNumber - the number to check for.

public boolean isRevoked(java.security.cert.Certificate cert)

Checks whether the given certificate is on this CRL.

Overrides:
    isRevoked in class java.security.cert.CRL

public int getVersion()

Gets the version number from the CRL. The ASN.1 definition for this is:

    Version ::= INTEGER { v1(0), v2(1), v3(2) }
        -- v3 does not apply to CRLs but appears for consistency
        -- with definition of Version for certs

The value returned is 1 or 2, as java.security.cert.X509CRL.getVersion() requires, that is, one more than the encoded INTEGER.

Overrides:
    getVersion in class java.security.cert.X509CRL

public java.security.Principal getIssuerDN()

Gets the issuer distinguished name from this CRL. The ASN.1 definition for this is:

    issuer    Name

    Name ::= CHOICE { RDNSequence }
    RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
    RelativeDistinguishedName ::= SET OF AttributeValueAssertion
    AttributeValueAssertion ::= SEQUENCE {
        AttributeType,
        AttributeValue }
    AttributeType ::= OBJECT IDENTIFIER
    AttributeValue ::= ANY

The Name describes a hierarchical name composed of attributes, such as country name, and corresponding values, such as US. The type of the component AttributeValue is determined by the AttributeType; in general it will be a directoryString. A directoryString is usually one of PrintableString, TeletexString or UniversalString.

Overrides:
    getIssuerDN in class java.security.cert.X509CRL

public java.util.Date getThisUpdate()

Gets the thisUpdate date from the CRL.

Overrides:
    getThisUpdate in class java.security.cert.X509CRL

public java.util.Date getNextUpdate()

Gets the nextUpdate date from the CRL, or null if it is not present.

Overrides:
    getNextUpdate in class java.security.cert.X509CRL

public java.security.cert.X509CRLEntry getRevokedCertificate(java.math.BigInteger serialNumber)

Gets the revoked certificate from the CRL by the serial number provided.

Overrides:
    getRevokedCertificate in class java.security.cert.X509CRL
See Also:
    RevokedCertificate

public java.util.Set<RevokedCertificate> getRevokedCertificates()

Gets all the revoked certificates from the CRL.

Overrides:
    getRevokedCertificates in class java.security.cert.X509CRL
See Also:
    RevokedCertificate

public java.util.Hashtable<java.math.BigInteger,RevokedCertificate> getListOfRevokedCertificates()

public int getNumberOfRevokedCertificates()

public byte[] getTBSCertList()
            throws java.security.cert.CRLException

Gets the DER encoded CRL information, the tbsCertList from this CRL. This can be used to verify the signature independently.

Overrides:
    getTBSCertList in class java.security.cert.X509CRL
Throws:
    java.security.cert.CRLException - on parsing errors.

public byte[] getSignature()

Gets the raw Signature bits from the CRL.

Overrides:
    getSignature in class java.security.cert.X509CRL
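The sign, verify and getTBSCertList/getSignature entries above, tied together as an added example that is not code from this page or from the library it documents. It issues an empty CRL with the constructors listed on this page, signs it, re-parses the DER as a relying party would, and checks it twice: through verify(PublicKey) and independently over the tbsCertList bytes, the use getTBSCertList() was documented for. It then runs the checks verify does not make (nextUpdate freshness, unsupported critical extensions, a serial lookup) and shows that a single flipped bit in the signed bytes breaks the independent check. Assumptions: X500Name accepts an RFC 2253 string (that constructor is not on this page); the class sits in the same package as X509CRLImpl (the page does not name it), so those two types are used without imports; the names CrlIssueAndCheck, verifyWithLibrary, verifyOverTbs and freshness are this example's own.

```java
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.X509CRL;
import java.util.Date;

// No import for X509CRLImpl or X500Name: the page does not state their package, so this class is
// assumed to live in that same package.
public class CrlIssueAndCheck {

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair caKey = kpg.generateKeyPair();     // generated for the demo; stands in for the CA's key
        KeyPair strayKey = kpg.generateKeyPair();  // an unrelated key, to show a failing verify

        Date thisUpdate = new Date();
        Date nextUpdate = new Date(thisUpdate.getTime() + 7L * 24 * 60 * 60 * 1000L);   // one week out
        // Assumption: X500Name accepts an RFC 2253 string; that constructor is not documented on this page.
        X500Name issuer = new X500Name("CN=Example CA, O=Example");

        // Issuer side, with the constructors on this page: no revoked certs, no extensions; then sign and encode.
        X509CRLImpl issued = new X509CRLImpl(issuer, thisUpdate, nextUpdate);
        issued.sign(caKey.getPrivate(), "SHA256withRSA");   // DER-encodes tbsCertList and signs it
        byte[] der = issued.getEncoded();                    // the CertificateList to publish

        // Relying-party side: re-parse the bytes and run the checks a CRL consumer needs.
        X509CRLImpl crl = new X509CRLImpl(der);
        System.out.println("verify(caKey):         " + verifyWithLibrary(crl, caKey.getPublic()));
        System.out.println("verify(strayKey):      " + verifyWithLibrary(crl, strayKey.getPublic()));
        System.out.println("independent verify:    " + verifyOverTbs(crl, caKey.getPublic(), crl.getTBSCertList()));
        byte[] tampered = crl.getTBSCertList().clone();
        tampered[tampered.length - 1] ^= 0x01;               // flip one bit anywhere inside the signed bytes
        System.out.println("tampered tbsCertList:  " + verifyOverTbs(crl, caKey.getPublic(), tampered));
        System.out.println("freshness:             " + freshness(crl, new Date()));
        System.out.println("unknown critical ext:  " + crl.hasUnsupportedCriticalExtension());
        System.out.println("serial 0x1001 revoked: " + crl.isRevoked(BigInteger.valueOf(0x1001)));
    }

    // The page's verify(PublicKey) signals failure by throwing; fold that into a boolean.
    static boolean verifyWithLibrary(X509CRL crl, PublicKey key) {
        try {
            crl.verify(key);
            return true;
        } catch (GeneralSecurityException e) {               // SignatureException, InvalidKeyException, CRLException, ...
            return false;
        }
    }

    // Independent check using only getTBSCertList(), getSigAlgName() and getSignature(): the signature covers
    // exactly the DER bytes of tbsCertList, so any change to them must make this return false.
    static boolean verifyOverTbs(X509CRL crl, PublicKey key, byte[] tbsCertList) throws GeneralSecurityException {
        Signature sig = Signature.getInstance(crl.getSigAlgName());
        // Caveat: for parameterised schemes such as RSASSA-PSS, getSigAlgParams() is non-null and those
        // parameters must also be supplied to the Signature object; sha256WithRSA has none.
        sig.initVerify(key);
        sig.update(tbsCertList);
        return sig.verify(crl.getSignature());
    }

    // A valid signature is not enough: once nextUpdate has passed the CRL is stale and must be refetched.
    static String freshness(X509CRL crl, Date now) {
        if (now.before(crl.getThisUpdate())) return "NOT_YET_VALID";
        if (crl.getNextUpdate() != null && now.after(crl.getNextUpdate())) return "STALE";
        return "CURRENT";
    }
}
```

The stray-key and tampered-tbsCertList lines are expected to report false and the other two true. Nothing in this block, and nothing in verify itself, confirms that the public key is the one authorised to sign CRLs for that issuer; that binding comes from certification path validation on the relying-party side, and a CRL whose freshness is STALE or whose hasUnsupportedCriticalExtension() is true must not be used to decide certificate status however well its signature checks out.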
public boolean setSignature(byte[] crlSignature)

Returns true if signature was set.

Parameters:
    crlSignature - byte array containing the CRL signature.

public java.lang.String getSigAlgName()

Gets the signature algorithm name for the CRL signature algorithm. The ASN.1 definition for this is:

    AlgorithmIdentifier ::= SEQUENCE {
        algorithm   OBJECT IDENTIFIER,
        parameters  ANY DEFINED BY algorithm OPTIONAL }
        -- contains a value of the type
        -- registered for use with the
        -- algorithm object identifier value

Overrides:
    getSigAlgName in class java.security.cert.X509CRL

public java.lang.String getSigAlgOID()

Gets the signature algorithm OID string from the CRL.

Overrides:
    getSigAlgOID in class java.security.cert.X509CRL

public byte[] getSigAlgParams()

Gets the DER encoded signature algorithm parameters from this CRL's signature algorithm.

Overrides:
    getSigAlgParams in class java.security.cert.X509CRL

public java.util.Set<java.lang.String> getCriticalExtensionOIDs()

Gets a Set of the extension(s) marked CRITICAL in the CRL by OID strings.

public java.util.Set<java.lang.String> getNonCriticalExtensionOIDs()

Gets a Set of the extension(s) marked NON-CRITICAL in the CRL by OID strings.

public byte[] getExtensionValue(java.lang.String oid)

Gets the DER encoded OCTET string for the extension value (extnValue) identified by the passed in oid String. The oid string is represented by a set of positive whole numbers separated by ".", that is:

    <positive whole number>.<positive whole number>.<positive whole number>.<...>

The bytes returned are the complete DER OCTET STRING, tag and length included; the extension's own value is the content of that OCTET STRING and must itself be DER decoded.

Parameters:
    oid - the Object Identifier value for the extension.

public java.math.BigInteger getCRLNumber()

public java.math.BigInteger getDeltaBaseCRLNumber()

public boolean isDeltaCRL()

public CRLExtensions getExtensions()

Returns extensions for this impl.

public boolean areEntriesIncluded()
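The getExtensionValue, getCRLNumber, getDeltaBaseCRLNumber and isDeltaCRL entries above, as an added example that is not code from this page or from the library it documents. It decodes the bytes getExtensionValue returns for the CRL Number (2.5.29.20) and Delta CRL Indicator (2.5.29.27) extensions, both of which carry a single INTEGER, peeling the OCTET STRING wrapper and then the INTEGER, and rejecting shapes that are not DER. The sample byte arrays are constructed in the exact shape getExtensionValue returns, not taken from a real CRL; the class and method names (ExtnValueDecoder, decodeCrlNumber, crlNumber, deltaBaseCrlNumber, isDeltaCrl) are this example's own.

```java
import java.math.BigInteger;
import java.security.cert.X509CRL;
import java.util.Arrays;

public class ExtnValueDecoder {
    static final String CRL_NUMBER = "2.5.29.20";          // CRLNumber ::= INTEGER (0..MAX)
    static final String DELTA_CRL_INDICATOR = "2.5.29.27"; // BaseCRLNumber ::= CRLNumber, same encoding

    // Peels the two DER layers in what getExtensionValue(oid) returns for either OID above:
    // OCTET STRING (extnValue) { INTEGER }. Short-form lengths only, which covers every real CRL number.
    static BigInteger decodeCrlNumber(byte[] extnValue) {
        if (extnValue == null) return null;                // extension not present (X509Extension contract)
        boolean shape = extnValue.length >= 5
                && extnValue[0] == 0x04 && extnValue[1] == extnValue.length - 2   // signed-byte compare rejects 0x8n long form
                && extnValue[2] == 0x02 && extnValue[3] == extnValue.length - 4;
        if (!shape) throw new IllegalArgumentException("not OCTET STRING { INTEGER }: " + Arrays.toString(extnValue));
        byte[] mag = Arrays.copyOfRange(extnValue, 4, extnValue.length);
        if (mag.length > 1 && mag[0] == 0 && (mag[1] & 0x80) == 0) throw new IllegalArgumentException("non-minimal INTEGER, not DER");
        BigInteger n = new BigInteger(mag);                // big-endian two's complement, exactly DER INTEGER's encoding
        if (n.signum() < 0) throw new IllegalArgumentException("CRLNumber must be non-negative");
        return n;
    }

    // The values this page exposes as getCRLNumber(), getDeltaBaseCRLNumber() and isDeltaCRL(), derived from
    // any java.security.cert.X509CRL through the generic getExtensionValue().
    static BigInteger crlNumber(X509CRL crl) { return decodeCrlNumber(crl.getExtensionValue(CRL_NUMBER)); }
    static BigInteger deltaBaseCrlNumber(X509CRL crl) { return decodeCrlNumber(crl.getExtensionValue(DELTA_CRL_INDICATOR)); }
    static boolean isDeltaCrl(X509CRL crl) { return crl.getExtensionValue(DELTA_CRL_INDICATOR) != null; }

    public static void main(String[] args) {
        // Constructed extnValue bytes in the exact shape getExtensionValue() returns; not taken from a real CRL.
        byte[] fortyTwo = {0x04, 0x03, 0x02, 0x01, 0x2A};                     // OCTET STRING { INTEGER 42 }
        byte[] twoFiftySix = {0x04, 0x04, 0x02, 0x02, 0x01, 0x00};            // INTEGER 256 needs two content bytes
        byte[] oneTwentyEight = {0x04, 0x04, 0x02, 0x02, 0x00, (byte) 0x80};  // leading 0x00 keeps 0x80 positive
        byte[] bareInteger = {0x02, 0x01, 0x2A};                              // inner INTEGER alone: the wrong layer
        for (byte[] sample : new byte[][] {fortyTwo, twoFiftySix, oneTwentyEight, null, bareInteger}) {
            try {
                System.out.println(Arrays.toString(sample) + " -> " + decodeCrlNumber(sample));
            } catch (IllegalArgumentException e) {
                System.out.println(Arrays.toString(sample) + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

When the object in hand is an X509CRLImpl, getCRLNumber() and getDeltaBaseCRLNumber() give these values directly; the decoder is for code that only holds a java.security.cert.X509CRL. It also shows why passing the raw getExtensionValue() bytes to new BigInteger(...) yields nonsense: that reads the OCTET STRING and INTEGER headers as the leading digits of the number.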