iaik.x509

Class X509CRL

java.lang.Object

java.security.cert.CRL

java.security.cert.X509CRL

iaik.x509.X509CRL

All Implemented Interfaces:

ASN1Type, java.security.cert.X509Extension

public class X509CRL
extends java.security.cert.X509CRL
implements ASN1Type

This class represents a X.509v2 CertificateRevocationList (CRL).

A Certificate Revocation List (CRL) denotes a list of certificates that have been expired for some reason (e.g. the name of the subject has changed, the private key can no more being treated to be only known by the subject, ...) prior to the regular ending of its validity period. A CRL is maintained by a certification authority (CA) making it publicly available and refreshing it in certain time intervals. Each recoked certificate included in a revocation list can be identified by its serial number. The recvocation list is signed by the maintaining CA.

A profile for X.509v2 revocation lists is presented together with the X.509v3 certificate format in RFC 3280, where a CRL is defined as an ASN.1 SEQUENCE structure containing the following components:

 CertificateList  ::=  SEQUENCE  {
   tbsCertList          TBSCertList,
   signatureAlgorithm   AlgorithmIdentifier,
   signatureValue            BIT STRING  }
 

where signatureAlgorithm identifies the signature algorithm used by the signing certification authority for computing the digital signature upon the ASN.1 DER encoded TBSCertList structure, which itself is expressed as ASN.1 SEQUENCE structure specifying the (distinguished) name of the issuer, the issue date of the CRL, the date when the next CRL will be issued, and optionally lists of revoked certificates (identified by their serial numbers) and CRL extensions. The list of revoked certificates is classified as being optional since a CA may not have revoked any issued certificate when publishing a CRL.

ASN.1 definition:

 TBSCertList  ::=  SEQUENCE  {
   version                 Version OPTIONAL,
                                -- if present, must be v2
   signature               AlgorithmIdentifier,
   issuer                  Name,
   thisUpdate              Time,
   nextUpdate              Time OPTIONAL,
   revokedCertificates     SEQUENCE OF SEQUENCE  {
      userCertificate         CertificateSerialNumber,
      revocationDate          Time,
      crlEntryExtensions      Extensions OPTIONAL
                                     -- if present, must be v2
   }  OPTIONAL,
   crlExtensions           [0]  EXPLICIT Extensions OPTIONAL
                                     -- if present, must be v2
 }
 

where:

 Version  ::=  INTEGER  {  v1(0), v2(1), v3(2) }
           -- v3 does not apply to CRLs but appears for consistency
           -- with definition of Version for certs
 

 AlgorithmIdentifier  ::=  SEQUENCE  {
   algorithm               OBJECT IDENTIFIER,
   parameters              ANY DEFINED BY algorithm OPTIONAL  }
                              -- contains a value of the type
                              -- registered for use with the
                              -- algorithm object identifier value
 

 Name ::= CHOICE {     RDNSequence }
 

 RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
 

 RelativeDistinguishedName ::=     SET OF AttributeTypeAndValue
 

 AttributeTypeAndValue ::= SEQUENCE {
   type     AttributeType,
   value    AttributeValue }
 

 AttributeType ::= OBJECT IDENTIFIER
 

 AttributeValue ::= ANY   -- Directory string type --
 

 DirectoryString ::= CHOICE {
    teletexString           TeletexString (SIZE (1..maxSize),
    printableString         PrintableString (SIZE (1..maxSize)),
    universalString         UniversalString (SIZE (1..maxSize)),
    bmpString               BMPString (SIZE(1..maxSIZE))
 }
 

 Time ::= CHOICE {
   utcTime        UTCTime,
   generalTime    GeneralizedTime }
 

 CertificateSerialNumber  ::=  INTEGER
 

 Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension
 

 Extension  ::=  SEQUENCE  {
   extnID      OBJECT IDENTIFIER,
   critical    BOOLEAN DEFAULT FALSE,
   extnValue   OCTET STRING  }

 

For a detail description of the several fields refer to RFC 3280.

For each value extists a setValue() and a getValue() method. After creating a X509CRL, the, for instance, CRL issuing date may be set to the current date by using the setThisUpdate method:

 X509CRL crl = new X509CRL();
 GregorianCalendar date = (GregorianCalendar)Calendar.getInstance();
 crl.setThisUpdate(date.getTime());
 

Manipulating the extensions of a CRL is described in class X509Extensions. A CRL extension (support introduced by the X.509v2 CRL format) may be a defined standard extension (e.g. CRLNumber, ...), or it may be a private extension providing some community-specific information. If an extension is marked as critical, but the CRL handling software cannot parse this extension, the CRL validation must fail. Non-Critical extensions can be ignored, if they cannot be handled (i.e. of unknown state).

For adding some extension to a X509CRL use the addExtension method. The CRL profile presented in RFC 3280 requires confirming CAs to support the CRL number extension conveying a monotonically increasing sequence number for each CRL issued by a given CA through a specific CA X.500 Directory entry or CRL distribution point, e.g.:

 X509CRL crl = new X509CRL();
   ...
 CRLNumber crl_number  = new CRLNumber(BigInteger.valueOf(4234234));
 crl.addExtension(crl_number);
 

A X509Certificate to be revoked may be added by means of the addCertificate(X509Certificate cert, Date revocationDate) method. Alternatively an instance of RevokedCertificate may be added by using the addCertificate(RevokedCertificate revokedCertificate) method. For finally signing the CRL with the CRL issuer's private key, call the sign method.

The X509CRL(byte[]) and X509CRL(InputStream) constructors may be used for parsing an X509CRL from its DER encoding.

See Also:

X509Extensions, V3Extension, UnknownExtension, X509Certificate, RevokedCertificate, X509CRL

Constructor Summary

Constructors

Modifier	Constructor and Description
	X509CRL() Default constructor for creating a new empty X509CRL.
	X509CRL(ASN1Object crl) Creates a CRL from an ASN1Object
	X509CRL(byte[] crl) Creates a CRL form a PEM or DER byte array.
	X509CRL(java.io.InputStream is) Creates a CRL from an input stream supplying a DER or PEM encoded CRL.
protected	X509CRL(X509CRL crl) The copy constructor.

Method Summary

Methods

Modifier and Type	Method and Description
void	addCertificate(RevokedCertificate revokedCert) Adds a revoked certificate to the CRL.
void	addCertificate(X509Certificate cert, java.util.Date revocationDate) Adds a certificate to the CRL to be revoked on the given date.
void	addExtension(V3Extension e) Adds the given X509v2 CRL extension.
RevokedCertificate	containsCertificate(java.math.BigInteger serialNumber) Deprecated. use containsCertificate(X509Certificate) This method is only useful if a direct CRL is being used, an indirect CRL may contain multiple certificate issuers
RevokedCertificate	containsCertificate(X509Certificate cert) Checks, if the CRL contains revocation information for the given X509Certificate.
int	countExtensions() Returns the number of extensions included into this CRL.
void	decode(ASN1Object crl) Creates a CRL from an ASN1Object.
java.util.Set	getCriticalExtensionOIDs() Returns a Set of the OID strings identifying the extension(s) that are marked CRITICAL in this CRL.
byte[]	getEncoded() Returns this CRL as DER encoded ASN.1 data structure.
V3Extension	getExtension(ObjectID oid) Returns a specific extension, identyfied by its object identifier.
byte[]	getExtensionValue(java.lang.String oid) Returns a byte array representing the DER encoding of the extension value identified by the passed-in OID string.
byte[]	getFingerprint() Returns the fingerprint of this CRL.
byte[]	getFingerprint(java.lang.String digestAlgorithm) Returns the fingerprint of this crl calculated with the given hash algorithm.
java.security.Principal	getIssuerDN() Returns the Distinguished Name of the issuer of this CRL, as Principal.
java.util.Date	getNextUpdate() Returns the date of nextUpdate.
java.util.Set	getNonCriticalExtensionOIDs() Returns a Set of the OID strings for the extension(s) marked NON-CRITICAL in this CRL.
java.security.cert.X509CRLEntry	getRevokedCertificate(java.math.BigInteger serialNumber) Deprecated. use getRevokedCertificate(X509Certificate) instead
java.security.cert.X509CRLEntry	getRevokedCertificate(X509Certificate certificate) Searches the CRL for the specified certificate's serial number.
java.util.Set	getRevokedCertificates() Deprecated. This returns a Set, which does not allow duplicates. Therefore, if an indirect CRL is used, a revoked certificate with duplicate data for a different issuer would get overwritten. Use instead
java.lang.String	getSigAlgName() Returns the name of the signature algorithm used by the issuer for signing this CRL.
java.lang.String	getSigAlgOID() Returns the OID of the signature algorithm used by the issuer for signing this CRL.
byte[]	getSigAlgParams() Returns the algorithm parameters associated with the signature algorithm used by the issuer for signing this CRL.
byte[]	getSignature() Returns the signature of this CRL.
AlgorithmID	getSignatureAlgorithm() Returns the signature algorithm of this CRL.
byte[]	getTBSCertList() Returns the TBSCertList inherent to this CRL as DER encoded ASN.1 structure.
java.util.Date	getThisUpdate() Returns the date of thisUpdate.
int	getVersion() Returns the version number of this CRL as int.
boolean	hasExtensions() Checks, if there are any extensions included into this CRL.
boolean	hasUnsupportedCriticalExtension() Returns true if there are unsupported critical extensions.
boolean	isRevoked(java.math.BigInteger serialNumber) Deprecated. use isRevoked(Certificate)
boolean	isRevoked(java.security.cert.Certificate cert) Checks whether the given certificate is on this CRL.
java.util.Enumeration	listCertificates() Deprecated. use listDerEncodedCertificates() where each element represents a DER encoded byte array.
java.util.Enumeration	listDerEncodedCertificates() Returns an enumeration of the revoked certificates this CRL contains.
java.util.Enumeration	listExtensions() Returns an enumeration of all extensions included into this CRL.
void	removeAllCertificates() Removes all certificates from the CRL.
void	removeAllExtensions() Removes all extensions from this CRL.
boolean	removeCertificate(java.math.BigInteger serialNumber) Deprecated. Use method removeCertificate(X509Certificate) instead
boolean	removeCertificate(X509Certificate certificate) Removes the certificate with the given serial number from the CRL.
boolean	removeExtension(ObjectID oid) Removes the extension specified by its object identifier.
void	setIssuerDN(java.security.Principal issuer) Sets the issuer of this CRL.
void	setNextUpdate(java.util.Date nextUpdate) Sets the date of nextUpdate.
void	setSignatureAlgorithm(AlgorithmID signatureAlg) Sets the signature algorithm for signing this CRL.
void	setSignatureAlgorithm(ObjectID signatureAlg) Sets the signature algorithm for signing this CRL.
void	setThisUpdate(java.util.Date thisUpdate) Sets the date of thisUpdate.
void	sign(java.security.PrivateKey privateKey) Signs the CRL with the private key of the issuer.
ASN1Object	toASN1Object() Returns the CRL as an ASN1Object.
byte[]	toByteArray() Returns the CRL as a DER encoded ASN.1 data structure.
java.lang.String	toString() Returns a string that represents the contents of the CRL.
java.lang.String	toString(boolean detailed) Returns a string giving some - if requested - detailed information about the contents of the CRL.
void	verify(java.security.PublicKey key) Verifies a signed CRL using the given public key.
void	verify(java.security.PublicKey key, java.lang.String sigProvider) Uses the given public key to verify this CRL based on a signature algorithm supplied by the specified provider.
void	writeTo(java.io.OutputStream os) Writes the CRL DER encoded to the given output stream.

Methods inherited from class java.security.cert.X509CRL

equals, getIssuerX500Principal, getRevokedCertificate, hashCode

Methods inherited from class java.security.cert.CRL

getType

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, wait, wait, wait

Constructor Detail

X509CRL

public X509CRL()

Default constructor for creating a new empty X509CRL.

Any value may be set using the corrseponding the set<Value> method. The version number per default is set to 1 indicating a Version 1 CRL. When extensions are added, the version field automatically is set to 2.

X509CRL

protected X509CRL(X509CRL crl)

The copy constructor.

This makes a shallow copy of the X.509 CRL; all internal members are copied by reference only. Once this constructor is used, further modifications to this X.509 CRL object or the X.509 CRL object that was copied MUST NOT be made. Doing so will have unpredicatable/unsupported behaviour.

Parameters:

crl - an X.509 CRL

X509CRL

public X509CRL(ASN1Object crl)
        throws CodingException

Creates a CRL from an ASN1Object

Parameters:

crl - The CRL is ASN1Object format

Throws:

java.io.IOException - if the CRL could not be read

java.security.cert.CRLException - if there is a problem when parsing the CRL

CodingException

X509CRL

public X509CRL(java.io.InputStream is)
        throws java.io.IOException,
               java.security.cert.CRLException

Creates a CRL from an input stream supplying a DER or PEM encoded CRL.

This constructor reads a DER or PEM encoded X509CRL that previously may have been written with method writeTo(OutputStream).

For instance:

 InputStream fis = new FileInputStream("crl.der");
 X509CRL crl = new X509CRL(fis);
 fis.close();
 

Parameters:

is - InputStream from which to create the CRL

Throws:

java.io.IOException - if the CRL could not be read

java.security.cert.CRLException - if there is a problem when parsing the CRL

X509CRL

public X509CRL(byte[] crl)
        throws java.security.cert.CRLException

Creates a CRL form a PEM or DER byte array.

This constructor may be used for parsing an already existing X509CRL ASN.1 object, supplied as DER encoded byte array, which may have been created by calling the toByteArray or the getEncoded method.

Parameters:

crl - the byte array which contains the CRL

Throws:

java.security.cert.CRLException - if there is a problem when parsing the CRL

Method Detail

decode

public void decode(ASN1Object crl)
            throws CodingException

Creates a CRL from an ASN1Object.

The given ASN1Object represents an already existing X509CRL which may have been created by calling the toASN1Object method.

Specified by:

decode in interface ASN1Type

Parameters:

crl - the ASN1Object which contains the CRL

Throws:

CodingException - if there is a problem when parsing the CRL

sign

public void sign(java.security.PrivateKey privateKey)
          throws java.security.cert.CRLException,
                 java.security.InvalidKeyException

Signs the CRL with the private key of the issuer.

Parameters:

privateKey - the private key of the issuer

Throws:

java.security.cert.CRLException - if the CRL could not be created

java.security.InvalidKeyException - if the private key is not valid

verify

public void verify(java.security.PublicKey key,
          java.lang.String sigProvider)
            throws java.security.cert.CRLException,
                   java.security.NoSuchAlgorithmException,
                   java.security.InvalidKeyException,
                   java.security.NoSuchProviderException,
                   java.security.SignatureException

Uses the given public key to verify this CRL based on a signature algorithm supplied by the specified provider.

Specified by:

verify in class java.security.cert.X509CRL

Parameters:

key - the public key of the CRL issuer

Throws:

java.security.cert.CRLException - if an encoding error occurs

java.security.NoSuchAlgorithmException - if there is no implementation for the algorithm used to sign this CRL

java.security.InvalidKeyException - if the format of the public key is wrong

java.security.NoSuchProviderException - if there is no default provider

java.security.SignatureException - if the signature does not verify

verify

public void verify(java.security.PublicKey key)
            throws java.security.cert.CRLException,
                   java.security.NoSuchAlgorithmException,
                   java.security.InvalidKeyException,
                   java.security.NoSuchProviderException,
                   java.security.SignatureException

Verifies a signed CRL using the given public key. This method only calls verify(PublicKey key, String sigProvider) setting the provider name to null for relying on the default provider signature architecture.

Specified by:

verify in class java.security.cert.X509CRL

Parameters:

key - the public key of the CRL issuer

Throws:

java.security.cert.CRLException - if an encoding error occurs

java.security.NoSuchAlgorithmException - if there is no implementation for the algorithm used to sign this CRL

java.security.InvalidKeyException - if the format of the public key is wrong

java.security.NoSuchProviderException - if there is no default provider

java.security.SignatureException - if the signature does not verify

isRevoked

public boolean isRevoked(java.math.BigInteger serialNumber)

Deprecated. use isRevoked(Certificate)

Checks if the certificate identified by the given serial number is marked as revoked by this CRL. This method will use the issuer of this CRL as the certificate issuer. Warning: This method should only be used with direct CRL's (CRL's that are issued by the same issuer as the certificate). If this CRL is an indirect CRL, it is possible there could be multiple entries with the same serial number issued for different issuers. Use method isRevoked(Certificate) instead, which will return the revoked certificate for indirect CRL's correctly.

Parameters:

serialNumber - the serial number of the certificate which is checked of being revoked

Returns:

true if the certificate identified by the given serial number is marked as revoked by this CRL, false if not

Throws:

java.lang.IllegalStateException - if the revoked certificate for the given serial number has a bad encoding

java.lang.IllegalStateException - if the CRL is not signed

containsCertificate

public RevokedCertificate containsCertificate(X509Certificate cert)

Checks, if the CRL contains revocation information for the given X509Certificate. This method will return a RevokedCertificate using the issuer of this CRL as the issuer.

Parameters:

serialNumber - the serial number of the certificate

Returns:

null if the CRL doesn't contain a certificate with this serial number, the RevokedCertificate from the CRL otherwise

Throws:

java.lang.IllegalStateException - if the CRL is not signed or the issuer of the CRL is null

java.lang.IllegalArgumentException - if the certificate passed in is null

isRevoked

public boolean isRevoked(java.security.cert.Certificate cert)

Checks whether the given certificate is on this CRL.

Specified by:

isRevoked in class java.security.cert.CRL

Parameters:

cert - the certificate to check for

Returns:

true if the given certificate is on this CRL, false otherwise

Throws:

java.lang.IllegalStateException - if the CRL is not signed or the issuer of the CRL is null

java.lang.IllegalArgumentException - if the certificate passed in is null

containsCertificate

public RevokedCertificate containsCertificate(java.math.BigInteger serialNumber)

Deprecated. use containsCertificate(X509Certificate) This method is only useful if a direct CRL is being used, an indirect CRL may contain multiple certificate issuers

Checks, if the CRL contains a certificate with the given serial number. This method will return a RevokedCertificate using the issuer of this CRL as the certificate issuer. Warning: This method should only be used with direct CRL's (CRL's that are issued by the same issuer as the certificate). If this CRL is an indirect CRL, it is possible there could be multiple entries with the same serial number issued for different issuers. Use method containsCertificate(X509Certificate) instead, which will return the revoked certificate for indirect CRL's correctly.

Parameters:

serialNumber - the serial number of the certificate

Returns:

null if the CRL doesn't contain a certificate with this serial number, the RevokedCertificate from the CRL otherwise

Throws:

java.lang.IllegalStateException - if the revoked certificate for the given serial number has a bad encoding

java.lang.IllegalStateException - if the CRL is not signed

toASN1Object

public ASN1Object toASN1Object()

Returns the CRL as an ASN1Object.

Specified by:

toASN1Object in interface ASN1Type

Returns:

the CRL as ASN1Object

Throws:

java.lang.IllegalStateException - if the CRL is not signed.

toByteArray

public byte[] toByteArray()

Returns the CRL as a DER encoded ASN.1 data structure.

Returns:

the CRL as DER array

Throws:

java.lang.IllegalStateException - if the CRL is not signed.

writeTo

public void writeTo(java.io.OutputStream os)
             throws java.io.IOException

Writes the CRL DER encoded to the given output stream.

Parameters:

os - the output stream to which this CRL shall be written

Throws:

java.io.IOException - if an I/O error occurs

java.lang.IllegalStateException - if the CRL is not signed.

addCertificate

public void addCertificate(X509Certificate cert,
                  java.util.Date revocationDate)

Adds a certificate to the CRL to be revoked on the given date. For instance, add a certificate (read in from a file) to be revoked at the current date:

 GregorianCalendar date = (GregorianCalendar)Calendar.getInstance();
 InputStream fis = new FileInputStream("cert.der");
 X509Certificate cert = new X509Certificate(fis);
 fis.close();
 crl.addCertificate(cert, date.getTime());
 

If the certificate is null or if the revocationDate is null, then an IllegalArgumentException is thrown

Parameters:

cert - the X509Certificate which should be revoked

revocationDate - the revocation date

Throws:

java.lang.IllegalArgumentException - if the passed in certificate is null or the Revocation Date is null

EntrustLogicError - if an error occurred when encoding the Revoked Certificate (it should never happen)

addCertificate

public void addCertificate(RevokedCertificate revokedCert)

Adds a revoked certificate to the CRL. In contrast to addCertificate(X509Certificate cert, Date revocationDate) which adds a X509Certificate, this method adds a RevokedCertificate already including its revocation date, for instance:

 GregorianCalendar date = (GregorianCalendar)Calendar.getInstance();
 InputStream fis = new FileInputStream("cert.der");
 X509Certificate cert = new X509Certificate(fis);
 fis.close();
 RevokedCertificate rev_cert = new RevokedCertificate(cert, date.getTime());
 crl.addCertificate(rev_cert);
 

Parameters:

revokedCert - the RevokedCertificate to add to this CRL

Throws:

java.lang.IllegalStateException - if a problem occurred when trying to read the certificate issuer from the revoked certificate

java.lang.IllegalStateException - if the CRL Entry certificate issuer does not exist and the CRL issuer is null

EntrustLogicError - if an error occurred when encoding the Revoked Certificate (it should never happen)

See Also:

RevokedCertificate

listCertificates

public java.util.Enumeration listCertificates()

Deprecated. use listDerEncodedCertificates() where each element represents a DER encoded byte array.

Returns an enumeration of the revoked certificates this CRL contains. To be backwards compatible with existing code, this method decodes all the elements into a Set of RevokedCertificates. This is very inefficient as it will have to decode all the DER encoded certificates and could cause a large memory expansion if the CRL is a large combined CRL.

Returns:

a list of revoked certificates

Throws:

EntrustLogicError - if an error occurred when decoding the Revoked Certificate

See Also:

#listDerEncodedCertificates()}

listDerEncodedCertificates

public java.util.Enumeration listDerEncodedCertificates()

Returns an enumeration of the revoked certificates this CRL contains. Each element is a DER encoded ASN.1 structure of a RevokedCertificate. This method will use the issuer of this CRL as the certificate issuer if it is a direct CRL. If it is an indirect CRL it will iterate through all the revoked certificates and return them in an Enumeration.

Returns:

a list of DER encoded ASN.1 revoked certificates

Throws:

EntrustLogicError - if a problem occurred getting the IDP extension

java.lang.IllegalStateException - if the CRL does not contain an issuer

removeCertificate

public boolean removeCertificate(java.math.BigInteger serialNumber)

Deprecated. Use method removeCertificate(X509Certificate) instead

Removes the certificate with the given serial number from the CRL. For instance:

crl.removeCertificate(cert.getSerialNumber());

This method will use the issuer of this CRL as the certificate issuer. Warning: This method should only be used with direct CRL's (CRL's that are issued by the same issuer as the certificate). If this CRL is an indirect CRL, it is possible there could be multiple entries with the same serial number issued for different CRL issuers. Use method removeCertificate(X509Certificate) instead, which will return the revoked certificate for indirect CRL's correctly.

Parameters:

serialNumber - the serial number of the certificate which should be removed

Returns:

true if the certificate successfully has been removed false otherwise

removeCertificate

public boolean removeCertificate(X509Certificate certificate)

Removes the certificate with the given serial number from the CRL. For instance:

crl.removeCertificate(cert.getSerialNumber());

This method will use the issuer of this CRL as the certificate issuer.

Parameters:

serialNumber - the serial number of the certificate which should be removed

Returns:

true if the certificate successfully has been removed false otherwise

removeAllCertificates

public void removeAllCertificates()

Removes all certificates from the CRL.

setSignatureAlgorithm

public void setSignatureAlgorithm(AlgorithmID signatureAlg)
                           throws java.security.NoSuchAlgorithmException

Sets the signature algorithm for signing this CRL. The signature algorithm is specified by its AlgorithmID. For instance:

 try {
        crl.setSignatureAlgorithm(AlgorithmID.md5WithRSAEncryption);
 } catch (NoSuchAlgorithmException ex) {
    System.out.println("NoSuchAlgorithmException: " + ex.getMessage());
 }
 

Parameters:

signatureAlg - the AlgorithmID of the signature algorithm to be used for signing

Throws:

java.security.NoSuchAlgorithmException - if there is no implementation for the specified algorithm

java.security.NoSuchAlgorithmException - if the specified AlgorithmID is null

See Also:

AlgorithmID

setSignatureAlgorithm

public void setSignatureAlgorithm(ObjectID signatureAlg)
                           throws java.security.NoSuchAlgorithmException

Sets the signature algorithm for signing this CRL. The signature algorithm is specified by its ObjectID. For instance:

 ObjectID sigAlgID = new ObjectID("1.2.840.113549.1.1.5", "sha1WithRSAEncryption");
 try {
    crl.setSignatureAlgorithm(sigAlgID);
 } catch (NoSuchAlgorithmException ex) {
    System.out.println("NoSuchAlgorithmException: " + ex.getMessage());
 }
 

Parameters:

signatureAlg - the ObjectID of the signature algorithm to be used for signing

Throws:

java.security.NoSuchAlgorithmException - if there is no implementation for the specified algorithm

See Also:

ObjectID

setIssuerDN

public void setIssuerDN(java.security.Principal issuer)
                 throws java.lang.IllegalArgumentException

Sets the issuer of this CRL. The issuer is the identity which signs the CRL. It is specified by its X.500 distinguished name. For instance:

 Name issuer = new Name();
 issuer.addRDN(ObjectID.country, "AT");
 issuer.addRDN(ObjectID.organization ,"TU Graz");
 issuer.addRDN(ObjectID.organizationalUnit ,"IAIK");
 issuer.addRDN(ObjectID.commonName ,"IAIK Test CA");
 crl.setIssuerDN(issuer);
 

Parameters:

issuer - the distinguished name of the issuer of the CRL

Throws:

java.lang.IllegalArgumentException - if the issuer is not an instance of name

See Also:

getIssuerDN()

setThisUpdate

public void setThisUpdate(java.util.Date thisUpdate)

Sets the date of thisUpdate. The thisUpdate time value specifies the date on which the CRL has been issued.

For instance, set ThisUpdate to the current date by writing:

 GregorianCalendar date = (GregorianCalendar)Calendar.getInstance();
 crl.setThisUpdate(date.getTime());
 

The X.509 Certificate and CRL Profile specified in RFC 3280 recommends to encode thisUpdate dates through the year 2049 as UTCTime, and thisUpdate dates in 2050 or later as GeneralizedTime.

Parameters:

thisUpdate - the date when this CRL has been issued

See Also:

getThisUpdate()

setNextUpdate

public void setNextUpdate(java.util.Date nextUpdate)

Sets the date of nextUpdate. The nextUpdate time value specifies the date on which the next CRL will be issued.

If the next update will be done, for instance, next month, you may write:

 GregorianCalendar date = (GregorianCalendar)Calendar.getInstance();
 date.add(Calendar.MONTH, 1);
 crl.setNextUpdate(date.getTime());
 

The X.509 Certificate and CRL Profile specified in RFC 3280 recommends to encode nextUpdate dates through the year 2049 as UTCTime, and nextUpdate dates in 2050 or later as GeneralizedTime.

Parameters:

nextUpdate - when the next CRL will be created

See Also:

getNextUpdate()

getEncoded

public byte[] getEncoded()
                  throws java.security.cert.CRLException

Returns this CRL as DER encoded ASN.1 data structure.

Specified by:

getEncoded in class java.security.cert.X509CRL

Returns:

a byte array representing this CRL as DER encoded ASN.1 data structure

Throws:

java.security.cert.CRLException - if an encoding error occurs

java.lang.IllegalStateException - if the CRL is not signed

getVersion

public int getVersion()

Returns the version number of this CRL as int. The version number may specify a v1 or v2 CRL.

ASN.1 definition:

 Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }

          v3 only appears for consistency reasons
 

Specified by:

getVersion in class java.security.cert.X509CRL

Returns:

version number of this CRL, as int

getSignatureAlgorithm

public AlgorithmID getSignatureAlgorithm()

Returns the signature algorithm of this CRL.

Returns:

the AlgorithmID of the signature algorithm used to sign this CRL

See Also:

AlgorithmID

getIssuerDN

public java.security.Principal getIssuerDN()

Returns the Distinguished Name of the issuer of this CRL, as Principal. A Distinguished Name is used to specify a path within a X.500 directory information tree. A distinguished name is defined as a sequence of relative distinguished names:

 Name ::= CHOICE {     RDNSequence }
 RDNSequence ::= SEQUENCE OF RelativeDistinguishedName

 RelativeDistinguishedName ::=     SET OF AttributeTypeAndValue

 AttributeTypeAndValue ::= SEQUENCE {
    type     AttributeType,
    value    AttributeValue }

 AttributeType ::= OBJECT IDENTIFIER
 AttributeValue ::= ANY
 

The AttributeType generally will be of ASN.1 type DirectoryString which either may be a PrintableString, TeletexString, BMPString, or an UniversalString. A name may consist of, for instance, the following Attribute Type/Value "pairs" defining a path through a X.500 directory tree:

 country: "AT"
 locality: "Graz"
 organization: "TU Graz"
 organizationalUnit: "IAIK"
 commonName: "IAIK TestCA"
 

CAs conforming to RFC 3280 have to ensure to only issue crls having a non-empty distinguished name (DN) in their issuer field. Additional identities about the issuer may be included in the IssuerAltName extension.

Specified by:

getIssuerDN in class java.security.cert.X509CRL

Returns:

the distinguished name of the issuer of the CRL, as Principal

See Also:

setIssuerDN(java.security.Principal)

getThisUpdate

public java.util.Date getThisUpdate()

Returns the date of thisUpdate. The thisUpdate time value specifies the date on which the CRL has been issued.

ASN.1 definition:

 thisUpdate    Time

 Time ::= CHOICE {
   utcTime        UTCTime,
   generalTime    GeneralizedTime }

 

The X.509 Certificate and CRL Profile specified in RFC 3280 recommends to encode thisUpdate dates through the year 2049 as UTCTime, and thisUpdate dates in 2050 or later as GeneralizedTime.

Specified by:

getThisUpdate in class java.security.cert.X509CRL

Returns:

the date when this CRL has been issued

See Also:

setThisUpdate(java.util.Date)

getNextUpdate

public java.util.Date getNextUpdate()

Returns the date of nextUpdate. The nextUpdate time value specifies the date on which the next CRL will be issued.

ASN.1 definition:

 nextUpdate    Time OPTIONAL

 Time ::= CHOICE {
   utcTime        UTCTime,
   generalTime    GeneralizedTime }

 

The PKIX CRL (RFC 3280) profile requires the inclusion of the nextUpdate field in CRLs issued by confroming CAs, although it is marked as OPTIONAL in the ASN.1 definition above.

The X.509 Certificate and CRL Profile specified in RFC 3280 recommends to encode nextUpdate dates through the year 2049 as UTCTime, and nextUpdate dates in 2050 or later as GeneralizedTime.

Specified by:

getNextUpdate in class java.security.cert.X509CRL

Returns:

the date when the next CRL will be issued

See Also:

setNextUpdate(java.util.Date)

getRevokedCertificate

public java.security.cert.X509CRLEntry getRevokedCertificate(java.math.BigInteger serialNumber)

Deprecated. use getRevokedCertificate(X509Certificate) instead

Searches the CRL for the specified serial number and returns the appertaining revoked certificate, if included into this CRL. This method will return an X509CRLEntry using the issuer of this CRL as the certificate issuer. Warning: This method should only be used with direct CRL's (CRL's that are issued by the same issuer as the certificate). If this CRL is an indirect CRL, it is possible there could be multiple entries with the same serial number issued for different issuers. Use method X509CRL.getRevokedCertificate(java.security.cert.X509Certificate) instead, which will return the revoked certificate for indirect CRL's correctly.

Specified by:

getRevokedCertificate in class java.security.cert.X509CRL

Parameters:

serialNumber - the serial number to be searched for

Returns:

the RevokedCertificate belonging to the given serial number, if included into this CRL; null otherwise

Throws:

java.lang.IllegalStateException - if the revoked certificate for the given serial number has a bad encoding

java.lang.IllegalStateException - if the CRL is not signed

getRevokedCertificate

public java.security.cert.X509CRLEntry getRevokedCertificate(X509Certificate certificate)
                                                      throws java.security.cert.CRLException

Searches the CRL for the specified certificate's serial number. This implementation support indirect CRLs (Certificates issued by a certificate other than the certificate issuer). It also supports Direct CRLs.

Parameters:

certificate - Will search the CRL using the certificate issuer and serial number of the certificate.

Returns:

the RevokedCertificate belonging to the given certificate, if included into this CRL; null otherwise

Throws:

java.lang.IllegalStateException - if the CRL is not signed or the issuer of the CRL is null

java.lang.IllegalArgumentException - if the certificate passed in is null

java.security.cert.CRLException

getRevokedCertificates

public java.util.Set getRevokedCertificates()

Deprecated. This returns a Set, which does not allow duplicates. Therefore, if an indirect CRL is used, a revoked certificate with duplicate data for a different issuer would get overwritten. Use instead

Returns a set containing all the revoked certificates included into this CRL. Note: When a very large combined CRL is used, this method will cause the Memory usage of the system to grow very large because each RevokedCertificate stored in the CRL is decoded into a RevokedCertificate object and stored in memory.

Specified by:

getRevokedCertificates in class java.security.cert.X509CRL

Returns:

a Set of RevokedCertificate objects representing the certificates revoked by this CRL, or null if there are no certificates revoked by this CRL

Throws:

EntrustLogicError - if an error occurred when decoding the Revoked Certificate

getTBSCertList

public byte[] getTBSCertList()
                      throws java.security.cert.CRLException

Returns the TBSCertList inherent to this CRL as DER encoded ASN.1 structure. The TBSCertList specifies the (distinguished) name of the issuer, the issue date of the CRL, the date when the next CRL will be issued, and optionally lists of revoked certificates (identified by their serial numbers) and CRL extensions. The list of revoked certificates is classified as being optional, since a CA may not have revoked any issued certificate when publishing a CRL:

 TBSCertList  ::=  SEQUENCE  {
   version                 Version OPTIONAL,
                                -- if present, must be v2
   signature               AlgorithmIdentifier,
   issuer                  Name,
   thisUpdate              Time,
   nextUpdate              Time OPTIONAL,
   revokedCertificates     SEQUENCE OF SEQUENCE  {
      userCertificate         CertificateSerialNumber,
      revocationDate          Time,
      crlEntryExtensions      Extensions OPTIONAL
                                     -- if present, must be v2
   }  OPTIONAL,
   crlExtensions           [0]  EXPLICIT Extensions OPTIONAL
                                     -- if present, must be v2
 }
 

where:

 Version  ::=  INTEGER  {  v1(0), v2(1), v3(2) }
           -- v3 does not apply to CRLs but appears for consistency
           -- with definition of Version for certs
 

 AlgorithmIdentifier  ::=  SEQUENCE  {
   algorithm               OBJECT IDENTIFIER,
   parameters              ANY DEFINED BY algorithm OPTIONAL  }
                              -- contains a value of the type
                              -- registered for use with the
                              -- algorithm object identifier value
 

 Name ::= CHOICE {     RDNSequence }
 

 RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
 

 RelativeDistinguishedName ::=     SET OF AttributeTypeAndValue
 

 AttributeTypeAndValue ::= SEQUENCE {
   type     AttributeType,
   value    AttributeValue }
 

 AttributeType ::= OBJECT IDENTIFIER
 

 AttributeValue ::= ANY   -- Directory string type --
 

 DirectoryString ::= CHOICE {
    teletexString           TeletexString (SIZE (1..maxSize),
    printableString         PrintableString (SIZE (1..maxSize)),
    universalString         UniversalString (SIZE (1..maxSize)),
    bmpString               BMPString (SIZE(1..maxSIZE))
 }
 

 Time ::= CHOICE {
   utcTime        UTCTime,
   generalTime    GeneralizedTime }
 

 CertificateSerialNumber  ::=  INTEGER
 

 Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension
 

 Extension  ::=  SEQUENCE  {
   extnID      OBJECT IDENTIFIER,
   critical    BOOLEAN DEFAULT FALSE,
   extnValue   OCTET STRING  }

 

The CRL issuing CA computes the digital signature upon the ASN.1 DER encoded TBSCertList structure.

Specified by:

getTBSCertList in class java.security.cert.X509CRL

Returns:

a byte array representing the DER encoded ASN.1 TBSCertList structure inherent to this CRL

Throws:

java.security.cert.CRLException - if an error occurs when parsing the CRL

getSignature

public byte[] getSignature()

Returns the signature of this CRL. The signature is defined as an ASN.1 BIT STRING structure. This method returns the inherent signature value as byte array.

Specified by:

getSignature in class java.security.cert.X509CRL

Returns:

the signature value as byte array

Throws:

RunTimeExcepton - if a problem occurred when getting the signature value

getSigAlgName

public java.lang.String getSigAlgName()

Returns the name of the signature algorithm used by the issuer for signing this CRL.

Specified by:

getSigAlgName in class java.security.cert.X509CRL

Returns:

the name of the signature algorithm, e.g. "md5WithRSAEncryption"

getSigAlgOID

public java.lang.String getSigAlgOID()

Returns the OID of the signature algorithm used by the issuer for signing this CRL. An object identifier consists of a sequence of integer components and is used for identifying, e.g. the signature algorithm used for this certificate. This method returns the OID in String representation, e.g. "1.2.840.113549.1.1.4"

Specified by:

getSigAlgOID in class java.security.cert.X509CRL

Returns:

the OID of the signature algorithm as String representation

See Also:

ObjectID, AlgorithmID

getSigAlgParams

public byte[] getSigAlgParams()

Returns the algorithm parameters associated with the signature algorithm used by the issuer for signing this CRL. The parameters are returned as DER encoded ASN.1 data structure.

Specified by:

getSigAlgParams in class java.security.cert.X509CRL

Returns:

the signature algorithm parameters as DER encoded ASN.1 data structure, or null if there are no parameters used

Throws:

java.lang.RuntimeException - if a problem occurs when retrieving the algorithm parameters

getCriticalExtensionOIDs

public java.util.Set getCriticalExtensionOIDs()

Returns a Set of the OID strings identifying the extension(s) that are marked CRITICAL in this CRL. Extensions can be marked as being critical. If the CRL handling software cannot parse such an extension, the appertaining certificate has to be rejected. Non-Critical extensions can be ignored, if they cannot be handled (i.e. of unknown state).

Specified by:

getCriticalExtensionOIDs in interface java.security.cert.X509Extension

Returns:

a Set (or an empty Set if none are marked critical) of the extension OID strings for extensions that are marked critical. If there are no extensions present at all, then this method returns null

See Also:

getNonCriticalExtensionOIDs()

getNonCriticalExtensionOIDs

public java.util.Set getNonCriticalExtensionOIDs()

Returns a Set of the OID strings for the extension(s) marked NON-CRITICAL in this CRL.

Specified by:

getNonCriticalExtensionOIDs in interface java.security.cert.X509Extension

Returns:

a Set (or an empty Set if none are marked non-critical) of the extension OID strings for extensions that are marked non-critical. If there are no extensions present at all, then this method returns null.

See Also:

getCriticalExtensionOIDs()

getExtensionValue

public byte[] getExtensionValue(java.lang.String oid)

Returns a byte array representing the DER encoding of the extension value identified by the passed-in OID string.

The oid string is represented by a set of positive whole numbers separated by periods, e.g. "2.5.29.20" for the CrlNumber extension.

In ASN.1, the Extensions field is defined as a SEQUENCE of Extension:

 Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension

 Extension  ::=  SEQUENCE  {
   extnID      OBJECT IDENTIFIER,
   critical    BOOLEAN DEFAULT FALSE,
   extnValue   OCTET STRING  }
 

where critical specifies whether an extension has to be treated as being critical or not; the default value is FALSE. An extension can be identified by its object identifier, given in the extnID field. The value of the extension is represented as ASN.1 OCTET STRING data structure in the extnValue field.

Attention! The byte value returned by this method does not represent the DER encoding of the extnValue (OCTET_STRING) from above; rather it represents the DER encoding of the specific extension's ASN.1 representation itsself. So, for example, when asking for a ReasonCode extension, the DER encoding of the corresponding ASN.1 Enumerated value will be returned:

 CRLReason ::= ENUMERATED {
    unspecified             (0),
    keyCompromise           (1),
    cACompromise            (2),
    affiliationChanged      (3),
    superseded              (4),
    cessationOfOperation    (5),
    certificateHold         (6),
    removeFromCRL           (8) }
 

Specified by:

getExtensionValue in interface java.security.cert.X509Extension

Parameters:

oid - the Object Identifier value of the extension to be queried for

Returns:

the DER encoded ASN.1 representation of the extension value or null if it is not present

addExtension

public void addExtension(V3Extension e)
                  throws X509ExtensionException

Adds the given X509v2 CRL extension.

The extension to be added shall be an implemented V3Extension. Extensions are managed by the X509Extensions class which maintaines two hashtables, one for recording critical extensions, and the other for non-critical extensions. This method only calls the addExtension method of the X509Extensions class for putting the given extension into the proper hashtable. Note that only the DER encoded extension value is written to the hashtable using the OID of the extension as key. If an extension with the same object ID already exists, it is replaced.

For instance:

 X509CRL crl = new X509CRL();
   ...
 CRLNumber crl_number  = new CRLNumber(BigInteger.valueOf(4234234));
 crl.addExtension(crl_number);
 

For reading back some extension from one of the hashtables, use the getExtension(ObjectID) method. Only at this time actually the appropriate implementation class is created and initialized through the DER encoded extension value derived from the corresponding hashtable.

Parameters:

e - the X509v2 CRL extension to add to the list of extensions

Throws:

X509ExtensionException - if an error occurs while DER encoding the extension

See Also:

V3Extension

removeExtension

public boolean removeExtension(ObjectID oid)

Removes the extension specified by its object identifier.

Parameters:

objectID - the object ID of the extension to remove

Returns:

true if the extension successfully has been removed false otherwise

removeAllExtensions

public void removeAllExtensions()

Removes all extensions from this CRL.

listExtensions

public java.util.Enumeration listExtensions()

Returns an enumeration of all extensions included into this CRL.

The returned enumeration may contain unknown extensions (instances of UnknownExtension if there are any extensions included in this certificate, for which there exists no registered implementation, and it may contain error extensions (instances of ErrorExtension) indicating extensions which cannot be parsed properly because of some kind of error.

Notice that this method only calls the listExtensions method of the X509Extensions class for actually instantiating implementations for the included extensions and initializing them with the appertaining extension values previously written to proper hashtables. If any extension cannot be parsed properly, an ErrorExtension is created from it and written to the enumeration list returned by this method.

Returns:

an enumeration of the extensions, or null if there are no extensions present at all

hasExtensions

public boolean hasExtensions()

Checks, if there are any extensions included into this CRL.

Returns:

true if there are extensions, false if not

hasUnsupportedCriticalExtension

public boolean hasUnsupportedCriticalExtension()

Returns true if there are unsupported critical extensions.

Specified by:

hasUnsupportedCriticalExtension in interface java.security.cert.X509Extension

Returns:

true, if there are unsupported critical extensions

countExtensions

public int countExtensions()

Returns the number of extensions included into this CRL.

Returns:

the number of extensions

getExtension

public V3Extension getExtension(ObjectID oid)
                         throws X509ExtensionInitException

Returns a specific extension, identyfied by its object identifier.

This method only calls the getExtension method of the X509Extensions class for actually instantiating an implementation for the requested extension and initializing it with the appertaining extension value previously written to a proper hashtable. If the extension cannot be initialized for some reason, an X509ExtensionInitException is thrown. If the requested extension is an unknown extension, which is not supported by a registered implementation, this method creates and returns an UnknownExtension which may be queried for obtaining as much information as possible about the unknown extension.

Parameters:

objectID - the object ID of the extension

Returns:

the desired extension or null if the requested extension is not present

Throws:

X509ExtensionInitException - if the extension can not be initialized

See Also:

X509Extensions.getExtension(iaik.asn1.ObjectID)

getFingerprint

public byte[] getFingerprint()

Returns the fingerprint of this CRL. This is a MD5 hash of the DER encoded CRL.

Returns:

the fingerprint of the CRL

Throws:

java.lang.IllegalStateException - if the CRL is not signed

getFingerprint

public byte[] getFingerprint(java.lang.String digestAlgorithm)
                      throws java.security.NoSuchAlgorithmException

Returns the fingerprint of this crl calculated with the given hash algorithm.

Parameters:

digestAlgorithm - the digest algorithm to be used

Returns:

the fingerprint of the crl

Throws:

java.security.NoSuchAlgorithmException - if the requested algorithm is not supported

java.lang.IllegalStateException - if the CRL is not signed

toString

public java.lang.String toString()

Returns a string that represents the contents of the CRL.

Specified by:

toString in class java.security.cert.CRL

Returns:

the string representation

toString

public java.lang.String toString(boolean detailed)

Returns a string giving some - if requested - detailed information about the contents of the CRL.

Parameters:

detailed - whether or not to give detailed information about the CRL.

Returns:

the string representation