iaik.x509
Class X509CRL

java.lang.Object
  |
  +--java.security.cert.CRL
        |
        +--java.security.cert.X509CRL
              |
              +--iaik.x509.X509CRL
All Implemented Interfaces:
ASN1Type, X509Extension

public class X509CRL
extends X509CRL
implements ASN1Type

This class represents an X.509v2 CertificateRevocationList (CRL).

A Certificate Revocation List (CRL) denotes a list of certificates that have been invalidated for some reason (e.g. the name of the subject has changed, the private key can no longer be assumed to be known only to the subject, ...) prior to the regular end of their validity period. A CRL is maintained by a certification authority (CA), which makes it publicly available and refreshes it at regular intervals. Each revoked certificate included in a revocation list is identified by its serial number. The revocation list is signed by the maintaining CA.

A profile for X.509v2 revocation lists is presented together with the X.509v3 certificate format in RFC 2459, where a CRL is defined as an ASN.1 SEQUENCE structure containing the following components:

 CertificateList  ::=  SEQUENCE  {
   tbsCertList          TBSCertList,
   signatureAlgorithm   AlgorithmIdentifier,
   signatureValue            BIT STRING  }
 

where signatureAlgorithm identifies the signature algorithm used by the signing certification authority for computing the digital signature over the ASN.1 DER encoded TBSCertList structure, which itself is an ASN.1 SEQUENCE structure specifying the (distinguished) name of the issuer, the issue date of the CRL, the date when the next CRL will be issued, and optionally lists of revoked certificates (identified by their serial numbers) and CRL extensions. The list of revoked certificates is classified as optional since a CA may not have revoked any issued certificate when publishing a CRL.

ASN.1 definition:

 TBSCertList  ::=  SEQUENCE  {
   version                 Version OPTIONAL,
                                -- if present, must be v2
   signature               AlgorithmIdentifier,
   issuer                  Name,
   thisUpdate              Time,
   nextUpdate              Time OPTIONAL,
   revokedCertificates     SEQUENCE OF SEQUENCE  {
      userCertificate         CertificateSerialNumber,
      revocationDate          Time,
      crlEntryExtensions      Extensions OPTIONAL
                                     -- if present, must be v2
   }  OPTIONAL,
   crlExtensions           [0]  EXPLICIT Extensions OPTIONAL
                                     -- if present, must be v2
 }
 

where:

 Version  ::=  INTEGER  {  v1(0), v2(1), v3(2) }
           -- v3 does not apply to CRLs but appears for consistency
           -- with definition of Version for certs
 
 AlgorithmIdentifier  ::=  SEQUENCE  {
   algorithm               OBJECT IDENTIFIER,
   parameters              ANY DEFINED BY algorithm OPTIONAL  }
                              -- contains a value of the type
                              -- registered for use with the
                              -- algorithm object identifier value

 Name ::= CHOICE { RDNSequence }
 RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
 RelativeDistinguishedName ::= SET OF AttributeTypeAndValue

 AttributeTypeAndValue ::= SEQUENCE {
   type     AttributeType,
   value    AttributeValue }

 AttributeType ::= OBJECT IDENTIFIER
 AttributeValue ::= ANY -- Directory string type --

 DirectoryString ::= CHOICE {
   teletexString     TeletexString (SIZE (1..maxSize)),
   printableString   PrintableString (SIZE (1..maxSize)),
   universalString   UniversalString (SIZE (1..maxSize)),
   bmpString         BMPString (SIZE (1..maxSize)) }

 Time ::= CHOICE {
   utcTime        UTCTime,
   generalTime    GeneralizedTime }

 CertificateSerialNumber ::= INTEGER

 Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension

 Extension ::= SEQUENCE {
   extnID      OBJECT IDENTIFIER,
   critical    BOOLEAN DEFAULT FALSE,
   extnValue   OCTET STRING }

For a detailed description of the individual fields refer to RFC 2459.

Each value has a corresponding set<Value>() and get<Value>() method. After creating an X509CRL, the CRL issuing date, for instance, may be set to the current date using the setThisUpdate method:

 X509CRL crl = new X509CRL();
 GregorianCalendar date = (GregorianCalendar)Calendar.getInstance();
 crl.setThisUpdate(date.getTime());
 

Manipulating the extensions of a CRL is described in class X509Extensions. A CRL extension (support introduced by the X.509v2 CRL format) may be a defined standard extension (e.g. CRLNumber, ...), or it may be a private extension providing some community-specific information. If an extension is marked as critical but the CRL handling software cannot parse it, the CRL validation must fail. Non-critical extensions that cannot be handled (i.e. whose state is unknown) may be ignored.

To add an extension to an X509CRL, use the addExtension method. The CRL profile presented in RFC 2459 requires conforming CAs to support the CRL number extension, which conveys a monotonically increasing sequence number for each CRL issued by a given CA through a specific CA X.500 Directory entry or CRL distribution point, e.g.:

 X509CRL crl = new X509CRL();
   ...
 CRLNumber crl_number  = new CRLNumber(BigInteger.valueOf(4234234));
 crl.addExtension(crl_number);
 

An X509Certificate to be revoked may be added by means of the addCertificate(X509Certificate cert, Date revocationDate) method. Alternatively, an instance of RevokedCertificate may be added using the addCertificate(RevokedCertificate revokedCertificate) method. Finally, to sign the CRL with the CRL issuer's private key, call the sign method.

The X509CRL(byte[]) and X509CRL(InputStream) constructors may be used for parsing an X509CRL from its DER encoding.

This class supports indirect CRLs, i.e. revocation of certificates whose issuer differs from the CRL issuer. Some caveats apply, though. Firstly, the methods isRevoked(BigInteger) and containsCertificate(BigInteger) implicitly assume the CRL issuer to be the certificate issuer. Secondly, when an indirect CRL is encoded, the certificate issuer CRL entry extension is automatically added to the entries where it is needed. However, the issuing distribution point CRL extension, which is also required for indirect CRLs, has to be added manually.
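The issuing steps described above strung together, as an added example that is not part of the IAIK documentation: it builds a v2 CRL carrying a CRL number, revokes the given certificates as of the issue date, signs it and writes the DER encoding. The package names of Name, ObjectID, AlgorithmID and CRLNumber are assumed from the IAIK-JCE layout, and the caller supplies the CA private key and the certificates to revoke.

```java
import iaik.asn1.ObjectID;                 // package assumed
import iaik.asn1.structures.AlgorithmID;   // package assumed
import iaik.asn1.structures.Name;          // package assumed
import iaik.x509.X509CRL;
import iaik.x509.X509Certificate;
import iaik.x509.extensions.CRLNumber;     // package assumed

import java.io.FileOutputStream;
import java.io.OutputStream;
import java.math.BigInteger;
import java.security.PrivateKey;
import java.util.Calendar;
import java.util.Date;
import java.util.GregorianCalendar;

public class CrlIssuer {

    /** Builds the issuer DN the same way the setIssuerDN example on this page does. */
    public static Name issuerName() {
        Name issuer = new Name();
        issuer.addRDN(ObjectID.country, "AT");
        issuer.addRDN(ObjectID.organization, "TU Graz");
        issuer.addRDN(ObjectID.organizationalUnit, "IAIK");
        issuer.addRDN(ObjectID.commonName, "IAIK Test CA");
        return issuer;
    }

    /**
     * Issues a signed CRL. crlNumber must be larger than the number carried by the
     * previously issued CRL of this CA; keeping that counter is the caller's job.
     */
    public static X509CRL issue(PrivateKey caKey, BigInteger crlNumber,
                                X509Certificate[] toRevoke, int validDays) throws Exception {
        X509CRL crl = new X509CRL();            // version 1 until an extension is added
        crl.setIssuerDN(issuerName());

        GregorianCalendar now = (GregorianCalendar) Calendar.getInstance();
        Date thisUpdate = now.getTime();
        crl.setThisUpdate(thisUpdate);

        // RFC 2459 requires nextUpdate; relying parties treat a CRL past it as stale.
        GregorianCalendar next = (GregorianCalendar) now.clone();
        next.add(Calendar.DAY_OF_MONTH, validDays);
        crl.setNextUpdate(next.getTime());

        // Every listed certificate is revoked as of this issue date.
        for (X509Certificate cert : toRevoke) {
            crl.addCertificate(cert, thisUpdate);
        }

        // Adding the extension switches the version field to v2 automatically.
        crl.addExtension(new CRLNumber(crlNumber));

        // Algorithm taken from the setSignature example on this page; pick the one your policy allows.
        crl.setSignatureAlgorithm(AlgorithmID.sha1WithRSAEncryption);
        crl.sign(caKey);                        // signature over the DER encoded TBSCertList
        return crl;
    }

    /** Writes the DER encoding, e.g. for publication at the CRL distribution point. */
    public static void publish(X509CRL crl, String path) throws Exception {
        OutputStream os = new FileOutputStream(path);
        try {
            crl.writeTo(os);
        } finally {
            os.close();
        }
    }
}
```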

Version:
File Revision 48
See Also:
X509Extensions, V3Extension, UnknownExtension, X509Certificate, RevokedCertificate, X509CRL

Constructor Summary
X509CRL()
          Default constructor for creating a new empty X509CRL.
X509CRL(byte[] crl)
          Creates a CRL from a PEM or DER byte array.
X509CRL(InputStream is)
          Creates a CRL from an input stream supplying a DER or PEM encoded CRL.
 
Method Summary
 void addCertificate(RevokedCertificate revokedCert)
          Adds a revoked certificate to the CRL.
 void addCertificate(X509Certificate cert, Date revocationDate)
          Adds a certificate to the CRL to be revoked on the given date.
 void addExtension(V3Extension e)
          Adds the given X509v2 CRL extension.
 RevokedCertificate containsCertificate(BigInteger serialNumber)
          Checks if the CRL contains a certificate with the given serial number.
 RevokedCertificate containsCertificate(X509Certificate cert)
          Checks if the CRL contains the given certificate.
 int countExtensions()
          Returns the number of extensions included in this CRL.
 void decode(ASN1Object crl)
          Creates a CRL from an ASN1Object.
 Set getCriticalExtensionOIDs()
          Returns a Set of the OID strings identifying the extension(s) that are marked CRITICAL in this CRL.
 byte[] getEncoded()
          Returns this CRL as DER encoded ASN.1 data structure.
 V3Extension getExtension(ObjectID oid)
          Returns a specific extension, identified by its object identifier.
 byte[] getExtensionValue(String oid)
          Returns a byte array representing the DER encoding of the extension value identified by the passed-in OID string.
 byte[] getFingerprint()
          Returns the fingerprint of this CRL.
 byte[] getFingerprint(String digestAlgorithm)
          Returns the fingerprint of this CRL calculated with the given hash algorithm.
 byte[] getFingerprintSHA()
          Get the SHA fingerprint of this CRL.
 Principal getIssuerDN()
          Returns the Distinguished Name of the issuer of this CRL, as Principal.
 Enumeration getIssuerDNs()
          Return the names of all issuers of this CRL.
 Date getNextUpdate()
          Returns the date of nextUpdate.
 Set getNonCriticalExtensionOIDs()
          Returns a Set of the OID strings for the extension(s) marked NON-CRITICAL in this CRL.
 X509CRLEntry getRevokedCertificate(BigInteger serialNumber)
          Searches the CRL for the specified serial number and returns the appertaining revoked certificate, if included in this CRL.
 Set getRevokedCertificates()
          Returns a set containing all the revoked certificates included in this CRL.
 String getSigAlgName()
          Returns the name of the signature algorithm used by the issuer for signing this CRL.
 String getSigAlgOID()
          Returns the OID of the signature algorithm used by the issuer for signing this CRL.
 byte[] getSigAlgParams()
          Returns the algorithm parameters associated with the signature algorithm used by the issuer for signing this CRL.
 byte[] getSignature()
          Returns the signature of this CRL.
 AlgorithmID getSignatureAlgorithm()
          Returns the signature algorithm of this CRL.
 byte[] getTBSCertList()
          Returns the TBSCertList inherent to this CRL as DER encoded ASN.1 structure.
 Date getThisUpdate()
          Returns the date of thisUpdate.
 int getVersion()
          Returns the version number of this CRL as int.
 boolean hasExtensions()
          Checks if there are any extensions included in this CRL.
 boolean hasUnsupportedCriticalExtension()
          Returns true if there are unsupported critical extensions.
 boolean isIndirectCRL()
          Return whether this CRL is an indirect CRL.
 boolean isRevoked(BigInteger serialNumber)
          Checks if the certificate identified by the given serial number is marked as revoked by this CRL.
 boolean isRevoked(Certificate cert)
          Checks whether the given certificate is on this CRL.
 Enumeration listCertificates()
          Returns an enumeration of the revoked certificates this CRL contains.
 Enumeration listExtensions()
          Returns an enumeration of all extensions included in this CRL.
 void removeAllCertificates()
          Removes all certificates from the CRL.
 void removeAllExtensions()
          Removes all extensions from this CRL.
 boolean removeCertificate(BigInteger serialNumber)
          Removes the certificate with the given serial number from the CRL.
 boolean removeCertificate(X509Certificate cert)
          Removes the certificate from the CRL.
 boolean removeExtension(ObjectID oid)
          Removes the extension specified by its object identifier.
 void setIssuerDN(Principal issuer)
          Sets the issuer of this CRL.
 void setNextUpdate(Date nextUpdate)
          Sets the date of nextUpdate.
 void setSignature(byte[] signatureValue)
          Sets the signature value of this CRL.
 void setSignatureAlgorithm(AlgorithmID signatureAlg)
          Sets the signature algorithm for signing this CRL.
 void setSignatureAlgorithm(ObjectID signatureAlg)
          Deprecated. Use setSignatureAlgorithm(AlgorithmID) instead.
 void setThisUpdate(Date thisUpdate)
          Sets the date of thisUpdate.
 void sign(PrivateKey privateKey)
          Signs the CRL with the private key of the issuer.
 void sign(PrivateKey privateKey, String provider)
          Signs the CRL with the private key of the issuer.
 ASN1Object toASN1Object()
          Returns the CRL as an ASN1Object.
 byte[] toByteArray()
          Returns the CRL as a DER encoded ASN.1 data structure.
 String toString()
          Returns a string that represents the contents of the CRL.
 String toString(boolean detailed)
          Returns a string describing the contents of the CRL, in detail if requested.
 void verify(PublicKey key)
          Verifies a signed CRL using the given public key.
 void verify(PublicKey key, String sigProvider)
          Uses the given public key to verify this CRL based on a signature algorithm supplied by the specified provider.
 void writeTo(OutputStream os)
          Writes the CRL DER encoded to the given output stream.
 
Methods inherited from class java.security.cert.X509CRL
equals, hashCode
 
Methods inherited from class java.security.cert.CRL
getType
 
Methods inherited from class java.lang.Object
clone, finalize, getClass, notify, notifyAll, wait, wait, wait
 

Constructor Detail

X509CRL

public X509CRL()
Default constructor for creating a new empty X509CRL.

Any value may be set using the corresponding set<Value> method. By default the version number is set to 1, indicating a version 1 CRL. When extensions are added, the version field is automatically set to 2.


X509CRL

public X509CRL(InputStream is)
        throws IOException,
               CRLException
Creates a CRL from an input stream supplying a DER or PEM encoded CRL.

This constructor reads a DER or PEM encoded X509CRL that previously may have been written with method writeTo(OutputStream).

For instance:

 InputStream fis = new FileInputStream("crl.der");
 X509CRL crl = new X509CRL(fis);
 fis.close();
 

Parameters:
is - InputStream from which to create the CRL
Throws:
IOException - if the CRL could not be read
CRLException - if there is a problem when parsing the CRL

X509CRL

public X509CRL(byte[] crl)
        throws CRLException
Creates a CRL from a PEM or DER byte array.

This constructor may be used for parsing an already existing X509CRL ASN.1 object, supplied as a DER encoded byte array, which may have been created by calling the toByteArray or the getEncoded method.

Parameters:
crl - the byte array which contains the CRL
Throws:
CRLException - if there is a problem when parsing the CRL
Method Detail

decode

public void decode(ASN1Object crl)
            throws CodingException
Creates a CRL from an ASN1Object.

The given ASN1Object represents an already existing X509CRL which may have been created by calling the toASN1Object method.

Specified by:
decode in interface ASN1Type
Parameters:
crl - the ASN1Object which contains the CRL
Throws:
CodingException - if there is a problem when parsing the CRL

isIndirectCRL

public boolean isIndirectCRL()
Return whether this CRL is an indirect CRL.

sign

public void sign(PrivateKey privateKey)
          throws CRLException,
                 InvalidKeyException,
                 NoSuchAlgorithmException
Signs the CRL with the private key of the issuer.
Parameters:
privateKey - the private key of the issuer
Throws:
CRLException - if the CRL could not be created
InvalidKeyException - if the private key is not valid

sign

public void sign(PrivateKey privateKey,
                 String provider)
          throws CRLException,
                 InvalidKeyException,
                 NoSuchAlgorithmException
Signs the CRL with the private key of the issuer.
Parameters:
privateKey - the private key of the issuer
provider - the name of the provider supplying the Signature engine to be used
Throws:
CRLException - if the CRL could not be created
InvalidKeyException - if the private key is not valid

setSignature

public void setSignature(byte[] signatureValue)
                  throws CRLException
Sets the signature value of this CRL.

This method provides an alternative to method sign when it is required to set the signature value from outside (e.g. calculated by means of a smartcard):

 X509CRL crl = ...;
 ...
 // set issuer, revoked certificates, ...
 ...
 // set the signature algorithm to be used for signing
 crl.setSignatureAlgorithm(AlgorithmID.sha1WithRSAEncryption);
 // get the to-be-signed value
 byte[] tbs = crl.getTBSCertList();
 // now calculate the signature over the tbs cert list
 byte[] signatureValue = calculateSignature(tbs);
 // and set the signatureValue
 crl.setSignature(signatureValue);
 // encode the crl
 byte[] encodedCrl = crl.getEncoded();
 
Parameters:
signatureValue - the signature calculated outside
Throws:
CRLException - if the CRL could not be created

verify

public void verify(PublicKey key,
                   String sigProvider)
            throws CRLException,
                   NoSuchAlgorithmException,
                   InvalidKeyException,
                   NoSuchProviderException,
                   SignatureException
Uses the given public key to verify this CRL based on a signature algorithm supplied by the specified provider.
Overrides:
verify in class X509CRL
Parameters:
key - the public key of the CRL issuer
Throws:
CRLException - if an encoding error occurs
NoSuchAlgorithmException - if there is no implementation for the algorithm used to sign this CRL
InvalidKeyException - if the format of the public key is wrong
NoSuchProviderException - if there is no default provider
SignatureException - if the signature does not verify

verify

public void verify(PublicKey key)
            throws CRLException,
                   NoSuchAlgorithmException,
                   InvalidKeyException,
                   NoSuchProviderException,
                   SignatureException
Verifies a signed CRL using the given public key. This method only calls verify(PublicKey key, String sigProvider) with the provider name set to null, relying on the default provider architecture.
Overrides:
verify in class X509CRL
Parameters:
key - the public key of the CRL issuer
Throws:
CRLException - if an encoding error occurs
NoSuchAlgorithmException - if there is no implementation for the algorithm used to sign this CRL
InvalidKeyException - if the format of the public key is wrong
NoSuchProviderException - if there is no default provider
SignatureException - if the signature does not verify
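A relying-party check built on verify and the other accessors of this class, as an added example that is not part of the IAIK documentation: it accepts a revocation answer only after the CRL's signature, issuer name, critical extensions and freshness window have been checked, in that order. It assumes the caller knows the expected issuer's public key and name, and that the issuer Principal's equals compares distinguished names.

```java
import iaik.x509.X509CRL;
import iaik.x509.X509Certificate;

import java.security.Principal;
import java.security.PublicKey;
import java.security.SignatureException;
import java.util.Date;

public class CrlChecker {

    /** Outcome of a revocation check; every CRL_* value means "no usable answer". */
    public enum Status {
        GOOD, REVOKED, CRL_BAD_SIGNATURE, CRL_WRONG_ISSUER,
        CRL_UNSUPPORTED_CRITICAL_EXTENSION, CRL_NOT_YET_VALID, CRL_STALE
    }

    /**
     * Checks cert against a DER or PEM encoded CRL. issuerKey and issuerName belong
     * to the CA expected to have issued the CRL; now is the evaluation time.
     * Exceptions other than a failed signature (unknown algorithm, wrong key format,
     * parse errors) propagate and must be treated by the caller as failure as well.
     */
    public static Status check(byte[] encodedCrl, PublicKey issuerKey, Principal issuerName,
                               X509Certificate cert, Date now) throws Exception {
        X509CRL crl = new X509CRL(encodedCrl);

        // 1. Signature first: an unverified CRL must not influence the decision at all.
        try {
            crl.verify(issuerKey);
        } catch (SignatureException e) {
            return Status.CRL_BAD_SIGNATURE;
        }

        // 2. Bind the CRL to the expected issuer name, not only to the key
        //    (assumes the Principal's equals compares distinguished names).
        if (!crl.getIssuerDN().equals(issuerName)) {
            return Status.CRL_WRONG_ISSUER;
        }

        // 3. A critical extension the software cannot handle makes validation fail.
        if (crl.hasUnsupportedCriticalExtension()) {
            return Status.CRL_UNSUPPORTED_CRITICAL_EXTENSION;
        }

        // 4. Freshness window: thisUpdate <= now < nextUpdate. RFC 2459 requires
        //    nextUpdate, so a missing value is treated as stale rather than as "forever".
        if (crl.getThisUpdate().after(now)) {
            return Status.CRL_NOT_YET_VALID;
        }
        Date nextUpdate = crl.getNextUpdate();
        if (nextUpdate == null || !nextUpdate.after(now)) {
            return Status.CRL_STALE;
        }

        // 5. Look up by certificate rather than by serial number only: the serial-number
        //    variants assume the CRL issuer is the certificate issuer, which does not
        //    hold for an indirect CRL (see isIndirectCRL()).
        return crl.isRevoked(cert) ? Status.REVOKED : Status.GOOD;
    }
}
```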

isRevoked

public boolean isRevoked(BigInteger serialNumber)
Checks if the certificate identified by the given serial number is marked as revoked by this CRL.
Parameters:
serialNumber - the serial number of the certificate to check for revocation
Returns:
true if the certificate identified by the given serial number is marked as revoked by this CRL, false if not

isRevoked

public boolean isRevoked(Certificate cert)
Checks whether the given certificate is on this CRL.
Overrides:
isRevoked in class CRL
Parameters:
cert - the certificate to check for
Returns:
true if the given certificate is on this CRL, false otherwise

containsCertificate

public RevokedCertificate containsCertificate(X509Certificate cert)
Checks if the CRL contains the given certificate.
Parameters:
cert - the certificate to check
Returns:
null if the CRL does not contain the certificate; the RevokedCertificate from the CRL otherwise

containsCertificate

public RevokedCertificate containsCertificate(BigInteger serialNumber)
Checks if the CRL contains a certificate with the given serial number.
Parameters:
serialNumber - the serial number of the certificate
Returns:
null if the CRL does not contain a certificate with this serial number; the RevokedCertificate from the CRL otherwise

toASN1Object

public ASN1Object toASN1Object()
Returns the CRL as an ASN1Object.
Specified by:
toASN1Object in interface ASN1Type
Returns:
the CRL as ASN1Object

toByteArray

public byte[] toByteArray()
Returns the CRL as a DER encoded ASN.1 data structure.
Returns:
the CRL as DER array

writeTo

public void writeTo(OutputStream os)
             throws IOException
Writes the CRL DER encoded to the given output stream.
Parameters:
os - the output stream to which this CRL shall be written
Throws:
IOException - if an I/O error occurs

addCertificate

public void addCertificate(X509Certificate cert,
                           Date revocationDate)
Adds a certificate to the CRL to be revoked on the given date. For instance, add a certificate (read in from a file) to be revoked at the current date:

 GregorianCalendar date = (GregorianCalendar)Calendar.getInstance();
 InputStream fis = new FileInputStream("cert.der");
 X509Certificate cert = new X509Certificate(fis);
 fis.close();
 crl.addCertificate(cert, date.getTime());
 

Parameters:
cert - the X509Certificate which should be revoked
revocationDate - the revocation date

addCertificate

public void addCertificate(RevokedCertificate revokedCert)
Adds a revoked certificate to the CRL. In contrast to addCertificate(X509Certificate cert, Date revocationDate), which adds an X509Certificate, this method adds a RevokedCertificate that already includes its revocation date, for instance:

 GregorianCalendar date = (GregorianCalendar)Calendar.getInstance();
 InputStream fis = new FileInputStream("cert.der");
 X509Certificate cert = new X509Certificate(fis);
 fis.close();
 RevokedCertificate rev_cert = new RevokedCertificate(cert, date.getTime());
 crl.addCertificate(rev_cert);
 

Parameters:
revokedCert - the RevokedCertificate to add to this CRL
See Also:
RevokedCertificate

listCertificates

public Enumeration listCertificates()
Returns an enumeration of the revoked certificates this CRL contains.
Returns:
a list of revoked certificates

removeCertificate

public boolean removeCertificate(X509Certificate cert)
Removes the certificate from the CRL.
Returns:
true if the certificate has been removed successfully, false otherwise

removeCertificate

public boolean removeCertificate(BigInteger serialNumber)
Removes the certificate with the given serial number from the CRL. For instance:

crl.removeCertificate(cert.getSerialNumber());

Parameters:
serialNumber - the serial number of the certificate which should be removed
Returns:
true if the certificate has been removed successfully, false otherwise

removeAllCertificates

public void removeAllCertificates()
Removes all certificates from the CRL.

setSignatureAlgorithm

public void setSignatureAlgorithm(AlgorithmID signatureAlg)
Sets the signature algorithm for signing this CRL. The signature algorithm is specified by its AlgorithmID. For instance:

 crl.setSignatureAlgorithm(AlgorithmID.md5WithRSAEncryption);
 

Parameters:
signatureAlg - the AlgorithmID of the signature algorithm to be used for signing
See Also:
AlgorithmID

setSignatureAlgorithm

public void setSignatureAlgorithm(ObjectID signatureAlg)
Deprecated. Use setSignatureAlgorithm(AlgorithmID) instead.


setIssuerDN

public void setIssuerDN(Principal issuer)
                 throws IllegalArgumentException
Sets the issuer of this CRL. The issuer is the identity which signs the CRL. It is specified by its X.500 distinguished name. For instance:

 Name issuer = new Name();
 issuer.addRDN(ObjectID.country, "AT");
 issuer.addRDN(ObjectID.organization, "TU Graz");
 issuer.addRDN(ObjectID.organizationalUnit, "IAIK");
 issuer.addRDN(ObjectID.commonName, "IAIK Test CA");
 crl.setIssuerDN(issuer);
 

Parameters:
issuer - the distinguished name of the issuer of the CRL
Throws:
IllegalArgumentException - if the issuer is not an instance of Name
See Also:
getIssuerDN()

setThisUpdate

public void setThisUpdate(Date thisUpdate)
Sets the date of thisUpdate. The thisUpdate time value specifies the date on which the CRL has been issued.

For instance, set ThisUpdate to the current date by writing:

 GregorianCalendar date = (GregorianCalendar)Calendar.getInstance();
 crl.setThisUpdate(date.getTime());
 

The X.509 Certificate and CRL Profile specified in RFC 2459 recommends encoding thisUpdate dates through the year 2049 as UTCTime, and thisUpdate dates in 2050 or later as GeneralizedTime.

Parameters:
thisUpdate - the date when this CRL has been issued
See Also:
getThisUpdate()

setNextUpdate

public void setNextUpdate(Date nextUpdate)
Sets the date of nextUpdate. The nextUpdate time value specifies the date on which the next CRL will be issued.

If the next update is scheduled for, say, next month, you may write:

 GregorianCalendar date = (GregorianCalendar)Calendar.getInstance();
 date.add(Calendar.MONTH, 1);
 crl.setNextUpdate(date.getTime());
 

The X.509 Certificate and CRL Profile specified in RFC 2459 recommends encoding nextUpdate dates through the year 2049 as UTCTime, and nextUpdate dates in 2050 or later as GeneralizedTime.

Parameters:
nextUpdate - when the next CRL will be created
See Also:
getNextUpdate()

getEncoded

public byte[] getEncoded()
                  throws CRLException
Returns this CRL as DER encoded ASN.1 data structure.
Overrides:
getEncoded in class X509CRL
Returns:
a byte array representing this CRL as DER encoded ASN.1 data structure
Throws:
CRLException - if an encoding error occurs

getVersion

public int getVersion()
Returns the version number of this CRL as int. The version number may specify a v1 or v2 CRL.

ASN.1 definition:

 Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }

          v3 only appears for consistency reasons
 
Overrides:
getVersion in class X509CRL
Returns:
version number of this CRL, as int

getSignatureAlgorithm

public AlgorithmID getSignatureAlgorithm()
Returns the signature algorithm of this CRL.
Returns:
the AlgorithmID of the signature algorithm used to sign this CRL
See Also:
AlgorithmID

getIssuerDN

public Principal getIssuerDN()
Returns the Distinguished Name of the issuer of this CRL, as Principal. A Distinguished Name is used to specify a path within an X.500 directory information tree. A distinguished name is defined as a sequence of relative distinguished names:

 Name ::= CHOICE { RDNSequence }
 RDNSequence ::= SEQUENCE OF RelativeDistinguishedName

 RelativeDistinguishedName ::= SET OF AttributeTypeAndValue

 AttributeTypeAndValue ::= SEQUENCE {
    type     AttributeType,
    value    AttributeValue }

 AttributeType ::= OBJECT IDENTIFIER
 AttributeValue ::= ANY
 

The AttributeValue generally will be of ASN.1 type DirectoryString, which may be a PrintableString, TeletexString, BMPString, or a UniversalString. A name may consist of, for instance, the following attribute type/value "pairs" defining a path through an X.500 directory tree:

 country: "AT"
 locality: "Graz"
 organization: "TU Graz"
 organizationalUnit: "IAIK"
 commonName: "IAIK TestCA"
 
CAs conforming to RFC 2459 must only issue CRLs with a non-empty distinguished name (DN) in the issuer field. Additional identities of the issuer may be included in the IssuerAltName extension.
Overrides:
getIssuerDN in class X509CRL
Returns:
the distinguished name of the issuer of the CRL, as Principal
See Also:
setIssuerDN(java.security.Principal)

getIssuerDNs

public Enumeration getIssuerDNs()
Returns the names of all issuers of this CRL. This is the CRL issuer plus, in the case of an indirect CRL, all issuers of the revoked certificates.

getThisUpdate

public Date getThisUpdate()
Returns the date of thisUpdate. The thisUpdate time value specifies the date on which the CRL has been issued.

ASN.1 definition:

 thisUpdate    Time

 Time ::= CHOICE {
   utcTime        UTCTime,
   generalTime    GeneralizedTime }

 

The X.509 Certificate and CRL Profile specified in RFC 2459 recommends encoding thisUpdate dates through the year 2049 as UTCTime, and thisUpdate dates in 2050 or later as GeneralizedTime.

Overrides:
getThisUpdate in class X509CRL
Returns:
the date when this CRL has been issued
See Also:
setThisUpdate(java.util.Date)

getNextUpdate

public Date getNextUpdate()
Returns the date of nextUpdate. The nextUpdate time value specifies the date on which the next CRL will be issued.

ASN.1 definition:

 nextUpdate    Time OPTIONAL

 Time ::= CHOICE {
   utcTime        UTCTime,
   generalTime    GeneralizedTime }

 

The PKIX CRL profile (RFC 2459) requires the inclusion of the nextUpdate field in CRLs issued by conforming CAs, although it is marked as OPTIONAL in the ASN.1 definition above.

The X.509 Certificate and CRL Profile specified in RFC 2459 recommends encoding nextUpdate dates through the year 2049 as UTCTime, and nextUpdate dates in 2050 or later as GeneralizedTime.

Overrides:
getNextUpdate in class X509CRL
Returns:
the date when the next CRL will be issued
See Also:
setNextUpdate(java.util.Date)

getRevokedCertificate

public X509CRLEntry getRevokedCertificate(BigInteger serialNumber)
Searches the CRL for the specified serial number and returns the appertaining revoked certificate, if included in this CRL.
Overrides:
getRevokedCertificate in class X509CRL
Parameters:
serialNumber - the serial number to be searched for
Returns:
the RevokedCertificate belonging to the given serial number, if included in this CRL; null otherwise

getRevokedCertificates

public Set getRevokedCertificates()
Returns a set containing all the revoked certificates included in this CRL.
Overrides:
getRevokedCertificates in class X509CRL
Returns:
a Set of RevokedCertificate objects representing the certificates revoked by this CRL, or null if there are no certificates revoked by this CRL

getTBSCertList

public byte[] getTBSCertList()
                      throws CRLException
Returns the TBSCertList inherent to this CRL as DER encoded ASN.1 structure. The TBSCertList specifies the (distinguished) name of the issuer, the issue date of the CRL, the date when the next CRL will be issued, and optionally lists of revoked certificates (identified by their serial numbers) and CRL extensions. The list of revoked certificates is classified as being optional, since a CA may not have revoked any issued certificate when publishing a CRL:

 TBSCertList  ::=  SEQUENCE  {
   version                 Version OPTIONAL,
                                -- if present, must be v2
   signature               AlgorithmIdentifier,
   issuer                  Name,
   thisUpdate              Time,
   nextUpdate              Time OPTIONAL,
   revokedCertificates     SEQUENCE OF SEQUENCE  {
      userCertificate         CertificateSerialNumber,
      revocationDate          Time,
      crlEntryExtensions      Extensions OPTIONAL
                                     -- if present, must be v2
   }  OPTIONAL,
   crlExtensions           [0]  EXPLICIT Extensions OPTIONAL
                                     -- if present, must be v2
 }
 

where:

 Version  ::=  INTEGER  {  v1(0), v2(1), v3(2) }
           -- v3 does not apply to CRLs but appears for consistency
           -- with definition of Version for certs
 
 AlgorithmIdentifier  ::=  SEQUENCE  {
   algorithm               OBJECT IDENTIFIER,
   parameters              ANY DEFINED BY algorithm OPTIONAL  }
                              -- contains a value of the type
                              -- registered for use with the
                              -- algorithm object identifier value

 Name ::= CHOICE { RDNSequence }
 RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
 RelativeDistinguishedName ::= SET OF AttributeTypeAndValue

 AttributeTypeAndValue ::= SEQUENCE {
   type     AttributeType,
   value    AttributeValue }

 AttributeType ::= OBJECT IDENTIFIER
 AttributeValue ::= ANY -- Directory string type --

 DirectoryString ::= CHOICE {
   teletexString     TeletexString (SIZE (1..maxSize)),
   printableString   PrintableString (SIZE (1..maxSize)),
   universalString   UniversalString (SIZE (1..maxSize)),
   bmpString         BMPString (SIZE (1..maxSize)) }

 Time ::= CHOICE {
   utcTime        UTCTime,
   generalTime    GeneralizedTime }

 CertificateSerialNumber ::= INTEGER

 Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension

 Extension ::= SEQUENCE {
   extnID      OBJECT IDENTIFIER,
   critical    BOOLEAN DEFAULT FALSE,
   extnValue   OCTET STRING }

The CRL issuing CA computes the digital signature upon the ASN.1 DER encoded TBSCertList structure.

Overrides:
getTBSCertList in class X509CRL
Returns:
a byte array representing the DER encoded ASN.1 TBSCertList structure inherent to this CRL
Throws:
CRLException - if an error occurs when parsing the CRL

getSignature

public byte[] getSignature()
Returns the signature of this CRL. The signature is defined as an ASN.1 BIT STRING structure. This method returns the inherent signature value as byte array.
Overrides:
getSignature in class X509CRL
Returns:
the signature value as byte array

getSigAlgName

public String getSigAlgName()
Returns the name of the signature algorithm used by the issuer for signing this CRL.
Overrides:
getSigAlgName in class X509CRL
Returns:
the name of the signature algorithm, e.g. "md5WithRSAEncryption"

getSigAlgOID

public String getSigAlgOID()
Returns the OID of the signature algorithm used by the issuer for signing this CRL. An object identifier consists of a sequence of integer components and is used for identifying, e.g., the signature algorithm used for this CRL. This method returns the OID in String representation, e.g. "1.2.840.113549.1.1.4".
Overrides:
getSigAlgOID in class X509CRL
Returns:
the OID of the signature algorithm as String representation
See Also:
ObjectID, AlgorithmID

getSigAlgParams

public byte[] getSigAlgParams()
Returns the algorithm parameters associated with the signature algorithm used by the issuer for signing this CRL. The parameters are returned as DER encoded ASN.1 data structure.
Overrides:
getSigAlgParams in class X509CRL
Returns:
the signature algorithm parameters as DER encoded ASN.1 data structure, or null if there are no parameters used

getCriticalExtensionOIDs

public Set getCriticalExtensionOIDs()
Returns a Set of the OID strings identifying the extension(s) that are marked CRITICAL in this CRL. Extensions can be marked as being critical; if the CRL handling software cannot parse or does not recognize such an extension, the CRL has to be rejected. Non-critical extensions can be ignored if they cannot be handled (i.e. are unknown).
Overrides:
getCriticalExtensionOIDs in class X509CRL
Returns:
a Set (or an empty Set if none are marked critical) of the extension OID strings for extensions that are marked critical. If there are no extensions present at all, then this method returns null.
See Also:
getNonCriticalExtensionOIDs()

getNonCriticalExtensionOIDs

public Set getNonCriticalExtensionOIDs()
Returns a Set of the OID strings for the extension(s) marked NON-CRITICAL in this CRL.
Overrides:
getNonCriticalExtensionOIDs in class X509CRL
Returns:
a Set (or an empty Set if none are marked non-critical) of the extension OID strings for extensions that are marked non-critical. If there are no extensions present at all, then this method returns null.
See Also:
getCriticalExtensionOIDs()

getExtensionValue

public byte[] getExtensionValue(String oid)
Returns a byte array representing the DER encoding of the extension value identified by the passed-in OID string.

The oid string is represented by a set of positive whole numbers separated by periods, e.g. "2.5.29.20" for the CrlNumber extension.

In ASN.1, the Extensions field is defined as a SEQUENCE of Extension:

 Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension

 Extension  ::=  SEQUENCE  {
   extnID      OBJECT IDENTIFIER,
   critical    BOOLEAN DEFAULT FALSE,
   extnValue   OCTET STRING  }
 

where critical specifies whether an extension has to be treated as being critical or not; the default value is FALSE. An extension can be identified by its object identifier, given in the extnID field. The value of the extension is represented as ASN.1 OCTET STRING data structure in the extnValue field.

The byte value returned by this method represents the DER encoding of the extnValue (OCTET STRING) from above, and the value of this OCTET STRING in turn represents the DER encoding of the specific extension's own ASN.1 representation.

Attention: For compatibility with the standard JCA certificate API this method has been changed to return the OCTET STRING value as described above. Prior versions of this class returned the DER encoding of the specific extension's ASN.1 representation itself.

Overrides:
getExtensionValue in class X509CRL
Parameters:
oid - the Object Identifier value of the extension to be queried for
Returns:
the DER encoded ASN.1 representation of the extension value or null if it is not present
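As an added example (not part of the IAIK library or of this Javadoc), the following pure-JDK helper shows the two layers of encoding the attention note above describes: it strips the outer OCTET STRING that getExtensionValue returns and then decodes the CRLNumber INTEGER carried inside it. SAMPLE is a constructed byte sequence, what getExtensionValue("2.5.29.20") yields for the CRL number 4234234 used elsewhere on this page; the class and method names are the example's own.

```java
import java.math.BigInteger;
import java.security.cert.X509CRL;

public final class CrlExtensionValue {
    // OID of the CRLNumber extension, as named in the text above.
    static final String CRL_NUMBER_OID = "2.5.29.20";
    // Constructed sample of what getExtensionValue("2.5.29.20") returns for
    // CRLNumber 4234234 (0x409BFA): OCTET STRING wrapping INTEGER 4234234.
    static final byte[] SAMPLE = {
        0x04, 0x05, 0x02, 0x03, 0x40, (byte) 0x9B, (byte) 0xFA };

    // Strips the outer OCTET STRING and returns its contents, i.e. the DER
    // encoding of the extension's own ASN.1 type (definite lengths only).
    static byte[] unwrapOctetString(byte[] der) {
        if (der == null || der.length < 2 || der[0] != 0x04)
            throw new IllegalArgumentException("not a DER OCTET STRING");
        int first = der[1] & 0xFF, len, offset;
        if (first < 0x80) {                 // short form: one length byte
            len = first; offset = 2;
        } else {                            // long form: 0x8N, then N length bytes
            int n = first & 0x7F;
            if (n == 0 || n > 4 || der.length < 2 + n)
                throw new IllegalArgumentException("bad DER length");
            len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (der[2 + i] & 0xFF);
            offset = 2 + n;
        }
        if (offset + len != der.length)     // trailing or missing bytes: reject
            throw new IllegalArgumentException("OCTET STRING length mismatch");
        byte[] inner = new byte[len];
        System.arraycopy(der, offset, inner, 0, len);
        return inner;
    }

    // Decodes a short-form DER INTEGER (tag 0x02), the type of CRLNumber.
    static BigInteger decodeInteger(byte[] der) {
        if (der.length < 3 || der[0] != 0x02 || (der[1] & 0xFF) != der.length - 2)
            throw new IllegalArgumentException("not a short-form DER INTEGER");
        byte[] mag = new byte[der.length - 2];
        System.arraycopy(der, 2, mag, 0, mag.length);
        return new BigInteger(mag);         // DER INTEGER is two's complement
    }

    // CRL number of a parsed CRL, or null if the extension is absent.
    static BigInteger crlNumber(X509CRL crl) {
        byte[] wrapped = crl.getExtensionValue(CRL_NUMBER_OID);
        return wrapped == null ? null : decodeInteger(unwrapOctetString(wrapped));
    }
}
```

Calling decodeInteger(unwrapOctetString(SAMPLE)) reproduces the CRL number the sample encodes; feeding the un-stripped bytes to decodeInteger is rejected, which is exactly the mistake the attention note guards against.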

addExtension

public void addExtension(V3Extension e)
                  throws X509ExtensionException
Adds the given X509v2 CRL extension.

The extension to be added shall be an implemented V3Extension. Extensions are managed by the X509Extensions class, which maintains two hashtables, one for recording critical extensions and the other for non-critical extensions. This method only calls the addExtension method of the X509Extensions class for putting the given extension into the proper hashtable. Note that only the DER encoded extension value is written to the hashtable, using the OID of the extension as key. If an extension with the same object ID already exists, it is replaced.

For instance:

 X509CRL crl = new X509CRL();
   ...
 CRLNumber crl_number  = new CRLNumber(BigInteger.valueOf(4234234));
 crl.addExtension(crl_number);
 

To read an extension back from one of the hashtables, use the getExtension(ObjectID) method. Only then is the appropriate implementation class created and initialized from the DER encoded extension value stored in the corresponding hashtable.

Parameters:
e - the X509v2 CRL extension to add to the list of extensions
Throws:
X509ExtensionException - if an error occurs while DER encoding the extension
See Also:
V3Extension

removeExtension

public boolean removeExtension(ObjectID oid)
Removes the extension specified by its object identifier.
Parameters:
oid - the object ID of the extension to remove
Returns:
true if the extension has been removed successfully, false otherwise

removeAllExtensions

public void removeAllExtensions()
Removes all extensions from this CRL.

listExtensions

public Enumeration listExtensions()
Returns an enumeration of all extensions included into this CRL.

The returned enumeration may contain unknown extensions (instances of UnknownExtension) if this CRL includes extensions for which no implementation is registered, and it may contain error extensions (instances of ErrorExtension) indicating extensions which cannot be parsed properly because of some kind of error.

Notice that this method only calls the listExtensions method of the X509Extensions class, which instantiates implementations for the included extensions and initializes them with the extension values previously written to the proper hashtables. If an extension cannot be parsed properly, an ErrorExtension is created for it and placed in the enumeration returned by this method.

Returns:
an enumeration of the extensions, or null if there are no extensions present at all

hasExtensions

public boolean hasExtensions()
Checks if there are any extensions included in this CRL.
Returns:
true if there are extensions, false if not

hasUnsupportedCriticalExtension

public boolean hasUnsupportedCriticalExtension()
Returns true if there are unsupported critical extensions.
Overrides:
hasUnsupportedCriticalExtension in class X509CRL
Returns:
true, if there are unsupported critical extensions

countExtensions

public int countExtensions()
Returns the number of extensions included into this CRL.
Returns:
the number of extensions

getExtension

public V3Extension getExtension(ObjectID oid)
                         throws X509ExtensionInitException
Returns a specific extension, identified by its object identifier.

This method only calls the getExtension method of the X509Extensions class, which instantiates an implementation for the requested extension and initializes it with the extension value previously written to the proper hashtable. If the extension cannot be initialized for some reason, an X509ExtensionInitException is thrown. If the requested extension is an unknown extension, i.e. one not supported by a registered implementation, this method creates and returns an UnknownExtension, which may be queried for as much information as can be obtained about the unknown extension.

Parameters:
oid - the object ID of the extension
Returns:
the desired extension or null if the requested extension is not present
Throws:
X509ExtensionInitException - if the extension can not be initialized
See Also:
X509Extensions.getExtension(iaik.asn1.ObjectID)
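The following added example (not the library's own code) combines the methods documented under getCriticalExtensionOIDs, hasUnsupportedCriticalExtension and getExtension into a relying-party check that decides whether a freshly fetched CRL may be used: signature, signature algorithm strength, nextUpdate, unrecognized critical extensions and a non-decreasing CRL number. Assumed rather than taken from this page: the package names of X509ExtensionInitException and CRLNumber, the static CRLNumber.oid field, the getCRLNumber() getter, and the list of weak algorithm names.

```java
import java.math.BigInteger;
import java.security.PublicKey;
import java.util.Arrays;
import java.util.Date;
import java.util.HashSet;
import java.util.Set;
import iaik.x509.X509CRL;
import iaik.x509.X509ExtensionInitException;    // package assumed
import iaik.x509.extensions.CRLNumber;          // package assumed

public final class CrlAcceptance {
    // Signature algorithms this policy refuses, spelled as getSigAlgName() returns them (constructed list).
    static final Set<String> WEAK_SIG_ALGS = new HashSet<String>(
        Arrays.asList("md2WithRSAEncryption", "md5WithRSAEncryption"));

    // Returns null if the CRL may be used, otherwise the reason to reject it. lastAccepted is the
    // CRL number previously accepted from this issuer (null if unknown); a smaller number is stale.
    static String reasonToReject(X509CRL crl, PublicKey issuerKey, Date now,
                                 BigInteger lastAccepted) {
        // 1. The signature over the DER encoded TBSCertList must verify with the CA key (JCA verify()).
        try {
            crl.verify(issuerKey);
        } catch (Exception e) {
            return "signature does not verify: " + e;
        }
        // 2. Do not rely on a signature made with a broken digest algorithm.
        if (WEAK_SIG_ALGS.contains(crl.getSigAlgName())) {
            return "weak signature algorithm " + crl.getSigAlgName();
        }
        // 3. After nextUpdate the CRL is no longer authoritative.
        Date next = crl.getNextUpdate();
        if (next != null && now.after(next)) {
            return "CRL expired at " + next;
        }
        // 4. A critical extension without a registered implementation forces rejection of the CRL.
        if (crl.hasUnsupportedCriticalExtension()) {
            return "unsupported critical extension(s): " + crl.getCriticalExtensionOIDs();
        }
        // 5. The CRL number must not go backwards (the extension is optional).
        try {
            CRLNumber n = (CRLNumber) crl.getExtension(CRLNumber.oid);     // static oid assumed
            if (n != null && lastAccepted != null
                    && n.getCRLNumber().compareTo(lastAccepted) < 0) {     // getter assumed
                return "CRL number " + n.getCRLNumber() + " is older than " + lastAccepted;
            }
        } catch (X509ExtensionInitException e) {
            return "CRLNumber extension cannot be initialized: " + e;
        }
        return null;
    }
}
```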

getFingerprint

public byte[] getFingerprint()
Returns the fingerprint of this CRL. This is an MD5 hash of the DER encoded CRL.
Returns:
the fingerprint of the CRL

getFingerprint

public byte[] getFingerprint(String digestAlgorithm)
                      throws NoSuchAlgorithmException
Returns the fingerprint of this CRL calculated with the given hash algorithm.
Parameters:
digestAlgorithm - the digest algorithm to be used
Returns:
the fingerprint of the CRL
Throws:
NoSuchAlgorithmException - if the requested algorithm is not supported

getFingerprintSHA

public byte[] getFingerprintSHA()
Get the SHA fingerprint of this CRL. The result is cached for subsequent calls.

toString

public String toString()
Returns a string that represents the contents of the CRL.
Overrides:
toString in class CRL
Returns:
the string representation

toString

public String toString(boolean detailed)
Returns a string describing the contents of the CRL, in detail if requested.
Parameters:
detailed - whether or not to give detailed information about the CRL.
Returns:
the string representation

This Javadoc may contain text parts from Internet Standard specifications (RFC 2459, 3280, 3039, 2560, 1521, 821, 822, 2253, 1319, 1321, 2630, 2631, 2268, 3058, 2984, 2104, 2144, 2040, 2311, 2279, see copyright note) and RSA Data Security Public-Key Cryptography Standards (PKCS#1,3,5,7,8,9,10,12, see copyright note).

IAIK-JCE 3.1 with IAIK-JCE CC Core 3.1, (c) 1997-2004 IAIK