
Class netscape.security.x509.X509CRLImpl

netscape.security.x509.X509CRLImpl

public class X509CRLImpl

An implementation of an X.509 CRL (Certificate Revocation List).

The X.509 v2 CRL format is described below in ASN.1:

 

 CertificateList  ::=  SEQUENCE  {
     tbsCertList             TBSCertList,
     signatureAlgorithm      AlgorithmIdentifier,
     signature               BIT STRING  }

A good description and profiling is provided in the IETF PKIX WG draft, Part I: X.509 Certificate and CRL Profile, <draft-ietf-pkix-ipki-part1-06.txt>.

The ASN.1 definition of tbsCertList is:

 TBSCertList  ::=  SEQUENCE  {
     version                 Version OPTIONAL,
                             -- if present, must be v2
     signature               AlgorithmIdentifier,
     issuer                  Name,
     thisUpdate              ChoiceOfTime,
     nextUpdate              ChoiceOfTime OPTIONAL,
     revokedCertificates     SEQUENCE OF SEQUENCE  {
         userCertificate         CertificateSerialNumber,
         revocationDate          ChoiceOfTime,
         crlEntryExtensions      Extensions OPTIONAL
                                 -- if present, must be v2
         }  OPTIONAL,
     crlExtensions           [0]  EXPLICIT Extensions OPTIONAL
                                  -- if present, must be v2
     }
 

See Also:
X509CRL

Constructor Index

 o X509CRLImpl(byte[])
Unmarshals an X.509 CRL from its encoded form, parsing the encoded bytes.
 o X509CRLImpl(InputStream)
Unmarshals an X.509 CRL from an input stream.
 o X509CRLImpl(X500Name, AlgorithmId, Date, Date, RevokedCertificate[], CRLExtensions)
CRL constructor, revoked certs and extensions.
 o X509CRLImpl(X500Name, Date, Date)
Initial CRL constructor, no revoked certs, and no extensions.
 o X509CRLImpl(X500Name, Date, Date, RevokedCertificate[])
CRL constructor, revoked certs, no extensions.
 o X509CRLImpl(X500Name, Date, Date, RevokedCertificate[], CRLExtensions)
CRL constructor, revoked certs and extensions.

Method Index

 o encodeInfo(OutputStream)
Encodes the "to-be-signed" CRL to the OutputStream.
 o getCriticalExtensionOIDs()
Gets a Set of the extension(s) marked CRITICAL in the CRL by OID strings.
 o getEncoded()
Returns the ASN.1 DER encoded form of this CRL.
 o getExtensions()
Returns extensions for this impl.
 o getExtensionValue(String)
Gets the DER encoded OCTET string for the extension value (extnValue) identified by the passed in oid String.
 o getIssuerDN()
Gets the issuer distinguished name from this CRL.
 o getNextUpdate()
Gets the nextUpdate date from the CRL.
 o getNonCriticalExtensionOIDs()
Gets a Set of the extension(s) marked NON-CRITICAL in the CRL by OID strings.
 o getRevokedCertificate(BigInteger)
Get the revoked certificate from the CRL by the serial number provided.
 o getRevokedCertificates()
Gets all the revoked certificates from the CRL.
 o getSigAlgName()
Gets the signature algorithm name for the CRL signature algorithm.
 o getSigAlgOID()
Gets the signature algorithm OID string from the CRL.
 o getSigAlgParams()
Gets the DER encoded signature algorithm parameters from this CRL's signature algorithm.
 o getSignature()
Gets the raw Signature bits from the CRL.
 o getTBSCertList()
Gets the DER encoded CRL information, the tbsCertList from this CRL.
 o getThisUpdate()
Gets the thisUpdate date from the CRL.
 o getVersion()
Gets the version number from the CRL.
 o isRevoked(BigInteger)
Checks whether the given serial number is on this CRL.
 o sign(PrivateKey, String)
Encodes an X.509 CRL, and signs it using the key passed.
 o sign(PrivateKey, String, String)
Encodes an X.509 CRL, and signs it using the key passed.
 o toString()
Returns a printable string of this CRL.
 o verify(PublicKey)
Verifies that this CRL was signed using the private key that corresponds to the specified public key.
 o verify(PublicKey, String)
Verifies that this CRL was signed using the private key that corresponds to the specified public key, and that the signature verification was computed by the given provider.

Constructors

 o X509CRLImpl
 public X509CRLImpl(byte crlData[]) throws CRLException, X509ExtensionException
Unmarshals an X.509 CRL from its encoded form, parsing the encoded bytes. This form of constructor is used by agents which need to examine and use CRL contents. Note that the buffer must include only one CRL, and no "garbage" may be left at the end.

Parameters:
crlData - the encoded bytes, with no trailing padding.
Throws: CRLException
on parsing errors.
Throws: X509ExtensionException
on extension handling errors.
 o X509CRLImpl
 public X509CRLImpl(InputStream inStrm) throws CRLException, X509ExtensionException
Unmarshals an X.509 CRL from an input stream. Only one CRL is expected at the end of the input stream.

Parameters:
inStrm - an input stream holding at least one CRL
Throws: CRLException
on parsing errors.
Throws: X509ExtensionException
on extension handling errors.
 o X509CRLImpl
 public X509CRLImpl(X500Name issuer,
                    Date thisDate,
                    Date nextDate)
Initial CRL constructor, no revoked certs, and no extensions.

Parameters:
issuer - the name of the CA issuing this CRL.
thisDate - the Date of this issue (thisUpdate).
nextDate - the Date of the next CRL (nextUpdate).
 o X509CRLImpl
 public X509CRLImpl(X500Name issuer,
                    Date thisDate,
                    Date nextDate,
                    RevokedCertificate badCerts[]) throws CRLException, X509ExtensionException
CRL constructor, revoked certs, no extensions.

Parameters:
issuer - the name of the CA issuing this CRL.
thisDate - the Date of this issue (thisUpdate).
nextDate - the Date of the next CRL (nextUpdate).
badCerts - the array of revoked certificates.
Throws: CRLException
on parsing/construction errors.
Throws: X509ExtensionException
on extension handling errors.
 o X509CRLImpl
 public X509CRLImpl(X500Name issuer,
                    Date thisDate,
                    Date nextDate,
                    RevokedCertificate badCerts[],
                    CRLExtensions crlExts) throws CRLException, X509ExtensionException
CRL constructor, revoked certs and extensions.

Parameters:
issuer - the name of the CA issuing this CRL.
thisDate - the Date of this issue (thisUpdate).
nextDate - the Date of the next CRL (nextUpdate).
badCerts - the array of revoked certificates.
crlExts - the CRL extensions.
Throws: CRLException
on parsing/construction errors.
Throws: X509ExtensionException
on extension handling errors.
 o X509CRLImpl
 public X509CRLImpl(X500Name issuer,
                    AlgorithmId algId,
                    Date thisDate,
                    Date nextDate,
                    RevokedCertificate badCerts[],
                    CRLExtensions crlExts) throws CRLException, X509ExtensionException
CRL constructor, revoked certs and extensions. This constructor is used by code that builds a CRL and calls encodeInfo() in order to sign it by external means (other than the sign() method).

Parameters:
issuer - the name of the CA issuing this CRL.
algId - the signing algorithm id.
thisDate - the Date of this issue (thisUpdate).
nextDate - the Date of the next CRL (nextUpdate).
badCerts - the array of revoked certificates.
crlExts - the CRL extensions.

Methods

 o getEncoded
 public byte[] getEncoded() throws CRLException
Returns the ASN.1 DER encoded form of this CRL.

Throws: CRLException
if an encoding error occurs.
 o encodeInfo
 public void encodeInfo(OutputStream out) throws CRLException, X509ExtensionException
Encodes the "to-be-signed" CRL to the OutputStream.

Parameters:
out - the OutputStream to write to.
Throws: CRLException
on encoding errors.
Throws: X509ExtensionException
on extension encoding errors.
 o verify
 public void verify(PublicKey key) throws CRLException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException
Verifies that this CRL was signed using the private key that corresponds to the specified public key.

Parameters:
key - the PublicKey used to carry out the verification.
Throws: NoSuchAlgorithmException
on unsupported signature algorithms.
Throws: InvalidKeyException
on incorrect key.
Throws: NoSuchProviderException
if there's no default provider.
Throws: SignatureException
on signature errors.
Throws: CRLException
on encoding errors.
 o verify
 public void verify(PublicKey key,
                    String sigProvider) throws CRLException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException
Verifies that this CRL was signed using the private key that corresponds to the specified public key, and that the signature verification was computed by the given provider.

Parameters:
key - the PublicKey used to carry out the verification.
sigProvider - the name of the signature provider.
Throws: NoSuchAlgorithmException
on unsupported signature algorithms.
Throws: InvalidKeyException
on incorrect key.
Throws: NoSuchProviderException
on incorrect provider.
Throws: SignatureException
on signature errors.
Throws: CRLException
on encoding errors.
 o sign
 public void sign(PrivateKey key,
                  String algorithm) throws CRLException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException, X509ExtensionException
Encodes an X.509 CRL, and signs it using the key passed.

Parameters:
key - the private key used for signing.
algorithm - the name of the signature algorithm used.
Throws: NoSuchAlgorithmException
on unsupported signature algorithms.
Throws: InvalidKeyException
on incorrect key.
Throws: NoSuchProviderException
on incorrect provider.
Throws: SignatureException
on signature errors.
Throws: CRLException
if any mandatory data was omitted.
Throws: X509ExtensionException
on any extension errors.
 o sign
 public void sign(PrivateKey key,
                  String algorithm,
                  String provider) throws CRLException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException, X509ExtensionException
Encodes an X.509 CRL, and signs it using the key passed.

Parameters:
key - the private key used for signing.
algorithm - the name of the signature algorithm used.
provider - the name of the provider.
Throws: NoSuchAlgorithmException
on unsupported signature algorithms.
Throws: InvalidKeyException
on incorrect key.
Throws: NoSuchProviderException
on incorrect provider.
Throws: SignatureException
on signature errors.
Throws: CRLException
if any mandatory data was omitted.
Throws: X509ExtensionException
on any extension errors.
 o toString
 public String toString()
Returns a printable string of this CRL.

Returns:
value of this CRL in a printable form.
 o isRevoked
 public boolean isRevoked(BigInteger serialNumber)
Checks whether the given serial number is on this CRL.

Parameters:
serialNumber - the number to check for.
Returns:
true if the given serial number is on this CRL, false otherwise.
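The constructors, sign(), getEncoded(), verify() and isRevoked() documented above form one issue-and-check cycle. The following is an added example, not code from the X509CRLImpl page or the project itself: the issuer builds and signs a CRL, and the relying party parses the DER, verifies it against the issuer's public key, rejects it if it is past nextUpdate, and only then consults isRevoked(). It assumes, beyond what the page states, that X500Name has a String constructor taking a DN and that RevokedCertImpl(BigInteger, Date) is the concrete RevokedCertificate implementation.

```java
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.SignatureException;
import java.util.Date;

import netscape.security.x509.RevokedCertImpl;      // assumed concrete RevokedCertificate
import netscape.security.x509.RevokedCertificate;
import netscape.security.x509.X500Name;            // assumed String (DN) constructor
import netscape.security.x509.X509CRLImpl;

/** Added example: issue a CRL, then check a serial against it the safe way. */
public class CrlRoundTrip {

    /** Issuer side: builds a CRL listing the given serials and signs it with the CA key. */
    static byte[] issueCrl(KeyPair caKey, X500Name issuer, BigInteger[] revokedSerials,
                           Date thisUpdate, Date nextUpdate) throws Exception {
        RevokedCertificate[] badCerts = new RevokedCertificate[revokedSerials.length];
        for (int i = 0; i < revokedSerials.length; i++) {
            badCerts[i] = new RevokedCertImpl(revokedSerials[i], thisUpdate);
        }
        X509CRLImpl crl = new X509CRLImpl(issuer, thisUpdate, nextUpdate, badCerts);
        crl.sign(caKey.getPrivate(), "SHA256withRSA");   // encodes tbsCertList and signs it
        return crl.getEncoded();                           // complete DER CertificateList
    }

    /**
     * Relying-party side. The order matters: verify the signature before
     * believing anything in the list, and refuse a CRL that is past nextUpdate.
     */
    static boolean isRevokedByTrustedCrl(byte[] der, PublicKey issuerKey,
                                         BigInteger serial, Date now) throws Exception {
        X509CRLImpl crl = new X509CRLImpl(der);   // CRLException on parse errors or trailing garbage
        crl.verify(issuerKey);                     // SignatureException if not signed by this key
        Date next = crl.getNextUpdate();           // optional field, may be null
        if (next != null && now.after(next)) {
            throw new IllegalStateException("CRL is past nextUpdate; fetch a fresh one");
        }
        return crl.isRevoked(serial);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair ca = kpg.generateKeyPair();
        X500Name issuer = new X500Name("CN=Example CA,O=Example");   // constructed sample DN

        Date now = new Date();
        Date next = new Date(now.getTime() + 7L * 24 * 3600 * 1000); // one week validity
        BigInteger revoked = BigInteger.valueOf(1001);                // constructed sample serials
        BigInteger good = BigInteger.valueOf(1002);
        byte[] der = issueCrl(ca, issuer, new BigInteger[] { revoked }, now, next);

        System.out.println("1001 revoked: " + isRevokedByTrustedCrl(der, ca.getPublic(), revoked, now));
        System.out.println("1002 revoked: " + isRevokedByTrustedCrl(der, ca.getPublic(), good, now));

        // A CRL that verifies under some other key must be rejected, not consulted.
        KeyPair other = kpg.generateKeyPair();
        try {
            isRevokedByTrustedCrl(der, other.getPublic(), revoked, now);
        } catch (SignatureException e) {
            System.out.println("rejected: CRL was not signed by the expected issuer key");
        }
    }
}
```

The nextUpdate check is deliberately a hard failure rather than a fall-through to isRevoked(): an expired CRL may simply not mention a certificate that was revoked after it was issued, so "not on the list" carries no information once the list is stale.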
 o getVersion
 public int getVersion()
Gets the version number from the CRL. The ASN.1 definition for this is:
 Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
             -- v3 does not apply to CRLs but appears for consistency
             -- with definition of Version for certs
 

Returns:
the version number.
 o getIssuerDN
 public Principal getIssuerDN()
Gets the issuer distinguished name from this CRL. The issuer name identifies the entity who has signed (and issued the CRL). The issuer name field contains an X.500 distinguished name (DN). The ASN.1 definition for this is:
 issuer    Name
 Name ::= CHOICE { RDNSequence }
 RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
 RelativeDistinguishedName ::=
     SET OF AttributeValueAssertion
 AttributeValueAssertion ::= SEQUENCE {
                               AttributeType,
                               AttributeValue }
 AttributeType ::= OBJECT IDENTIFIER
 AttributeValue ::= ANY
 
The Name describes a hierarchical name composed of attributes, such as country name, and corresponding values, such as US. The type of the component AttributeValue is determined by the AttributeType; in general it will be a directoryString. A directoryString is usually one of PrintableString, TeletexString or UniversalString.

Returns:
the issuer name.
 o getThisUpdate
 public Date getThisUpdate()
Gets the thisUpdate date from the CRL. The ASN.1 definition for this is:

Returns:
the thisUpdate date from the CRL.
 o getNextUpdate
 public Date getNextUpdate()
Gets the nextUpdate date from the CRL.

Returns:
the nextUpdate date from the CRL, or null if not present.
 o getRevokedCertificate
 public RevokedCertificate getRevokedCertificate(BigInteger serialNumber)
Get the revoked certificate from the CRL by the serial number provided.

Returns:
the revoked certificate or null if there is no entry in the CRL marked with the provided serial number.
See Also:
RevokedCertificate
 o getRevokedCertificates
 public Set getRevokedCertificates()
Gets all the revoked certificates from the CRL, as a Set of RevokedCertificate.

Returns:
all the revoked certificates or null if there are none.
See Also:
RevokedCertificate
 o getTBSCertList
 public byte[] getTBSCertList() throws CRLException, X509ExtensionException
Gets the DER encoded CRL information, the tbsCertList from this CRL. This can be used to verify the signature independently.

Returns:
the DER encoded CRL information.
Throws: CRLException
on parsing errors.
Throws: X509ExtensionException
on extension parsing errors.
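The page says getTBSCertList() "can be used to verify the signature independently". As an added example (not code from the project), here is that verification done with the standard java.security.Signature engine and the three accessors documented on this page: getTBSCertList() for the signed bytes, getSignature() for the raw signature, and getSigAlgName() for the JCA algorithm name. The allowlist of algorithm names is a constructed sample policy.

```java
import java.security.PublicKey;
import java.security.Signature;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import netscape.security.x509.X509CRLImpl;

/** Added example: verify a CRL signature without calling X509CRLImpl.verify(). */
public class IndependentCrlVerify {

    /** Signature algorithms this relying party accepts (constructed sample policy). */
    static final Set<String> ALLOWED_SIG_ALGS =
            new HashSet<>(Arrays.asList("SHA256withRSA", "SHA384withRSA", "SHA256withECDSA"));

    static boolean verifyIndependently(X509CRLImpl crl, PublicKey issuerKey) throws Exception {
        // The algorithm name comes out of the CRL itself, i.e. out of untrusted input,
        // so pin it to an allowlist before handing it to the JCA.
        String alg = crl.getSigAlgName();
        if (!ALLOWED_SIG_ALGS.contains(alg)) {
            throw new SecurityException("CRL signature algorithm not accepted: " + alg);
        }
        byte[] tbs = crl.getTBSCertList();   // DER of tbsCertList: exactly the bytes that were signed
        byte[] sig = crl.getSignature();     // raw signature bits from the outer CertificateList
        Signature engine = Signature.getInstance(alg);
        engine.initVerify(issuerKey);
        engine.update(tbs);
        return engine.verify(sig);           // true only if sig is a valid signature over tbs
    }
}
```

Verifying over getTBSCertList() rather than re-encoding the parsed fields is the point: the signature covers the issuer's exact DER, and any re-encoding that differs by even one byte (a different time format, a re-sorted SET) would fail to verify.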
 o getSignature
 public byte[] getSignature()
Gets the raw Signature bits from the CRL.

Returns:
the signature.
 o getSigAlgName
 public String getSigAlgName()
Gets the signature algorithm name for the CRL signature algorithm. For example, the string "SHA1withDSA". The ASN.1 definition for this is:
 AlgorithmIdentifier  ::=  SEQUENCE  {
     algorithm               OBJECT IDENTIFIER,
     parameters              ANY DEFINED BY algorithm OPTIONAL  }
                             -- contains a value of the type
                             -- registered for use with the
                             -- algorithm object identifier value
 

Returns:
the signature algorithm name.
 o getSigAlgOID
 public String getSigAlgOID()
Gets the signature algorithm OID string from the CRL. An OID is represented by a sequence of positive whole numbers separated by ".", that is,
<positive whole number>.<positive whole number>.<...> For example, the string "1.2.840.10040.4.3" identifies the SHA-1 with DSA signature algorithm, as per PKIX part I.

Returns:
the signature algorithm oid string.
 o getSigAlgParams
 public byte[] getSigAlgParams()
Gets the DER encoded signature algorithm parameters from this CRL's signature algorithm. In most cases the signature algorithm parameters are null, because the parameters are usually supplied with the public key.

Returns:
the DER encoded signature algorithm parameters, or null if no parameters are present.
 o getCriticalExtensionOIDs
 public Set getCriticalExtensionOIDs()
Gets a Set of the extension(s) marked CRITICAL in the CRL by OID strings.

Returns:
a set of the extension oid strings in the CRL that are marked critical.
 o getNonCriticalExtensionOIDs
 public Set getNonCriticalExtensionOIDs()
Gets a Set of the extension(s) marked NON-CRITICAL in the CRL by OID strings.

Returns:
a set of the extension oid strings in the CRL that are NOT marked critical.
 o getExtensionValue
 public byte[] getExtensionValue(String oid)
Gets the DER encoded OCTET STRING for the extension value (extnValue) identified by the passed in oid String. The oid string is represented by a sequence of positive whole numbers separated by ".", that is,
<positive whole number>.<positive whole number>.<...>

Parameters:
oid - the Object Identifier value for the extension.
Returns:
the der encoded octet string of the extension value.
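getExtensionValue() hands back the OCTET STRING that wraps the extension value, not the value itself, and getCriticalExtensionOIDs() tells a relying party which extensions it is not allowed to ignore. The following is an added example, not code from the project, covering both: it strips the DER OCTET STRING header by hand (so it depends on no DER utility class that this page does not document) to read the CRL Number extension, and it lists any critical extension the caller does not understand, which is the case in which a CRL has to be rejected. The OIDs 2.5.29.20 (cRLNumber) and 2.5.29.28 (issuingDistributionPoint) are the standard id-ce values; the set of "understood" critical extensions is a constructed sample, and it is assumed that getExtensionValue() returns null for an absent extension.

```java
import java.math.BigInteger;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import netscape.security.x509.X509CRLImpl;

/** Added example: reading CRL extensions through the OID-based accessors. */
public class CrlExtensionCheck {

    /** id-ce-cRLNumber; its extnValue is an ASN.1 INTEGER. */
    static final String CRL_NUMBER_OID = "2.5.29.20";

    /** Critical CRL extensions this relying party can process (constructed sample set). */
    static final Set<String> UNDERSTOOD_CRITICAL =
            new HashSet<>(Arrays.asList("2.5.29.28"));   // issuingDistributionPoint

    /** Strips one DER tag/length header of the expected tag and returns the content octets. */
    static byte[] derContents(byte[] der, int expectedTag) {
        if (der == null || der.length < 2 || (der[0] & 0xFF) != expectedTag) {
            throw new IllegalArgumentException("unexpected DER tag");
        }
        int len = der[1] & 0xFF;
        int offset = 2;
        if (len == 0x80) {
            throw new IllegalArgumentException("indefinite length is not DER");
        }
        if (len > 0x80) {                      // long form: low 7 bits count the length octets
            int n = len & 0x7F;
            if (n > 4 || offset + n > der.length) {
                throw new IllegalArgumentException("bad long-form length");
            }
            len = 0;
            for (int i = 0; i < n; i++) {
                len = (len << 8) | (der[offset++] & 0xFF);
            }
        }
        if (offset + len != der.length) {      // DER: the value must fill the encoding exactly
            throw new IllegalArgumentException("length does not match the encoding");
        }
        return Arrays.copyOfRange(der, offset, offset + len);
    }

    /** Returns the CRL Number, or null if the extension is absent. */
    static BigInteger crlNumber(X509CRLImpl crl) {
        byte[] wrapped = crl.getExtensionValue(CRL_NUMBER_OID);
        if (wrapped == null) {
            return null;
        }
        byte[] extnValue = derContents(wrapped, 0x04);       // OCTET STRING -> extnValue
        return new BigInteger(derContents(extnValue, 0x02));  // INTEGER content is two's complement
    }

    /** Critical extensions present in the CRL that this verifier cannot process; non-empty means reject. */
    static Set<String> unsupportedCriticalExtensions(X509CRLImpl crl) {
        Set<String> unsupported = new HashSet<>();
        Set critical = crl.getCriticalExtensionOIDs();        // raw Set of OID strings
        if (critical != null) {
            for (Object oid : critical) {
                if (!UNDERSTOOD_CRITICAL.contains(oid.toString())) {
                    unsupported.add(oid.toString());
                }
            }
        }
        return unsupported;
    }
}
```

A relying party would call unsupportedCriticalExtensions() right after verifying the signature and before trusting the revocation list; crlNumber() is what lets it detect a CRL that is older than one it has already seen, since a replayed older CRL would still carry a valid issuer signature.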
 o getExtensions
 public CRLExtensions getExtensions()
Returns the extensions for this CRL.

Returns:
the CRLExtensions of this CRL.
