All Packages Class Hierarchy This Package Previous Next Index
Class netscape.security.x509.X509CRLImpl
netscape.security.x509.X509CRLImpl
- public class X509CRLImpl
An implmentation for X509 CRL (Certificate Revocation List).
The X.509 v2 CRL format is described below in ASN.1:
CertificateList ::= SEQUENCE {
tbsCertList TBSCertList,
signatureAlgorithm AlgorithmIdentifier,
signature BIT STRING }
A good description and profiling is provided in the IETF PKIX WG
draft, Part I: X.509 Certificate and CRL Profile,
<draft-ietf-pkix-ipki-part1-06.txt>.
The ASN.1 definition of tbsCertList is:
TBSCertList ::= SEQUENCE {
version Version OPTIONAL,
-- if present, must be v2
signature AlgorithmIdentifier,
issuer Name,
thisUpdate ChoiceOfTime,
nextUpdate ChoiceOfTime OPTIONAL,
revokedCertificates SEQUENCE OF SEQUENCE {
userCertificate CertificateSerialNumber,
revocationDate ChoiceOfTime,
crlEntryExtensions Extensions OPTIONAL
-- if present, must be v2
} OPTIONAL,
crlExtensions [0] EXPLICIT Extensions OPTIONAL
-- if present, must be v2
}
- See Also:
- X509CRL
-
X509CRLImpl(byte[])
- Unmarshals an X.509 CRL from its encoded form, parsing the encoded
bytes.
-
X509CRLImpl(InputStream)
- Unmarshals an X.509 CRL from an input stream.
-
X509CRLImpl(X500Name, AlgorithmId, Date, Date, RevokedCertificate[], CRLExtensions)
- CRL constructor, revoked certs and extensions.
-
X509CRLImpl(X500Name, Date, Date)
- Initial CRL constructor, no revoked certs, and no extensions.
-
X509CRLImpl(X500Name, Date, Date, RevokedCertificate[])
- CRL constructor, revoked certs, no extensions.
-
X509CRLImpl(X500Name, Date, Date, RevokedCertificate[], CRLExtensions)
- CRL constructor, revoked certs and extensions.
-
encodeInfo(OutputStream)
- Encodes the "to-be-signed" CRL to the OutputStream.
-
getCriticalExtensionOIDs()
- Gets a Set of the extension(s) marked CRITICAL in the
CRL by OID strings.
-
getEncoded()
- Returns the ASN.1 DER encoded form of this CRL.
-
getExtensions()
- Returns extensions for this impl.
-
getExtensionValue(String)
- Gets the DER encoded OCTET string for the extension value
(
extnValue) identified by the passed in oid String.
-
getIssuerDN()
- Gets the issuer distinguished name from this CRL.
-
getNextUpdate()
- Gets the nextUpdate date from the CRL.
-
getNonCriticalExtensionOIDs()
- Gets a Set of the extension(s) marked NON-CRITICAL in the
CRL by OID strings.
-
getRevokedCertificate(BigInteger)
- Get the revoked certificate from the CRL by the serial
number provided.
-
getRevokedCertificates()
- Gets all the revoked certificates from the CRL.
-
getSigAlgName()
- Gets the signature algorithm name for the CRL
signature algorithm.
-
getSigAlgOID()
- Gets the signature algorithm OID string from the CRL.
-
getSigAlgParams()
- Gets the DER encoded signature algorithm parameters from this
CRL's signature algorithm.
-
getSignature()
- Gets the raw Signature bits from the CRL.
-
getTBSCertList()
- Gets the DER encoded CRL information, the
tbsCertList from this CRL.
-
getThisUpdate()
- Gets the thisUpdate date from the CRL.
-
getVersion()
- Gets the version number from the CRL.
-
isRevoked(BigInteger)
- Checks whether the given serial number is on this CRL.
-
sign(PrivateKey, String)
- Encodes an X.509 CRL, and signs it using the key
passed.
-
sign(PrivateKey, String, String)
- Encodes an X.509 CRL, and signs it using the key
passed.
-
toString()
- Returns a printable string of this CRL.
-
verify(PublicKey)
- Verifies that this CRL was signed using the
private key that corresponds to the specified public key.
-
verify(PublicKey, String)
- Verifies that this CRL was signed using the
private key that corresponds to the specified public key,
and that the signature verification was computed by
the given provider.
X509CRLImpl
public X509CRLImpl(byte crlData[]) throws CRLException, X509ExtensionException
- Unmarshals an X.509 CRL from its encoded form, parsing the encoded
bytes. This form of constructor is used by agents which
need to examine and use CRL contents. Note that the buffer
must include only one CRL, and no "garbage" may be left at
the end.
- Parameters:
- crlData - the encoded bytes, with no trailing padding.
- Throws: CRLException
- on parsing errors.
- Throws: X509ExtensionException
- on extension handling errors.
X509CRLImpl
public X509CRLImpl(InputStream inStrm) throws CRLException, X509ExtensionException
- Unmarshals an X.509 CRL from an input stream. Only one CRL
is expected at the end of the input stream.
- Parameters:
- inStrm - an input stream holding at least one CRL
- Throws: CRLException
- on parsing errors.
- Throws: X509ExtensionException
- on extension handling errors.
X509CRLImpl
public X509CRLImpl(X500Name issuer,
Date thisDate,
Date nextDate)
- Initial CRL constructor, no revoked certs, and no extensions.
- Parameters:
- issuer - the name of the CA issuing this CRL.
- thisUpdate - the Date of this issue.
- nextUpdate - the Date of the next CRL.
X509CRLImpl
public X509CRLImpl(X500Name issuer,
Date thisDate,
Date nextDate,
RevokedCertificate badCerts[]) throws CRLException, X509ExtensionException
- CRL constructor, revoked certs, no extensions.
- Parameters:
- issuer - the name of the CA issuing this CRL.
- thisUpdate - the Date of this issue.
- nextUpdate - the Date of the next CRL.
- badCerts - the array of revoked certificates.
- Throws: CRLException
- on parsing/construction errors.
- Throws: X509ExtensionException
- on extension handling errors.
X509CRLImpl
public X509CRLImpl(X500Name issuer,
Date thisDate,
Date nextDate,
RevokedCertificate badCerts[],
CRLExtensions crlExts) throws CRLException, X509ExtensionException
- CRL constructor, revoked certs and extensions.
- Parameters:
- issuer - the name of the CA issuing this CRL.
- thisUpdate - the Date of this issue.
- nextUpdate - the Date of the next CRL.
- badCerts - the array of revoked certificates.
- crlExts - the CRL extensions.
- Throws: CRLException
- on parsing/construction errors.
- Throws: X509ExtensionException
- on extension handling errors.
X509CRLImpl
public X509CRLImpl(X500Name issuer,
AlgorithmId algId,
Date thisDate,
Date nextDate,
RevokedCertificate badCerts[],
CRLExtensions crlExts) throws CRLException, X509ExtensionException
- CRL constructor, revoked certs and extensions.
This will be used by code that constructs CRL and uses
encodeInfo() in order to sign it using external means
(other than sign() method)
- Parameters:
- issuer - the name of the CA issuing this CRL.
- sigAlg - signing algorithm id
- thisUpdate - the Date of this issue.
- nextUpdate - the Date of the next CRL.
- badCerts - the array of revoked certificates.
- crlExts - the CRL extensions.
getEncoded
public byte[] getEncoded() throws CRLException
- Returns the ASN.1 DER encoded form of this CRL.
- Throws: CRLException
- if an encoding error occurs.
encodeInfo
public void encodeInfo(OutputStream out) throws CRLException, X509ExtensionException
- Encodes the "to-be-signed" CRL to the OutputStream.
- Parameters:
- out - the OutputStream to write to.
- Throws: CRLException
- on encoding errors.
- Throws: X509ExtensionException
- on extension encoding errors.
verify
public void verify(PublicKey key) throws CRLException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException
- Verifies that this CRL was signed using the
private key that corresponds to the specified public key.
- Parameters:
- key - the PublicKey used to carry out the verification.
- Throws: NoSuchAlgorithmException
- on unsupported signature
algorithms.
- Throws: InvalidKeyException
- on incorrect key.
- Throws: NoSuchProviderException
- if there's no default provider.
- Throws: SignatureException
- on signature errors.
- Throws: CRLException
- on encoding errors.
verify
public void verify(PublicKey key,
String sigProvider) throws CRLException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException
- Verifies that this CRL was signed using the
private key that corresponds to the specified public key,
and that the signature verification was computed by
the given provider.
- Parameters:
- key - the PublicKey used to carry out the verification.
- sigProvider - the name of the signature provider.
- Throws: NoSuchAlgorithmException
- on unsupported signature
algorithms.
- Throws: InvalidKeyException
- on incorrect key.
- Throws: NoSuchProviderException
- on incorrect provider.
- Throws: SignatureException
- on signature errors.
- Throws: CRLException
- on encoding errors.
sign
public void sign(PrivateKey key,
String algorithm) throws CRLException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException, X509ExtensionException
- Encodes an X.509 CRL, and signs it using the key
passed.
- Parameters:
- key - the private key used for signing.
- algorithm - the name of the signature algorithm used.
- Throws: NoSuchAlgorithmException
- on unsupported signature
algorithms.
- Throws: InvalidKeyException
- on incorrect key.
- Throws: NoSuchProviderException
- on incorrect provider.
- Throws: SignatureException
- on signature errors.
- Throws: CRLException
- if any mandatory data was omitted.
- Throws: X509ExtensionException
- on any extension errors.
sign
public void sign(PrivateKey key,
String algorithm,
String provider) throws CRLException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException, X509ExtensionException
- Encodes an X.509 CRL, and signs it using the key
passed.
- Parameters:
- key - the private key used for signing.
- algorithm - the name of the signature algorithm used.
- provider - the name of the provider.
- Throws: NoSuchAlgorithmException
- on unsupported signature
algorithms.
- Throws: InvalidKeyException
- on incorrect key.
- Throws: NoSuchProviderException
- on incorrect provider.
- Throws: SignatureException
- on signature errors.
- Throws: CRLException
- if any mandatory data was omitted.
- Throws: X509ExtensionException
- on any extension errors.
toString
public String toString()
- Returns a printable string of this CRL.
- Returns:
- value of this CRL in a printable form.
isRevoked
public boolean isRevoked(BigInteger serialNumber)
- Checks whether the given serial number is on this CRL.
- Parameters:
- serialNumber - the number to check for.
- Returns:
- true if the given serial number is on this CRL,
false otherwise.
getVersion
public int getVersion()
- Gets the version number from the CRL.
The ASN.1 definition for this is:
Version ::= INTEGER { v1(0), v2(1), v3(2) }
-- v3 does not apply to CRLs but appears for consistency
-- with definition of Version for certs
- Returns:
- the version number.
getIssuerDN
public Principal getIssuerDN()
- Gets the issuer distinguished name from this CRL.
The issuer name identifies the entity who has signed (and
issued the CRL). The issuer name field contains an
X.500 distinguished name (DN).
The ASN.1 definition for this is:
issuer Name
Name ::= CHOICE { RDNSequence }
RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
RelativeDistinguishedName ::=
SET OF AttributeValueAssertion
AttributeValueAssertion ::= SEQUENCE {
AttributeType,
AttributeValue }
AttributeType ::= OBJECT IDENTIFIER
AttributeValue ::= ANY
The Name describes a hierarchical name composed of attributes,
such as country name, and corresponding values, such as US.
The type of the component AttributeValue is determined by the
AttributeType; in general it will be a directoryString.
A directoryString is usually one of PrintableString,
TeletexString or UniversalString.
- Returns:
- the issuer name.
getThisUpdate
public Date getThisUpdate()
- Gets the thisUpdate date from the CRL.
The ASN.1 definition for this is:
- Returns:
- the thisUpdate date from the CRL.
getNextUpdate
public Date getNextUpdate()
- Gets the nextUpdate date from the CRL.
- Returns:
- the nextUpdate date from the CRL, or null if
not present.
getRevokedCertificate
public RevokedCertificate getRevokedCertificate(BigInteger serialNumber)
- Get the revoked certificate from the CRL by the serial
number provided.
- Returns:
- the revoked certificate or null if there is
no entry in the CRL marked with the provided serial number.
- See Also:
- RevokedCertificate
getRevokedCertificates
public Set getRevokedCertificates()
- Gets all the revoked certificates from the CRL.
A Set of RevokedCertificate.
- Returns:
- all the revoked certificates or null if there are
none.
- See Also:
- RevokedCertificate
getTBSCertList
public byte[] getTBSCertList() throws CRLException, X509ExtensionException
- Gets the DER encoded CRL information, the
tbsCertList from this CRL.
This can be used to verify the signature independently.
- Returns:
- the DER encoded CRL information.
- Throws: CRLException
- on parsing errors.
- Throws: X509ExtensionException
- on extension parsing errors.
getSignature
public byte[] getSignature()
- Gets the raw Signature bits from the CRL.
- Returns:
- the signature.
getSigAlgName
public String getSigAlgName()
- Gets the signature algorithm name for the CRL
signature algorithm. For example, the string "SHA1withDSA".
The ASN.1 definition for this is:
AlgorithmIdentifier ::= SEQUENCE {
algorithm OBJECT IDENTIFIER,
parameters ANY DEFINED BY algorithm OPTIONAL }
-- contains a value of the type
-- registered for use with the
-- algorithm object identifier value
- Returns:
- the signature algorithm name.
getSigAlgOID
public String getSigAlgOID()
- Gets the signature algorithm OID string from the CRL.
An OID is represented by a set of positive whole number separated
by ".", that means,
<positive whole number>.<positive whole number>.<...>
For example, the string "1.2.840.10040.4.3" identifies the SHA-1
with DSA signature algorithm, as per the PKIX part I.
- Returns:
- the signature algorithm oid string.
getSigAlgParams
public byte[] getSigAlgParams()
- Gets the DER encoded signature algorithm parameters from this
CRL's signature algorithm. In most cases, the signature
algorithm parameters are null, the parameters are usually
supplied with the Public Key.
- Returns:
- the DER encoded signature algorithm parameters, or
null if no parameters are present.
getCriticalExtensionOIDs
public Set getCriticalExtensionOIDs()
- Gets a Set of the extension(s) marked CRITICAL in the
CRL by OID strings.
- Returns:
- a set of the extension oid strings in the
CRL that are marked critical.
getNonCriticalExtensionOIDs
public Set getNonCriticalExtensionOIDs()
- Gets a Set of the extension(s) marked NON-CRITICAL in the
CRL by OID strings.
- Returns:
- a set of the extension oid strings in the
CRL that are NOT marked critical.
getExtensionValue
public byte[] getExtensionValue(String oid)
- Gets the DER encoded OCTET string for the extension value
(
extnValue) identified by the passed in oid String.
The oid string is
represented by a set of positive whole number separated
by ".", that means,
<positive whole number>.<positive whole number>.<...>
- Parameters:
- oid - the Object Identifier value for the extension.
- Returns:
- the der encoded octet string of the extension value.
getExtensions
public CRLExtensions getExtensions()
- Returns extensions for this impl.
- Parameters:
- extn - CRLExtensions
All Packages Class Hierarchy This Package Previous Next Index