IAIK-JCE Provider API Documentation
Version 6.0
iaik.x509

Class X509CRL

    • Constructor Summary

      Constructors 
      Constructor and Description
      X509CRL()
      Default constructor for creating a new empty X509CRL.
      X509CRL(ASN1Object asn1CRL)
      Creates an X509CRL from an ASN1Object.
      X509CRL(byte[] crl)
      Creates a CRL from a PEM or DER byte array.
      X509CRL(java.io.InputStream is)
      Creates a CRL from an input stream supplying a DER or PEM encoded CRL.
    • Method Summary

      Methods 
      Modifier and Type Method and Description
      void addCertificate(RevokedCertificate revokedCert)
      Adds a revoked certificate to the CRL.
      void addCertificate(X509Certificate cert, java.util.Date revocationDate)
      Adds a certificate to the CRL to be revoked on the given date.
      void addExtension(V3Extension e)
      Adds the given X509v2 CRL extension.
      RevokedCertificate containsCertificate(java.math.BigInteger serialNumber)
      Checks, if the CRL contains a certificate with the given serial number.
      RevokedCertificate containsCertificate(java.security.Principal issuerDN, java.math.BigInteger serialNumber)
      Checks, if the CRL contains the given certificate, identified by issuer and serial number.
      RevokedCertificate containsCertificate(X509Certificate cert)
      Checks, if the CRL contains the given certificate.
      int countExtensions()
      Returns the number of extensions included into this CRL.
      void decode(ASN1Object crl)
      Creates a CRL from an ASN1Object.
      java.util.Set getCriticalExtensionOIDs()
      Returns a Set of the OID strings identifying the extension(s) that are marked CRITICAL in this CRL.
      byte[] getEncoded()
      Returns this CRL as DER encoded ASN.1 data structure.
      V3Extension getExtension(ObjectID oid)
      Returns a specific extension, identified by its object identifier.
      byte[] getExtensionValue(java.lang.String oid)
      Returns a byte array representing the DER encoding of the extnValue OCTET STRING field of the extension identified by the given OID string.
      byte[] getFingerprint()
      Returns the fingerprint of this CRL.
      byte[] getFingerprint(java.lang.String digestAlgorithm)
      Returns the fingerprint of this CRL calculated with the given hash algorithm.
      byte[] getFingerprintSHA()
      Gets the SHA-1 fingerprint of this CRL.
      java.security.Principal getIssuerDN()
      Returns the Distinguished Name of the issuer of this CRL, as Principal.
      java.util.Enumeration getIssuerDNs()
      Return the names of all issuers of this CRL.
      java.util.Date getNextUpdate()
      Returns the date of nextUpdate.
      java.util.Set getNonCriticalExtensionOIDs()
      Returns a Set of the OID strings for the extension(s) marked NON-CRITICAL in this CRL.
      byte[] getRawExtensionValue(java.lang.String oid)
      Returns a byte array representing the DER encoding of the extension value identified by the given OID string.
      java.security.cert.X509CRLEntry getRevokedCertificate(java.math.BigInteger serialNumber)
      Searches the CRL for the specified serial number and returns the corresponding revoked certificate, if it is included in this CRL.
      java.security.cert.X509CRLEntry getRevokedCertificate(java.security.cert.X509Certificate certificate)
      Checks, if the CRL contains the given certificate.
      java.util.Set getRevokedCertificates()
      Returns a set containing all the revoked certificates included in this CRL.
      java.lang.String getSigAlgName()
      Returns the (JCA standard) name of the signature algorithm used by the issuer for signing this CRL.
      java.lang.String getSigAlgOID()
      Returns the OID of the signature algorithm used by the issuer for signing this CRL.
      byte[] getSigAlgParams()
      Returns the algorithm parameters associated with the signature algorithm used by the issuer for signing this CRL.
      byte[] getSignature()
      Returns the signature of this CRL.
      AlgorithmID getSignatureAlgorithm()
      Returns the signature algorithm of this CRL.
      byte[] getTBSCertList()
      Returns the TBSCertList inherent to this CRL as DER encoded ASN.1 structure.
      java.util.Date getThisUpdate()
      Returns the date of thisUpdate.
      int getVersion()
      Returns the version number of this CRL as int.
      boolean hasExtensions()
      Checks, if there are any extensions included into this CRL.
      boolean hasUnsupportedCriticalExtension()
      Returns true if there are unsupported critical extensions.
      boolean isIndirectCRL()
      Return whether this CRL is an indirect CRL.
      boolean isRevoked(java.math.BigInteger serialNumber)
      Checks if the certificate identified by the given serial number is marked as revoked by this CRL.
      boolean isRevoked(java.security.cert.Certificate cert)
      Checks whether the given certificate is on this CRL.
      java.util.Enumeration listCertificates()
      Returns an enumeration of the revoked certificates this CRL contains.
      java.util.Enumeration listExtensions()
      Returns an enumeration of all extensions included into this CRL.
      void removeAllCertificates()
      Removes all certificates from the CRL.
      void removeAllExtensions()
      Removes all extensions from this CRL.
      boolean removeCertificate(java.math.BigInteger serialNumber)
      Removes the certificate with the given serial number from the CRL.
      boolean removeCertificate(java.security.Principal certIssuer, java.math.BigInteger serialNumber)
      Removes a certificate, identified by its issuer DN and its serial number, from the CRL.
      boolean removeCertificate(X509Certificate cert)
      Removes the certificate from the CRL.
      boolean removeExtension(ObjectID oid)
      Removes the extension specified by its object identifier.
      void setIssuerDN(java.security.Principal issuer)
      Sets the issuer of this CRL.
      void setNextUpdate(java.util.Date nextUpdate)
      Sets the date of nextUpdate.
      void setSignature(byte[] signatureValue)
      Sets the signature value of this CRL.
      void setSignatureAlgorithm(AlgorithmID signatureAlg)
      Sets the signature algorithm for signing this CRL.
      void setSignatureAlgorithm(ObjectID signatureAlg)
      Deprecated. 
      use setSignatureAlgorithm(AlgorithmID);
      void setThisUpdate(java.util.Date thisUpdate)
      Sets the date of thisUpdate.
      void sign(java.security.PrivateKey privateKey)
      Signs the CRL with the private key of the issuer.
      void sign(java.security.PrivateKey privateKey, java.security.spec.AlgorithmParameterSpec signatureParams, java.security.Provider provider)
      Signs the CRL with the private key of the issuer.
      void sign(java.security.PrivateKey privateKey, java.security.spec.AlgorithmParameterSpec signatureParams, java.lang.String providerName)
      Signs the CRL with the private key of the issuer.
      void sign(java.security.PrivateKey privateKey, java.security.Provider provider)
      Signs the CRL with the private key of the issuer.
      void sign(java.security.PrivateKey privateKey, java.lang.String providerName)
      Signs the CRL with the private key of the issuer.
      int size()
      Gets the size (number of entries) of this CRL.
      ASN1Object toASN1Object()
      Returns the CRL as an ASN1Object.
      byte[] toByteArray()
      Returns the CRL as a DER encoded ASN.1 data structure.
      java.lang.String toString()
      Returns a string that represents the contents of the CRL.
      java.lang.String toString(boolean detailed)
      Returns a string describing the contents of the CRL, in detail if requested.
      void verify(java.security.PublicKey key)
      Verifies a signed CRL using the given public key.
      void verify(java.security.PublicKey key, java.security.Provider provider)
      Uses the given public key to verify this CRL based on a signature algorithm supplied by the given provider.
      void verify(java.security.PublicKey key, java.lang.String providerName)
      Uses the given public key to verify this CRL based on a signature algorithm supplied by the specified provider.
      void writeTo(java.io.OutputStream os)
      Writes the CRL DER encoded to the given output stream.
      • Methods inherited from class java.security.cert.X509CRL

        equals, getIssuerX500Principal, hashCode
      • Methods inherited from class java.security.cert.CRL

        getType
      • Methods inherited from class java.lang.Object

        clone, finalize, getClass, notify, notifyAll, wait, wait, wait
    • Constructor Detail

      • X509CRL

        public X509CRL()
        Default constructor for creating a new empty X509CRL.

        Any value may be set using the corresponding set<Value> method. By default the version number is set to 1, indicating a Version 1 CRL. When extensions are added, the version field is automatically set to 2.

      • X509CRL

        public X509CRL(java.io.InputStream is)
                throws java.io.IOException,
                       java.security.cert.CRLException
        Creates a CRL from an input stream supplying a DER or PEM encoded CRL.

        This constructor reads a DER or PEM encoded X509CRL that previously may have been written with method writeTo(OutputStream).

        For instance:

         InputStream fis = new FileInputStream("crl.der");
         X509CRL crl = new X509CRL(fis);
         fis.close();
         

        Parameters:
        is - InputStream from which to create the CRL
        Throws:
        java.io.IOException - if the CRL could not be read
        java.security.cert.CRLException - if there is a problem when parsing the CRL
      • X509CRL

        public X509CRL(byte[] crl)
                throws java.security.cert.CRLException
        Creates a CRL from a PEM or DER byte array.

        This constructor may be used for parsing an already existing X509CRL ASN.1 object, supplied as DER encoded byte array, which may have been created by calling the toByteArray or the getEncoded method.

        Parameters:
        crl - the byte array which contains the CRL
        Throws:
        java.security.cert.CRLException - if there is a problem when parsing the CRL
      • X509CRL

        public X509CRL(ASN1Object asn1CRL)
                throws java.security.cert.CRLException
        Creates an X509CRL from an ASN1Object.

        This constructor may be used for parsing an already existing X509CRL, supplied as ASN.1 object.

        Parameters:
        asn1CRL - the crl as ASN1Object
        Throws:
        java.security.cert.CRLException - if the format of the CRL is wrong
    • Method Detail

      • decode

        public void decode(ASN1Object crl)
                    throws CodingException
        Creates a CRL from an ASN1Object.

        The given ASN1Object represents an already existing X509CRL which may have been created by calling the toASN1Object method.

        Specified by:
        decode in interface ASN1Type
        Parameters:
        crl - the ASN1Object which contains the CRL
        Throws:
        CodingException - if there is a problem when parsing the CRL
      • isIndirectCRL

        public boolean isIndirectCRL()
        Return whether this CRL is an indirect CRL.
      • sign

        public void sign(java.security.PrivateKey privateKey)
                  throws java.security.cert.CRLException,
                         java.security.InvalidKeyException,
                         java.security.NoSuchAlgorithmException
        Signs the CRL with the private key of the issuer.
        Parameters:
        privateKey - the private key of the issuer
        Throws:
        java.security.cert.CRLException - if the CRL could not be created
        java.security.InvalidKeyException - if the private key is not valid
        java.security.NoSuchAlgorithmException - if the signature algorithm is not supported
      • sign

        public void sign(java.security.PrivateKey privateKey,
                java.lang.String providerName)
                  throws java.security.cert.CRLException,
                         java.security.InvalidKeyException,
                         java.security.NoSuchAlgorithmException
        Signs the CRL with the private key of the issuer.
        Parameters:
        privateKey - the private key of the issuer
        providerName - the name of the provider supplying the Signature engine to be used; if null, the first available provider that supports the signature algorithm will be used
        Throws:
        java.security.cert.CRLException - if the CRL could not be created
        java.security.InvalidKeyException - if the private key is not valid
        java.security.NoSuchAlgorithmException - if the signature algorithm is not supported
      • sign

        public void sign(java.security.PrivateKey privateKey,
                java.security.spec.AlgorithmParameterSpec signatureParams,
                java.lang.String providerName)
                  throws java.security.cert.CRLException,
                         java.security.InvalidKeyException,
                         java.security.NoSuchAlgorithmException,
                         java.security.InvalidAlgorithmParameterException
        Signs the CRL with the private key of the issuer.
        Parameters:
        privateKey - the private key of the issuer
        signatureParams - any signature parameters to be used (if not null) for initializing the Signature engine; if applicable, the parameters are also set for the signatureAlg AlgorithmID (if it does not contain any parameters yet)
        providerName - the name of the provider supplying the Signature engine to be used; if null, the first available provider that supports the signature algorithm will be used
        Throws:
        java.security.cert.CRLException - if the CRL could not be created
        java.security.InvalidKeyException - if the private key is not valid
        java.security.NoSuchAlgorithmException - if the signature algorithm is not supported
        java.security.InvalidAlgorithmParameterException - if an error occurs when trying to set the signature parameters
      • sign

        public void sign(java.security.PrivateKey privateKey,
                java.security.Provider provider)
                  throws java.security.cert.CRLException,
                         java.security.InvalidKeyException,
                         java.security.NoSuchAlgorithmException
        Signs the CRL with the private key of the issuer.
        This method uses a Signature engine from the given provider for signing the crl.
        If Provider-object-based JCA/JCE Signature engine instantiation is not available in the Java VM in use (< 1.4), this method tries to obtain an implementation based on the provider name (if the Provider is installed within the Security Provider framework), i.e. if method Signature.getInstance(algorithm, provider) is not available, Signature.getInstance(algorithm, provider.getName()) is tried.
        Parameters:
        privateKey - the private key of the issuer
        provider - the provider supplying the Signature engine to be used; if null, the first available provider that supports the signature algorithm will be used
        Throws:
        java.security.cert.CRLException - if the CRL could not be created
        java.security.InvalidKeyException - if the private key is not valid
        java.security.NoSuchAlgorithmException - if the signature algorithm is not supported
      • sign

        public void sign(java.security.PrivateKey privateKey,
                java.security.spec.AlgorithmParameterSpec signatureParams,
                java.security.Provider provider)
                  throws java.security.cert.CRLException,
                         java.security.InvalidKeyException,
                         java.security.NoSuchAlgorithmException,
                         java.security.InvalidAlgorithmParameterException
        Signs the CRL with the private key of the issuer.
        This method uses a Signature engine from the given provider for signing the crl.
        If Provider-object-based JCA/JCE Signature engine instantiation is not available in the Java VM in use (< 1.4), this method tries to obtain an implementation based on the provider name (if the Provider is installed within the Security Provider framework), i.e. if method Signature.getInstance(algorithm, provider) is not available, Signature.getInstance(algorithm, provider.getName()) is tried.
        Parameters:
        privateKey - the private key of the issuer
        signatureParams - any signature parameters to be used (if not null) for initializing the Signature engine; if applicable, the parameters are also set for the signatureAlg AlgorithmID (if it does not contain any parameters yet)
        provider - the provider supplying the Signature engine to be used; if null, the first available provider that supports the signature algorithm will be used
        Throws:
        java.security.cert.CRLException - if the CRL could not be created
        java.security.InvalidKeyException - if the private key is not valid
        java.security.NoSuchAlgorithmException - if the signature algorithm is not supported
        java.security.InvalidAlgorithmParameterException - if an error occurs when trying to set the signature parameters
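        The sign methods above are the last step of building a CRL from the empty default constructor. The following is an added example, not code from the IAIK documentation, that goes through the whole procedure: set issuer and update dates, add entries (via RevokedCertificate, with a ReasonCode entry extension), add a CRLNumber CRL extension (which promotes the CRL to version 2, as the default constructor documents), choose the signature algorithm, sign with sign(PrivateKey) and write the DER encoding. The issuer key pair is generated on the fly as a constructed stand-in for a CA key, and the output file name crl.der is a placeholder; the extension classes iaik.x509.extensions.CRLNumber and ReasonCode are assumed to be available as in the rest of the iaik.x509.extensions package.

```java
import java.io.FileOutputStream;
import java.io.OutputStream;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.Security;
import java.util.Calendar;
import java.util.Date;
import java.util.GregorianCalendar;

import iaik.asn1.ObjectID;
import iaik.asn1.structures.AlgorithmID;
import iaik.asn1.structures.Name;
import iaik.security.provider.IAIK;
import iaik.x509.RevokedCertificate;
import iaik.x509.X509CRL;
import iaik.x509.extensions.CRLNumber;
import iaik.x509.extensions.ReasonCode;

/** Added example (not IAIK code): build, sign and write a v2 CRL with IAIK-JCE. */
public class IssueCrlExample {

  /**
   * Builds a CRL for the given issuer covering the given serial numbers and signs it.
   * Validity window: thisUpdate = now, nextUpdate = now + validityDays. Adding the
   * CRLNumber extension makes this a v2 CRL automatically.
   */
  public static X509CRL buildCrl(Name issuer, PrivateKey issuerKey, BigInteger crlNumber,
                                 BigInteger[] revokedSerials, int validityDays) throws Exception {
    X509CRL crl = new X509CRL();            // empty CRL, version 1 until an extension is added
    crl.setIssuerDN(issuer);

    GregorianCalendar cal = (GregorianCalendar) Calendar.getInstance();
    crl.setThisUpdate(cal.getTime());
    cal.add(Calendar.DAY_OF_MONTH, validityDays);
    crl.setNextUpdate(cal.getTime());       // relying parties should treat the CRL as stale after this

    Date revocationDate = new Date();
    for (BigInteger serial : revokedSerials) {
      // entry identified by serial number only: this is a direct CRL (certificate issuer == CRL issuer)
      RevokedCertificate entry = new RevokedCertificate(serial, revocationDate);
      entry.addExtension(new ReasonCode(ReasonCode.keyCompromise));   // CRL entry extension
      crl.addCertificate(entry);
    }

    crl.addExtension(new CRLNumber(crlNumber));     // CRL extension; increase it for every new CRL
    crl.setSignatureAlgorithm(AlgorithmID.sha256WithRSAEncryption);
    crl.sign(issuerKey);                    // sign(PrivateKey): first provider supporting the algorithm
    return crl;
  }

  public static void main(String[] args) throws Exception {
    Security.addProvider(new IAIK());

    // constructed demo issuer: a fresh RSA key pair stands in for the CA's signing key
    KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "IAIK");
    kpg.initialize(2048);
    KeyPair issuerKeys = kpg.generateKeyPair();

    Name issuer = new Name();
    issuer.addRDN(ObjectID.country, "AT");
    issuer.addRDN(ObjectID.organization, "Example Org");
    issuer.addRDN(ObjectID.commonName, "Example Issuing CA");

    BigInteger[] revoked = { BigInteger.valueOf(1001), BigInteger.valueOf(1007) };
    X509CRL crl = buildCrl(issuer, issuerKeys.getPrivate(), BigInteger.valueOf(42), revoked, 7);

    // round trip: verify with the issuer's public key before publishing, then write DER
    crl.verify(issuerKeys.getPublic());
    System.out.println("version " + crl.getVersion() + ", " + crl.size() + " entries");
    System.out.println(crl.toString(true));
    try (OutputStream out = new FileOutputStream("crl.der")) {   // placeholder output path
      crl.writeTo(out);
    }
  }
}
```

        The verify call before writeTo is cheap insurance that the key used for signing matches the certificate the relying parties will use; a CRL signed with the wrong key is indistinguishable from a forged one on the consumer side.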
      • setSignature

        public void setSignature(byte[] signatureValue)
                          throws java.security.cert.CRLException
        Sets the signature value of this CRL.

        This method provides an alternative to method sign when it is required to set the signature value from outside (e.g. calculated by means of a smartcard):

         X509CRL crl = ...;
         ...
         // set issuer, revoked certificates, ...
         ...
         // set the signature algorithm to be used for signing
         crl.setSignatureAlgorithm(AlgorithmID.sha1WithRSAEncryption);
         // get the to-be-signed value
         byte[] tbs = crl.getTBSCertList();
         // now calculate the signature over the tbs cert list
         byte[] signatureValue = calculateSignature(tbs);
         // and set the signatureValue
         crl.setSignature(signatureValue);
         // encode the crl
         byte[] encodedCrl = crl.getEncoded();
         
        Parameters:
        signatureValue - the signature calculated outside
        Throws:
        java.security.cert.CRLException - if the CRL could not be created
      • verify

        public void verify(java.security.PublicKey key,
                  java.lang.String providerName)
                    throws java.security.cert.CRLException,
                           java.security.NoSuchAlgorithmException,
                           java.security.InvalidKeyException,
                           java.security.NoSuchProviderException,
                           java.security.SignatureException
        Uses the given public key to verify this CRL based on a signature algorithm supplied by the specified provider.
        Specified by:
        verify in class java.security.cert.X509CRL
        Parameters:
        key - the public key of the CRL issuer
        providerName - the name of the provider supplying the Signature engine to be used; if null, the first available provider that supports the signature algorithm will be used
        Throws:
        java.security.cert.CRLException - if an encoding error occurs
        java.security.NoSuchAlgorithmException - if there is no implementation for the algorithm used to sign this CRL
        java.security.InvalidKeyException - if the format of the public key is wrong
        java.security.NoSuchProviderException - if there is no default provider
        java.security.SignatureException - if the signature does not verify
      • verify

        public void verify(java.security.PublicKey key,
                  java.security.Provider provider)
                    throws java.security.cert.CRLException,
                           java.security.NoSuchAlgorithmException,
                           java.security.InvalidKeyException,
                           java.security.SignatureException
        Uses the given public key to verify this CRL based on a signature algorithm supplied by the given provider.

        This method uses a Signature engine from the given provider for verifying the crl.
        If Provider-object-based JCA/JCE Signature engine instantiation is not available in the Java VM in use (< 1.4), this method tries to obtain an implementation based on the provider name (if the Provider is installed within the Security Provider framework), i.e. if method Signature.getInstance(algorithm, provider) is not available, Signature.getInstance(algorithm, provider.getName()) is tried.

        Parameters:
        key - the public key of the CRL issuer
        provider - the provider supplying the Signature engine to be used; if null, the first available provider that supports the signature algorithm will be used
        Throws:
        java.security.cert.CRLException - if an encoding error occurs
        java.security.NoSuchAlgorithmException - if there is no implementation for the algorithm used to sign this CRL
        java.security.InvalidKeyException - if the format of the public key is wrong
        java.security.SignatureException - if the signature does not verify
      • verify

        public void verify(java.security.PublicKey key)
                    throws java.security.cert.CRLException,
                           java.security.NoSuchAlgorithmException,
                           java.security.InvalidKeyException,
                           java.security.NoSuchProviderException,
                           java.security.SignatureException
        Verifies a signed CRL using the given public key. This method only calls verify(PublicKey key, String sigProvider) setting the provider name to null for relying on the default provider signature architecture.
        Specified by:
        verify in class java.security.cert.X509CRL
        Parameters:
        key - the public key of the CRL issuer
        Throws:
        java.security.cert.CRLException - if an encoding error occurs
        java.security.NoSuchAlgorithmException - if there is no implementation for the algorithm used to sign this CRL
        java.security.InvalidKeyException - if the format of the public key is wrong
        java.security.NoSuchProviderException - if there is no default provider
        java.security.SignatureException - if the signature does not verify
      • isRevoked

        public boolean isRevoked(java.math.BigInteger serialNumber)
        Checks if the certificate identified by the given serial number is marked as revoked by this CRL.

        Note that the information returned by this method may only be appropriate for direct CRL entries (where the CRL issuer is equal to the certificate issuer). In general you should prefer isRevoked(Certificate), which is also able to handle indirect CRL entries properly.

        Parameters:
        serialNumber - the serial number of the certificate which is checked of being revoked
        Returns:
        true if the certificate identified by the given serial number is marked as revoked by this CRL, false if not
      • isRevoked

        public boolean isRevoked(java.security.cert.Certificate cert)
        Checks whether the given certificate is on this CRL.
        Specified by:
        isRevoked in class java.security.cert.CRL
        Parameters:
        cert - the certificate to check for; shall be an iaik.x509.X509Certificate (if not, an attempt is made to convert the given cert to an iaik.x509.X509Certificate)
        Returns:
        true if the given certificate is on this CRL, false otherwise
        Throws:
        java.lang.IllegalArgumentException - if the certificate is not an iaik.x509.X509Certificate and cannot be converted to an iaik.x509.X509Certificate
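        A revocation answer is only as good as the CRL it comes from, so the consumer side has to check the CRL before asking it anything. The following added example (not IAIK code) shows the order a relying party should use with this class: read the CRL with the X509CRL(InputStream) constructor, verify(PublicKey) with the issuer's key taken from a trusted issuer certificate, compare the CRL issuer with the certificate issuer, check that the current time lies within [thisUpdate, nextUpdate], and only then look the certificate up with containsCertificate(X509Certificate) (isRevoked(Certificate) would give the same answer as a boolean). The file names issuer.der, cert.der and crl.der are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Security;
import java.security.SignatureException;
import java.util.Date;

import iaik.security.provider.IAIK;
import iaik.x509.RevokedCertificate;
import iaik.x509.X509CRL;
import iaik.x509.X509Certificate;

/** Added example (not IAIK code): check a CRL before trusting its revocation answer. */
public class CheckRevocationExample {

  public enum Status { GOOD, REVOKED, CRL_STALE, CRL_UNTRUSTED }

  static X509CRL loadCrl(String path) throws Exception {
    try (InputStream in = new FileInputStream(path)) {   // DER or PEM, the constructor accepts both
      return new X509CRL(in);
    }
  }

  static X509Certificate loadCert(String path) throws Exception {
    try (InputStream in = new FileInputStream(path)) {
      return new X509Certificate(in);
    }
  }

  /**
   * Answers whether cert is revoked according to crl, but only after the CRL itself has
   * been checked: signature (verify), scope (issuer match) and freshness (update window).
   * Assumes a direct CRL; for an indirect CRL (crl.isIndirectCRL()) the issuer comparison
   * has to be replaced by issuing distribution point processing.
   */
  public static Status check(X509CRL crl, X509Certificate issuerCert, X509Certificate cert, Date now)
      throws Exception {
    // 1. integrity: a bad signature raises SignatureException; never fall through to GOOD
    try {
      crl.verify(issuerCert.getPublicKey());
    } catch (SignatureException e) {
      return Status.CRL_UNTRUSTED;
    }
    // 2. scope: a correctly signed CRL from another issuer says nothing about this certificate,
    //    and the key we verified with must belong to the CRL issuer, not just to some CA
    if (!crl.getIssuerDN().equals(cert.getIssuerDN())
        || !crl.getIssuerDN().equals(issuerCert.getSubjectDN())) {
      return Status.CRL_UNTRUSTED;
    }
    // 3. freshness: outside [thisUpdate, nextUpdate] the list may lack newer revocations
    //    (nextUpdate is optional in the CRL syntax, hence the null check)
    if (now.before(crl.getThisUpdate())
        || (crl.getNextUpdate() != null && now.after(crl.getNextUpdate()))) {
      return Status.CRL_STALE;
    }
    // 4. the actual lookup; containsCertificate returns the entry with date and entry extensions
    RevokedCertificate entry = crl.containsCertificate(cert);
    if (entry == null) {
      return Status.GOOD;
    }
    System.out.println("serial " + entry.getSerialNumber() + " revoked on " + entry.getRevocationDate());
    return Status.REVOKED;
  }

  public static void main(String[] args) throws Exception {
    Security.addProvider(new IAIK());
    // placeholder file names; the issuer certificate must come from a trust store, not from the CRL
    X509Certificate issuerCert = loadCert("issuer.der");
    X509Certificate cert = loadCert("cert.der");
    X509CRL crl = loadCrl("crl.der");
    System.out.println(check(crl, issuerCert, cert, new Date()));
  }
}
```

        CRL_STALE is deliberately distinct from GOOD: what a caller does with a stale CRL (fail closed, or fall back to a fresh download) is a policy decision, and collapsing it into GOOD would silently accept revoked certificates once the CRL publisher falls behind.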
      • containsCertificate

        public RevokedCertificate containsCertificate(X509Certificate cert)
        Checks, if the CRL contains the given certificate.

        The RevokedCertificate object returned by this method may represent an indirect CRL entry (certificate issuer != CRL issuer), which may (but need not) contain a CertificateIssuer extension. It will contain a CertificateIssuer extension if it is the first entry in the sequence of entries for this certificate issuer; it may or may not contain one if it is not the first entry in that sequence. However, the certificate issuer DN is already known when calling this method, so it is not necessary to include a CertificateIssuer extension in the returned RevokedCertificate.
        Remember the order of entries in an indirect CRL: it may start with direct entries, which refer to certificates issued directly by the CRL issuer. These entries must not contain a CertificateIssuer extension. Each sequence of entries that refer to certificates which have NOT been issued by the CRL issuer must start with a RevokedCertificate entry that contains a CertificateIssuer extension naming the certificate issuer. The following entries must not contain a CertificateIssuer extension as long as they refer to certificates issued by the same issuer, e.g.:

               1. direct entry
               2. direct entry
                  ...
              10. direct entry
              11. indirect entry (with CertificateIssuer extension for CertIssuer 1)
              12. indirect entry
              13. indirect entry
                  ...
              18. indirect entry
              19. indirect entry (with CertificateIssuer extension for CertIssuer 2)
              20. indirect entry
              21. indirect entry
                  ...
              24. indirect entry
              25. indirect entry (with CertificateIssuer extension for CertIssuer 3)
              26. indirect entry
              27. indirect entry
                  ...
              34. indirect entry
         
        Entries 1 to 10 of this example CRL are direct entries that refer to certificates issued by the CRL issuer. Entries 11 to 18 are indirect entries, all referring to certificates issued by CertIssuer 1. Entries 19 to 24 refer to certificates issued by CertIssuer 2, entries 25 to 34 refer to certificates issued by CertIssuer 3. Only the first entry (11, 19, 25) for each certificate issuer must contain the CertificateIssuer extension; any following entry belongs to the same certificate issuer as the preceding entry.
        Parameters:
        cert - the certificate to check
        Returns:
        null if the CRL doesn't contain the certificate, the RevokedCertificate from the CRL otherwise
      • containsCertificate

        public RevokedCertificate containsCertificate(java.security.Principal issuerDN,
                                             java.math.BigInteger serialNumber)
        Checks, if the CRL contains the given certificate, identified by issuer and serial number.

        The RevokedCertificate object returned by this method may represent an indirect CRL entry (certificate issuer != CRL issuer), which may (but need not) contain a CertificateIssuer extension. It will contain a CertificateIssuer extension if it is the first entry in the sequence of entries for this certificate issuer; it may or may not contain one if it is not the first entry in that sequence. However, the certificate issuer DN is already known when calling this method, so it is not necessary to include a CertificateIssuer extension in the returned RevokedCertificate.
        Remember the order of entries in an indirect CRL: it may start with direct entries, which refer to certificates issued directly by the CRL issuer. These entries must not contain a CertificateIssuer extension. Each sequence of entries that refer to certificates which have NOT been issued by the CRL issuer must start with a RevokedCertificate entry that contains a CertificateIssuer extension naming the certificate issuer. The following entries must not contain a CertificateIssuer extension as long as they refer to certificates issued by the same issuer, e.g.:

               1. direct entry
               2. direct entry
                  ...
              10. direct entry
              11. indirect entry (with CertificateIssuer extension for CertIssuer 1)
              12. indirect entry
              13. indirect entry
                  ...
              18. indirect entry
              19. indirect entry (with CertificateIssuer extension for CertIssuer 2)
              20. indirect entry
              21. indirect entry
                  ...
              24. indirect entry
              25. indirect entry (with CertificateIssuer extension for CertIssuer 3)
              26. indirect entry
              27. indirect entry
                  ...
              34. indirect entry
         
        Entries 1 to 10 of this example CRL are direct entries that refer to certificates issued by the CRL issuer. Entries 11 to 18 are indirect entries, all referring to certificates issued by CertIssuer 1. Entries 19 to 24 refer to certificates issued by CertIssuer 2, entries 25 to 34 refer to certificates issued by CertIssuer 3. Only the first entry (11, 19, 25) for each certificate issuer must contain the CertificateIssuer extension; any following entry belongs to the same certificate issuer as the preceding entry.
        Parameters:
        issuerDN - the certificate issuer; shall be an iaik.asn1.structures.Name (if not, an attempt is made to convert the issuerDN to an iaik.asn1.structures.Name object)
        serialNumber - the certificate serial number
        Returns:
        null if the CRL doesn't contain the referenced certificate, the RevokedCertificate from the CRL otherwise
        Throws:
        java.lang.IllegalArgumentException - if the issuerDN cannot be converted to an iaik.asn1.structures.Name object
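        The entry ordering described for both containsCertificate variants above is what makes an indirect CRL interpretable: the certificate issuer of an entry is the CRL issuer until the first CertificateIssuer extension appears, and from then on the issuer named by the most recent such extension. The following added example (not IAIK code) implements exactly that walk over listCertificates(), grouping serial numbers by their resolved certificate issuer, and then answers the same question containsCertificate(Principal, BigInteger) answers from that grouping. It assumes the iaik.x509.extensions.CertificateIssuer class exposes its static oid field and a getGeneralNames() accessor, and that iaik.asn1.structures.GeneralNames/GeneralName offer getNames(), getType(), getName() and the directoryName type constant; those names should be checked against the extension documentation. The input file indirect-crl.der is a placeholder.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.math.BigInteger;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import iaik.asn1.structures.GeneralName;
import iaik.asn1.structures.GeneralNames;
import iaik.asn1.structures.Name;
import iaik.x509.RevokedCertificate;
import iaik.x509.X509CRL;
import iaik.x509.extensions.CertificateIssuer;

/** Added example (not IAIK code): resolve the certificate issuer of every entry of an indirect CRL. */
public class IndirectCrlWalker {

  /**
   * Walks the entries in CRL order and assigns each one its certificate issuer: the CRL
   * issuer until the first CertificateIssuer extension appears, afterwards the issuer named
   * by the most recent CertificateIssuer extension (which therefore must carry over to the
   * following entries that omit the extension).
   */
  public static Map<Principal, List<BigInteger>> groupByIssuer(X509CRL crl) throws Exception {
    Map<Principal, List<BigInteger>> byIssuer = new LinkedHashMap<>();
    Principal current = crl.getIssuerDN();    // leading entries without the extension are direct entries
    Enumeration entries = crl.listCertificates();
    while (entries.hasMoreElements()) {
      RevokedCertificate entry = (RevokedCertificate) entries.nextElement();
      CertificateIssuer ci = (CertificateIssuer) entry.getExtension(CertificateIssuer.oid);
      if (ci != null) {
        Principal named = directoryName(ci.getGeneralNames());
        if (named == null) {
          // refuse to guess: an unresolvable issuer would silently attach entries to the wrong CA
          throw new IllegalStateException("CertificateIssuer extension without a directoryName");
        }
        current = named;                      // this and the following entries belong to 'named'
      }
      byIssuer.computeIfAbsent(current, k -> new ArrayList<>()).add(entry.getSerialNumber());
    }
    return byIssuer;
  }

  /** Picks the directoryName choice out of the extension's GeneralNames, or null if there is none. */
  static Name directoryName(GeneralNames names) {
    Enumeration e = names.getNames();
    while (e.hasMoreElements()) {
      GeneralName gn = (GeneralName) e.nextElement();
      if (gn.getType() == GeneralName.directoryName) {
        return (Name) gn.getName();
      }
    }
    return null;
  }

  /** The question containsCertificate(Principal, BigInteger) answers, expressed over the grouping. */
  public static boolean isRevokedBy(X509CRL crl, Principal certIssuer, BigInteger serial) throws Exception {
    List<BigInteger> serials = groupByIssuer(crl).get(certIssuer);
    return serials != null && serials.contains(serial);
  }

  public static void main(String[] args) throws Exception {
    X509CRL crl;
    try (InputStream in = new FileInputStream("indirect-crl.der")) {   // placeholder input path
      crl = new X509CRL(in);
    }
    System.out.println("indirect CRL: " + crl.isIndirectCRL());
    for (Map.Entry<Principal, List<BigInteger>> group : groupByIssuer(crl).entrySet()) {
      System.out.println(group.getKey() + " -> " + group.getValue().size() + " revoked serial(s)");
    }
  }
}
```

        The grouping also makes the caveat on the serial-number-only variant concrete: two different certificate issuers in one indirect CRL may legitimately have revoked certificates with the same serial number, so a lookup without the issuer can match the wrong entry or report revocation for a certificate that was never on the list.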
      • containsCertificate

        public RevokedCertificate containsCertificate(java.math.BigInteger serialNumber)
        Checks, if the CRL contains a certificate with the given serial number.

        Note that the information returned by this method may only be appropriate for direct CRL entries (where the CRL issuer is equal to the certificate issuer). In general you should prefer one of the containsCertificate variants that also take the issuer (containsCertificate(X509Certificate) or containsCertificate(Principal, BigInteger)), because they are also able to handle indirect CRL entries properly.

        Parameters:
        serialNumber - the serial number of the certificate
        Returns:
        null if the CRL doesn't contain a certificate with this serial number, the RevokedCertificate from the CRL otherwise
      • toASN1Object

        public ASN1Object toASN1Object()
        Returns the CRL as an ASN1Object.
        Specified by:
        toASN1Object in interface ASN1Type
        Returns:
        the CRL as ASN1Object
      • toByteArray

        public byte[] toByteArray()
        Returns the CRL as a DER encoded ASN.1 data structure.
        Returns:
        the CRL as DER array
      • writeTo

        public void writeTo(java.io.OutputStream os)
                     throws java.io.IOException
        Writes the CRL DER encoded to the given output stream.
        Parameters:
        os - the output stream to which this CRL shall be written
        Throws:
        java.io.IOException - if an I/O error occurs
      • addCertificate

        public void addCertificate(X509Certificate cert,
                          java.util.Date revocationDate)
        Adds a certificate to the CRL to be revoked on the given date. For instance, add a certificate (read in from a file) to be revoked at the current date:

         GregorianCalendar date = (GregorianCalendar) Calendar.getInstance();
         InputStream fis = new FileInputStream("cert.der");
         X509Certificate cert = new X509Certificate(fis);
         fis.close();
         crl.addCertificate(cert, date.getTime());
         

        Parameters:
        cert - the X509Certificate which should be revoked
        revocationDate - the revocation date
      • addCertificate

        public void addCertificate(RevokedCertificate revokedCert)
        Adds a revoked certificate to the CRL. In contrast to addCertificate(X509Certificate cert, Date revocationDate), which adds an X509Certificate, this method adds a RevokedCertificate that already includes its revocation date, for instance:

         GregorianCalendar date = (GregorianCalendar) Calendar.getInstance();
         InputStream fis = new FileInputStream("cert.der");
         X509Certificate cert = new X509Certificate(fis);
         fis.close();
         RevokedCertificate rev_cert = new RevokedCertificate(cert, date.getTime());
         crl.addCertificate(rev_cert);
         

        Parameters:
        revokedCert - the RevokedCertificate to add to this CRL
        See Also:
        RevokedCertificate
      • listCertificates

        public java.util.Enumeration listCertificates()
        Returns an enumeration of the revoked certificates this CRL contains.

        The RevokedCertificate objects returned by this method may represent direct (certificate issuer == CRL issuer) or indirect CRL entries (certificate issuer != CRL issuer). Indirect entries may (but need not) contain a CertificateIssuer extension. A RevokedCertificate that represents an indirect entry contains a CertificateIssuer extension if it is the first entry in the sequence of entries for this certificate issuer; it may or may not contain one if it is not the first entry of that sequence.
        In this way the enumeration returned by this method reflects the order of entries in a (direct or indirect) CRL: it may start with direct entries, which refer to certificates issued directly by the CRL issuer; these entries must not contain a CertificateIssuer extension. Each sequence of entries referring to certificates that have NOT been issued by the CRL issuer must start with a RevokedCertificate entry containing a CertificateIssuer extension with the name of the certificate issuer; the following entries must not contain a CertificateIssuer extension as long as they have been issued by the same issuer, e.g.:

               1. direct entry
               2. direct entry
                  ...
              10. direct entry
              11. indirect entry (with CertificateIssuer extension for CertIssuer 1)
              12. indirect entry
              13. indirect entry
                  ...
              18. indirect entry
              19. indirect entry (with CertificateIssuer extension for CertIssuer 2)
              20. indirect entry
              21. indirect entry
                  ...
              24. indirect entry
              25. indirect entry (with CertificateIssuer extension for CertIssuer 3)
              26. indirect entry
              27. indirect entry
                  ...
              34. indirect entry
         
        Entries 1 to 10 of this example CRL are direct entries that refer to certificates issued by the CRL issuer. Entries 11 to 18 are indirect entries, all referring to certificates issued by CertIssuer1. Entries 19 to 24 refer to certificates issued by CertIssuer2, and entries 25 to 34 refer to certificates issued by CertIssuer3. Only the first entry (11, 19, 25) for each certificate issuer must contain the CertificateIssuer extension; any following entry belongs to the same certificate issuer as the preceding entry.
        Returns:
        an enumeration of the revoked certificates
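As an added example (not part of the IAIK documentation or library), the following walk over listCertificates() applies the ordering rule above to attach the responsible certificate issuer to every entry. It relies only on listCertificates() and on the java.security.cert.X509CRLEntry methods every RevokedCertificate inherits; the CertificateIssuer extension (OID 2.5.29.29) is decoded by hand, and "crl.der" is a placeholder for any CRL file.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.math.BigInteger;
import java.security.cert.X509CRLEntry;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.security.auth.x500.X500Principal;
import iaik.x509.X509CRL;

/** Added example (not IAIK code): resolves the certificate issuer of every entry
 *  returned by listCertificates(), following the direct/indirect ordering rule. */
public class IndirectCrlWalk {

    /** OID of the CertificateIssuer CRL entry extension (id-ce-certificateIssuer). */
    static final String CERT_ISSUER_OID = "2.5.29.29";

    /** Minimal DER reader: returns {tag, contentOffset, contentLength} of the element at off. */
    static int[] tlv(byte[] b, int off) {
        int tag = b[off] & 0xFF;
        int first = b[off + 1] & 0xFF;
        int pos = off + 2;
        int len = first;
        if (first == 0x80) throw new IllegalArgumentException("indefinite length is not DER");
        if (first > 0x80) {                  // long form: low 7 bits give the number of length octets
            len = 0;
            for (int i = 0; i < (first & 0x7F); i++) len = (len << 8) | (b[pos++] & 0xFF);
        }
        return new int[] { tag, pos, len };
    }

    /** Returns the directoryName carried by the entry's CertificateIssuer extension,
     *  or null if the entry has no such extension (i.e. it continues the previous issuer). */
    static X500Principal certificateIssuerOf(X509CRLEntry entry) {
        byte[] wrapped = entry.getExtensionValue(CERT_ISSUER_OID);   // DER of the extnValue OCTET STRING
        if (wrapped == null) return null;
        int[] octet = tlv(wrapped, 0);                                // 04 len <GeneralNames>
        int[] names = tlv(wrapped, octet[1]);                         // 30 len <GeneralName>*
        int pos = names[1], end = names[1] + names[2];
        while (pos < end) {
            int[] gn = tlv(wrapped, pos);
            if (gn[0] == 0xA4) {                                      // [4] EXPLICIT directoryName: content is a Name
                return new X500Principal(Arrays.copyOfRange(wrapped, gn[1], gn[1] + gn[2]));
            }
            pos = gn[1] + gn[2];
        }
        throw new IllegalArgumentException("CertificateIssuer extension without a directoryName");
    }

    /** Maps each entry, in CRL order, to the issuer of the certificate it revokes. */
    public static Map<X509CRLEntry, X500Principal> resolveIssuers(X509CRL crl) {
        Map<X509CRLEntry, X500Principal> resolved = new LinkedHashMap<>();
        // Entries before the first CertificateIssuer extension are direct entries.
        X500Principal current = crl.getIssuerX500Principal();
        Enumeration<?> entries = crl.listCertificates();
        while (entries.hasMoreElements()) {
            X509CRLEntry entry = (X509CRLEntry) entries.nextElement();
            X500Principal named = certificateIssuerOf(entry);
            if (named != null) current = named;                       // first entry of a new issuer's run
            resolved.put(entry, current);
        }
        return resolved;
    }

    /** Issuer-aware lookup: in an indirect CRL a serial number alone is ambiguous. */
    public static X509CRLEntry find(Map<X509CRLEntry, X500Principal> resolved,
                                    X500Principal issuer, BigInteger serial) {
        for (Map.Entry<X509CRLEntry, X500Principal> e : resolved.entrySet()) {
            if (e.getValue().equals(issuer) && e.getKey().getSerialNumber().equals(serial)) return e.getKey();
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // "crl.der" is a placeholder; the constructor accepts DER or PEM encoded CRLs.
        try (InputStream in = new FileInputStream(args.length > 0 ? args[0] : "crl.der")) {
            X509CRL crl = new X509CRL(in);
            for (Map.Entry<X509CRLEntry, X500Principal> e : resolveIssuers(crl).entrySet()) {
                System.out.println(e.getKey().getSerialNumber().toString(16) + " issued by "
                        + e.getValue().getName() + ", revoked " + e.getKey().getRevocationDate());
            }
        }
    }
}
```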
      • removeCertificate

        public boolean removeCertificate(X509Certificate cert)
        Removes the certificate from the CRL.
        Returns:
        true if the certificate has been removed successfully, false otherwise
      • removeCertificate

        public boolean removeCertificate(java.math.BigInteger serialNumber)
        Removes the certificate with the given serial number from the CRL. For instance:

        crl.removeCertificate(cert.getSerialNumber());

        Parameters:
        serialNumber - the serial number of the certificate which should be removed
        Returns:
        true if the certificate has been removed successfully, false otherwise
      • removeCertificate

        public boolean removeCertificate(java.security.Principal certIssuer,
                                java.math.BigInteger serialNumber)
        Removes a certificate, identified by its issuer DN and its serial number, from the CRL.
        Parameters:
        certIssuer - the issuer DN of the certificate; shall be an iaik.asn1.structures.Name; if not, an attempt is made to convert the certIssuer to an iaik.asn1.structures.Name object
        serialNumber - the certificate serial number
        Returns:
        true if the certificate has been removed successfully, false otherwise
        Throws:
        java.lang.IllegalArgumentException - if the certIssuer cannot be converted to an iaik.asn1.structures.Name object
      • removeAllCertificates

        public void removeAllCertificates()
        Removes all certificates from the CRL.
      • size

        public int size()
        Gets the size (number of entries) of this CRL.
        Returns:
        the number of revocation entries
      • setSignatureAlgorithm

        public void setSignatureAlgorithm(AlgorithmID signatureAlg)
        Sets the signature algorithm for signing this CRL. The signature algorithm is specified by its AlgorithmID. For instance:

         crl.setSignatureAlgorithm(AlgorithmID.sha1WithRSAEncryption);
         

        Parameters:
        signatureAlg - the AlgorithmID of the signature algorithm to be used for signing
        See Also:
        AlgorithmID
      • setSignatureAlgorithm

        public void setSignatureAlgorithm(ObjectID signatureAlg)
        Deprecated. Use setSignatureAlgorithm(AlgorithmID) instead.
      • setIssuerDN

        public void setIssuerDN(java.security.Principal issuer)
                         throws java.lang.IllegalArgumentException
        Sets the issuer of this CRL. The issuer is the identity which signs the CRL. It is specified by its X.500 distinguished name. For instance:

         Name issuer = new Name();
         issuer.addRDN(ObjectID.country, "AT");
         issuer.addRDN(ObjectID.organization, "TU Graz");
         issuer.addRDN(ObjectID.organizationalUnit, "IAIK");
         issuer.addRDN(ObjectID.commonName, "IAIK Test CA");
         crl.setIssuerDN(issuer);
         

        Parameters:
        issuer - the distinguished name of the issuer of the CRL; shall be an iaik.asn1.structures.Name; if not, an attempt is made to convert the issuer to an iaik.asn1.structures.Name object
        Throws:
        java.lang.IllegalArgumentException - if the issuer is not an instance of Name and cannot be converted to a Name
        See Also:
        getIssuerDN()
      • setThisUpdate

        public void setThisUpdate(java.util.Date thisUpdate)
        Sets the date of thisUpdate. The thisUpdate time value specifies the date on which the CRL has been issued.

        For instance, set ThisUpdate to the current date by writing:

         GregorianCalendar date = (GregorianCalendar) Calendar.getInstance();
         crl.setThisUpdate(date.getTime());
         

        The X.509 Certificate and CRL Profile specified in RFC 3280 recommends that thisUpdate dates through the year 2049 be encoded as UTCTime, and thisUpdate dates in 2050 or later as GeneralizedTime.

        Parameters:
        thisUpdate - the date when this CRL has been issued
        See Also:
        getThisUpdate()
      • setNextUpdate

        public void setNextUpdate(java.util.Date nextUpdate)
        Sets the date of nextUpdate. The nextUpdate time value specifies the date on which the next CRL will be issued.

        If the next update will be done, for instance, next month, you may write:

         GregorianCalendar date = (GregorianCalendar) Calendar.getInstance();
         date.add(Calendar.MONTH, 1);
         crl.setNextUpdate(date.getTime());
         

        The X.509 Certificate and CRL Profile specified in RFC 3280 recommends that nextUpdate dates through the year 2049 be encoded as UTCTime, and nextUpdate dates in 2050 or later as GeneralizedTime.

        Parameters:
        nextUpdate - when the next CRL will be created
        See Also:
        getNextUpdate()
      • getEncoded

        public byte[] getEncoded()
                          throws java.security.cert.CRLException
        Returns this CRL as DER encoded ASN.1 data structure.
        Specified by:
        getEncoded in class java.security.cert.X509CRL
        Returns:
        a byte array representing this CRL as DER encoded ASN.1 data structure
        Throws:
        java.security.cert.CRLException - if an encoding error occurs
      • getVersion

        public int getVersion()
        Returns the version number of this CRL as int. The version number may specify a v1 or v2 CRL.

        ASN.1 definition:

         Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
                   -- v3 only appears for consistency reasons
         
        Specified by:
        getVersion in class java.security.cert.X509CRL
        Returns:
        version number of this CRL, as int
      • getSignatureAlgorithm

        public AlgorithmID getSignatureAlgorithm()
        Returns the signature algorithm of this CRL.
        Returns:
        the AlgorithmID of the signature algorithm used to sign this CRL
        See Also:
        AlgorithmID
      • getIssuerDN

        public java.security.Principal getIssuerDN()
        Returns the Distinguished Name of the issuer of this CRL, as Principal. A Distinguished Name is used to specify a path within an X.500 directory information tree. A distinguished name is defined as a sequence of relative distinguished names:

         Name ::= CHOICE { RDNSequence }
         RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
         
         RelativeDistinguishedName ::= SET OF AttributeTypeAndValue
         
         AttributeTypeAndValue ::= SEQUENCE {
            type     AttributeType,
            value    AttributeValue }
         
         AttributeType ::= OBJECT IDENTIFIER
         AttributeValue ::= ANY
         

        CAs conforming to RFC 3280 must only issue CRLs with a non-empty distinguished name (DN) in their issuer field. Additional identities of the issuer may be included in the IssuerAltName extension.

        Specified by:
        getIssuerDN in class java.security.cert.X509CRL
        Returns:
        the distinguished name of the issuer of the CRL, as Principal (iaik.asn1.structures.Name)
        See Also:
        setIssuerDN(java.security.Principal)
      • getIssuerDNs

        public java.util.Enumeration getIssuerDNs()
        Returns the names of all issuers of this CRL. This is the CRL issuer plus, in the case of an indirect CRL, all issuers of the revoked certificates.
        Returns:
        the issuers of all crl entries
      • getThisUpdate

        public java.util.Date getThisUpdate()
        Returns the date of thisUpdate. The thisUpdate time value specifies the date on which the CRL has been issued.

        ASN.1 definition:

         thisUpdate    Time
         
         Time ::= CHOICE {
           utcTime        UTCTime,
           generalTime    GeneralizedTime }
         
         

        The X.509 Certificate and CRL Profile specified in RFC 3280 recommends that thisUpdate dates through the year 2049 be encoded as UTCTime, and thisUpdate dates in 2050 or later as GeneralizedTime.

        Specified by:
        getThisUpdate in class java.security.cert.X509CRL
        Returns:
        the date when this CRL has been issued
        See Also:
        setThisUpdate(java.util.Date)
      • getNextUpdate

        public java.util.Date getNextUpdate()
        Returns the date of nextUpdate. The nextUpdate time value specifies the date on which the next CRL will be issued.

        ASN.1 definition:

         nextUpdate    Time OPTIONAL
         
         Time ::= CHOICE {
           utcTime        UTCTime,
           generalTime    GeneralizedTime }
         
         

        The PKIX CRL (RFC 3280) profile requires the inclusion of the nextUpdate field in CRLs issued by conforming CAs, although it is marked as OPTIONAL in the ASN.1 definition above.

        The X.509 Certificate and CRL Profile specified in RFC 3280 recommends that nextUpdate dates through the year 2049 be encoded as UTCTime, and nextUpdate dates in 2050 or later as GeneralizedTime.

        Specified by:
        getNextUpdate in class java.security.cert.X509CRL
        Returns:
        the date when the next CRL will be issued
        See Also:
        setNextUpdate(java.util.Date)
      • getRevokedCertificate

        public java.security.cert.X509CRLEntry getRevokedCertificate(java.math.BigInteger serialNumber)
        Searches the CRL for the specified serial number and returns the appertaining revoked certificate, if included into this CRL.

        Note that the information returned by this method may only be appropriate for direct CRL entries (where the CRL issuer is equal to the certificate issuer). In general, prefer the containsCertificate(X509Certificate) or containsCertificate(Principal, BigInteger) overloads, because they also handle indirect CRL entries properly.

        Specified by:
        getRevokedCertificate in class java.security.cert.X509CRL
        Parameters:
        serialNumber - the serial number to be searched for
        Returns:
        the RevokedCertificate belonging to the given serial number, if included into this CRL; null otherwise
      • getRevokedCertificate

        public java.security.cert.X509CRLEntry getRevokedCertificate(java.security.cert.X509Certificate certificate)
        Checks if the CRL contains the given certificate.

        The RevokedCertificate object returned by this method may represent an indirect CRL entry (certificate issuer != CRL issuer), which may (but need not) contain a CertificateIssuer extension. It contains a CertificateIssuer extension if it is the first entry in the sequence of entries for this certificate issuer; it may or may not contain one if it is not the first entry of that sequence. However, the certificate issuer DN is already known when calling this method, so a CertificateIssuer extension in the returned RevokedCertificate is not needed.
        Remember the order of entries in an indirect CRL: it may start with direct entries, which refer to certificates issued directly by the CRL issuer; these entries must not contain a CertificateIssuer extension. Each sequence of entries referring to certificates that have NOT been issued by the CRL issuer must start with a RevokedCertificate entry containing a CertificateIssuer extension with the name of the certificate issuer; the following entries must not contain a CertificateIssuer extension as long as they have been issued by the same issuer, e.g.:

               1. direct entry
               2. direct entry
                  ...
              10. direct entry
              11. indirect entry (with CertificateIssuer extension for CertIssuer 1)
              12. indirect entry
              13. indirect entry
                  ...
              18. indirect entry
              19. indirect entry (with CertificateIssuer extension for CertIssuer 2)
              20. indirect entry
              21. indirect entry
                  ...
              24. indirect entry
              25. indirect entry (with CertificateIssuer extension for CertIssuer 3)
              26. indirect entry
              27. indirect entry
                  ...
              34. indirect entry
         
        Entries 1 to 10 of this example CRL are direct entries that refer to certificates issued by the CRL issuer. Entries 11 to 18 are indirect entries, all referring to certificates issued by CertIssuer1. Entries 19 to 24 refer to certificates issued by CertIssuer2, and entries 25 to 34 refer to certificates issued by CertIssuer3. Only the first entry (11, 19, 25) for each certificate issuer must contain the CertificateIssuer extension; any following entry belongs to the same certificate issuer as the preceding entry.
        Overrides:
        getRevokedCertificate in class java.security.cert.X509CRL
        Parameters:
        cert - the certificate to check; shall be an iaik.x509.X509Certificate; if not, an attempt is made to convert the certificate to an iaik.x509.X509Certificate object
        Returns:
        null if the CRL doesn't contain the certificate, the RevokedCertificate from the CRL otherwise
        Throws:
        java.lang.IllegalArgumentException - if the certificate cannot be converted to an iaik.x509.X509Certificate object
      • getRevokedCertificates

        public java.util.Set getRevokedCertificates()
        Returns a set containing all the revoked certificates included in this CRL.

        Unlike method listCertificates which returns an Enumeration of revocation entries, this method returns a Set and therefore may not reflect the order of revoked certificates. For that reason each RevokedCertificate object that represents an indirect crl entry must contain a CertificateIssuer extension with the name of the responsible certificate issuer. Thus calling this method is more expensive than calling method listCertificates.

        Specified by:
        getRevokedCertificates in class java.security.cert.X509CRL
        Returns:
        a Set of RevokedCertificate objects representing the certificates revoked by this CRL, or null if there are no certificates revoked by this CRL
      • getTBSCertList

        public byte[] getTBSCertList()
                              throws java.security.cert.CRLException
        Returns the TBSCertList inherent to this CRL as DER encoded ASN.1 structure. The TBSCertList specifies the (distinguished) name of the issuer, the issue date of the CRL, the date when the next CRL will be issued, and optionally lists of revoked certificates (identified by their serial numbers) and CRL extensions. The list of revoked certificates is classified as being optional, since a CA may not have revoked any issued certificate when publishing a CRL:

         TBSCertList  ::=  SEQUENCE  {
           version                 Version OPTIONAL,
                                        -- if present, must be v2
           signature               AlgorithmIdentifier,
           issuer                  Name,
           thisUpdate              Time,
           nextUpdate              Time OPTIONAL,
           revokedCertificates     SEQUENCE OF SEQUENCE  {
              userCertificate         CertificateSerialNumber,
              revocationDate          Time,
              crlEntryExtensions      Extensions OPTIONAL
                                             -- if present, must be v2
           }  OPTIONAL,
           crlExtensions           [0]  EXPLICIT Extensions OPTIONAL
                                             -- if present, must be v2
         }
         

        where:

         Version  ::=  INTEGER  {  v1(0), v2(1), v3(2) }
                   -- v3 does not apply to CRLs but appears for consistency
                   -- with definition of Version for certs
         
         AlgorithmIdentifier  ::=  SEQUENCE  {
            algorithm               OBJECT IDENTIFIER,
            parameters              ANY DEFINED BY algorithm OPTIONAL  }
                                       -- contains a value of the type
                                       -- registered for use with the
                                       -- algorithm object identifier value
         
         Name ::= CHOICE { RDNSequence }
         RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
         RelativeDistinguishedName ::= SET OF AttributeTypeAndValue
         
         AttributeTypeAndValue ::= SEQUENCE {
            type     AttributeType,
            value    AttributeValue }
         
         AttributeType ::= OBJECT IDENTIFIER
         AttributeValue ::= ANY -- Directory string type --
         
         DirectoryString ::= CHOICE {
            teletexString      TeletexString (SIZE (1..maxSize)),
            printableString    PrintableString (SIZE (1..maxSize)),
            universalString    UniversalString (SIZE (1..maxSize)),
            bmpString          BMPString (SIZE (1..maxSize)) }
         
         Time ::= CHOICE {
            utcTime        UTCTime,
            generalTime    GeneralizedTime }
         
         CertificateSerialNumber ::= INTEGER
         
         Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
         
         Extension ::= SEQUENCE {
            extnID      OBJECT IDENTIFIER,
            critical    BOOLEAN DEFAULT FALSE,
            extnValue   OCTET STRING }
         

        The CRL issuing CA computes the digital signature upon the ASN.1 DER encoded TBSCertList structure.

        Specified by:
        getTBSCertList in class java.security.cert.X509CRL
        Returns:
        a byte array representing the DER encoded ASN.1 TBSCertList structure inherent to this CRL
        Throws:
        java.security.cert.CRLException - if an error occurs when parsing the CRL
      • getSignature

        public byte[] getSignature()
        Returns the signature of this CRL. The signature is defined as an ASN.1 BIT STRING structure. This method returns the inherent signature value as byte array.
        Specified by:
        getSignature in class java.security.cert.X509CRL
        Returns:
        the signature value as byte array
      • getSigAlgName

        public java.lang.String getSigAlgName()
        Returns the (JCA standard) name of the signature algorithm used by the issuer for signing this CRL.

        For the RSA-PSS signature algorithm the JCA standard name is derived from the algorithm id parameters. Since there is only one AlgorithmID specified for RSA-PSS, hash algorithm and mask generation function are given by the algorithm id parameters. The JCA uses the <digest>with<RSA>and<mgf> naming scheme for RSA-PSS, where <digest> and <mgf> are taken from the algorithm id parameters. Thus the JCA standard name for, e.g., an RSA-PSS algorithm id using SHA-256 as hash algorithm and MGF1 as mask generation function is "SHA256withRSAandMGF1". If the parameters cannot be parsed, "RSASSA-PSS" is returned as the (general) signature algorithm name.

        Specified by:
        getSigAlgName in class java.security.cert.X509CRL
        Returns:
        the name of the signature algorithm
      • getSigAlgOID

        public java.lang.String getSigAlgOID()
        Returns the OID of the signature algorithm used by the issuer for signing this CRL. An object identifier consists of a sequence of integer components and is used for identifying, e.g., the signature algorithm used for this CRL. This method returns the OID in String representation, e.g. "1.2.840.113549.1.1.5".
        Specified by:
        getSigAlgOID in class java.security.cert.X509CRL
        Returns:
        the OID of the signature algorithm as String representation
        See Also:
        ObjectID, AlgorithmID
      • getSigAlgParams

        public byte[] getSigAlgParams()
        Returns the algorithm parameters associated with the signature algorithm used by the issuer for signing this CRL. The parameters are returned as DER encoded ASN.1 data structure.
        Specified by:
        getSigAlgParams in class java.security.cert.X509CRL
        Returns:
        the signature algorithm parameters as DER encoded ASN.1 data structure, or null if there are no parameters used
      • getCriticalExtensionOIDs

        public java.util.Set getCriticalExtensionOIDs()
        Returns a Set of the OID strings identifying the extension(s) that are marked CRITICAL in this CRL. Extensions can be marked as being critical. If the CRL handling software cannot parse such an extension, the CRL has to be rejected. Non-critical extensions may be ignored if they cannot be handled (i.e. if their status is unknown).
        Specified by:
        getCriticalExtensionOIDs in interface java.security.cert.X509Extension
        Returns:
        a Set (or an empty Set if none are marked critical) of the extension OID strings for extensions that are marked critical. If there are no extensions present at all, then this method returns null
        See Also:
        getNonCriticalExtensionOIDs()
      • getNonCriticalExtensionOIDs

        public java.util.Set getNonCriticalExtensionOIDs()
        Returns a Set of the OID strings for the extension(s) marked NON-CRITICAL in this CRL.
        Specified by:
        getNonCriticalExtensionOIDs in interface java.security.cert.X509Extension
        Returns:
        a Set (or an empty Set if none are marked non-critical) of the extension OID strings for extensions that are marked non-critical. If there are no extensions present at all, then this method returns null.
        See Also:
        getCriticalExtensionOIDs()
      • getExtensionValue

        public byte[] getExtensionValue(java.lang.String oid)
        Returns a byte array representing the DER encoding of the extnValue OCTET STRING field of the extension identified by the given OID string.

        The OID string is represented by a set of non-negative integers separated by periods, e.g. "2.5.29.15" for the KeyUsage extension.

        In ASN.1, the Extensions field is defined as a SEQUENCE of Extension:

         Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension
         
         Extension  ::=  SEQUENCE  {
           extnID      OBJECT IDENTIFIER,
           critical    BOOLEAN DEFAULT FALSE,
           extnValue   OCTET STRING  }
         

        where critical specifies whether an extension has to be treated as being critical or not; the default value is FALSE. An extension is identified by its object identifier, specified in the extnID field. The extnValue field is an OCTET STRING which contains the DER encoding of the specific extension's ASN.1 representation itself. Only one instance of a particular extension may be present.

        The byte value returned by this method represents the DER encoding of the extnValue (OCTET_STRING) from above, and the value of this OCTET STRING represents the DER encoding of the specific extension's ASN.1 representation itself. If you want to get the DER encoding of the specific extension's ASN.1 representation itself (not wrapped in an OCTET STRING), use method getRawExtensionValue.

        Specified by:
        getExtensionValue in interface java.security.cert.X509Extension
        Parameters:
        oid - the object identifier of the extension to be searched for
        Returns:
        the DER encoded extnValue OCTET STRING or null if no extension with the specified oid is present
      • getRawExtensionValue

        public byte[] getRawExtensionValue(java.lang.String oid)
        Returns a byte array representing the DER encoding of the extension value identified by the given OID string.

        The OID string is represented by a set of non-negative integers separated by periods, e.g. "2.5.29.15" for the KeyUsage extension.

        In ASN.1, the Extensions field is defined as a SEQUENCE of Extension:

         Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension
         
         Extension  ::=  SEQUENCE  {
           extnID      OBJECT IDENTIFIER,
           critical    BOOLEAN DEFAULT FALSE,
           extnValue   OCTET STRING  }
         

        where critical specifies whether an extension has to be treated as being critical or not; the default value is FALSE. An extension is identified by its object identifier, specified in the extnID field. The extnValue field is an OCTET STRING which contains the DER encoding of the specific extension's ASN.1 representation itself. Only one instance of a particular extension may be present in a particular CRL.

        The byte value returned by this method represents the DER encoding of the specific extension's ASN.1 representation itself (i.e. the value of the extnValue OCTET STRING).

        Parameters:
        oid - the object identifier of the extension to be searched for
        Returns:
        the DER encoded ASN.1 representation of the extension or null if no extension with the specified oid is present
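As an added example (not IAIK code), the following reads the CRLNumber extension (OID 2.5.29.20, the CRLNumber class used with addExtension() on this page) through both accessors: getExtensionValue() yields the OCTET STRING TLV, getRawExtensionValue() its contents, here a DER INTEGER. It then uses the number for the monotonicity check a relying party keeps across CRL updates.

```java
import java.math.BigInteger;
import java.util.Arrays;
import iaik.x509.X509CRL;

/** Added example (not IAIK code): reading the CRLNumber extension through both accessors. */
public class CrlNumberReader {

    /** OID of the CRLNumber extension (id-ce-cRLNumber). */
    static final String CRL_NUMBER_OID = "2.5.29.20";

    /** Returns the contents of a DER element with the expected tag. Short-form length only,
     *  which suffices here: a CRLNumber INTEGER has at most 20 octets (RFC 3280, section 5.2.3). */
    static byte[] contents(byte[] der, int expectedTag) {
        if (der.length < 2 || (der[0] & 0xFF) != expectedTag) {
            throw new IllegalArgumentException("expected tag 0x" + Integer.toHexString(expectedTag));
        }
        int len = der[1] & 0xFF;
        if (len >= 0x80 || der.length != 2 + len) {
            throw new IllegalArgumentException("unexpected length encoding");
        }
        return Arrays.copyOfRange(der, 2, 2 + len);
    }

    /** Returns the CRL number, or null if the CRL carries no CRLNumber extension. */
    public static BigInteger crlNumber(X509CRL crl) {
        byte[] wrapped = crl.getExtensionValue(CRL_NUMBER_OID);     // 04 len [ 02 len <number> ]
        if (wrapped == null) return null;
        byte[] raw = crl.getRawExtensionValue(CRL_NUMBER_OID);      //          02 len <number>
        // The two accessors differ by exactly the OCTET STRING wrapper.
        if (!Arrays.equals(contents(wrapped, 0x04), raw)) {
            throw new IllegalStateException("extnValue contents do not match the raw extension value");
        }
        // DER INTEGER contents are big-endian two's complement, which BigInteger(byte[]) expects.
        return new BigInteger(contents(raw, 0x02));
    }

    /** A relying party should remember the last CRL number per issuer: a CRL numbered
     *  lower than one already processed is stale (e.g. served from an outdated cache). */
    public static boolean isNewer(X509CRL candidate, BigInteger lastSeen) {
        BigInteger n = crlNumber(candidate);
        return n != null && (lastSeen == null || n.compareTo(lastSeen) > 0);
    }
}
```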
      • addExtension

        public void addExtension(V3Extension e)
                          throws X509ExtensionException
        Adds the given X509v2 CRL extension.

        The extension to be added shall be an implemented V3Extension. If an extension with the same object ID already exists, it is replaced.

        For instance:

         X509CRL crl = new X509CRL();
           ...
         CRLNumber crl_number  = new CRLNumber(BigInteger.valueOf(4234234));
         crl.addExtension(crl_number);
         

        For getting some extension, use the getExtension(ObjectID) method.

        Parameters:
        e - the X509v2 CRL extension to add to the list of extensions
        Throws:
        X509ExtensionException - if an error occurs while DER encoding the extension
        See Also:
        V3Extension
      • removeExtension

        public boolean removeExtension(ObjectID oid)
        Removes the extension specified by its object identifier.
        Parameters:
        oid - the object ID of the extension to remove
        Returns:
        true if the extension has been removed successfully, false otherwise
      • removeAllExtensions

        public void removeAllExtensions()
        Removes all extensions from this CRL.
      • listExtensions

        public java.util.Enumeration listExtensions()
        Returns an enumeration of all extensions included into this CRL.

        The returned enumeration may contain unknown extensions (instances of UnknownExtension) if this CRL includes extensions for which no registered implementation exists, and it may contain error extensions (instances of ErrorExtension) indicating extensions which cannot be parsed properly because of some kind of error.

        Returns:
        an enumeration of the extensions, or null if there are no extensions present at all
      • hasExtensions

        public boolean hasExtensions()
        Checks, if there are any extensions included into this CRL.
        Returns:
        true if there are extensions, false if not
      • hasUnsupportedCriticalExtension

        public boolean hasUnsupportedCriticalExtension()
        Returns true if there are unsupported critical extensions.
        Specified by:
        hasUnsupportedCriticalExtension in interface java.security.cert.X509Extension
        Returns:
        true, if there are unsupported critical extensions
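Pulling together the checks described under getThisUpdate()/getNextUpdate(), getCriticalExtensionOIDs() and hasUnsupportedCriticalExtension(), here is an added example (not IAIK code) of what a relying party should verify before accepting this CRL's verdict on a certificate: the signature (computed over the DER encoded TBSCertList, as getTBSCertList() notes), the issuer name, freshness, unsupported critical extensions, and finally the issuer-aware containsCertificate(X509Certificate) lookup. verify(PublicKey) is inherited from java.security.cert.X509CRL and assumes the IAIK provider is installed; the file names are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.util.Date;
import iaik.x509.RevokedCertificate;
import iaik.x509.X509CRL;
import iaik.x509.X509Certificate;

/** Added example (not IAIK code): the checks to apply to a CRL before trusting its answer. */
public class CrlCheck {

    public enum Status { GOOD, REVOKED, CRL_UNUSABLE }

    /**
     * crlSigner is the certificate whose key signed the CRL: the certificate issuer for a
     * direct CRL, the separate CRL issuer for an indirect one.
     */
    public static Status check(X509CRL crl, X509Certificate crlSigner, X509Certificate cert, Date now) {
        // 1. Signature over the DER encoded TBSCertList, checked with the trusted signer's key.
        try {
            crl.verify(crlSigner.getPublicKey());
        } catch (Exception e) {            // CRLException, SignatureException, InvalidKeyException, ...
            return Status.CRL_UNUSABLE;
        }
        // 2. The issuer field must name the signer; a valid signature by some other key proves nothing.
        if (!crl.getIssuerX500Principal().equals(crlSigner.getSubjectX500Principal())) {
            return Status.CRL_UNUSABLE;
        }
        // 3. Freshness: thisUpdate must not lie in the future, and nextUpdate (required by
        //    RFC 3280 although OPTIONAL in the ASN.1) must be present and not yet passed.
        Date next = crl.getNextUpdate();
        if (crl.getThisUpdate().after(now) || next == null || next.before(now)) {
            return Status.CRL_UNUSABLE;
        }
        // 4. A critical extension the library cannot interpret may restrict the CRL's scope,
        //    so no conclusion may be drawn from the CRL (see getCriticalExtensionOIDs()).
        if (crl.hasUnsupportedCriticalExtension()) {
            return Status.CRL_UNUSABLE;
        }
        // 5. Match by issuer and serial number; this also handles indirect CRL entries.
        RevokedCertificate entry = crl.containsCertificate(cert);
        return entry == null ? Status.GOOD : Status.REVOKED;
    }

    private static X509Certificate readCert(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return new X509Certificate(in);
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder file names; the constructors accept DER or PEM encodings.
        X509Certificate crlSigner = readCert("crl-issuer.der");
        X509Certificate cert = readCert("cert.der");
        try (InputStream in = new FileInputStream("crl.der")) {
            X509CRL crl = new X509CRL(in);
            System.out.println(check(crl, crlSigner, cert, new Date()));
        }
    }
}
```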
      • countExtensions

        public int countExtensions()
        Returns the number of extensions included into this CRL.
        Returns:
        the number of extensions
      • getExtension

        public V3Extension getExtension(ObjectID oid)
                                 throws X509ExtensionInitException
        Returns a specific extension, identified by its object identifier.

        If the extension cannot be initialized for some reason, an X509ExtensionInitException is thrown. If the requested extension is an unknown extension, which is not supported by a registered implementation, this method creates and returns an UnknownExtension which may be queried for obtaining as much information as possible about the unknown extension.

        Parameters:
        oid - the object ID of the extension
        Returns:
        the desired extension or null if the requested extension is not present
        Throws:
        X509ExtensionInitException - if the extension cannot be initialized
        See Also:
        X509Extensions.getExtension(iaik.asn1.ObjectID)
      • getFingerprint

        public byte[] getFingerprint()
        Returns the fingerprint of this CRL. This is an MD5 hash of the DER encoded CRL.
        Returns:
        the fingerprint of the CRL
      • getFingerprint

        public byte[] getFingerprint(java.lang.String digestAlgorithm)
                              throws java.security.NoSuchAlgorithmException
        Returns the fingerprint of this CRL calculated with the given hash algorithm.
        Parameters:
        digestAlgorithm - the digest algorithm to be used
        Returns:
        the fingerprint of the CRL
        Throws:
        java.security.NoSuchAlgorithmException - if the requested algorithm is not supported
      • getFingerprintSHA

        public byte[] getFingerprintSHA()
        Gets the SHA-1 fingerprint of this CRL. The result is cached for subsequent calls.
        Returns:
        the SHA-1 fingerprint of this CRL
      • toString

        public java.lang.String toString()
        Returns a string that represents the contents of the CRL.
        Specified by:
        toString in class java.security.cert.CRL
        Returns:
        the string representation
      • toString

        public java.lang.String toString(boolean detailed)
        Returns a string describing the contents of the CRL, in detail if requested.
        Parameters:
        detailed - whether or not to give detailed information about the CRL.
        Returns:
        the string representation
This Javadoc may contain text parts from IETF Internet Standard specifications (see copyright note) and RSA Data Security Public-Key Cryptography Standards (PKCS, see copyright note).

6.0
(c) 2002 IAIK, (c) 2003 - 2022 SIC