public class RevokedAttributeCertificate extends RevokedCertificate
A revoked certificate denotes an attribute certificate that has been revoked for some reason (e.g. the holder has changed, ...) prior to the regular end of its validity period.
Revoked certificates are collected in certificate revocation lists (CRLs) maintained by the certification authorities (CAs) that issue certificates. CRLs are publicly available and have to be refreshed at certain time intervals. Each certificate included in a revocation list is identified by its serial number. The revocation list is signed by the maintaining CA.
A profile for X.509v2 revocation lists is presented together with the X.509v3 certificate format in RFC 3280, where revoked certificates are defined as the following ASN.1 structure:
    revokedCertificates     SEQUENCE OF SEQUENCE {
        userCertificate         CertificateSerialNumber,
        revocationDate          Time,
        crlEntryExtensions      Extensions OPTIONAL
                                -- if present, must be v2
    } OPTIONAL
where:
    CertificateSerialNumber ::= INTEGER

    Time ::= CHOICE {
        utcTime         UTCTime,
        generalTime     GeneralizedTime
    }

    Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension

    Extension ::= SEQUENCE {
        extnID          OBJECT IDENTIFIER,
        critical        BOOLEAN DEFAULT FALSE,
        extnValue       OCTET STRING
    }
The serial number uniquely identifies a particular certificate within a given revocation list. The revocation date specifies the date on which the revocation of the listed certificate becomes effective. Dates through the year 2049 shall be encoded as UTCTime, and dates in 2050 or later as GeneralizedTime.
The crlEntryExtensions field may be used for including additional information. An extension may be a defined standard entry extension (e.g. reasonCode for specifying the reason for revocation), or it may be a private entry extension providing community-specific information. If an entry extension is marked as critical but the CRL handling software cannot properly parse this extension, the CRL validation must fail. Non-critical entry extensions can be ignored if they cannot be handled (i.e. if they are unknown to the software).
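The following is an added example, not part of the original class documentation and not IAIK code: a minimal DER parser for one element of the revokedCertificates structure shown above, written in plain Python with no third-party library. It decodes the serial number, resolves the Time CHOICE (applying the UTCTime two-digit-year rule and accepting GeneralizedTime for 2050 and later), and walks crlEntryExtensions with exactly the criticality rule stated above: a known extension (here only reasonCode, OID 2.5.29.21) is decoded, an unknown non-critical extension is recorded and skipped, and an unknown critical extension makes parsing fail. The sample entry is constructed in the block itself; the serial number, dates and the private OID 1.3.6.1.4.1.99999.1 are made up for illustration and do not come from any real CRL.

```python
import datetime
from dataclasses import dataclass, field
from typing import List, Optional

# OID of the CRLReason entry extension (RFC 3280, 5.3.1): the only extension this
# parser understands; every other OID is treated as unknown.
REASON_CODE_OID = "2.5.29.21"
CRL_REASONS = {0: "unspecified", 1: "keyCompromise", 2: "cACompromise", 3: "affiliationChanged",
               4: "superseded", 5: "cessationOfOperation", 6: "certificateHold",
               8: "removeFromCRL", 9: "privilegeWithdrawn", 10: "aACompromise"}

class UnsupportedCriticalExtension(Exception):
    """Critical extension we cannot process: CRL validation must fail."""

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def read_sequence(value):
    """List the (tag, value) children of a SEQUENCE body."""
    items, pos = [], 0
    while pos < len(value):
        tag, body, pos = read_tlv(value, pos)
        items.append((tag, body))
    return items

def decode_oid(body):
    """Dotted-decimal form of an OBJECT IDENTIFIER body (base-128 arcs)."""
    arcs, acc = [str(body[0] // 40), str(body[0] % 40)], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)

def decode_time(tag, body):
    """Time ::= CHOICE { UTCTime (0x17), GeneralizedTime (0x18) } -> aware datetime."""
    s = body.decode("ascii")
    if tag == 0x17:  # YYMMDDHHMMSSZ; RFC 3280: years 50..99 -> 19YY, 00..49 -> 20YY
        yy = int(s[:2])
        s = str(1900 + yy if yy >= 50 else 2000 + yy) + s[2:]
    elif tag != 0x18:  # GeneralizedTime is already YYYYMMDDHHMMSSZ
        raise ValueError("unexpected Time tag 0x%02x" % tag)
    return datetime.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=datetime.timezone.utc)

@dataclass
class RevokedEntry:
    serial: int
    revocation_date: datetime.datetime
    reason: Optional[str] = None
    ignored_noncritical: List[str] = field(default_factory=list)

def parse_revoked_entry(der):
    """Parse one revokedCertificates element and apply the criticality rule."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("entry is not a single SEQUENCE")
    items = read_sequence(body)
    entry = RevokedEntry(int.from_bytes(items[0][1], "big", signed=True), decode_time(*items[1]))
    if len(items) > 2:  # crlEntryExtensions present
        for _, ext in read_sequence(items[2][1]):
            fields = read_sequence(ext)  # extnID, [critical], extnValue
            oid = decode_oid(fields[0][1])
            critical = len(fields) == 3 and fields[1] == (0x01, b"\xff")
            if oid == REASON_CODE_OID:
                _, enum_body, _ = read_tlv(fields[-1][1], 0)  # extnValue wraps an ENUMERATED
                entry.reason = CRL_REASONS.get(enum_body[0], "unknown(%d)" % enum_body[0])
            elif critical:
                raise UnsupportedCriticalExtension(oid)
            else:
                entry.ignored_noncritical.append(oid)  # unknown but non-critical: skip it
    return entry

def rejects_unknown_critical(der):
    """True if parsing fails because of an unsupported critical extension."""
    try:
        parse_revoked_entry(der)
    except UnsupportedCriticalExtension:
        return True
    return False

# Constructed sample input for illustration; not taken from any real CRL.
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body  # short-form length suffices for these samples

def _ext(oid_der, critical, value_der):
    body = _tlv(0x06, oid_der) + (_tlv(0x01, b"\xff") if critical else b"")
    return _tlv(0x30, body + _tlv(0x04, value_der))

def sample_entry(unknown_critical=False, after_2049=False):
    """Serial 4097, reasonCode = superseded(4), plus a private extension under a made-up OID."""
    reason = _ext(b"\x55\x1d\x15", False, _tlv(0x0A, b"\x04"))  # 2.5.29.21
    private = _ext(b"\x2b\x06\x01\x04\x01\x86\x8d\x1f\x01",  # 1.3.6.1.4.1.99999.1 (constructed)
                   unknown_critical, _tlv(0x04, b"x"))
    time = _tlv(0x18, b"20500101000000Z") if after_2049 else _tlv(0x17, b"240315120000Z")
    return _tlv(0x30, _tlv(0x02, b"\x10\x01") + time + _tlv(0x30, reason + private))
```

Calling parse_revoked_entry(sample_entry()) yields serial 4097, revocation date 2024-03-15 12:00:00 UTC, reason "superseded" and the private OID listed under ignored_noncritical; the same entry with the private extension flagged critical is refused, which is the behaviour a conforming CRL consumer must show. Note that the reasonCode value sits inside the extnValue OCTET STRING as its own DER ENUMERATED, so it has to be unwrapped twice.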
The ACRL class implements a certificate revocation list for X.509 attribute certificates. A revoked certificate represents a CRL entry. For adding a CRL entry extension to a revoked certificate, use the addExtension method, e.g.:

    import java.io.FileInputStream;
    import java.io.InputStream;
    import java.util.Date;
    import iaik.x509.attr.AttributeCertificate;
    import iaik.x509.attr.RevokedAttributeCertificate;
    import iaik.x509.extensions.ReasonCode;

    // Create a revoked certificate from an AttributeCertificate and set the revocation
    // date to the current date; the AttributeCertificate is read in from a file
    // (try-with-resources closes the stream even if parsing fails):
    Date revocationDate = new Date();
    AttributeCertificate cert;
    try (InputStream fis = new FileInputStream("attrCert.der")) {
        cert = new AttributeCertificate(fis);
    }
    RevokedAttributeCertificate revCert = new RevokedAttributeCertificate(cert, revocationDate);
    // Optionally add the reasonCode CRL entry extension to the revoked certificate:
    ReasonCode reasonCode = new ReasonCode(ReasonCode.superseded);
    revCert.addExtension(reasonCode);
You will only need this class to add a revoked certificate to an ACRL.

See Also: ACRL, AttributeCertificate
Constructors:

RevokedAttributeCertificate(ASN1Object obj)
    Creates a RevokedAttributeCertificate from an ASN1Object.

RevokedAttributeCertificate(AttributeCertificate cert, java.util.Date revocationDate)
    Creates a RevokedAttributeCertificate from an attribute certificate and a date.

RevokedAttributeCertificate(java.math.BigInteger serialNumber, java.util.Date revocationDate)
    Creates a RevokedAttributeCertificate from a serial number and a date.
Methods inherited from class RevokedCertificate:
    addExtension, clone, countExtensions, getCriticalExtensionOIDs, getEncoded, getExtension, getExtensionValue, getNonCriticalExtensionOIDs, getRawExtensionValue, getRevocationDate, getSerialNumber, hasExtensions, hasUnsupportedCriticalExtension, listExtensions, removeAllExtensions, removeExtension, toASN1Object, toString, toString
public RevokedAttributeCertificate(ASN1Object obj) throws java.security.cert.CRLException
    This constructor may be used for parsing an already existing RevokedAttributeCertificate, supplied as ASN1Object that may have been created by calling the toASN1Object method.
    Parameters:
        obj - the revoked attribute certificate as ASN1Object
    Throws:
        java.security.cert.CRLException - if the ASN1Object cannot be parsed

public RevokedAttributeCertificate(AttributeCertificate cert, java.util.Date revocationDate)
    Parameters:
        cert - the attribute certificate to be revoked
        revocationDate - the date when the certificate becomes invalid

public RevokedAttributeCertificate(java.math.BigInteger serialNumber, java.util.Date revocationDate)
    Parameters:
        serialNumber - the serial number of the attribute certificate to revoke
        revocationDate - the date when the certificate becomes invalid