iaik.x509.stream

Class RevokedCertificatesCRLListener

java.lang.Object

iaik.x509.stream.RevokedCertificatesCRLListener

All Implemented Interfaces:

CRLListener

public class RevokedCertificatesCRLListener
extends java.lang.Object
implements CRLListener

Through this CRL listener implementation, an application can easily stream-parse a CRL looking for the revocation state of certain certificates. The application passes the list of concerned certificates to the constructor. See the documentation of X509CRLStream for a sample.

This implementation can also handle indirect CRLs.

Derived classes should take into account the behavior of revokedCertificate(byte[], int, int, int, int) and revokedCertificate(RevokedCertificate). If a class wants to receive all entries, it should implement the CRLListener interface directly.

Constructor Summary

Constructors

Constructor and Description
RevokedCertificatesCRLListener(X509Certificate[] consideredCertificates, java.security.PublicKey issuerKey) Create a CRL listener which searches for entries in the CRL which refer to any of the certificates in the array consideredCertificates.
RevokedCertificatesCRLListener(X509Certificate[] consideredCertificates, java.security.PublicKey issuerKey, java.security.Provider signatureProvider) Create a CRL listener which searches for entries in the CRL which refer to any of the certificates in the array consideredCertificates.

Method Summary

Methods

Modifier and Type	Method and Description
void	extensions(X509Extensions extensions) The implementation of this method stores the given extensions for latter retrieval.
X509Certificate[]	getConsideredCertificates()
X509Extensions	getExtensions()
Name	getIssuer()
java.security.PublicKey	getIssuerKey()
java.util.Date	getNextUpdate()
java.util.Hashtable	getRevokedCertificates() Through this method, the application can get information about the concerned certificates; i.e.
AlgorithmID	getSignature()
java.security.Signature	getSignature(AlgorithmID signatureAlgorithm) This implementation of CRLListener.getSignature(iaik.asn1.structures.AlgorithmID)tries to instantiate a Signatureobject from the IAIK provider for the given signature algorithm if the issuer public key has been specified in the constructor.
AlgorithmID	getSignatureAlgorithm()
byte[]	getSignatureValue()
java.util.Date	getThisUpdate()
int	getVersion()
void	header(int version, Name issuer, java.util.Date thisUpdate, java.util.Date nextUpdate) This implementation of this method simply stores the given parameters in member variables for later retrieval.
boolean	isIndirect() true if there is at least one entry in the CRL which contains a CertificateIssuer extension.
boolean	isVerified()
void	revokedCertificate(byte[] buffer, int offset, int length, int serialOffset, int serialLength) The CRL stream parser calls this listener method for each CRL entry exactly once and in the order in which they appear in the CRL.
void	revokedCertificate(RevokedCertificate entry) This implementation looks if the given entry refers to a certificate in the list of concerned certificates which has been passed to the constructor.
void	signature(AlgorithmID signatureAlgorithm, byte[] signatureValue, boolean verified) The implementation of this method stores the given information about the signature for latter retrievement.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

RevokedCertificatesCRLListener

public RevokedCertificatesCRLListener(X509Certificate[] consideredCertificates,
                              java.security.PublicKey issuerKey)

Create a CRL listener which searches for entries in the CRL which refer to any of the certificates in the array consideredCertificates.
The issuerKey specifies the public key which should be used to verify the signature of the CRL; e.g. the public key out of the CRL issuer certificate. If the key is null, the signature will not be verified. However, the application may verify the signature itself.

Parameters:

consideredCertificates - The list of certificates which should should be searched for in the CRL.

issuerKey - The public key to use for verifying the CRL signature.

RevokedCertificatesCRLListener

public RevokedCertificatesCRLListener(X509Certificate[] consideredCertificates,
                              java.security.PublicKey issuerKey,
                              java.security.Provider signatureProvider)

Create a CRL listener which searches for entries in the CRL which refer to any of the certificates in the array consideredCertificates.
The issuerKey specifies the public key which should be used to verify the signature of the CRL; e.g. the public key out of the CRL issuer certificate. If the key is null, the signature will not be verified. However, the application may verify the signature itself.

Parameters:

consideredCertificates - The list of certificates which should should be searched for in the CRL.

issuerKey - The public key to use for verifying the CRL signature.

signatureProvider - the JCA provider to be used for verifying the signature.

Method Detail

getSignature

public java.security.Signature getSignature(AlgorithmID signatureAlgorithm)
                                     throws java.security.NoSuchAlgorithmException,
                                            java.security.InvalidKeyException

This implementation of CRLListener.getSignature(iaik.asn1.structures.AlgorithmID)tries to instantiate a Signatureobject from the IAIK provider for the given signature algorithm if the issuer public key has been specified in the constructor. If the public key has not been specified, this method returns null.

Specified by:

getSignature in interface CRLListener

Parameters:

signatureAlgorithm - The signature algorithm. This is the signature algorithm as encoded in the signature field of the TBSCertList of the CRL.

Returns:

An signature implementation of the IAIK provider which has already been initialized for signature verification.

Throws:

java.security.NoSuchAlgorithmException - If there is no implementation available for the requested algorithm.

java.security.InvalidKeyException - If the verification key does not suit for the algorithm.

See Also:

CRLListener.getSignature(iaik.asn1.structures.AlgorithmID)

header

public void header(int version,
          Name issuer,
          java.util.Date thisUpdate,
          java.util.Date nextUpdate)

This implementation of this method simply stores the given parameters in member variables for later retrieval.

Specified by:

header in interface CRLListener

Parameters:

version - The version number; e.g. 1 for a v2 CRL. -1 if unavailable.

issuer - The issuer name of the CRL.

thisUpdate - The thisUpdate value of the CRL.

nextUpdate - The nextUpdate value of the CRL or null if not present.

See Also:

CRLListener.header(int, iaik.asn1.structures.Name, java.util.Date, java.util.Date)

revokedCertificate

public void revokedCertificate(byte[] buffer,
                      int offset,
                      int length,
                      int serialOffset,
                      int serialLength)
                        throws java.security.cert.CRLException,
                               X509ExtensionException

The CRL stream parser calls this listener method for each CRL entry exactly once and in the order in which they appear in the CRL. Please note that a CRL may have no entries in which case this method will not be called at all. Note that the X509CRLStream.parse(java.io.InputStream) method calls this method for all entries and not directly the revokedCertificate(RevokedCertificate) method. This method investigates the encoded CRL entry. If it finds out that the entry matches one of the considered certificates, it will parse the entry and call revokedCertificate(RevokedCertificate).

Parameters:

buffer - The buffer that contains the CRL entry. It may contain extensions.

offset - The offset in the buffer where the encoded entry begins.

length - The length of the encoded entry in the buffer.

serialOffset - The offset in the buffer where the encoded serial number of the entry begins , excluding tag and encoded length of the INTEGER.

serialLength - The number of octet that the serial number occupies starting from serialOffset.

Throws:

java.security.cert.CRLException - If the entry is invalid.

X509ExtensionException - If the entry has invalid extensions.

revokedCertificate

public void revokedCertificate(RevokedCertificate entry)
                        throws java.security.cert.CRLException,
                               X509ExtensionException

This implementation looks if the given entry refers to a certificate in the list of concerned certificates which has been passed to the constructor. If this is the case, the entry will be stored in a table for later retrieval using the getRevokedCertificates() method.

This class has an improved mechanism for parsing the CRL entries. The X509CRLStream.parse(java.io.InputStream) method calls the revokedCertificate(byte[], int, int, int, int). If it method realizes that this entry is of interest, it calls this method with the parsed entry object.

Specified by:

revokedCertificate in interface CRLListener

Parameters:

entry - The current CRL entry. This may contain also extensions.

Throws:

java.security.cert.CRLException - If the entry is invalid.

X509ExtensionException - If the entry has invalid extensions.

See Also:

CRLListener.revokedCertificate(iaik.x509.RevokedCertificate)

extensions

public void extensions(X509Extensions extensions)

The implementation of this method stores the given extensions for latter retrieval.

Specified by:

extensions in interface CRLListener

Parameters:

extensions - The extensions of the parsed CRL or null if there are no extensions.

See Also:

CRLListener.extensions(iaik.x509.X509Extensions)

signature

public void signature(AlgorithmID signatureAlgorithm,
             byte[] signatureValue,
             boolean verified)
               throws java.security.cert.CRLException

The implementation of this method stores the given information about the signature for latter retrievement.

Specified by:

signature in interface CRLListener

Parameters:

signatureAlgorithm - The signature algorithm as encoded in the CertificateList of the CRL.

signatureValue - The signature value as encoded in the CRL.

verified - true if the CRL parser has already verified the signature value, false if it has not been verified. In the latter case, the listener can verify the signature value on its own.

Throws:

java.security.cert.CRLException

See Also:

CRLListener.signature(iaik.asn1.structures.AlgorithmID, byte[], boolean)

getRevokedCertificates

public java.util.Hashtable getRevokedCertificates()

Through this method, the application can get information about the concerned certificates; i.e. if the CRL contained entries which referred to these certificates.

The table contains an entry for each certificate which has been listed in the CRL. The key for the table is the X509Certificate object as passed to the constructor. The value is a RevokedCertificate object if the CRL contains the certificate. The value is null if the CRL does not contain an entry which refers to the certificate.

Please note that the table only contains information about those certificates which have been passed to the constructor as considered certificates.

Returns:

The table mapping X509Certificate objects to RevokedCertificate objects.

getConsideredCertificates

public X509Certificate[] getConsideredCertificates()

Returns:

Returns the considered certificates as they have been passed to the constructor.

getExtensions

public X509Extensions getExtensions()

Returns:

Returns the extensions of this CRL. Note that this does not include extensions of each entry. Entry extensions are available from the RevokedCertificate objects which are stored in the table returned by getRevokedCertificates().

isIndirect

public boolean isIndirect()

true if there is at least one entry in the CRL which contains a CertificateIssuer extension.

Returns:

Returns true if the CRL is an indirect CRL.

getIssuer

public Name getIssuer()

Returns:

Returns the issuer name of this CRL.

getIssuerKey

public java.security.PublicKey getIssuerKey()

Returns:

Returns the issuer key used to verify the CRL signature. null if the signature verification key has not been specified.

getNextUpdate

public java.util.Date getNextUpdate()

Returns:

Returns the nextUpdate field of the CRL or null if it is not included in the CRL.

getSignature

public AlgorithmID getSignature()

Returns:

Returns the signature algorithm as encoded in the CertificateList of the CRL.

getSignatureAlgorithm

public AlgorithmID getSignatureAlgorithm()

Returns:

Returns the signatureAlgorithm as encoded in the signature field of the TBSCertList of the CRL.

getSignatureValue

public byte[] getSignatureValue()

Returns:

Returns the signature value as encoded in the CRL.

getThisUpdate

public java.util.Date getThisUpdate()

Returns:

Returns the thisUpdate field of the CRL.

isVerified

public boolean isVerified()

Returns:

Returns true if the signature of the CRL has already been verified successfully. It is false, if the signature is invalid.
Note that this value is only meaningful if the signature verification key (i.e. CRL issuer key) has been specified.

getVersion

public int getVersion()

Returns:

Returns the version integer of the CRL; e.g. 1 if the CRL is a v2 CRL. -1 if unavailable.