com.ibm.security12.sun.security.x509
Class X509CRLImpl

java.lang.Object
  |
  +--com.ibm.security12.java.security.cert.CRL
        |
        +--com.ibm.security12.java.security.cert.X509CRL
              |
              +--com.ibm.security12.sun.security.x509.X509CRLImpl

public class X509CRLImpl
extends X509CRL

An implementation of an X.509 CRL (Certificate Revocation List).

The X.509 v2 CRL format is described below in ASN.1:

 CertificateList  ::=  SEQUENCE  {
     tbsCertList          TBSCertList,
     signatureAlgorithm   AlgorithmIdentifier,
     signature            BIT STRING  }
 
A description and profile is provided in the IETF PKIX WG draft, Part I: X.509 Certificate and CRL Profile, <draft-ietf-pkix-ipki-part1-06.txt>.

The ASN.1 definition of tbsCertList is:

 TBSCertList  ::=  SEQUENCE  {
     version                 Version OPTIONAL,
                             -- if present, must be v2
     signature               AlgorithmIdentifier,
     issuer                  Name,
     thisUpdate              ChoiceOfTime,
     nextUpdate              ChoiceOfTime OPTIONAL,
     revokedCertificates     SEQUENCE OF SEQUENCE  {
         userCertificate         CertificateSerialNumber,
         revocationDate          ChoiceOfTime,
         crlEntryExtensions      Extensions OPTIONAL
                                 -- if present, must be v2
         }  OPTIONAL,
     crlExtensions           [0]  EXPLICIT Extensions OPTIONAL
                                  -- if present, must be v2
     }
 

Version:
1.17
Author:
Hemma Prafullchandra
See Also:
X509CRL

Constructor Summary
X509CRLImpl(byte[] crlData)
          Unmarshals an X.509 CRL from its encoded form, parsing the encoded bytes.
X509CRLImpl(DerValue val)
          Unmarshals an X.509 CRL from a DER value.
X509CRLImpl(InputStream inStrm)
          Unmarshals an X.509 CRL from an input stream.
X509CRLImpl(X500Name issuer, Date thisDate, Date nextDate)
          Initial CRL constructor, no revoked certs, and no extensions.
X509CRLImpl(X500Name issuer, Date thisDate, Date nextDate, X509CRLEntry[] badCerts)
          CRL constructor, revoked certs, no extensions.
X509CRLImpl(X500Name issuer, Date thisDate, Date nextDate, X509CRLEntry[] badCerts, CRLExtensions crlExts)
          CRL constructor, revoked certs and extensions.
 
Method Summary
 void encodeInfo(OutputStream out)
          Encodes the "to-be-signed" CRL to the OutputStream.
 Set getCriticalExtensionOIDs()
          Gets a Set of the extension(s) marked CRITICAL in the CRL.
 byte[] getEncoded()
          Returns the ASN.1 DER encoded form of this CRL.
 byte[] getExtensionValue(String oid)
          Gets the DER encoded OCTET string for the extension value (extnValue) identified by the passed in oid String.
 Principal getIssuerDN()
          Gets the issuer distinguished name from this CRL.
 Date getNextUpdate()
          Gets the nextUpdate date from the CRL.
 Set getNonCriticalExtensionOIDs()
          Gets a Set of the extension(s) marked NON-CRITICAL in the CRL.
 X509CRLEntry getRevokedCertificate(java.math.BigInteger serialNumber)
          Gets the CRL entry with the given serial number from this CRL.
 Set getRevokedCertificates()
          Gets all the revoked certificates from the CRL.
 String getSigAlgName()
          Gets the signature algorithm name for the CRL signature algorithm.
 String getSigAlgOID()
          Gets the signature algorithm OID string from the CRL.
 byte[] getSigAlgParams()
          Gets the DER encoded signature algorithm parameters from this CRL's signature algorithm.
 byte[] getSignature()
          Gets the raw Signature bits from the CRL.
 byte[] getTBSCertList()
          Gets the DER encoded CRL information, the tbsCertList from this CRL.
 Date getThisUpdate()
          Gets the thisUpdate date from the CRL.
 int getVersion()
          Gets the version number from this CRL.
 boolean hasUnsupportedCriticalExtension()
          Return true if a critical extension is found that is not supported, otherwise return false.
 boolean isRevoked(Certificate cert)
          Checks whether the given certificate is on this CRL.
 void sign(PrivateKey key, String algorithm)
          Encodes an X.509 CRL, and signs it using the given key.
 void sign(PrivateKey key, String algorithm, String provider)
          Encodes an X.509 CRL, and signs it using the given key.
 String toString()
          Returns a printable string of this CRL.
 void verify(PublicKey key)
          Verifies that this CRL was signed using the private key that corresponds to the given public key.
 void verify(PublicKey key, String sigProvider)
          Verifies that this CRL was signed using the private key that corresponds to the given public key, and that the signature verification was computed by the given provider.
 
Methods inherited from class com.ibm.security12.java.security.cert.X509CRL
equals, hashCode
 
Methods inherited from class com.ibm.security12.java.security.cert.CRL
getType
 
Methods inherited from class java.lang.Object
clone, finalize, getClass, notify, notifyAll, wait, wait, wait
 

Constructor Detail

X509CRLImpl

public X509CRLImpl(byte[] crlData)
            throws CRLException
Unmarshals an X.509 CRL from its encoded form, parsing the encoded bytes. This form of constructor is used by agents which need to examine and use CRL contents. Note that the buffer must contain exactly one CRL; no trailing bytes ("garbage") may follow it.
Parameters:
crlData - the encoded bytes, with no trailing padding.
Throws:
CRLException - on parsing errors.

X509CRLImpl

public X509CRLImpl(DerValue val)
            throws CRLException
Unmarshals an X.509 CRL from a DER value.
Parameters:
val - a DER value holding at least one CRL
Throws:
CRLException - on parsing errors.

X509CRLImpl

public X509CRLImpl(InputStream inStrm)
            throws CRLException
Unmarshals an X.509 CRL from an input stream. Exactly one CRL is expected in the input stream.
Parameters:
inStrm - an input stream holding at least one CRL
Throws:
CRLException - on parsing errors.

X509CRLImpl

public X509CRLImpl(X500Name issuer,
                   Date thisDate,
                   Date nextDate)
Initial CRL constructor, no revoked certs, and no extensions.
Parameters:
issuer - the name of the CA issuing this CRL.
thisDate - the Date of this issue (thisUpdate).
nextDate - the Date of the next CRL (nextUpdate).

X509CRLImpl

public X509CRLImpl(X500Name issuer,
                   Date thisDate,
                   Date nextDate,
                   X509CRLEntry[] badCerts)
            throws CRLException
CRL constructor, revoked certs, no extensions.
Parameters:
issuer - the name of the CA issuing this CRL.
thisDate - the Date of this issue (thisUpdate).
nextDate - the Date of the next CRL (nextUpdate).
badCerts - the array of CRL entries.
Throws:
CRLException - on parsing/construction errors.

X509CRLImpl

public X509CRLImpl(X500Name issuer,
                   Date thisDate,
                   Date nextDate,
                   X509CRLEntry[] badCerts,
                   CRLExtensions crlExts)
            throws CRLException
CRL constructor, revoked certs and extensions.
Parameters:
issuer - the name of the CA issuing this CRL.
thisDate - the Date of this issue (thisUpdate).
nextDate - the Date of the next CRL (nextUpdate).
badCerts - the array of CRL entries.
crlExts - the CRL extensions.
Throws:
CRLException - on parsing/construction errors.
Method Detail

getEncoded

public byte[] getEncoded()
                  throws CRLException
Returns the ASN.1 DER encoded form of this CRL.
Throws:
CRLException - if an encoding error occurs.
Overrides:
getEncoded in class X509CRL

encodeInfo

public void encodeInfo(OutputStream out)
                throws CRLException
Encodes the "to-be-signed" CRL to the OutputStream.
Parameters:
out - the OutputStream to write to.
Throws:
CRLException - on encoding errors.

verify

public void verify(PublicKey key)
            throws CRLException,
                   NoSuchAlgorithmException,
                   InvalidKeyException,
                   NoSuchProviderException,
                   SignatureException
Verifies that this CRL was signed using the private key that corresponds to the given public key.
Parameters:
key - the PublicKey used to carry out the verification.
Throws:
NoSuchAlgorithmException - on unsupported signature algorithms.
InvalidKeyException - on incorrect key.
NoSuchProviderException - if there's no default provider.
SignatureException - on signature errors.
CRLException - on encoding errors.
Overrides:
verify in class X509CRL

verify

public void verify(PublicKey key,
                   String sigProvider)
            throws CRLException,
                   NoSuchAlgorithmException,
                   InvalidKeyException,
                   NoSuchProviderException,
                   SignatureException
Verifies that this CRL was signed using the private key that corresponds to the given public key, and that the signature verification was computed by the given provider.
Parameters:
key - the PublicKey used to carry out the verification.
sigProvider - the name of the signature provider.
Throws:
NoSuchAlgorithmException - on unsupported signature algorithms.
InvalidKeyException - on incorrect key.
NoSuchProviderException - on incorrect provider.
SignatureException - on signature errors.
CRLException - on encoding errors.
Overrides:
verify in class X509CRL

sign

public void sign(PrivateKey key,
                 String algorithm)
          throws CRLException,
                 NoSuchAlgorithmException,
                 InvalidKeyException,
                 NoSuchProviderException,
                 SignatureException
Encodes an X.509 CRL, and signs it using the given key.
Parameters:
key - the private key used for signing.
algorithm - the name of the signature algorithm used.
Throws:
NoSuchAlgorithmException - on unsupported signature algorithms.
InvalidKeyException - on incorrect key.
NoSuchProviderException - on incorrect provider.
SignatureException - on signature errors.
CRLException - if any mandatory data was omitted.

sign

public void sign(PrivateKey key,
                 String algorithm,
                 String provider)
          throws CRLException,
                 NoSuchAlgorithmException,
                 InvalidKeyException,
                 NoSuchProviderException,
                 SignatureException
Encodes an X.509 CRL, and signs it using the given key.
Parameters:
key - the private key used for signing.
algorithm - the name of the signature algorithm used.
provider - the name of the provider.
Throws:
NoSuchAlgorithmException - on unsupported signature algorithms.
InvalidKeyException - on incorrect key.
NoSuchProviderException - on incorrect provider.
SignatureException - on signature errors.
CRLException - if any mandatory data was omitted.
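The following is an added example, not code from the IBM javadoc or provider source. It exercises the issuer-side constructors from the Constructor Summary together with sign() and getEncoded(), then re-parses the DER through the byte[] constructor and runs verify() as a relying party would, including the failure case under an unrelated key. Two things it assumes that this page does not state: that X509CRLEntryImpl(BigInteger, Date) and X500Name(String) exist in the same package (as they do in the Sun tree this class derives from), and that the provider supports "SHA256withRSA"; substitute an algorithm name your provider supports.

```java
// Added example; not part of the IBM javadoc or provider source.
// Builds a CRL with the issuer-side constructors on this page, signs it, then
// re-parses the DER with the byte[] constructor and verifies it as a relying
// party would. Assumptions (not stated on this page):
//  - X509CRLEntryImpl(BigInteger serial, Date revocationDate) and X500Name(String)
//    exist in the same package, as they do in the Sun tree this code derives from;
//  - the provider supports "SHA256withRSA" (use an algorithm yours supports).
import com.ibm.security12.sun.security.x509.X500Name;
import com.ibm.security12.sun.security.x509.X509CRLEntryImpl;   // assumed class
import com.ibm.security12.sun.security.x509.X509CRLImpl;

import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.cert.X509CRLEntry;
import java.util.Date;

public class IssueCrlExample {

    static final String SIG_ALG = "SHA256withRSA";   // assumption: supported by the provider
    static final long ONE_DAY_MS = 24L * 60 * 60 * 1000;

    /** CA side: returns the DER-encoded, signed CRL listing the given serials. */
    static byte[] issueCrl(KeyPair caKey, X500Name issuer, BigInteger[] revokedSerials)
            throws Exception {
        Date thisUpdate = new Date();
        Date nextUpdate = new Date(thisUpdate.getTime() + ONE_DAY_MS);

        X509CRLEntry[] entries = new X509CRLEntry[revokedSerials.length];
        for (int i = 0; i < revokedSerials.length; i++) {
            // Assumed constructor: serial number plus revocation date, no entry extensions.
            entries[i] = new X509CRLEntryImpl(revokedSerials[i], thisUpdate);
        }

        // "CRL constructor, revoked certs, no extensions" from the summary above.
        X509CRLImpl crl = new X509CRLImpl(issuer, thisUpdate, nextUpdate, entries);

        // sign() DER-encodes tbsCertList and signs it; only after this is there
        // anything for getEncoded() to return.
        crl.sign(caKey.getPrivate(), SIG_ALG);
        return crl.getEncoded();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair ca = kpg.generateKeyPair();
        KeyPair unrelated = kpg.generateKeyPair();   // to show a failed verify()

        X500Name issuer = new X500Name("CN=Example CA, O=Example, C=US");  // assumed ctor
        BigInteger[] revoked = { BigInteger.valueOf(0x1001), BigInteger.valueOf(0x1002) };
        byte[] der = issueCrl(ca, issuer, revoked);

        // Relying-party side: the byte[] constructor requires exactly one CRL with
        // no trailing bytes, which getEncoded() guarantees here.
        X509CRLImpl parsed = new X509CRLImpl(der);
        parsed.verify(ca.getPublic());    // throws if the signature does not match
        System.out.println("signature OK, version " + parsed.getVersion()
                + ", " + parsed.getRevokedCertificates().size() + " entries");
        System.out.println("serial 0x1001 listed: "
                + (parsed.getRevokedCertificate(BigInteger.valueOf(0x1001)) != null));
        System.out.println("serial 0x2000 listed: "
                + (parsed.getRevokedCertificate(BigInteger.valueOf(0x2000)) != null));

        // A CRL is only as trustworthy as the key it verifies under: the same bytes
        // checked against an unrelated key must be rejected, not silently accepted.
        try {
            parsed.verify(unrelated.getPublic());
            System.out.println("BUG: CRL verified under an unrelated key");
        } catch (GeneralSecurityException e) {
            System.out.println("verify() under unrelated key rejected: " + e);
        }
    }
}
```

The public key handed to verify() has to come from an issuer certificate you already trust; the CRL itself carries only an issuer name, which anyone can put in a CRL they sign with their own key.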

toString

public String toString()
Returns a printable string of this CRL.
Returns:
value of this CRL in a printable form.
Overrides:
toString in class CRL

isRevoked

public boolean isRevoked(Certificate cert)
Checks whether the given certificate is on this CRL.
Parameters:
cert - the certificate to check for.
Returns:
true if the given certificate is on this CRL, false otherwise.
Overrides:
isRevoked in class CRL

getVersion

public int getVersion()
Gets the version number from this CRL. The ASN.1 definition for this is:
 Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
             -- v3 does not apply to CRLs but appears for consistency
             -- with definition of Version for certs
 
Returns:
the version number, i.e. 1 or 2.
Overrides:
getVersion in class X509CRL

getIssuerDN

public Principal getIssuerDN()
Gets the issuer distinguished name from this CRL. The issuer name identifies the entity that signed and issued the CRL. The issuer name field contains an X.500 distinguished name (DN). The ASN.1 definition for this is:
 issuer    Name

 Name ::= CHOICE { RDNSequence }
 RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
 RelativeDistinguishedName ::=
     SET OF AttributeValueAssertion

 AttributeValueAssertion ::= SEQUENCE {
                               AttributeType,
                               AttributeValue }
 AttributeType ::= OBJECT IDENTIFIER
 AttributeValue ::= ANY
 
The Name describes a hierarchical name composed of attributes, such as country name, and corresponding values, such as US. The type of the component AttributeValue is determined by the AttributeType; in general it will be a directoryString. A directoryString is usually one of PrintableString, TeletexString or UniversalString.
Returns:
the issuer name.
Overrides:
getIssuerDN in class X509CRL

getThisUpdate

public Date getThisUpdate()
Gets the thisUpdate date from the CRL (the thisUpdate field of TBSCertList in the ASN.1 above).
Returns:
the thisUpdate date from the CRL.
Overrides:
getThisUpdate in class X509CRL

getNextUpdate

public Date getNextUpdate()
Gets the nextUpdate date from the CRL.
Returns:
the nextUpdate date from the CRL, or null if not present.
Overrides:
getNextUpdate in class X509CRL

getRevokedCertificate

public X509CRLEntry getRevokedCertificate(java.math.BigInteger serialNumber)
Gets the CRL entry with the given serial number from this CRL.
Returns:
the entry with the given serial number, or null if no such entry exists in the CRL.
Overrides:
getRevokedCertificate in class X509CRL
See Also:
X509CRLEntry

getRevokedCertificates

public Set getRevokedCertificates()
Gets all the revoked certificates from the CRL, as a Set of X509CRLEntry objects.
Returns:
all the revoked certificates or null if there are none.
Overrides:
getRevokedCertificates in class X509CRL
See Also:
X509CRLEntry

getTBSCertList

public byte[] getTBSCertList()
                      throws CRLException
Gets the DER encoded CRL information, the tbsCertList from this CRL. This can be used to verify the signature independently.
Returns:
the DER encoded CRL information.
Throws:
CRLException - on encoding errors.
Overrides:
getTBSCertList in class X509CRL

getSignature

public byte[] getSignature()
Gets the raw Signature bits from the CRL.
Returns:
the signature.
Overrides:
getSignature in class X509CRL

getSigAlgName

public String getSigAlgName()
Gets the signature algorithm name for the CRL signature algorithm. For example, the string "SHA1withDSA". The ASN.1 definition for this is:
 AlgorithmIdentifier  ::=  SEQUENCE  {
     algorithm               OBJECT IDENTIFIER,
     parameters              ANY DEFINED BY algorithm OPTIONAL  }
                             -- contains a value of the type
                             -- registered for use with the
                             -- algorithm object identifier value
 
Returns:
the signature algorithm name.
Overrides:
getSigAlgName in class X509CRL

getSigAlgOID

public String getSigAlgOID()
Gets the signature algorithm OID string from the CRL. An OID is represented as a sequence of positive whole numbers separated by ".", that is,
<positive whole number>.<positive whole number>.<...> For example, the string "1.2.840.10040.4.3" identifies the SHA-1 with DSA signature algorithm, as per PKIX part I.
Returns:
the signature algorithm oid string.
Overrides:
getSigAlgOID in class X509CRL

getSigAlgParams

public byte[] getSigAlgParams()
Gets the DER encoded signature algorithm parameters from this CRL's signature algorithm. In most cases the signature algorithm parameters are null; the parameters are usually supplied with the public key.
Returns:
the DER encoded signature algorithm parameters, or null if no parameters are present.
Overrides:
getSigAlgParams in class X509CRL

hasUnsupportedCriticalExtension

public boolean hasUnsupportedCriticalExtension()
Returns true if a critical extension is found that is not supported by this implementation, otherwise false. A CRL for which this returns true cannot be interpreted safely, since the unsupported extension may change the meaning of the list; relying parties should reject it rather than consult its entries.

getCriticalExtensionOIDs

public Set getCriticalExtensionOIDs()
Gets a Set of the extension(s) marked CRITICAL in the CRL. In the returned set, each extension is represented by its OID string.
Returns:
a set of the extension oid strings in the CRL that are marked critical.

getNonCriticalExtensionOIDs

public Set getNonCriticalExtensionOIDs()
Gets a Set of the extension(s) marked NON-CRITICAL in the CRL. In the returned set, each extension is represented by its OID string.
Returns:
a set of the extension oid strings in the CRL that are NOT marked critical.

getExtensionValue

public byte[] getExtensionValue(String oid)
Gets the DER encoded OCTET string for the extension value (extnValue) identified by the passed in oid String. The oid string is represented as a sequence of positive whole numbers separated by ".", that is,
<positive whole number>.<positive whole number>.<...>
Parameters:
oid - the Object Identifier value for the extension.
Returns:
the der encoded octet string of the extension value.
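The following is an added example, not code from the IBM javadoc or provider source. It shows the order of checks a relying party should run with the methods above before honouring a CRL (verify(), the thisUpdate/nextUpdate window with nextUpdate being OPTIONAL, hasUnsupportedCriticalExtension(), then isRevoked()/getRevokedCertificate()), and it decodes the CRL Number extension to show what getExtensionValue() actually returns: the DER OCTET STRING wrapping extnValue, which for cRLNumber wraps a DER INTEGER. Assumptions not stated on this page: the inputs are DER files named on the command line (issuer certificate, certificate under test, CRL), the IBM provider is on the class path so X509CRLImpl resolves, and the OID 2.5.29.20 is id-ce-cRLNumber as defined in the PKIX profile.

```java
// Added example; not part of the IBM javadoc or provider source.
// The order of checks a relying party should run before honouring a CRL, plus a
// small DER decoder showing what getExtensionValue() actually hands back.
// Assumptions (not stated on this page): inputs are DER files named on the command
// line (issuer certificate, certificate under test, CRL); the IBM provider is on
// the class path so X509CRLImpl resolves; 2.5.29.20 is id-ce-cRLNumber (PKIX).
import com.ibm.security12.sun.security.x509.X509CRLImpl;

import java.io.FileInputStream;
import java.math.BigInteger;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509Certificate;
import java.util.Date;

public class CheckCrlExample {

    static final String CRL_NUMBER_OID = "2.5.29.20";   // id-ce-cRLNumber

    enum Status { GOOD, REVOKED, CRL_UNTRUSTED }

    static Status check(byte[] crlDer, X509Certificate issuerCert, X509Certificate cert, Date now)
            throws Exception {
        // Issuer binding: a serial number is unique only per issuer, so a CRL from
        // another CA says nothing about this certificate.
        if (!issuerCert.getSubjectX500Principal().equals(cert.getIssuerX500Principal()))
            return Status.CRL_UNTRUSTED;

        X509CRLImpl crl = new X509CRLImpl(crlDer);   // exactly one CRL, no trailing bytes

        // 1. Signature first; nothing read from the CRL is trustworthy until this passes,
        //    and passing binds the CRL to the issuer whose key we used.
        try {
            crl.verify(issuerCert.getPublicKey());
        } catch (GeneralSecurityException e) {
            return Status.CRL_UNTRUSTED;
        }
        // 2. Freshness: thisUpdate in the future or nextUpdate in the past means a
        //    replayed or stale list. nextUpdate is OPTIONAL, hence the null check.
        if (crl.getThisUpdate().after(now)) return Status.CRL_UNTRUSTED;
        Date next = crl.getNextUpdate();
        if (next != null && next.before(now)) return Status.CRL_UNTRUSTED;
        // 3. A critical extension this implementation cannot interpret may change
        //    what the list means, so the whole CRL must be rejected.
        if (crl.hasUnsupportedCriticalExtension()) return Status.CRL_UNTRUSTED;

        // 4. Only now consult the list itself.
        if (!crl.isRevoked(cert)) return Status.GOOD;
        X509CRLEntry entry = crl.getRevokedCertificate(cert.getSerialNumber());
        if (entry != null) System.out.println("revoked since " + entry.getRevocationDate());
        return Status.REVOKED;
    }

    /** getExtensionValue() returns the DER OCTET STRING wrapping extnValue; for
     *  cRLNumber the wrapped value is itself a DER INTEGER, so two unwraps are needed. */
    static BigInteger crlNumber(X509CRLImpl crl) {
        byte[] octets = crl.getExtensionValue(CRL_NUMBER_OID);
        if (octets == null) return null;                 // extension absent
        byte[] inner = derContents(octets, 0x04);        // strip OCTET STRING header
        return new BigInteger(derContents(inner, 0x02)); // strip INTEGER header; DER is two's complement
    }

    /** Returns the contents of one DER TLV after checking its tag; handles long-form lengths. */
    static byte[] derContents(byte[] tlv, int expectedTag) {
        if (tlv.length < 2 || (tlv[0] & 0xFF) != expectedTag)
            throw new IllegalArgumentException("unexpected DER tag");
        int len = tlv[1] & 0xFF, off = 2;
        if (len > 0x7F) {                                // long form: low bits = number of length octets
            int n = len & 0x7F;
            if (n == 0 || n > 4 || tlv.length < 2 + n) throw new IllegalArgumentException("bad DER length");
            len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (tlv[off++] & 0xFF);
        }
        if (len < 0 || off + len != tlv.length) throw new IllegalArgumentException("DER length mismatch");
        byte[] out = new byte[len];
        System.arraycopy(tlv, off, out, 0, len);
        return out;
    }

    public static void main(String[] args) throws Exception {
        // usage: java CheckCrlExample issuer.der cert.der crl.der
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate issuer = (X509Certificate) cf.generateCertificate(new FileInputStream(args[0]));
        X509Certificate cert = (X509Certificate) cf.generateCertificate(new FileInputStream(args[1]));
        byte[] crlDer = Files.readAllBytes(Paths.get(args[2]));

        Status s = check(crlDer, issuer, cert, new Date());
        System.out.println("status: " + s);
        if (s != Status.CRL_UNTRUSTED)
            System.out.println("CRL number: " + crlNumber(new X509CRLImpl(crlDer)));
    }
}
```

CRL_UNTRUSTED is deliberately distinct from GOOD: a CRL that fails signature, freshness or critical-extension checks tells you nothing about the certificate, and a caller that maps "not provably revoked" to "good" has turned revocation checking into a fail-open control.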