Class X509CRLImpl

java.lang.Object
  +--com.ibm.security12.java.security.cert.CRL
        +--com.ibm.security12.java.security.cert.X509CRL
              +--com.ibm.security12.sun.security.x509.X509CRLImpl
An implementation of an X.509 CRL (Certificate Revocation List).

The X.509 v2 CRL format is described below in ASN.1:

    CertificateList ::= SEQUENCE {
        tbsCertList        TBSCertList,
        signatureAlgorithm AlgorithmIdentifier,
        signature          BIT STRING }

A good description and profile is provided in the IETF PKIX WG draft, Part I: X.509 Certificate and CRL Profile, <draft-ietf-pkix-ipki-part1-06.txt>.

The ASN.1 definition of tbsCertList is:

    TBSCertList ::= SEQUENCE {
        version             Version OPTIONAL,
                            -- if present, must be v2
        signature           AlgorithmIdentifier,
        issuer              Name,
        thisUpdate          ChoiceOfTime,
        nextUpdate          ChoiceOfTime OPTIONAL,
        revokedCertificates SEQUENCE OF SEQUENCE {
            userCertificate    CertificateSerialNumber,
            revocationDate     ChoiceOfTime,
            crlEntryExtensions Extensions OPTIONAL
                               -- if present, must be v2
            } OPTIONAL,
        crlExtensions       [0] EXPLICIT Extensions OPTIONAL
                            -- if present, must be v2 }

See Also:
    X509CRL
Constructor Summary

X509CRLImpl(byte[] crlData)
    Unmarshals an X.509 CRL from its encoded form, parsing the encoded bytes.
X509CRLImpl(DerValue val)
    Unmarshals an X.509 CRL from a DER value.
X509CRLImpl(InputStream inStrm)
    Unmarshals an X.509 CRL from an input stream.
X509CRLImpl(X500Name issuer, Date thisDate, Date nextDate)
    Initial CRL constructor: no revoked certs and no extensions.
X509CRLImpl(X500Name issuer, Date thisDate, Date nextDate, X509CRLEntry[] badCerts)
    CRL constructor with revoked certs and no extensions.
X509CRLImpl(X500Name issuer, Date thisDate, Date nextDate, X509CRLEntry[] badCerts, CRLExtensions crlExts)
    CRL constructor with revoked certs and extensions.
Method Summary

void encodeInfo(OutputStream out)
    Encodes the "to-be-signed" CRL to the OutputStream.
Set getCriticalExtensionOIDs()
    Gets a Set of the extension(s) marked CRITICAL in the CRL.
byte[] getEncoded()
    Returns the ASN.1 DER encoded form of this CRL.
byte[] getExtensionValue(String oid)
    Gets the DER encoded OCTET string for the extension value (extnValue) identified by the passed in oid String.
Principal getIssuerDN()
    Gets the issuer distinguished name from this CRL.
Date getNextUpdate()
    Gets the nextUpdate date from the CRL.
Set getNonCriticalExtensionOIDs()
    Gets a Set of the extension(s) marked NON-CRITICAL in the CRL.
X509CRLEntry getRevokedCertificate(java.math.BigInteger serialNumber)
    Gets the CRL entry with the given serial number from this CRL.
Set getRevokedCertificates()
    Gets all the revoked certificates from the CRL.
String getSigAlgName()
    Gets the signature algorithm name for the CRL signature algorithm.
String getSigAlgOID()
    Gets the signature algorithm OID string from the CRL.
byte[] getSigAlgParams()
    Gets the DER encoded signature algorithm parameters from this CRL's signature algorithm.
byte[] getSignature()
    Gets the raw Signature bits from the CRL.
byte[] getTBSCertList()
    Gets the DER encoded CRL information, the tbsCertList from this CRL.
Date getThisUpdate()
    Gets the thisUpdate date from the CRL.
int getVersion()
    Gets the version number from this CRL.
boolean hasUnsupportedCriticalExtension()
    Returns true if a critical extension is found that is not supported, otherwise returns false.
boolean isRevoked(Certificate cert)
    Checks whether the given certificate is on this CRL.
void sign(PrivateKey key, String algorithm)
    Encodes an X.509 CRL, and signs it using the given key.
void sign(PrivateKey key, String algorithm, String provider)
    Encodes an X.509 CRL, and signs it using the given key.
String toString()
    Returns a printable string of this CRL.
void verify(PublicKey key)
    Verifies that this CRL was signed using the private key that corresponds to the given public key.
void verify(PublicKey key, String sigProvider)
    Verifies that this CRL was signed using the private key that corresponds to the given public key, and that the signature verification was computed by the given provider.
Methods inherited from class com.ibm.security12.java.security.cert.X509CRL
    equals, hashCode

Methods inherited from class com.ibm.security12.java.security.cert.CRL
    getType

Methods inherited from class java.lang.Object
    clone, finalize, getClass, notify, notifyAll, wait, wait, wait
Constructor Detail

public X509CRLImpl(byte[] crlData) throws CRLException
    Parameters:
        crlData - the encoded bytes, with no trailing padding.

public X509CRLImpl(DerValue val) throws CRLException
    Parameters:
        val - a DER value holding at least one CRL.

public X509CRLImpl(InputStream inStrm) throws CRLException
    Parameters:
        inStrm - an input stream holding at least one CRL.

public X509CRLImpl(X500Name issuer, Date thisDate, Date nextDate)
    Parameters:
        issuer - the name of the CA issuing this CRL.
        thisUpdate - the Date of this issue.
        nextUpdate - the Date of the next CRL.

public X509CRLImpl(X500Name issuer, Date thisDate, Date nextDate, X509CRLEntry[] badCerts) throws CRLException
    Parameters:
        issuer - the name of the CA issuing this CRL.
        thisUpdate - the Date of this issue.
        nextUpdate - the Date of the next CRL.
        badCerts - the array of CRL entries.

public X509CRLImpl(X500Name issuer, Date thisDate, Date nextDate, X509CRLEntry[] badCerts, CRLExtensions crlExts) throws CRLException
    Parameters:
        issuer - the name of the CA issuing this CRL.
        thisUpdate - the Date of this issue.
        nextUpdate - the Date of the next CRL.
        badCerts - the array of CRL entries.
        crlExts - the CRL extensions.

Method Detail
public byte[] getEncoded() throws CRLException

public void encodeInfo(OutputStream out) throws CRLException
    Parameters:
        out - the OutputStream to write to.

public void verify(PublicKey key) throws CRLException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException
    Parameters:
        key - the PublicKey used to carry out the verification.

public void verify(PublicKey key, String sigProvider) throws CRLException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException
    Parameters:
        key - the PublicKey used to carry out the verification.
        sigProvider - the name of the signature provider.

public void sign(PrivateKey key, String algorithm) throws CRLException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException
    Parameters:
        key - the private key used for signing.
        algorithm - the name of the signature algorithm used.

public void sign(PrivateKey key, String algorithm, String provider) throws CRLException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException
    Parameters:
        key - the private key used for signing.
        algorithm - the name of the signature algorithm used.
        provider - the name of the provider.

public String toString()

public boolean isRevoked(Certificate cert)
    Parameters:
        cert - the certificate to check for.

public int getVersion()
    Version ::= INTEGER { v1(0), v2(1), v3(2) }
        -- v3 does not apply to CRLs but appears for consistency
        -- with definition of Version for certs

public Principal getIssuerDN()
    issuer    Name

    Name ::= CHOICE { RDNSequence }
    RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
    RelativeDistinguishedName ::= SET OF AttributeValueAssertion
    AttributeValueAssertion ::= SEQUENCE { AttributeType, AttributeValue }
    AttributeType ::= OBJECT IDENTIFIER
    AttributeValue ::= ANY

    The Name describes a hierarchical name composed of attributes, such as country name, and corresponding values, such as US. The type of the component AttributeValue is determined by the AttributeType; in general it will be a directoryString. A directoryString is usually one of PrintableString, TeletexString or UniversalString.
public Date getThisUpdate()

public Date getNextUpdate()

public X509CRLEntry getRevokedCertificate(java.math.BigInteger serialNumber)
    See Also:
        X509CRLEntry

public Set getRevokedCertificates()
    See Also:
        X509CRLEntry

public byte[] getTBSCertList() throws CRLException
    Gets the DER encoded CRL information, the tbsCertList from this CRL. This can be used to verify the signature independently.

public byte[] getSignature()

public String getSigAlgName()
    AlgorithmIdentifier ::= SEQUENCE {
        algorithm  OBJECT IDENTIFIER,
        parameters ANY DEFINED BY algorithm OPTIONAL }
        -- contains a value of the type
        -- registered for use with the
        -- algorithm object identifier value

public String getSigAlgOID()

public byte[] getSigAlgParams()

public boolean hasUnsupportedCriticalExtension()

public Set getCriticalExtensionOIDs()

public Set getNonCriticalExtensionOIDs()

public byte[] getExtensionValue(String oid)
    Gets the DER encoded OCTET string for the extension value (extnValue) identified by the passed in oid String. The oid string is represented by positive whole numbers separated by ".".
    Parameters:
        oid - the Object Identifier value for the extension.
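As an added example that is not code from this page or from the IBM security12 library, the following stdlib-only Python walks the CertificateList and TBSCertList structures defined at the top of this page and applies the relying-party checks that isRevoked(), getNextUpdate() and hasUnsupportedCriticalExtension() describe: a lookup by serial, a nextUpdate staleness test, and rejection of any critical extension the code does not understand. The DER encoder, the sample "Example CA" CRL it builds (with a dummy signature BIT STRING, so no signature verification is shown) and the set of "supported" extension OIDs are assumptions made here.

```python
# Added example (not IBM security12 code): DER walker for the TBSCertList defined above.
# sample_crl() constructs test data; SUPPORTED_CRITICAL is an assumed set of known OIDs.
def der(tag, body):                       # encode one DER TLV (bodies < 65536 bytes assumed)
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])) + body

def items(body):                          # decode every TLV in a SEQUENCE/SET body -> [(tag, body)]
    out, pos = [], 0
    while pos < len(body):
        tag, n, pos = body[pos], body[pos + 1], pos + 2
        if n & 0x80:                      # long form: low 7 bits give the number of length bytes
            n, pos = int.from_bytes(body[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
        out.append((tag, body[pos:pos + n])); pos += n
    return out

SUPPORTED_CRITICAL = {b"\x55\x1d\x14", b"\x55\x1d\x23"}   # cRLNumber, authorityKeyIdentifier (assumed)

def parse_tbs(tbs):                       # walk the TBSCertList body in the field order defined above
    f, i, version, next_update, revoked, bad_crit = items(tbs), 0, 0, None, {}, []
    if f[0][0] == 0x02: version, i = int.from_bytes(f[0][1], "big"), 1   # version absent => v1
    this_update, i = f[i + 2][1].decode(), i + 3   # skip signature AlgorithmIdentifier and issuer Name
    if i < len(f) and f[i][0] in (0x17, 0x18):   # nextUpdate OPTIONAL: UTCTime or GeneralizedTime
        next_update, i = f[i][1].decode(), i + 1
    if i < len(f) and f[i][0] == 0x30:    # revokedCertificates OPTIONAL: SEQUENCE OF {serial, date, ...}
        for _, entry in items(f[i][1]):
            serial, date = items(entry)[:2]
            revoked[int.from_bytes(serial[1], "big")] = date[1].decode()
        i += 1
    if i < len(f) and f[i][0] == 0xA0:    # crlExtensions [0] EXPLICIT Extensions OPTIONAL
        for _, ext in items(items(f[i][1])[0][1]):
            p = items(ext)                # extnID, optional critical BOOLEAN, extnValue
            if len(p) == 3 and p[1][1] == b"\xff" and p[0][1] not in SUPPORTED_CRITICAL:
                bad_crit.append(p[0][1].hex())   # hasUnsupportedCriticalExtension() must be true
    return {"version": version, "thisUpdate": this_update, "nextUpdate": next_update,
            "revoked": revoked, "unsupportedCritical": bad_crit}

def check(crl, serial, now_utc):          # now_utc: 'YYMMDDhhmmssZ' in the CRL's century -> (revoked, usable)
    t = parse_tbs(items(items(crl)[0][1])[0][1])        # CertificateList -> tbsCertList body
    stale = t["nextUpdate"] is not None and now_utc > t["nextUpdate"]
    return serial in t["revoked"], not (stale or t["unsupportedCritical"])

def sample_crl(serials, unknown_critical=False):      # constructed v2 CRL from "Example CA"
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))  # sha256WithRSA
    issuer = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x13, b"Example CA"))))
    utc = lambda s: der(0x17, s.encode())
    entry = lambda s: der(0x30, der(0x02, s.to_bytes((s.bit_length() + 8) // 8, "big")) + utc("240115000000Z"))
    exts = der(0x30, der(0x06, b"\x55\x1d\x14") + der(0x04, der(0x02, b"\x05")))  # cRLNumber = 5
    if unknown_critical:                  # private-arc OID 1.3.6.1.4.1.99999.1, marked critical
        exts += der(0x30, der(0x06, bytes.fromhex("2b06010401868d1f01")) + der(0x01, b"\xff") + der(0x04, der(0x05, b"")))
    tbs = der(0x02, b"\x01") + alg + issuer + utc("240101000000Z") + utc("240201000000Z")
    tbs += (der(0x30, b"".join(map(entry, serials))) if serials else b"") + der(0xA0, der(0x30, exts))
    return der(0x30, der(0x30, tbs) + alg + der(0x03, b"\x00" * 9))
```

A CRL for which check() reports usable == False must not be consulted at all, whatever its revoked list says; that is the same rule the library expresses by verify() failing or hasUnsupportedCriticalExtension() returning true.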