Package org.mozilla.jss.netscape.security.x509

Class X509CRLImpl

  • All Implemented Interfaces:
    java.security.cert.X509Extension
    public class X509CRLImpl
extends java.security.cert.X509CRL

    An implmentation for X509 CRL (Certificate Revocation List).

    The X.509 v2 CRL format is described below in ASN.1:

    CertificateList ::= SEQUENCE { tbsCertList TBSCertList, signatureAlgorithm AlgorithmIdentifier, signature BIT STRING }

    A good description and profiling is provided in the IETF PKIX WG draft, Part I: X.509 Certificate and CRL Profile, <draft-ietf-pkix-ipki-part1-06.txt>.

    The ASN.1 definition of tbsCertList is: 

     TBSCertList  ::=  SEQUENCE  {
     version                 Version OPTIONAL,
                             -- if present, must be v2
     signature               AlgorithmIdentifier,
     issuer                  Name,
     thisUpdate              ChoiceOfTime,
     nextUpdate              ChoiceOfTime OPTIONAL,
     revokedCertificates     SEQUENCE OF SEQUENCE  {
         userCertificate         CertificateSerialNumber,
         revocationDate          ChoiceOfTime,
         crlEntryExtensions      Extensions OPTIONAL
                                 -- if present, must be v2
         }  OPTIONAL,
     crlExtensions           [0]  EXPLICIT Extensions OPTIONAL
                                  -- if present, must be v2
     }
    See Also:
    X509CRL

    • Method Summary

      All Methods Instance Methods Concrete Methods 
      Modifier and Type Method Description
      boolean areEntriesIncluded()  
      void encodeInfo​(java.io.OutputStream out)
      Encodes the "to-be-signed" CRL to the OutputStream.
      java.util.Set<java.lang.String> getCriticalExtensionOIDs()
      Gets a Set of the extension(s) marked CRITICAL in the CRL by OID strings.
      java.math.BigInteger getCRLNumber()  
      java.math.BigInteger getDeltaBaseCRLNumber()  
      byte[] getEncoded()
      Returns the ASN.1 DER encoded form of this CRL.
      CRLExtensions getExtensions()
      Returns extensions for this impl.
      byte[] getExtensionValue​(java.lang.String oid)
      Gets the DER encoded OCTET string for the extension value (extnValue) identified by the passed in oid String.
      java.security.Principal getIssuerDN()
      Gets the issuer distinguished name from this CRL.
      java.util.Hashtable<java.math.BigInteger,​RevokedCertificate> getListOfRevokedCertificates()  
      java.util.Date getNextUpdate()
      Gets the nextUpdate date from the CRL.
      java.util.Set<java.lang.String> getNonCriticalExtensionOIDs()
      Gets a Set of the extension(s) marked NON-CRITICAL in the CRL by OID strings.
      int getNumberOfRevokedCertificates()  
      java.security.cert.X509CRLEntry getRevokedCertificate​(java.math.BigInteger serialNumber)
      Get the revoked certificate from the CRL by the serial number provided.
      java.util.Set<RevokedCertificate> getRevokedCertificates()
      Gets all the revoked certificates from the CRL.
      java.lang.String getSigAlgName()
      Gets the signature algorithm name for the CRL signature algorithm.
      java.lang.String getSigAlgOID()
      Gets the signature algorithm OID string from the CRL.
      byte[] getSigAlgParams()
      Gets the DER encoded signature algorithm parameters from this CRL's signature algorithm.
      byte[] getSignature()
      Gets the raw Signature bits from the CRL.
      byte[] getTBSCertList()
      Gets the DER encoded CRL information, the tbsCertList from this CRL.
      java.util.Date getThisUpdate()
      Gets the thisUpdate date from the CRL.
      int getVersion()
      Gets the version number from the CRL.
      boolean hasUnsupportedCriticalExtension()  
      boolean isDeltaCRL()  
      boolean isRevoked​(java.math.BigInteger serialNumber)
      Checks whether the given serial number is on this CRL.
      boolean isRevoked​(java.security.cert.Certificate cert)  
      boolean setSignature​(byte[] crlSignature)
      Returns true if signature was set.
      boolean setSignedCRL​(byte[] crl)
      Returns true if signedCRL was set.
      void sign​(java.security.PrivateKey key, java.lang.String algorithm)
      Encodes an X.509 CRL, and signs it using the key passed.
      void sign​(java.security.PrivateKey key, java.lang.String algorithm, java.lang.String provider)
      Encodes an X.509 CRL, and signs it using the key passed.
      java.lang.String toString()
      Returns a printable string of this CRL.
      void verify​(java.security.PublicKey key)
      Verifies that this CRL was signed using the private key that corresponds to the specified public key.
      void verify​(java.security.PublicKey key, java.lang.String sigProvider)
      Verifies that this CRL was signed using the private key that corresponds to the specified public key, and that the signature verification was computed by the given provider.

      • Methods inherited from class java.security.cert.X509CRL

        equals, getIssuerX500Principal, getRevokedCertificate, hashCode, verify

      • Methods inherited from class java.security.cert.CRL

        getType

      • Methods inherited from class java.lang.Object

        clone, finalize, getClass, notify, notifyAll, wait, wait, wait

    • Constructor Detail

      • X509CRLImpl

        public X509CRLImpl​(byte[] crlData)
            throws java.security.cert.CRLException,
                   X509ExtensionException
        Unmarshals an X.509 CRL from its encoded form, parsing the encoded bytes. This form of constructor is used by agents which need to examine and use CRL contents. Note that the buffer must include only one CRL, and no "garbage" may be left at the end.
        Parameters:
        crlData - the encoded bytes, with no trailing padding.
        Throws:
        java.security.cert.CRLException - on parsing errors.
        X509ExtensionException - on extension handling errors.

      • X509CRLImpl

        public X509CRLImpl​(java.io.InputStream inStrm)
            throws java.security.cert.CRLException,
                   X509ExtensionException
        Unmarshals an X.509 CRL from an input stream. Only one CRL is expected at the end of the input stream.
        Parameters:
        inStrm - an input stream holding at least one CRL
        Throws:
        java.security.cert.CRLException - on parsing errors.
        X509ExtensionException - on extension handling errors.

      • X509CRLImpl

        public X509CRLImpl​(X500Name issuer,
                   java.util.Date thisDate,
                   java.util.Date nextDate)
        Initial CRL constructor, no revoked certs, and no extensions.
        Parameters:
        issuer - the name of the CA issuing this CRL.
        thisDate - the Date of this issue.
        nextDate - the Date of the next CRL.

      • X509CRLImpl

        public X509CRLImpl​(X500Name issuer,
                   java.util.Date thisDate,
                   java.util.Date nextDate,
                   RevokedCertificate[] badCerts)
            throws java.security.cert.CRLException,
                   X509ExtensionException
        CRL constructor, revoked certs, no extensions.
        Parameters:
        issuer - the name of the CA issuing this CRL.
        thisDate - the Date of this issue.
        nextDate - the Date of the next CRL.
        badCerts - the array of revoked certificates.
        Throws:
        java.security.cert.CRLException - on parsing/construction errors.
        X509ExtensionException - on extension handling errors.

      • X509CRLImpl

        public X509CRLImpl​(X500Name issuer,
                   java.util.Date thisDate,
                   java.util.Date nextDate,
                   RevokedCertificate[] badCerts,
                   CRLExtensions crlExts)
            throws java.security.cert.CRLException,
                   X509ExtensionException
        CRL constructor, revoked certs and extensions.
        Parameters:
        issuer - the name of the CA issuing this CRL.
        thisDate - the Date of this issue.
        nextDate - the Date of the next CRL.
        badCerts - the array of revoked certificates.
        crlExts - the CRL extensions.
        Throws:
        java.security.cert.CRLException - on parsing/construction errors.
        X509ExtensionException - on extension handling errors.

      • X509CRLImpl

        public X509CRLImpl​(X500Name issuer,
                   AlgorithmId algId,
                   java.util.Date thisDate,
                   java.util.Date nextDate,
                   RevokedCertificate[] badCerts,
                   CRLExtensions crlExts)
            throws java.security.cert.CRLException,
                   X509ExtensionException
        CRL constructor, revoked certs and extensions. This will be used by code that constructs CRL and uses encodeInfo() in order to sign it using external means (other than sign() method)
        Parameters:
        issuer - the name of the CA issuing this CRL.
        algId - signing algorithm id
        thisDate - the Date of this issue.
        nextDate - the Date of the next CRL.
        badCerts - the array of revoked certificates.
        crlExts - the CRL extensions.
        Throws:
        java.security.cert.CRLException
        X509ExtensionException

      • X509CRLImpl

        public X509CRLImpl​(X500Name issuer,
                   AlgorithmId algId,
                   java.util.Date thisDate,
                   java.util.Date nextDate,
                   java.util.Hashtable<java.math.BigInteger,​RevokedCertificate> badCerts,
                   CRLExtensions crlExts)
            throws java.security.cert.CRLException,
                   X509ExtensionException
        CRL constructor, revoked certs and extensions.
        Parameters:
        issuer - the name of the CA issuing this CRL.
        algId - signing algorithm id
        thisDate - the Date of this issue.
        nextDate - the Date of the next CRL.
        badCerts - the hashtable of revoked certificates.
        crlExts - the CRL extensions.
        Throws:
        java.security.cert.CRLException - on parsing/construction errors.
        X509ExtensionException - on extension handling errors.

    • Method Detail

      • getEncoded

        public byte[] getEncoded()
                  throws java.security.cert.CRLException
        Returns the ASN.1 DER encoded form of this CRL.
        Specified by:
        getEncoded in class java.security.cert.X509CRL
        Throws:
        java.security.cert.CRLException - if an encoding error occurs.

      • setSignedCRL

        public boolean setSignedCRL​(byte[] crl)
        Returns true if signedCRL was set.
        Parameters:
        crl - byte array of containing signed CRL.

      • hasUnsupportedCriticalExtension

        public boolean hasUnsupportedCriticalExtension()

      • encodeInfo

        public void encodeInfo​(java.io.OutputStream out)
                throws java.security.cert.CRLException,
                       X509ExtensionException
        Encodes the "to-be-signed" CRL to the OutputStream.
        Parameters:
        out - the OutputStream to write to.
        Throws:
        java.security.cert.CRLException - on encoding errors.
        X509ExtensionException - on extension encoding errors.

      • verify

        public void verify​(java.security.PublicKey key)
            throws java.security.cert.CRLException,
                   java.security.NoSuchAlgorithmException,
                   java.security.InvalidKeyException,
                   java.security.NoSuchProviderException,
                   java.security.SignatureException
        Verifies that this CRL was signed using the private key that corresponds to the specified public key.
        Specified by:
        verify in class java.security.cert.X509CRL
        Parameters:
        key - the PublicKey used to carry out the verification.
        Throws:
        java.security.NoSuchAlgorithmException - on unsupported signature algorithms.
        java.security.InvalidKeyException - on incorrect key.
        java.security.NoSuchProviderException - if there's no default provider.
        java.security.SignatureException - on signature errors.
        java.security.cert.CRLException - on encoding errors.

      • verify

        public void verify​(java.security.PublicKey key,
                   java.lang.String sigProvider)
            throws java.security.cert.CRLException,
                   java.security.NoSuchAlgorithmException,
                   java.security.InvalidKeyException,
                   java.security.NoSuchProviderException,
                   java.security.SignatureException
        Verifies that this CRL was signed using the private key that corresponds to the specified public key, and that the signature verification was computed by the given provider.
        Specified by:
        verify in class java.security.cert.X509CRL
        Parameters:
        key - the PublicKey used to carry out the verification.
        sigProvider - the name of the signature provider.
        Throws:
        java.security.NoSuchAlgorithmException - on unsupported signature algorithms.
        java.security.InvalidKeyException - on incorrect key.
        java.security.NoSuchProviderException - on incorrect provider.
        java.security.SignatureException - on signature errors.
        java.security.cert.CRLException - on encoding errors.

      • sign

        public void sign​(java.security.PrivateKey key,
                 java.lang.String algorithm)
          throws java.security.cert.CRLException,
                 java.security.NoSuchAlgorithmException,
                 java.security.InvalidKeyException,
                 java.security.NoSuchProviderException,
                 java.security.SignatureException,
                 X509ExtensionException
        Encodes an X.509 CRL, and signs it using the key passed.
        Parameters:
        key - the private key used for signing.
        algorithm - the name of the signature algorithm used.
        Throws:
        java.security.NoSuchAlgorithmException - on unsupported signature algorithms.
        java.security.InvalidKeyException - on incorrect key.
        java.security.NoSuchProviderException - on incorrect provider.
        java.security.SignatureException - on signature errors.
        java.security.cert.CRLException - if any mandatory data was omitted.
        X509ExtensionException - on any extension errors.

      • sign

        public void sign​(java.security.PrivateKey key,
                 java.lang.String algorithm,
                 java.lang.String provider)
          throws java.security.cert.CRLException,
                 java.security.NoSuchAlgorithmException,
                 java.security.InvalidKeyException,
                 java.security.NoSuchProviderException,
                 java.security.SignatureException,
                 X509ExtensionException
        Encodes an X.509 CRL, and signs it using the key passed.
        Parameters:
        key - the private key used for signing.
        algorithm - the name of the signature algorithm used.
        provider - the name of the provider.
        Throws:
        java.security.NoSuchAlgorithmException - on unsupported signature algorithms.
        java.security.InvalidKeyException - on incorrect key.
        java.security.NoSuchProviderException - on incorrect provider.
        java.security.SignatureException - on signature errors.
        java.security.cert.CRLException - if any mandatory data was omitted.
        X509ExtensionException - on any extension errors.

      • toString

        public java.lang.String toString()
        Returns a printable string of this CRL.
        Specified by:
        toString in class java.security.cert.CRL
        Returns:
        value of this CRL in a printable form.

      • isRevoked

        public boolean isRevoked​(java.math.BigInteger serialNumber)
        Checks whether the given serial number is on this CRL.
        Parameters:
        serialNumber - the number to check for.
        Returns:
        true if the given serial number is on this CRL, false otherwise.

      • isRevoked

        public boolean isRevoked​(java.security.cert.Certificate cert)
        Specified by:
        isRevoked in class java.security.cert.CRL

      • getVersion

        public int getVersion()
        Gets the version number from the CRL. The ASN.1 definition for this is: 
         Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
             -- v3 does not apply to CRLs but appears for consistency
             -- with definition of Version for certs
        Specified by:
        getVersion in class java.security.cert.X509CRL
        Returns:
        the version number.

      • getIssuerDN

        public java.security.Principal getIssuerDN()
        Gets the issuer distinguished name from this CRL. The issuer name identifies the entity who has signed (and issued the CRL). The issuer name field contains an X.500 distinguished name (DN). The ASN.1 definition for this is: 
         issuer    Name

 Name ::= CHOICE { RDNSequence }
 RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
 RelativeDistinguishedName ::=
     SET OF AttributeValueAssertion

 AttributeValueAssertion ::= SEQUENCE {
                               AttributeType,
                               AttributeValue }
 AttributeType ::= OBJECT IDENTIFIER
 AttributeValue ::= ANY
        The Name describes a hierarchical name composed of attributes, such as country name, and corresponding values, such as US. The type of the component AttributeValue is determined by the AttributeType; in general it will be a directoryString. A directoryString is usually one of PrintableString, TeletexString or UniversalString.
        Specified by:
        getIssuerDN in class java.security.cert.X509CRL
        Returns:
        the issuer name.

      • getThisUpdate

        public java.util.Date getThisUpdate()
        Gets the thisUpdate date from the CRL. The ASN.1 definition for this is:
        Specified by:
        getThisUpdate in class java.security.cert.X509CRL
        Returns:
        the thisUpdate date from the CRL.

      • getNextUpdate

        public java.util.Date getNextUpdate()
        Gets the nextUpdate date from the CRL.
        Specified by:
        getNextUpdate in class java.security.cert.X509CRL
        Returns:
        the nextUpdate date from the CRL, or null if not present.

      • getRevokedCertificate

        public java.security.cert.X509CRLEntry getRevokedCertificate​(java.math.BigInteger serialNumber)
        Get the revoked certificate from the CRL by the serial number provided.
        Specified by:
        getRevokedCertificate in class java.security.cert.X509CRL
        Returns:
        the revoked certificate or null if there is no entry in the CRL marked with the provided serial number.
        See Also:
        RevokedCertificate

      • getRevokedCertificates

        public java.util.Set<RevokedCertificate> getRevokedCertificates()
        Gets all the revoked certificates from the CRL. A Set of RevokedCertificate.
        Specified by:
        getRevokedCertificates in class java.security.cert.X509CRL
        Returns:
        all the revoked certificates or null if there are none.
        See Also:
        RevokedCertificate

      • getListOfRevokedCertificates

        public java.util.Hashtable<java.math.BigInteger,​RevokedCertificate> getListOfRevokedCertificates()

      • getNumberOfRevokedCertificates

        public int getNumberOfRevokedCertificates()

      • getTBSCertList

        public byte[] getTBSCertList()
                      throws java.security.cert.CRLException
        Gets the DER encoded CRL information, the tbsCertList from this CRL. This can be used to verify the signature independently.
        Specified by:
        getTBSCertList in class java.security.cert.X509CRL
        Returns:
        the DER encoded CRL information.
        Throws:
        java.security.cert.CRLException - on parsing errors.

      • getSignature

        public byte[] getSignature()
        Gets the raw Signature bits from the CRL.
        Specified by:
        getSignature in class java.security.cert.X509CRL
        Returns:
        the signature.

      • setSignature

        public boolean setSignature​(byte[] crlSignature)
        Returns true if signature was set.
        Parameters:
        crlSignature - byte array of containing CRL signature.

      • getSigAlgName

        public java.lang.String getSigAlgName()
        Gets the signature algorithm name for the CRL signature algorithm. For example, the string "SHA1withDSA". The ASN.1 definition for this is: 
         AlgorithmIdentifier  ::=  SEQUENCE  {
     algorithm               OBJECT IDENTIFIER,
     parameters              ANY DEFINED BY algorithm OPTIONAL  }
                             -- contains a value of the type
                             -- registered for use with the
                             -- algorithm object identifier value
        Specified by:
        getSigAlgName in class java.security.cert.X509CRL
        Returns:
        the signature algorithm name.

      • getSigAlgOID

        public java.lang.String getSigAlgOID()
        Gets the signature algorithm OID string from the CRL. An OID is represented by a set of positive whole number separated by ".", that means,
        <positive whole number>.<positive whole number>.<...> For example, the string "1.2.840.10040.4.3" identifies the SHA-1 with DSA signature algorithm, as per the PKIX part I.
        Specified by:
        getSigAlgOID in class java.security.cert.X509CRL
        Returns:
        the signature algorithm oid string.

      • getSigAlgParams

        public byte[] getSigAlgParams()
        Gets the DER encoded signature algorithm parameters from this CRL's signature algorithm. In most cases, the signature algorithm parameters are null, the parameters are usually supplied with the Public Key.
        Specified by:
        getSigAlgParams in class java.security.cert.X509CRL
        Returns:
        the DER encoded signature algorithm parameters, or null if no parameters are present.

      • getCriticalExtensionOIDs

        public java.util.Set<java.lang.String> getCriticalExtensionOIDs()
        Gets a Set of the extension(s) marked CRITICAL in the CRL by OID strings.
        Returns:
        a set of the extension oid strings in the CRL that are marked critical.

      • getNonCriticalExtensionOIDs

        public java.util.Set<java.lang.String> getNonCriticalExtensionOIDs()
        Gets a Set of the extension(s) marked NON-CRITICAL in the CRL by OID strings.
        Returns:
        a set of the extension oid strings in the CRL that are NOT marked critical.

      • getExtensionValue

        public byte[] getExtensionValue​(java.lang.String oid)
        Gets the DER encoded OCTET string for the extension value (extnValue) identified by the passed in oid String. The oid string is represented by a set of positive whole number separated by ".", that means,
        <positive whole number>.<positive whole number>.<...>
        Parameters:
        oid - the Object Identifier value for the extension.
        Returns:
        the der encoded octet string of the extension value.

      • getCRLNumber

        public java.math.BigInteger getCRLNumber()

      • getDeltaBaseCRLNumber

        public java.math.BigInteger getDeltaBaseCRLNumber()

      • isDeltaCRL

        public boolean isDeltaCRL()

      • getExtensions

        public CRLExtensions getExtensions()
        Returns extensions for this impl.

      • areEntriesIncluded

        public boolean areEntriesIncluded()