com.rsa.certj.cert

Class CRL

java.lang.Object
  |
  +--com.rsa.certj.cert.CRL
All Implemented Interfaces:
Cloneable, Serializable
Direct Known Subclasses:
X509CRL

public abstract class CRL
extends Object
implements Cloneable, Serializable

This class builds and holds a certificate revocation list (CRL). It is the base class for a CRL. There are many kinds of CRLs; the most common is X.509. This class is general; subclasses implement the details.

Because this general CRL class does not perform any of the activities of a specified CRL (a CRL defined by some standard), it is an abstract class.

Copyright © RSA Security Inc., 1999-2001. All rights reserved.

See Also

Serialized Form

Field Summary

static int

DSA_WITH_SHA1_X930

Use this flag in setSignatureStandard if the signing transformation is SHA1/DSA and the OID and ASN.1 definition to use for the signature algorithm's BER encoding should follow the X9.30 standard.

static int

DSA_WITH_SHA1_X957

Use this flag in setSignatureStandard if the signing transformation is SHA1/DSA and the OID and ASN.1 definition to use for the signature algorithm's BER encoding should follow the X9.57 standard.

static int

RSA_WITH_SHA1_ISO_OIW

Use this flag in setSignatureStandard if the signing transformation is SHA1/RSA/PKCS1Block01Pad and the OID and ASN.1 definition to use for the signature algorithm's BER encoding should follow the ISO OIW.

static int

RSA_WITH_SHA1_PKCS

Use this flag in setSignatureStandard if the signing transformation is SHA1/RSA/PKCS1Block01Pad and the OID and ASN.1 definition to use for the signature algorithm's BER encoding should follow the PKCS.

 

Constructor Summary

CRL()

 

 

Method Summary

 CertJ

getCertJ()

This is a method to get the CertJ context dynamically.

 String

getDevice()

Gets the name of the device that performed the signing or verification.

 String[]

getDeviceList()

Gets a list of names of devices that performed the individual elements of the signature or verification operation, such as digest, signature algorithm, and padding scheme.

abstract  byte[]

getSignature()

Gets the signature octets.

 String

getSignatureAlgorithm()

Gets the signature algorithm.

 byte[]

getSignatureAlgorithmDER()

Gets the DER encoding of the signature algorithm.

 String

getSignatureFormat()

Gets the String to use when calling the JSAFE_Signature method getDERAlgorithmID.

 int

getSignatureStandard()

Gets the signature standard for this object.

 void

setCertJ(CertJ certJContext)

This is a method to set the CertJ context dynamically.

 void

setSignatureStandard(int standardFlag)

Sets this object to the specified standard.

 void

signCRL(byte[] signatureAlgorithmBER, int offset, String device, com.rsa.jsafe.JSAFE_PrivateKey signingKey, SecureRandom random)

Signs the CRL, using the algorithm represented by the algorithm identifier signatureAlgorithmBER, and signingKey on the specified device.

abstract  void

signCRL(String transformation, String device, com.rsa.jsafe.JSAFE_PrivateKey signingKey, SecureRandom random)

Signs the CRL, using transformation and signingKey on the specified device.

 boolean

verifyCRLSignature(String device, byte[] verifyingKeyBER, int offset, SecureRandom random)

Verifies the signature of the CRL using the public key represented by verifyingKeyBER, the BER encoding of a public key, on the specified device.

 boolean

verifyCRLSignature(String device, Certificate signerCert, SecureRandom random)

Verifies the CRL's signature using the public key found in signerCert on the specified device.

abstract  boolean

verifyCRLSignature(String device, com.rsa.jsafe.JSAFE_PublicKey verifyingKey, SecureRandom random)

Verifies the signature of the CRL using the public key represented by verifyingKey, the BER encoding of a public key, on the specified device.

 
Methods inherited from class java.lang.Object
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

RSA_WITH_SHA1_PKCS

public static final int RSA_WITH_SHA1_PKCS
Use this flag in setSignatureStandard if the signing transformation is SHA1/RSA/PKCS1Block01Pad and the OID and ASN.1 definition to use for the signature algorithm's BER encoding should follow the PKCS.

This is the default. If setSignatureStandard is not called and the transformation is SHA1/RSA/PKCS1Block01Pad, the signature algorithm's BER will follow the PKCS. This is used only when the digest algorithm is SHA1. For all other RSA signatures, do not set the signature standard.

RSA_WITH_SHA1_ISO_OIW

public static final int RSA_WITH_SHA1_ISO_OIW
Use this flag in setSignatureStandard if the signing transformation is SHA1/RSA/PKCS1Block01Pad and the OID and ASN.1 definition to use for the signature algorithm's BER encoding should follow the ISO OIW.

This is NOT the default. If setSignatureStandard is not called and the transformation is SHA1/RSA/PKCS1Block01Pad, the signature algorithm's BER will follow the PKCS. This is used only when the digest algorithm is SHA1. For all other RSA signatures, do not set the signature standard.

DSA_WITH_SHA1_X930

public static final int DSA_WITH_SHA1_X930
Use this flag in setSignatureStandard if the signing transformation is SHA1/DSA and the OID and ASN.1 definition to use for the signature algorithm's BER encoding should follow the X9.30 standard. This is the default. If setSignatureStandard is not called and the transformation is SHA1/DSA, the signature algorithm's BER will follow X9.30.

DSA_WITH_SHA1_X957

public static final int DSA_WITH_SHA1_X957
Use this flag in setSignatureStandard if the signing transformation is SHA1/DSA and the OID and ASN.1 definition to use for the signature algorithm's BER encoding should follow the X9.57 standard.

This is NOT the default. If setSignatureStandard is not called and the transformation is SHA1/DSA, the signature algorithm's BER will follow X9.30.

Constructor Detail

CRL

public CRL()

Method Detail

setCertJ

public final void setCertJ(CertJ certJContext)
This is a method to set the CertJ context dynamically. Applications either call this method or instantiate X509CRL object with CertJ context specified to initialize CertJ context. The value is checked when it is used.

Parameters

         certJContext  

CertJ


getCertJ

public final CertJ getCertJ()
This is a method to get the CertJ context dynamically. The toolkit does not use it for the time being.

Returns

CertJ context

getSignatureAlgorithm

public String getSignatureAlgorithm()
                             throws CertificateException
Gets the signature algorithm. The return value will be a String, following the format specified in the Crypto-J class JSAFE_Signature. The following are examples:

   "MD5/RSA/PKCS1Block01Pad"
   "SHA1/DSA"

For more information, see the RSA BSAFE Crypto-J Javadocs.

Returns

A String specifying the signature algorithm.

Throws

CertificateException - If the CRL is not set with a signature algorithm.

getSignatureAlgorithmDER

public byte[] getSignatureAlgorithmDER()
                                throws CertificateException
Gets the DER encoding of the signature algorithm.

Returns

A new byte array that contains the DER encoding of the signature algorithm.

Throws

CertificateException - If the CRL is not set with a signature algorithm.

getSignature

public abstract byte[] getSignature()
                             throws CertificateException
Gets the signature octets.

Returns

A new byte array that contains the signature octets.

Throws

CertificateException - If the CRL is not signed.

getDevice

public String getDevice()
                 throws CertificateException
Gets the name of the device that performed the signing or verification. For more information, see the RSA BSAFE Crypto-J Javadocs.

Returns

A String specifying the device chosen to perform the signing or verification.

Throws

CertificateException - If a device is not set for this object.

getDeviceList

public String[] getDeviceList()
                       throws CertificateException
Gets a list of names of devices that performed the individual elements of the signature or verification operation, such as digest, signature algorithm, and padding scheme. For more information, see the RSA BSAFE Crypto-J Javadocs.

Returns

A String array specifying the devices chosen to perform the signing or verification.

Throws

CertificateException - If a device is not set for this object.

setSignatureStandard

public void setSignatureStandard(int standardFlag)
Sets this object to the specified standard. This will affect only the BER encoding of the signature algorithm ID. Use one of the fields defined in this class.

Parameters

         standardFlag  

One of the fields previously defined in this class that indicates which standard to use.


getSignatureStandard

public int getSignatureStandard()
Gets the signature standard for this object. Returns one of the public static final ints previously defined in this class.

For RSA signatures, the Public Key Cryptography Standards (PKCS) defined an OID for sha1WithRSAEncryption. Later, the ISO Open Systems Environment Implementors' Workshop (OIW) defined a new OID.

For DSA, the X9.30 standard defined the sha1WithDSA signature OID and the DSA key OID. Later, the X9.57 standard defined a new OID. It also redefined the ASN.1 definition of the DSA parameters (p, q, and g). If a signature standard is not set, it will return -1.

Returns

The signature algorithm format. It indicates which standard to use. It should be one of the fields previously defined in this class.
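The following is an added example, not code from Cert-J or its documentation: it reads the OID out of a DER AlgorithmIdentifier (the kind of byte array getSignatureAlgorithmDER returns) so a verifier can tell which of the competing encodings a CRL carries. The dotted OIDs are the public assignments for these algorithms, which this page does not list; pairing them with the flag names of this class, the class name SigAlgOid and the sample bytes are assumptions made for the example.

```java
import java.util.Map;

public final class SigAlgOid {
    // Public OID assignments; pairing them with this class's flag names is an assumption.
    static final Map<String, String> STANDARDS = Map.of(
        "1.2.840.113549.1.1.5", "RSA_WITH_SHA1_PKCS",
        "1.3.14.3.2.29",        "RSA_WITH_SHA1_ISO_OIW",
        "1.3.14.3.2.27",        "DSA_WITH_SHA1_X930",
        "1.2.840.10040.4.3",    "DSA_WITH_SHA1_X957");

    /** Reads a DER length at pos[0] and advances pos[0] past it. */
    static int readLength(byte[] der, int[] pos) {
        int b = der[pos[0]++] & 0xff;
        if (b < 0x80) return b;                       // short form
        int n = b & 0x7f;                             // long form: n length octets
        if (n == 0 || n > 2) throw new IllegalArgumentException("unsupported length");
        int len = 0;
        while (n-- > 0) len = (len << 8) | (der[pos[0]++] & 0xff);
        return len;
    }

    /** Returns the dotted OID that opens AlgorithmIdentifier ::= SEQUENCE { OID, params }. */
    static String algorithmOid(byte[] der, int offset) {
        int[] pos = { offset };
        if (der[pos[0]++] != 0x30) throw new IllegalArgumentException("not a SEQUENCE");
        int end = readLength(der, pos) + pos[0];
        if (end > der.length || der[pos[0]++] != 0x06)
            throw new IllegalArgumentException("no OBJECT IDENTIFIER");
        int oidEnd = readLength(der, pos) + pos[0];
        if (oidEnd > end || oidEnd == pos[0]) throw new IllegalArgumentException("bad OID length");
        StringBuilder oid = new StringBuilder();
        long arc = 0;
        boolean first = true;
        for (int i = pos[0]; i < oidEnd; i++) {
            arc = (arc << 7) | (der[i] & 0x7f);
            if ((der[i] & 0x80) != 0) continue;       // more base-128 digits follow
            if (first) {                              // first subidentifier packs two arcs
                long top = Math.min(arc / 40, 2);
                oid.append(top).append('.').append(arc - 40 * top);
                first = false;
            } else {
                oid.append('.').append(arc);
            }
            arc = 0;
        }
        return oid.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: SEQUENCE { OID 1.3.14.3.2.29, NULL }
        byte[] sample = { 0x30, 0x09, 0x06, 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x1D, 0x05, 0x00 };
        String oid = algorithmOid(sample, 0);
        System.out.println(oid + " -> " + STANDARDS.getOrDefault(oid, "unrecognised"));
    }
}
```

An OID that is absent from the table is best treated as a reason to reject the CRL rather than to fall back to a default.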

getSignatureFormat

public String getSignatureFormat()
Gets the String to use when calling the JSAFE_Signature method getDERAlgorithmID. A return value of null means the default value will be used.

Returns

A String indicating the appropriate format.

signCRL

public abstract void signCRL(String transformation,
                             String device,
                             com.rsa.jsafe.JSAFE_PrivateKey signingKey,
                             SecureRandom random)
                      throws CertificateException
Signs the CRL, using transformation and signingKey on the specified device. The format of transformation follows the format specified in the Crypto-J class JSAFE_Signature.

The following are examples of transformations:

   "MD5/RSA/PKCS1Block01Pad"
   "SHA1/DSA"
 
The format of device follows the format specified in Crypto-J. The following are examples of device arguments:

   Java         --Perform signature using Java code
   Native       --Perform signature using the native link
   Native/Java  --Use native if possible, if not, use Java

For more information, see the RSA BSAFE Crypto-J Javadocs.

Parameters

         transformation  

A String specifying the algorithm to use to sign the CRL.

         device  

A String specifying the device or choice of devices to use in computing the signature.

         signingKey  

A JSAFE_PrivateKey used to compute the signature.

         random  

Random bytes. If the signature algorithm needs random bytes, get them from this object.

Throws

CertificateException - If the code cannot perform the specified transformation on the specified device, if the CRL is not set correctly, or if the CRL is already signed.

signCRL

public void signCRL(byte[] signatureAlgorithmBER,
                    int offset,
                    String device,
                    com.rsa.jsafe.JSAFE_PrivateKey signingKey,
                    SecureRandom random)
             throws CertificateException
Signs the CRL, using the algorithm represented by the algorithm identifier signatureAlgorithmBER, and signingKey on the specified device. If this algorithm needs system parameters, this method expects them to be contained in either the algorithm identifier or the key.

The format of device follows the format specified in Crypto-J. The following are examples of device arguments:

   Java         --Perform signature using Java code
   Native       --Perform signature using the native link
   Native/Java  --Use native if possible, if not, use Java

For more information, see the RSA BSAFE Crypto-J Javadocs.

Parameters

         signatureAlgorithmBER  

The BER encoding of the AlgorithmIdentifier.

         offset  

The offset into signatureAlgorithmBER where the encoding begins.

         device  

A String specifying the device or choice of devices to use in computing the signature.

         signingKey  

A JSAFE_PrivateKey used to compute the signature.

         random  

Random bytes. If the signature algorithm needs random bytes, get them from this object.

Throws

CertificateException - If the code cannot perform the specified signature on the specified device, if the CRL is not set correctly, or if the CRL is already signed.

verifyCRLSignature

public abstract boolean verifyCRLSignature(String device,
                                           com.rsa.jsafe.JSAFE_PublicKey verifyingKey,
                                           SecureRandom random)
                                    throws CertificateException
Verifies the signature of the CRL using the public key represented by verifyingKey, the BER encoding of a public key, on the specified device. This method expects the input of the key to follow the ASN.1 definition SubjectPublicKeyInfo as follows:

   SubjectPublicKeyInfo ::= SEQUENCE {
     algorithmID       AlgorithmIdentifier,
     subjectPublicKey  BIT STRING }

If the signature algorithm needs system parameters, this method expects them to be contained within the SubjectPublicKeyInfo.

The format of device follows the format specified in Crypto-J.

The following are examples of device arguments:

   Java          --Perform signature using Java code
   Native        --Perform signature using the native link
   Native/Java   --Use native if possible, if not, use Java

Parameters

         device  

A String specifying the device or choice of devices to use in computing the signature.

         verifyingKey  

A JSAFE_PublicKey used to verify the signature.

         random  

If the signature algorithm needs random bytes, get them from this object.

Returns

A boolean indicating whether the signature on the CRL is valid.

Throws

CertificateException - If the code cannot perform the signature algorithm on the specified device.

verifyCRLSignature

public boolean verifyCRLSignature(String device,
                                  byte[] verifyingKeyBER,
                                  int offset,
                                  SecureRandom random)
                           throws CertificateException
Verifies the signature of the CRL using the public key represented by verifyingKeyBER, the BER encoding of a public key, on the specified device. This method expects the input of the key to follow the ASN.1 definition SubjectPublicKeyInfo, as follows:

   SubjectPublicKeyInfo ::= SEQUENCE {
     algorithmID       AlgorithmIdentifier,
     subjectPublicKey  BIT STRING }

If the signature algorithm needs system parameters, this method expects them to be contained within the SubjectPublicKeyInfo.

The format of device follows the format specified in Crypto-J.

The following are examples of device arguments:

   Java          --Perform signature using Java code
   Native        --Perform signature using the native link
   Native/Java   --Use native if possible, if not, use Java

Parameters

         device  

A String that specifies the device or choice of devices to use in computing the signature.

         verifyingKeyBER  

The BER encoding of a public key.

         offset  

The offset into verifyingKeyBER where the encoding begins.

         random  

Random bytes. If the signature algorithm needs random bytes, get them from this object.

Returns

A boolean that indicates whether the signature on the CRL is valid.

Throws

CertificateException - If the code cannot perform the signature algorithm on the specified device.

verifyCRLSignature

public boolean verifyCRLSignature(String device,
                                  Certificate signerCert,
                                  SecureRandom random)
                           throws CertificateException
Verifies the CRL's signature using the public key found in signerCert on the specified device. If the algorithm needs system parameters, this method uses those in the SubjectPublicKeyInfo of the signerCert for security reasons as specified in PKIX.

The format of device follows the format specified in Crypto-J. The following are example device arguments:

    Java             --Perform verification using Java code
    Native           --Perform verification using the native link
    Native/Java      --Use native if possible, if not, use Java
 
For more information, see the RSA BSAFE Crypto-J Java Components documentation.

Parameters

         device  

A String specifying the device or choice of devices to use in computing the signature.

         signerCert  

A Certificate that contains the public key of the entity that signed the CRL whose signature is being verified.

         random  

If the signature algorithm needs random bytes, get them from this object.

Returns

A boolean indicating whether the signature on the CRL is valid.

Throws

CertificateException - If the code cannot perform the signature algorithm on the specified device.


RSA BSAFE ® Cert-J 2.1.1 001-047007-211-001-000