|
|||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | ||||||||
SUMMARY: INNER | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |
java.lang.Object | +--com.rsa.certj.cert.CRL | +--com.rsa.certj.cert.X509CRL
This class builds and holds X.509 certificate revocation lists (CRLs). Certificates can be revoked before their expiration time. Revoke a certificate if the user's private key is assumed to be compromised, the user is no longer to be certified by the CA, or the CA's certificate is assumed to be compromised. Two related points are as follows:
AlgorithmIdentifier
CRL ::= SEQUENCE { innerDER InnerDER, signatureAlgorithm AlgorithmIdentifier, signature BIT STRING } InnerDER ::= SEQUENCE { version Version OPTIONAL, -- if present, version must be v2 signature AlgorithmIdentifier, -- the algorithm identifier for the algorithm used to sign the CRL. issuer Name, -- identifies the entity who has signed and issued the CRL. Alternative name forms may also appear in the issuerAltName extension thisUpdate Time, -- the issue date of this CRL. nextUpdate Time OPTIONAL, -- the date by which the next CRL will be issued. The next CRL could be issued before the indicated date, but it will not be issued any later than the indicated date. revokedCertificates SEQUENCE OF SEQUENCE { -- Revoked certificates are listed. userCertificate CertificateSerialNumber, revocationDate Time, crlEntryExtensions Extensions OPTIONAL } OPTIONAL, crlExtensions [0] Extensions OPTIONAL }} -- provide methods for associating additional attributes with CRLs. |
X500Name
class for more information about an X.500 name.
Copyright © RSA Security Inc., 1999-2001. All rights reserved.
See Also
Field Summary |
|
static int |
X509_VERSION_1
Sets the CRL to be version 1, or determines if an existing CRL is version 1. |
static int |
X509_VERSION_2
Sets the CRL to be version 2, or determines if an existing CRL is version 2. |
Fields inherited from class com.rsa.certj.cert.CRL |
DSA_WITH_SHA1_X930, DSA_WITH_SHA1_X957, RSA_WITH_SHA1_ISO_OIW, RSA_WITH_SHA1_PKCS |
Constructor Summary |
|
X509CRL()
Constructs an empty |
|
X509CRL(byte[] x509CrlBER,
int offset,
int special)
Constructs a signed |
|
X509CRL(byte[] x509CrlBER,
int offset,
int special,
CertJ certJContext)
|
|
X509CRL(CertJ certJContext)
Constructs an empty |
Method Summary |
|
clone()
Overrides the default |
|
boolean |
compareIssuerName(X500Name issuerName)
Compares the given name, issuerName, with the issuer name of the CRL represented by this object. |
boolean |
equals(Object obj)
Returns |
int |
getDEREncoding(byte[] encoding,
int offset,
int special)
Places the DER encoding of the CRL in this object into encoding, beginning at offset. |
int |
getDERLen(int special)
Returns the number of bytes of the DER encoding of this CRL. |
getExtensions()
Gets the extensions in this CRL. |
|
int |
getInnerDER(byte[] encoding,
int offset)
Places the DER encoding of the inner DER of the CRL in this object into encoding, beginning at offset. |
int |
getInnerDERLen()
Returns the number of bytes of the innerDER. |
getIssuerName()
Gets the issuer name of this CRL. |
|
static int |
getNextBEROffset(byte[] x509CrlBER,
int offset)
Given x509CrlBER, the BER encoding of an X.509 CRL, beginning at offset, finds the index to the next element in the encoding. |
getNextUpdate()
Gets the date by which the next update will be issued. |
|
getRevokedCertificates()
Gets the revoked certificates of this CRL. |
|
byte[] |
getSignature()
Gets the signature octets. |
getThisUpdate()
Gets the issue date of this CRL. |
|
int |
getVersion()
Gets the version of this CRL. |
void |
setExtensions(X509V3Extensions extensions)
Sets the extensions of this CRL to be extensions. |
void |
setInnerDER(byte[] x509InnerDER,
int offset)
Sets this object to be the unsigned CRL represented by x509InnerDER, beginning at offset, the DER encoding of the inner CRL of an X.509 CRL. |
void |
setIssuerName(X500Name issuerName)
Sets the issuer name of this CRL to be issuerName. |
void |
setNextUpdate(Date update)
Sets the time when the next CRL is updated. |
void |
setRevokedCertificates(RevokedCertificates revokedCerts)
Sets the value of the |
void |
setThisUpdate(Date update)
Sets the time of the issue date of this CRL to be update. |
void |
setTimeType(boolean flag)
Sets the flag specifying the time encoding type to use. |
void |
setVersion(int version)
Sets the version of this CRL to version. |
void |
signCRL(String transformation,
String device,
com.rsa.jsafe.JSAFE_PrivateKey signingKey,
SecureRandom random)
Signs the CRL using transformation and signingKey on the specified device. |
boolean |
verifyCRLSignature(String device,
com.rsa.jsafe.JSAFE_PublicKey verifyingKey,
SecureRandom random)
Verifies the CRL's signature, using verifyingKey, on the specified device. |
Methods inherited from class com.rsa.certj.cert.CRL |
getCertJ, getDevice, getDeviceList, getSignatureAlgorithm, getSignatureAlgorithmDER, getSignatureFormat, getSignatureStandard, setCertJ, setSignatureStandard, signCRL, verifyCRLSignature, verifyCRLSignature |
Methods inherited from class java.lang.Object |
getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
Field Detail |
public static final int X509_VERSION_1
public static final int X509_VERSION_2
Constructor Detail |
public X509CRL()
X.509CRL
object.public X509CRL(CertJ certJContext)
X.509CRL
object with
CertJ context specified.Parameters
certJContext |
|
public X509CRL(byte[] x509CrlBER, int offset, int special) throws CertificateException
X509CRL
object and initializes it
with the value given by x509CrlBER, beginning at
offset, the BER encoding of an X.509-signed CRL.
This constructor only reads the CRL, it does not
perform any verification.
The ASN.1 definition
means the tag will be 0x30
. However, an
X.509 CRL object can be
part of a PKCS #7 message (or some other construct), and it might
have a different tag caused by IMPLICIT
or
EXPLICIT
.
For example, if the definition is as follows:
crl [2] IMPLICIT CRL |
0x30
to 0xa2
.
To indicate that the DER encoding of the X.509 certificate object
should follow any special circumstances, use the special
argument.
Set special to any special circumstances of the
BER encoding; for example, to indicate the following:
crl [2] IMPLICIT CRL |
special = (ASN1.CONTEXT_IMPLICIT | 2); |
special = 0 |
APP_IMPLICIT
, APP_EXPLICIT
,
PRIVATE_IMPLICIT
, PRIVATE_EXPLICIT
,
OPTIONAL
, DEFAULT
,
CONTEXT_IMPLICIT
,
or CONTEXT_EXPLICIT
.Parameters
x509CrlBER | The BER encoding of an X.509-signed CRL. | ||
offset | The offset into x509CrlBER where the encoding begins. | ||
special | The special circumstances of the BER encoding, if there are any. |
Throws
CertificateException
- If the BER is not a valid X.509 CRL.public X509CRL(byte[] x509CrlBER, int offset, int special, CertJ certJContext) throws CertificateException
Method Detail |
public static int getNextBEROffset(byte[] x509CrlBER, int offset) throws CertificateException
x509CrlBER[120]
is
the first byte in the encoding of the CRL, x509CrlBER[1938]
is the last byte in the encoding of the CRL, and the next element begins
at index 1939.Parameters
x509CrlBER | The BER encoding of an X.509 CRL. | ||
offset | The offset into x509CrlBER where the encoding begins. |
Returns
int
that contains the index to the next
element in the BER encoding.
Throws
CertificateException
- If the method cannot read the BER
encoding.public int getDERLen(int special)
0x30
. However, a CRL object
can be part of a PKCS #7 message (or some other construct),
and it can
have a different tag caused by IMPLICIT
or
EXPLICIT
. This can affect the
length. For example, suppose a definition is as follows:
crl [2] IMPLICIT CRL |
0x30
to 0xa2
.
To indicate that the DER encoding of
the X509CRL
should follow any special circumstances,
use the special argument. Set special to any
special circumstances of the DER encoding; for example, to indicate
the following:
crl [2] IMPLICIT CRL |
special = (ASN1.CONTEXT_IMPLICIT | 2); |
special = 0 |
APP_IMPLICIT
, APP_EXPLICIT
,
PRIVATE_IMPLICIT
, PRIVATE_EXPLICIT
,
OPTIONAL
, DEFAULT
,
CONTEXT_IMPLICIT
,
or CONTEXT_EXPLICIT
.Parameters
special | The special circumstances of the DER encoding, if there are any. |
Returns
public int getDEREncoding(byte[] encoding, int offset, int special) throws CertificateException
getDERLen
. If this object is not yet set with a CRL
(or not yet signed), this method throws an exception.
The ASN.1 definition, previously defined in this class,
means the tag will be 0x30. However, a CRL can be part of a
PKCS #7 message (or some other construct), and it might have a different
tag caused by IMPLICIT
or EXPLICIT
.
For instance, suppose the definition is as follows:
crl [2] EXPLICIT CRL |
X509CRL
object
should follow any special circumstances, use ther special
argument. Set special to any special
circumstances of the DER encoding.
For example, to indicate the following:
crl [2] EXPLICIT CRL |
special = (ASN1.CONTEXT_EXPLICIT | 2); |
special = 0 |
APP_IMPLICIT
, APP_EXPLICIT
,
PRIVATE_IMPLICIT
, PRIVATE_EXPLICIT
,
OPTIONAL
, DEFAULT
,
CONTEXT_IMPLICIT
,
or CONTEXT_EXPLICIT
.
Parameters
encoding | The byte array into which the result will be placed. | ||
offset | The offset into encoding where writing begins. | ||
special | The special circumstances of the DER encoding, if there are any. |
Returns
Throws
CertificateException
- If the CRL is not signed or if
all required fields are not set.public void setInnerDER(byte[] x509InnerDER, int offset) throws CertificateException
Parameters
x509InnerDER | The DER encoding of the inner CRL of an X.509 unsigned CRL. | ||
offset | The offset into x509InnerDER where the encoding begins. |
Throws
CertificateException
- If the DER is not a valid X.509 CRL.public int getInnerDERLen()
Returns
public int getInnerDER(byte[] encoding, int offset) throws CertificateException
getInnerDERLen
.
If this object is not yet set with a CRL,
this method throws an exception.Parameters
encoding | The | ||
offset | The offset into encoding where the writing is to begin. |
Returns
Throws
CertificateException
- if the object is not set with
a valid signed X.509
CRL.public byte[] getSignature() throws CertificateException
BIT STRING
.
Overrides
getSignature
in class CRL
Returns
byte
array that
contains the signature octets.
Throws
CertificateException
- If the CRL has not yet been signed.public void setVersion(int version) throws CertificateException
X509CRL.X509_VERSION_1
or
X509CRL.X509_VERSION_2
.
If the CRL object possesses a signature, calling this
method causes the signature to be deleted.Parameters
version | The version number of this CRL. |
Throws
CertificateException
- If the input value is an unsupported
version number.public int getVersion()
X509CRL.X509_VERSION_1
or
X509CRL.X509_VERSION_2
, previously defined in this class.
If the CRL has not yet been set,
this method will return the default version number, version 1.
Returns
int
that contains the version number.public void setIssuerName(X500Name issuerName) throws CertificateException
Parameters
issuerName | An |
Throws
CertificateException
- If the issuerName is invalid.public X500Name getIssuerName()
null
.
Returns
X500Name
object that contains the name.public void setNextUpdate(Date update)
Parameters
update | A |
public Date getNextUpdate()
Returns
Date
that contains
the nextUpdate value.public void setThisUpdate(Date update)
Parameters
update | A |
public Date getThisUpdate()
Returns
Date
that contains the issue date value.public void setRevokedCertificates(RevokedCertificates revokedCerts) throws CertificateException
revokedCerts
field of this CRL to
revokedCerts.
If the CRL object possesses a signature, calling this
method causes the signature to be deleted.Parameters
revokedCerts | A |
public RevokedCertificates getRevokedCertificates()
null
.
Returns
RevokedCertificates
object. If there
is no revoked certificate, this method returns null
.public boolean compareIssuerName(X500Name issuerName)
true
; otherwise,
false
. This method is useful for finding
a CRL in a collection of CRLs.Parameters
issuerName | An |
Returns
boolean
indicating whether the given name
matches the issuer name of the CRL represented by this object.public void setTimeType(boolean flag)
Parameters
flag | A |
public void setExtensions(X509V3Extensions extensions) throws CertificateException
X509_EXT_TYPE_*
fields defined in the
X509V3Extentions
class.Parameters
extensions | An |
Throws
CertificateException
- If the CRL is not version 2,
or if the extensions object is of the wrong type.public X509V3Extensions getExtensions()
Returns
X509V3Extensions
object
that contains the extensions.public void signCRL(String transformation, String device, com.rsa.jsafe.JSAFE_PrivateKey signingKey, SecureRandom random) throws CertificateException
JSAFE_Signature
. The following are examples of
transformation arguments:
"MD5/RSA/PKCS1Block01Pad" "SHA1/DSA" |
Java --Perform signature using Java code Native --Perform signature using the native link Native/Java --Use native if possible, if not, use Java |
Overrides
signCRL
in class CRL
Parameters
transformation | A | ||
device | A | ||
signingKey | A | ||
random | If the signature algorithm needs random bytes, get them from this object. |
Throws
CertificateException
- If the code cannot perform the
specified transformation on the specified device,
the CRL is not set properly, or the CRL is already signed.public boolean verifyCRLSignature(String device, com.rsa.jsafe.JSAFE_PublicKey verifyingKey, SecureRandom random) throws CertificateException
Java --Perform signature using Java code Native --Perform signature using the native link Native/Java --Use native if possible, if not, use Java |
Overrides
verifyCRLSignature
in class CRL
Parameters
device | A | ||
verifyingKey | A | ||
random | If the signature algorithm needs random bytes, get them from this object. |
Returns
boolean
indicating whether the signature on the CRL
is valid.
Throws
CertificateException
- If the code cannot perform the
signature algorithm on the specified device.public boolean equals(Object obj)
true
if this object and obj contain
the same X509CRL; otherwise false
.Overrides
equals
in class Object
Parameters
obj | An instance of the |
Returns
boolean
indicating
whether these objects are equal.public Object clone() throws CloneNotSupportedException
clone
method to get a deeper clone.
Returns
Throws
CloneNotSupportedException
- If the cloning operation
is not successful.
|
|||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | ||||||||
SUMMARY: INNER | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |