A final class, the java.security.cert.X509CRLEntry class, provides access to each entry in an X.509 CRL.
Let's look at each class in turn.
Class java.security.cert.CRL defines the interface common to all types of CRLs. I will describe this class's most important method:
public boolean isRevoked(Certificate certificate) indicates whether or not the specified certificate is revoked by checking for inclusion in the revocation list contained in this instance.
The class java.security.cert.X509CRL extends the CRL class described above and adds X.509-specific functionality:
public byte [] getEncoded() returns the encoded form of the CRL represented by the instance upon which this method is invoked.
public Date getNextUpdate() returns the date by which the CA will release an updated CRL. The next CRL could be issued earlier than that date, but it will not be issued later.
public Date getThisUpdate() returns the date on which the CA released this CRL.
The X509CRL class also contains methods for enumerating the entries that make up the certificate revocation list. I'll talk about the X509CRLEntry class below:
public Set getRevokedCertificates() returns the set of entries representing revoked certificates.
public X509CRLEntry getRevokedCertificate(BigInteger serialnumber) returns an entry representing the revoked certificate with the specified serial number.
Most of the remaining methods are query methods that return information about the CRL itself (as opposed to its entries):
public int getVersion() returns the CRL's version.
public abstract Principal getIssuerDN() returns information that identifies the CRL's issuer, which is the entity that signed the CRL.
public String getSigAlgName(), public String getSigAlgOID(), and public byte [] getSigAlgParams() return information about the algorithm (and its parameters) used to sign the CRL.
public byte [] getSignature() returns the raw signature information for the CRL.
public byte [] getTBSCertList() returns the raw TBS (to be signed) information for this CRL. Most likely, you will not use this method; it exists primarily so that you can independently verify the CRL's signature (outside of the API).
Finally, the X509CRL class contains methods for establishing the validity of the X509CRL instance:
public void verify(PublicKey publickey), as its name suggests, verifies that the CRL instance was signed with the private key corresponding to the specified public key.
public void verify(PublicKey publickey, String stringProvider) performs the same operation as above using the specified service provider, rather than the default.
The java.security.cert.X509CRL class contains two methods -- getRevokedCertificate() and getRevokedCertificates() -- that return one or more entries in the revocation list as instances of the java.security.cert.X509CRLEntry class. The following methods provide information about these entries:
public byte [] getEncoded() returns the encoded form of the entry represented by the instance upon which this method is invoked.
public BigInteger getSerialNumber() returns the revoked certificate's serial number.
public Date getRevocationDate() returns the certificate's revocation date.
public boolean hasExtensions() indicates whether or not the CRL entry has extensions. Unfortunately, the API doesn't provide access to these extensions as it does for X.509 certificate extensions. If you want them, you must parse the encoded form of the entry obtained from the getEncoded() method.
The following class demonstrates how to obtain a certificate factory, how to use the factory to generate an X.509 CRL from the DER-encoded representation in a file, and how to extract and display information about the CRL.
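An added example, not the article's own listing: it loads and displays a CRL with the methods described above, and goes one step further by verifying the CRL's signature against the issuer's certificate, flagging a stale CRL, and looking up one certificate. The class name CrlCheck and the three file-path arguments are assumptions made for this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Set;
// Added example. Usage: java CrlCheck <crl-file> <issuer-cert-file> <cert-file>
public class CrlCheck {
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509CRL crl;
        X509Certificate issuer, subject;
        try (InputStream in = new FileInputStream(args[0])) {
            crl = (X509CRL) cf.generateCRL(in);
        }
        try (InputStream in = new FileInputStream(args[1])) {
            issuer = (X509Certificate) cf.generateCertificate(in);
        }
        try (InputStream in = new FileInputStream(args[2])) {
            subject = (X509Certificate) cf.generateCertificate(in);
        }
        // Verify the signature before trusting any field; verify() throws
        // (for example SignatureException) if the issuer's key does not match.
        crl.verify(issuer.getPublicKey());
        Set<? extends X509CRLEntry> entries = crl.getRevokedCertificates();
        System.out.println("Version:     " + crl.getVersion());
        System.out.println("Issuer:      " + crl.getIssuerDN());
        System.out.println("Algorithm:   " + crl.getSigAlgName());
        System.out.println("This update: " + crl.getThisUpdate());
        System.out.println("Next update: " + crl.getNextUpdate());
        System.out.println("Entries:     " + (entries == null ? 0 : entries.size()));
        // Past its next-update date, a CRL may be missing recent revocations.
        Date next = crl.getNextUpdate();
        if (next != null && new Date().after(next)) {
            System.out.println("WARNING: CRL is stale; obtain a newer one");
        }
        // A serial number is only meaningful within one issuer's namespace.
        X509CRLEntry hit = crl.getRevokedCertificate(subject.getSerialNumber());
        if (!crl.getIssuerX500Principal().equals(subject.getIssuerX500Principal())) {
            System.out.println("Certificate has a different issuer; this CRL cannot answer");
        } else if (hit != null) {
            System.out.println("REVOKED on " + hit.getRevocationDate());
        } else {
            System.out.println("Not listed in this CRL");
        }
    }
}
```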