import java.io.FileInputStream;
import java.util.Set;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;

public class Main
{
    public static void main(String[] arstring)
    {
        try
        {
            // Get the correct certificate factory.
            CertificateFactory certificatefactory =
                CertificateFactory.getInstance("X.509");

            // Each file specified on the command line must contain a single
            // DER-encoded X.509 CRL.
            for (int i = 0; i < arstring.length; i++)
            {
                // Open the file; try-with-resources closes it even if parsing fails.
                try (FileInputStream fileinputstream = new FileInputStream(arstring[i]))
                {
                    // Generate a CRL object from the data in the file.
                    X509CRL x509crl =
                        (X509CRL) certificatefactory.generateCRL(fileinputstream);

                    // Print out information about the CRL.
                    System.out.println("---CRL---");
                    System.out.println("type = " + x509crl.getType());
                    System.out.println("version = " + x509crl.getVersion());
                    // getIssuerDN() is deprecated; getIssuerX500Principal() is the
                    // supported way to obtain the issuer name.
                    System.out.println("issuer = " +
                        x509crl.getIssuerX500Principal().getName());
                    System.out.println("signing algorithm = " + x509crl.getSigAlgName());
                    System.out.println("signing OID = " + x509crl.getSigAlgOID());
                    System.out.println("this update = " + x509crl.getThisUpdate());
                    // nextUpdate is optional in the CRL syntax and may be null.
                    System.out.println("next update = " + x509crl.getNextUpdate());
                    System.out.println();

                    // Next, print out information about the entries.
                    System.out.println("---Entries---");
                    // getRevokedCertificates() returns null when the CRL is empty.
                    Set<? extends X509CRLEntry> setEntries = x509crl.getRevokedCertificates();
                    if (setEntries != null && !setEntries.isEmpty())
                    {
                        for (X509CRLEntry x509crlentry : setEntries)
                        {
                            System.out.println("serial number = " +
                                x509crlentry.getSerialNumber());
                            System.out.println("revocation date = " +
                                x509crlentry.getRevocationDate());
                            System.out.println("extensions = " +
                                x509crlentry.hasExtensions());
                            System.out.println();
                        }
                    }

                    // We're done with this file.
                    System.out.println("---");
                }
            }
        }
        catch (Exception exception)
        {
            exception.printStackTrace();
        }
    }
}
You should be able to compile the class definition in the listing above into a class file. When you execute the class, specify the names of one or more CRL files on the command line. I've included a sample CRL in the downloadable source code in Resources. Note that the listing only parses and prints a CRL: it does not verify the CRL's signature against the issuing CA's public key, nor check that the current time falls between thisUpdate and nextUpdate. A relying party must do both before trusting anything the CRL says, since an unverified or stale CRL can be substituted by anyone who can reach the distribution point.
CRLs, while clearly necessary and perfectly adequate for many applications, suffer from two drawbacks.

The first is update latency. CRL distribution is a scheduled-publication scheme: the CA issues a fresh CRL to its public distribution point(s) according to some timetable, and relying parties fetch it from there. A revocation made after the current CRL was issued is invisible until the next one is published, so for CRLs to be effective the CA must update them regularly and often. But no matter how often the update occurs, there will always be some application that needs more frequent updates. A CRL published every hour may be published too frequently for certificates used for applet code signing, but not frequently enough for certificates that secure financial and banking transactions.

The second drawback is the length of the CRL. Certificates are issued for a fixed period of time, for example 180 days. If a certificate must be revoked before its expiration date, you do so by adding it to the CRL. The entry must remain in the CRL until the certificate expires, so if there are many revocations a CRL can grow very large, and every relying party must download the whole list to check a single certificate. The average length of a CRL will therefore grow as PKI use in general grows, which is not a good approach to scalability.
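The listing above only prints a CRL. The following is an added example, not code from the original article, showing what a relying party has to do with a CRL before acting on it: confirm the CRL was signed by the CA that issued the certificate being checked (and that the CA's key is permitted to sign CRLs), reject it if it carries a critical extension the code does not understand, refuse it if it is stale according to nextUpdate (the update-latency problem discussed above, which is why the check must be time-bound), and only then look up the certificate's serial number. Like the original program it reads DER-encoded files named on the command line, since the JDK offers no public API for generating a CRL; the class name CheckRevocation and the argument order are this example's own choices.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509Certificate;
import java.util.Date;

// Usage: java CheckRevocation <ca-cert.der> <crl.der> <cert-to-check.der>
public class CheckRevocation
{
    // KeyUsage bit positions as returned by X509Certificate.getKeyUsage().
    private static final int KU_CRL_SIGN = 6;

    static X509Certificate loadCert(CertificateFactory cf, String path) throws Exception
    {
        try (InputStream in = new FileInputStream(path))
        {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    static X509CRL loadCrl(CertificateFactory cf, String path) throws Exception
    {
        try (InputStream in = new FileInputStream(path))
        {
            return (X509CRL) cf.generateCRL(in);
        }
    }

    // Returns "good" or "revoked <date> reason=<reason>"; throws SecurityException
    // when the CRL cannot be trusted for this decision. 'now' is passed in so the
    // freshness check is explicit and testable rather than hidden in new Date().
    static String checkStatus(X509Certificate caCert, X509CRL crl,
                              X509Certificate cert, Date now) throws Exception
    {
        // 1. The CRL must come from the certificate's own issuer, and that issuer's
        //    key must be allowed to sign CRLs (cRLSign bit of KeyUsage, if present).
        if (!crl.getIssuerX500Principal().equals(cert.getIssuerX500Principal()))
            throw new SecurityException("CRL issuer does not match certificate issuer");
        if (!caCert.getSubjectX500Principal().equals(crl.getIssuerX500Principal()))
            throw new SecurityException("CA certificate subject does not match CRL issuer");
        boolean[] keyUsage = caCert.getKeyUsage();
        if (keyUsage != null && !keyUsage[KU_CRL_SIGN])
            throw new SecurityException("CA certificate is not permitted to sign CRLs");

        // 2. Verify the CRL signature; verify() throws on any mismatch.
        crl.verify(caCert.getPublicKey());

        // 3. A conforming verifier must reject a CRL whose critical extensions it
        //    does not understand (e.g. an issuing-distribution-point scope it ignores).
        if (crl.hasUnsupportedCriticalExtension())
            throw new SecurityException("CRL carries an unsupported critical extension");

        // 4. Freshness window: thisUpdate <= now <= nextUpdate. Past nextUpdate the
        //    CA has promised a newer list exists, so this one must not be relied on.
        if (crl.getThisUpdate().after(now))
            throw new SecurityException("CRL thisUpdate is in the future: " + crl.getThisUpdate());
        Date next = crl.getNextUpdate();
        if (next != null && next.before(now))
            throw new SecurityException("CRL is stale; nextUpdate was " + next);

        // 5. Look the certificate up. The X509Certificate overload also handles
        //    indirect CRLs, where entries name a different certificate issuer.
        X509CRLEntry entry = crl.getRevokedCertificate(cert);
        if (entry == null)
            return "good";
        return "revoked " + entry.getRevocationDate()
             + " reason=" + entry.getRevocationReason();
    }

    public static void main(String[] args) throws Exception
    {
        if (args.length != 3)
        {
            System.err.println("usage: CheckRevocation <ca-cert.der> <crl.der> <cert.der>");
            System.exit(2);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate caCert = loadCert(cf, args[0]);
        X509CRL crl = loadCrl(cf, args[1]);
        X509Certificate cert = loadCert(cf, args[2]);
        try
        {
            System.out.println("serial " + cert.getSerialNumber() + ": "
                + checkStatus(caCert, crl, cert, new Date()));
        }
        catch (SecurityException e)
        {
            // Treat an untrustworthy CRL as a failure, never as "not revoked".
            System.out.println("cannot determine status: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Two design points. First, a stale or unverifiable CRL produces an error, not a "good" answer; silently falling back to "not revoked" is exactly the failure an attacker who can block or replay CRL fetches wants. Second, the check is against a CRL whose scope you have not examined: if the CRL carries an issuing-distribution-point extension limiting it to certain certificates or reason codes, hasUnsupportedCriticalExtension() is what stops this code from treating a partial list as complete, so that line must not be removed to "make it work" with such CRLs.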