/**
 * Default implementation of {@code X509CRLEntry.getRevocationReason()}.
 *
 * <p>Reads the CRLReason extension (OID 2.5.29.21) of the entry and decodes
 * its enumerated value.
 *
 * <p>Caveat: a malformed reason-code extension is reported exactly like an
 * absent one — the {@code IOException} from DER decoding is swallowed and
 * {@code null} is returned — so callers cannot distinguish "no reason given"
 * from "reason unparseable".
 *
 * @param crlEntry the CRL entry whose reason code is wanted
 * @return the decoded reason, or {@code null} if the entry carries no
 *         (parseable) reason-code extension
 */
public static CRLReason getRevocationReason(X509CRLEntry crlEntry) {
    byte[] encoded = crlEntry.getExtensionValue("2.5.29.21");
    if (encoded == null) {
        return null;
    }
    try {
        // getExtensionValue() hands back the DER OCTET STRING wrapper; the
        // extension parser wants the bytes inside it.
        byte[] inner = new DerValue(encoded).getOctetString();
        return new CRLReasonCodeExtension(Boolean.FALSE, inner).getReasonCode();
    } catch (IOException ioe) {
        return null;
    }
}
/**
 * Default implementation of {@code X509CRLEntry.getRevocationReason()}.
 *
 * <p>Reads the CRLReason extension (OID 2.5.29.21) of the entry and decodes
 * its enumerated value.
 *
 * <p>Caveat: a malformed reason-code extension is reported exactly like an
 * absent one — the {@code IOException} from DER decoding is swallowed and
 * {@code null} is returned — so callers cannot distinguish "no reason given"
 * from "reason unparseable".
 *
 * @param crlEntry the CRL entry whose reason code is wanted
 * @return the decoded reason, or {@code null} if the entry carries no
 *         (parseable) reason-code extension
 */
public static CRLReason getRevocationReason(X509CRLEntry crlEntry) {
    byte[] encoded = crlEntry.getExtensionValue("2.5.29.21");
    if (encoded == null) {
        return null;
    }
    try {
        // getExtensionValue() hands back the DER OCTET STRING wrapper; the
        // extension parser wants the bytes inside it.
        byte[] inner = new DerValue(encoded).getOctetString();
        return new CRLReasonCodeExtension(Boolean.FALSE, inner).getReasonCode();
    } catch (IOException ioe) {
        return null;
    }
}
/**
 * Default implementation of {@code X509CRLEntry.getRevocationReason()}.
 *
 * <p>Reads the CRLReason extension (OID 2.5.29.21) of the entry and decodes
 * its enumerated value.
 *
 * <p>Caveat: a malformed reason-code extension is reported exactly like an
 * absent one — the {@code IOException} from DER decoding is swallowed and
 * {@code null} is returned — so callers cannot distinguish "no reason given"
 * from "reason unparseable".
 *
 * @param crlEntry the CRL entry whose reason code is wanted
 * @return the decoded reason, or {@code null} if the entry carries no
 *         (parseable) reason-code extension
 */
public static CRLReason getRevocationReason(X509CRLEntry crlEntry) {
    byte[] encoded = crlEntry.getExtensionValue("2.5.29.21");
    if (encoded == null) {
        return null;
    }
    try {
        // getExtensionValue() hands back the DER OCTET STRING wrapper; the
        // extension parser wants the bytes inside it.
        byte[] inner = new DerValue(encoded).getOctetString();
        return new CRLReasonCodeExtension(Boolean.FALSE, inner).getReasonCode();
    } catch (IOException ioe) {
        return null;
    }
}
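/**
 * Opens the "entry extensions" dialog for the revoked certificate currently
 * selected in the revoked-certificates table.
 *
 * <p>The table row only carries the serial number, so the matching
 * {@link X509CRLEntry} is located again by scanning the CRL (serial-only match,
 * first hit wins). Nothing happens when no row is selected, the CRL lists no
 * certificates, the serial is not found, or the entry has no extensions.
 *
 * <p>Fix: the original dereferenced the looked-up entry unconditionally, which
 * throws {@code NullPointerException} when the table is out of sync with the
 * CRL, and iterated {@code getRevokedCertificates()} without a null check even
 * though {@code X509CRL} documents a {@code null} return for an empty CRL.
 */
private void displayCrlEntryExtensions() {
    int row = jtRevokedCerts.getSelectedRow();
    if (row == -1) {
        return;
    }
    BigInteger serialNumber = (BigInteger) jtRevokedCerts.getValueAt(row, 0);

    // X509CRL.getRevokedCertificates() returns null, not an empty set, when
    // the CRL has no revoked certificates.
    Set<?> revokedCertsSet = crl.getRevokedCertificates();
    if (revokedCertsSet == null) {
        return;
    }

    X509CRLEntry x509CrlEntry = null;
    for (Object candidate : revokedCertsSet) {
        X509CRLEntry entry = (X509CRLEntry) candidate;
        if (serialNumber.equals(entry.getSerialNumber())) {
            x509CrlEntry = entry;
            break;
        }
    }

    // A stale table (serial no longer in the CRL) must not crash the UI.
    if (x509CrlEntry == null || !x509CrlEntry.hasExtensions()) {
        return;
    }

    DViewExtensions dViewExtensions = new DViewExtensions(this,
            res.getString("DViewCrl.EntryExtensions.Title"), x509CrlEntry);
    dViewExtensions.setLocationRelativeTo(this);
    dViewExtensions.setVisible(true);
}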
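/**
 * Add the CRLEntry objects contained in a previous CRL.
 *
 * <p>Every entry is copied verbatim: its DER encoding is re-parsed into an
 * {@code ASN1Sequence} and appended to the TBSCertList generator, so any entry
 * extensions (reason code, certificateIssuer, ...) travel with it. No
 * de-duplication against entries already added is performed.
 *
 * <p>Fix: the original rethrew the parse failure as a {@code CRLException}
 * built from {@code e.toString()} only, dropping the cause; the cause is now
 * chained so the underlying ASN.1 error stays available to callers.
 *
 * @param other the X509CRL to source the other entries from.
 * @throws CRLException if an entry cannot be encoded or its encoding cannot be
 *         parsed
 */
public void addCRL(X509CRL other)
    throws CRLException
{
    // getRevokedCertificates() returns null, not an empty set, for a CRL
    // without entries.
    Set<? extends X509CRLEntry> revocations = other.getRevokedCertificates();
    if (revocations == null)
    {
        return;
    }
    for (X509CRLEntry entry : revocations)
    {
        ASN1InputStream aIn = new ASN1InputStream(entry.getEncoded());
        try
        {
            tbsGen.addCRLEntry(ASN1Sequence.getInstance(aIn.readObject()));
        }
        catch (IOException e)
        {
            throw new CRLException("exception processing encoding of CRL: " + e.toString(), e);
        }
    }
}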
/**
 * DSS-2039: the same CRL loaded from its DER and from its PEM encoding must
 * yield identical DER bytes and an identical revocation entry for the fixture
 * certificate.
 *
 * <p>NOTE(review): {@code assertEquals} on two {@code null} entries passes, so
 * if the fixture certificate is not actually listed in this CRL the final
 * check is vacuous. Whether it is listed is not visible from the test itself —
 * confirm against the DSS-2039 fixture and pin an explicit expectation.
 */
@Test
public void derVsPemEncodedTest() throws Exception {
    try (InputStream isDer = AbstractTestCRLUtils.class.getResourceAsStream("/DSS-2039/crl.der");
         InputStream isPem = AbstractTestCRLUtils.class.getResourceAsStream("/DSS-2039/crl.pem");
         InputStream isCert = AbstractTestCRLUtils.class.getResourceAsStream("/DSS-2039/cert.pem");
         InputStream isCA = AbstractTestCRLUtils.class.getResourceAsStream("/DSS-2039/ca.pem")) {
        CertificateToken cert = loadCert(isCert);
        CertificateToken ca = loadCert(isCA);

        CRLValidity fromDer = CRLUtils.buildCRLValidity(CRLUtils.buildCRLBinary(toByteArray(isDer)), ca);
        CRLValidity fromPem = CRLUtils.buildCRLValidity(CRLUtils.buildCRLBinary(toByteArray(isPem)), ca);

        // Same bytes after normalisation...
        assertArrayEquals(fromDer.getDerEncoded(), fromPem.getDerEncoded());
        // ...and the same lookup result for the fixture certificate.
        X509CRLEntry entryFromDer = CRLUtils.getRevocationInfo(fromDer, cert.getSerialNumber());
        X509CRLEntry entryFromPem = CRLUtils.getRevocationInfo(fromPem, cert.getSerialNumber());
        assertEquals(entryFromDer, entryFromPem);
    }
}
/**
 * Returns the revoked-certificate entry whose userCertificate serial equals
 * {@code serialNumber}.
 *
 * <p>Linear scan over the TBSCertList; the first matching entry wins. The
 * match is on serial number alone — the entries' certificateIssuer extension
 * is not consulted, so on an indirect CRL two issuers that happen to share a
 * serial would collide here.
 *
 * @param serialNumber the serial number to look for
 * @return a wrapper around the first matching entry, or {@code null} if the
 *         CRL has no entries or none matches
 */
public X509CRLEntry getRevokedCertificate(BigInteger serialNumber)
{
    TBSCertList.CRLEntry[] entries = c.getRevokedCertificates();
    if ( entries == null )
    {
        return null;
    }
    for ( TBSCertList.CRLEntry candidate : entries )
    {
        BigInteger listed = candidate.getUserCertificate().getValue();
        if ( listed.equals(serialNumber) )
        {
            return new X509CRLEntryObject(candidate);
        }
    }
    return null;
}
/**
 * Default implementation of {@code X509CRLEntry.getRevocationReason()}.
 *
 * <p>Reads the CRLReason extension (OID 2.5.29.21) of the entry and decodes
 * its enumerated value.
 *
 * <p>Caveat: a malformed reason-code extension is reported exactly like an
 * absent one — the {@code IOException} from DER decoding is swallowed and
 * {@code null} is returned — so callers cannot distinguish "no reason given"
 * from "reason unparseable".
 *
 * @param crlEntry the CRL entry whose reason code is wanted
 * @return the decoded reason, or {@code null} if the entry carries no
 *         (parseable) reason-code extension
 */
public static CRLReason getRevocationReason(X509CRLEntry crlEntry) {
    byte[] encoded = crlEntry.getExtensionValue("2.5.29.21");
    if (encoded == null) {
        return null;
    }
    try {
        // getExtensionValue() hands back the DER OCTET STRING wrapper; the
        // extension parser wants the bytes inside it.
        byte[] inner = new DerValue(encoded).getOctetString();
        return new CRLReasonCodeExtension(Boolean.FALSE, inner).getReasonCode();
    } catch (IOException ioe) {
        return null;
    }
}
/**
 * Default implementation of {@code X509CRLEntry.getRevocationReason()}.
 *
 * <p>Reads the CRLReason extension (OID 2.5.29.21) of the entry and decodes
 * its enumerated value.
 *
 * <p>Caveat: a malformed reason-code extension is reported exactly like an
 * absent one — the {@code IOException} from DER decoding is swallowed and
 * {@code null} is returned — so callers cannot distinguish "no reason given"
 * from "reason unparseable".
 *
 * @param crlEntry the CRL entry whose reason code is wanted
 * @return the decoded reason, or {@code null} if the entry carries no
 *         (parseable) reason-code extension
 */
public static CRLReason getRevocationReason(X509CRLEntry crlEntry) {
    byte[] encoded = crlEntry.getExtensionValue("2.5.29.21");
    if (encoded == null) {
        return null;
    }
    try {
        // getExtensionValue() hands back the DER OCTET STRING wrapper; the
        // extension parser wants the bytes inside it.
        byte[] inner = new DerValue(encoded).getOctetString();
        return new CRLReasonCodeExtension(Boolean.FALSE, inner).getReasonCode();
    } catch (IOException ioe) {
        return null;
    }
}
/**
 * CRL constructor, revoked certs, no extensions.
 *
 * <p>Each entry is registered twice: in {@code revokedMap}, keyed by
 * (certificate issuer, serial), for lookups, and in {@code revokedList} to
 * preserve the listing order for encoding.
 *
 * @param issuer the name of the CA issuing this CRL.
 * @param thisDate the Date of this issue (thisUpdate).
 * @param nextDate the Date of the next CRL (nextUpdate).
 * @param badCerts the array of CRL entries; every element is cast to
 *        {@code X509CRLEntryImpl} unconditionally, so foreign
 *        {@code X509CRLEntry} implementations and {@code null} elements are
 *        not tolerated. May itself be {@code null} (no entries).
 *
 * @exception CRLException on parsing/construction errors.
 */
public X509CRLImpl(X500Name issuer, Date thisDate, Date nextDate,
                   X509CRLEntry[] badCerts)
    throws CRLException
{
    this.issuer = issuer;
    this.thisUpdate = thisDate;
    this.nextUpdate = nextDate;
    if (badCerts != null) {
        X500Principal crlIssuer = getIssuerX500Principal();
        // "Current" certificate issuer. It is deliberately carried across
        // iterations: getCertIssuer() (body not visible here) presumably
        // returns the entry's certificateIssuer extension when present and
        // the previous value otherwise, i.e. an issuer change applies to all
        // following entries until overridden.
        X500Principal badCertIssuer = crlIssuer;
        for (int i = 0; i < badCerts.length; i++) {
            X509CRLEntryImpl badCert = (X509CRLEntryImpl)badCerts[i];
            try {
                badCertIssuer = getCertIssuer(badCert, badCertIssuer);
            } catch (IOException ioe) {
                throw new CRLException(ioe);
            }
            badCert.setCertificateIssuer(crlIssuer, badCertIssuer);
            // Key on the resolved issuer, not the CRL issuer, so indirect
            // entries do not collide with direct ones sharing a serial.
            X509IssuerSerial issuerSerial = new X509IssuerSerial
                (badCertIssuer, badCert.getSerialNumber());
            this.revokedMap.put(issuerSerial, badCert);
            this.revokedList.add(badCert);
            if (badCert.hasExtensions()) {
                // Entry extensions require a v2 CRL; 1 is presumably the
                // on-wire encoding of version 2 (X.509 versions are 0-based).
                this.version = 1;
            }
        }
    }
}
/**
 * Gets the CRL entry with the given serial number from this CRL.
 *
 * <p>The lookup key pairs the serial with this CRL's own issuer, i.e. the
 * entry is assumed to be a direct one. An entry that names a different
 * certificate issuer (indirect CRL) is stored under that issuer and will not
 * be found by this overload; use the {@code X509Certificate} overload for
 * those.
 *
 * @param serialNumber the serial number to look up
 * @return the entry with the given serial number, or <code>null</code> if
 *         no such entry exists in the CRL.
 * @see X509CRLEntry
 */
public X509CRLEntry getRevokedCertificate(BigInteger serialNumber) {
    if (revokedMap.isEmpty()) {
        return null;
    }
    X509IssuerSerial directKey =
        new X509IssuerSerial(getIssuerX500Principal(), serialNumber);
    return revokedMap.get(directKey);
}
/**
 * Finds the revocation entry for {@code serialNumber} by streaming through
 * the CRL's raw bytes.
 *
 * <p>Fail-open caveat: if the CRL stream cannot be read, the
 * {@code IOException} is logged and {@code null} is returned — the very same
 * value that means "not revoked". Callers that must distinguish "unreadable
 * CRL" from "not listed" cannot do so through this return value.
 *
 * @param crlValidity wrapper providing the CRL bytes as a stream
 * @param serialNumber serial of the certificate to look up
 * @return the matching entry, or {@code null} if absent or unreadable
 */
@Override
public X509CRLEntry getRevocationInfo(CRLValidity crlValidity, BigInteger serialNumber) {
    X509CRLEntry found = null;
    try (InputStream crlStream = crlValidity.toCRLInputStream()) {
        found = new CRLParser().retrieveRevocationInfo(crlStream, serialNumber);
    } catch (IOException e) {
        LOG.error("Unable to retrieve the revocation status", e);
    }
    return found;
}
/**
 * Gets the CRL entry with the given serial number from this CRL.
 *
 * <p>The lookup key pairs the serial with this CRL's own issuer, i.e. the
 * entry is assumed to be a direct one. An entry that names a different
 * certificate issuer (indirect CRL) is stored under that issuer and will not
 * be found by this overload; use the {@code X509Certificate} overload for
 * those.
 *
 * @param serialNumber the serial number to look up
 * @return the entry with the given serial number, or <code>null</code> if
 *         no such entry exists in the CRL.
 * @see X509CRLEntry
 */
public X509CRLEntry getRevokedCertificate(BigInteger serialNumber) {
    if (revokedMap.isEmpty()) {
        return null;
    }
    X509IssuerSerial directKey =
        new X509IssuerSerial(getIssuerX500Principal(), serialNumber);
    return revokedMap.get(directKey);
}
/**
 * Looks up one serial (per the test name, the last entry) in a medium-sized
 * real-world CRL fixture (GlobalSign PersonalSign 2 G2) and checks the
 * returned entry is populated — except for the reason code, which this entry
 * is expected not to carry.
 */
@Test
public void retrieveRevocationInfoMediumLastEntry() throws IOException {
    BigInteger wanted = new BigInteger("288350169419475868349393264025423631520");
    try (InputStream crlStream = CRLParserTest.class.getResourceAsStream("/http___crl.globalsign.com_gs_gspersonalsign2sha2g2.crl")) {
        X509CRLEntry found = parser.retrieveRevocationInfo(crlStream, wanted);

        assertNotNull(found);
        assertNotNull(found.getRevocationDate());
        assertNull(found.getRevocationReason());
        assertNotNull(found.getSerialNumber());
        assertEquals(wanted, found.getSerialNumber());
    }
}
/**
 * Gets the CRL entry for the given certificate.
 *
 * <p>Unlike the serial-number overload, the map key is derived from the
 * certificate itself by {@code X509IssuerSerial(X509Certificate)} —
 * presumably its issuer plus serial (that constructor is not visible here) —
 * so an indirect-CRL entry keyed under a foreign issuer can be found.
 *
 * @param cert the certificate to look up
 * @return the entry for {@code cert}, or {@code null} if it is not listed
 */
public X509CRLEntry getRevokedCertificate(X509Certificate cert) {
    return revokedMap.isEmpty()
        ? null
        : revokedMap.get(new X509IssuerSerial(cert));
}
/**
 * Gets the CRL entry with the given serial number from this CRL.
 *
 * <p>The lookup key pairs the serial with this CRL's own issuer, i.e. the
 * entry is assumed to be a direct one. An entry that names a different
 * certificate issuer (indirect CRL) is stored under that issuer and will not
 * be found by this overload; use the {@code X509Certificate} overload for
 * those.
 *
 * @param serialNumber the serial number to look up
 * @return the entry with the given serial number, or <code>null</code> if
 *         no such entry exists in the CRL.
 * @see X509CRLEntry
 */
public X509CRLEntry getRevokedCertificate(BigInteger serialNumber) {
    if (revokedMap.isEmpty()) {
        return null;
    }
    X509IssuerSerial directKey =
        new X509IssuerSerial(getIssuerX500Principal(), serialNumber);
    return revokedMap.get(directKey);
}
/**
 * Gets the CRL entry for the given certificate.
 *
 * <p>Unlike the serial-number overload, the map key is derived from the
 * certificate itself by {@code X509IssuerSerial(X509Certificate)} —
 * presumably its issuer plus serial (that constructor is not visible here) —
 * so an indirect-CRL entry keyed under a foreign issuer can be found.
 *
 * @param cert the certificate to look up
 * @return the entry for {@code cert}, or {@code null} if it is not listed
 */
public X509CRLEntry getRevokedCertificate(X509Certificate cert) {
    return revokedMap.isEmpty()
        ? null
        : revokedMap.get(new X509IssuerSerial(cert));
}
/**
 * Utility method to convert an arbitrary instance of X509CRLEntry
 * to a X509CRLEntryImpl. Does a cast if possible, otherwise reparses
 * the encoding.
 *
 * @param entry any CRL entry; must not be {@code null}
 * @return {@code entry} itself when it already is an
 *         {@code X509CRLEntryImpl}, otherwise a new instance parsed from
 *         {@code entry.getEncoded()}
 * @throws CRLException if the entry cannot be encoded or re-parsed
 */
public static X509CRLEntryImpl toImpl(X509CRLEntry entry)
        throws CRLException {
    if (!(entry instanceof X509CRLEntryImpl)) {
        // Foreign provider object: round-trip through DER so the result is
        // one of ours.
        return new X509CRLEntryImpl(entry.getEncoded());
    }
    return (X509CRLEntryImpl) entry;
}
/**
 * Check that {@code cert} is signed by the {@code ca} and not revoked.
 *
 * <p>Support for certificate chains has not been implemented.
 *
 * <p>What is checked here: the certificate's validity window against
 * {@code now}, its signature against {@code rootCert}'s public key, and its
 * presence in {@code crl}. What is NOT checked here: the CRL's own signature
 * and freshness (the "CRL is expired / older than the one in memory" cases in
 * the throws clause are presumably enforced where the CRL is loaded — confirm),
 * and that {@code cert}'s issuer DN equals {@code rootCert}'s subject.
 *
 * @throws GeneralSecurityException for unsupported protocols, certs not signed by the TMCH,
 *     parsing errors, encoding errors, if the CRL is expired, or if the CRL is older than the
 *     one currently in memory.
 * @throws CertificateRevokedException (a GeneralSecurityException) when the CRL lists
 *     {@code cert}; the reason defaults to UNSPECIFIED and the authority to the CRL issuer
 *     when the entry gives neither.
 */
public static void verifyCertificate(
    X509Certificate rootCert, X509CRL crl, @Tainted X509Certificate cert, Date now)
    throws GeneralSecurityException {
  cert.checkValidity(checkNotNull(now, "now"));
  cert.verify(rootCert.getPublicKey());
  if (!crl.isRevoked(cert)) {
    return;
  }
  X509CRLEntry entry = crl.getRevokedCertificate(cert);
  Date revokedOn = checkNotNull(entry.getRevocationDate(), "revocationDate");
  CRLReason reason =
      Optional.ofNullable(entry.getRevocationReason()).orElse(CRLReason.UNSPECIFIED);
  throw new CertificateRevokedException(
      revokedOn,
      reason,
      firstNonNull(entry.getCertificateIssuer(), crl.getIssuerX500Principal()),
      ImmutableMap.of());
}
/**
 * Utility method to convert an arbitrary instance of X509CRLEntry
 * to a X509CRLEntryImpl. Does a cast if possible, otherwise reparses
 * the encoding.
 *
 * @param entry any CRL entry; must not be {@code null}
 * @return {@code entry} itself when it already is an
 *         {@code X509CRLEntryImpl}, otherwise a new instance parsed from
 *         {@code entry.getEncoded()}
 * @throws CRLException if the entry cannot be encoded or re-parsed
 */
public static X509CRLEntryImpl toImpl(X509CRLEntry entry)
        throws CRLException {
    if (!(entry instanceof X509CRLEntryImpl)) {
        // Foreign provider object: round-trip through DER so the result is
        // one of ours.
        return new X509CRLEntryImpl(entry.getEncoded());
    }
    return (X509CRLEntryImpl) entry;
}
/**
 * Gets the CRL entry with the given serial number from this CRL.
 *
 * <p>The lookup key pairs the serial with this CRL's own issuer, i.e. the
 * entry is assumed to be a direct one. An entry that names a different
 * certificate issuer (indirect CRL) is stored under that issuer and will not
 * be found by this overload; use the {@code X509Certificate} overload for
 * those.
 *
 * @param serialNumber the serial number to look up
 * @return the entry with the given serial number, or <code>null</code> if
 *         no such entry exists in the CRL.
 * @see X509CRLEntry
 */
public X509CRLEntry getRevokedCertificate(BigInteger serialNumber) {
    if (revokedMap.isEmpty()) {
        return null;
    }
    X509IssuerSerial directKey =
        new X509IssuerSerial(getIssuerX500Principal(), serialNumber);
    return revokedMap.get(directKey);
}
/**
 * Self-test: builds a CRL whose 20 entries use only 10 distinct serials
 * ({@code i*7 mod 10}, so each of 0..9 appears twice) listed out of order,
 * signs it, and checks the encoding both on the freshly built object and
 * after a round-trip through a {@code CertificateFactory}.
 *
 * <p>Test-only crypto: the RSA generator is not explicitly initialised
 * (provider default key size) and the CRL is signed with SHA1withRSA. That is
 * irrelevant for an encoding check but must not be copied into production
 * code.
 *
 * @param args ignored
 * @throws Exception on any failure; {@code checkData} (defined elsewhere)
 *         reports encoding mismatches
 */
public static void main(String[] args) throws Exception {
    final int count = 20;

    // Serials with deliberate duplicates and a non-monotonic order.
    BigInteger[] serials = new BigInteger[count];
    X509CRLEntry[] entries = new X509CRLEntry[count];
    for (int i = 0; i < count; i++) {
        serials[i] = BigInteger.valueOf(i * 7 % 10);
        // Revocation dates one second apart so entry order stays observable.
        entries[i] = new X509CRLEntryImpl(serials[i],
                new Date(System.currentTimeMillis() + i * 1000));
    }

    X500Name issuer = new X500Name("CN=CA");
    X509CRLImpl built = new X509CRLImpl(issuer, new Date(), new Date(), entries);
    KeyPairGenerator rsa = KeyPairGenerator.getInstance("RSA");
    built.sign(rsa.genKeyPair().getPrivate(), "SHA1withRSA");

    // Encoding of the object we built ourselves...
    byte[] encoded = built.getEncodedInternal();
    checkData(built, encoded, serials);

    // ...and of the same bytes parsed back by the provider.
    CertificateFactory factory = CertificateFactory.getInstance("X.509");
    X509CRLImpl reparsed = (X509CRLImpl) factory.generateCRL(new ByteArrayInputStream(encoded));
    checkData(reparsed, reparsed.getEncodedInternal(), serials);
}
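/**
 * CRL entry selected or deselected. Enable/disable the "CRL Extensions" button accordingly (i.e. enable it if only
 * one entry is selected and it has extensions).
 *
 * <p>The table row holds only the serial number, so the entry is located by scanning the CRL; the match is on
 * serial alone (no issuer comparison, first hit wins). The button is disabled in every other case: no selection,
 * a multi-row selection, a CRL with no revoked certificates, a serial that is no longer in the CRL, or an entry
 * without extensions.
 *
 * <p>Fix: {@code X509CRL.getRevokedCertificates()} returns {@code null} — not an empty set — when the CRL lists
 * nothing; the original iterated it unguarded and would throw {@code NullPointerException} from a selection
 * listener.
 */
private void crlEntrySelection()
{
    ListSelectionModel selection = m_jtRevokedCerts.getSelectionModel();
    boolean enable = false;

    // Exactly one row selected?
    if (!selection.isSelectionEmpty()
        && selection.getMinSelectionIndex() == selection.getMaxSelectionIndex())
    {
        int row = selection.getMinSelectionIndex();
        BigInteger serialNumber = (BigInteger) m_jtRevokedCerts.getValueAt(row, 0);

        Set<? extends X509CRLEntry> revoked = m_crl.getRevokedCertificates();
        X509CRLEntry match = null;
        if (revoked != null)
        {
            for (X509CRLEntry entry : revoked)
            {
                if (serialNumber.equals(entry.getSerialNumber()))
                {
                    match = entry;
                    break;
                }
            }
        }
        enable = match != null && match.hasExtensions();
    }

    m_jbCrlEntryExtensions.setEnabled(enable);
}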
/**
 * Utility method to convert an arbitrary instance of X509CRLEntry
 * to a X509CRLEntryImpl. Does a cast if possible, otherwise reparses
 * the encoding.
 *
 * @param entry any CRL entry; must not be {@code null}
 * @return {@code entry} itself when it already is an
 *         {@code X509CRLEntryImpl}, otherwise a new instance parsed from
 *         {@code entry.getEncoded()}
 * @throws CRLException if the entry cannot be encoded or re-parsed
 */
public static X509CRLEntryImpl toImpl(X509CRLEntry entry)
        throws CRLException {
    if (!(entry instanceof X509CRLEntryImpl)) {
        // Foreign provider object: round-trip through DER so the result is
        // one of ours.
        return new X509CRLEntryImpl(entry.getEncoded());
    }
    return (X509CRLEntryImpl) entry;
}
/**
 * Gets the CRL entry for the given certificate.
 *
 * <p>Unlike the serial-number overload, the map key is derived from the
 * certificate itself by {@code X509IssuerSerial(X509Certificate)} —
 * presumably its issuer plus serial (that constructor is not visible here) —
 * so an indirect-CRL entry keyed under a foreign issuer can be found.
 *
 * @param cert the certificate to look up
 * @return the entry for {@code cert}, or {@code null} if it is not listed
 */
public X509CRLEntry getRevokedCertificate(X509Certificate cert) {
    return revokedMap.isEmpty()
        ? null
        : revokedMap.get(new X509IssuerSerial(cert));
}
/**
 * Self-test: builds a CRL whose 20 entries use only 10 distinct serials
 * ({@code i*7 mod 10}, so each of 0..9 appears twice) listed out of order,
 * signs it, and checks the encoding both on the freshly built object and
 * after a round-trip through a {@code CertificateFactory}.
 *
 * <p>Test-only crypto: the RSA generator is not explicitly initialised
 * (provider default key size) and the CRL is signed with SHA1withRSA. That is
 * irrelevant for an encoding check but must not be copied into production
 * code.
 *
 * @param args ignored
 * @throws Exception on any failure; {@code checkData} (defined elsewhere)
 *         reports encoding mismatches
 */
public static void main(String[] args) throws Exception {
    final int count = 20;

    // Serials with deliberate duplicates and a non-monotonic order.
    BigInteger[] serials = new BigInteger[count];
    X509CRLEntry[] entries = new X509CRLEntry[count];
    for (int i = 0; i < count; i++) {
        serials[i] = BigInteger.valueOf(i * 7 % 10);
        // Revocation dates one second apart so entry order stays observable.
        entries[i] = new X509CRLEntryImpl(serials[i],
                new Date(System.currentTimeMillis() + i * 1000));
    }

    X500Name issuer = new X500Name("CN=CA");
    X509CRLImpl built = new X509CRLImpl(issuer, new Date(), new Date(), entries);
    KeyPairGenerator rsa = KeyPairGenerator.getInstance("RSA");
    built.sign(rsa.genKeyPair().getPrivate(), "SHA1withRSA");

    // Encoding of the object we built ourselves...
    byte[] encoded = built.getEncodedInternal();
    checkData(built, encoded, serials);

    // ...and of the same bytes parsed back by the provider.
    CertificateFactory factory = CertificateFactory.getInstance("X.509");
    X509CRLImpl reparsed = (X509CRLImpl) factory.generateCRL(new ByteArrayInputStream(encoded));
    checkData(reparsed, reparsed.getEncodedInternal(), serials);
}
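/**
 * Looks up serial 5203 in the LTGRCA fixture CRL through a buffered stream and
 * checks the returned entry is fully populated, including a reason code.
 *
 * <p>Fix: the original wrapped the resource stream in a
 * {@code BufferedInputStream} but then handed the raw {@code fis} to the
 * parser, leaving the wrapper unused. The buffered stream is now the one the
 * parser reads from, as intended.
 */
@Test
public void retrieveRevocationInfo() throws IOException {
    try (InputStream fis = CRLParserTest.class.getResourceAsStream("/LTGRCA.crl");
         BufferedInputStream is = new BufferedInputStream(fis)) {
        BigInteger serialNumber = new BigInteger("5203");
        X509CRLEntry entry = parser.retrieveRevocationInfo(is, serialNumber);

        assertNotNull(entry);
        assertNotNull(entry.getRevocationDate());
        assertNotNull(entry.getRevocationReason());
        assertNotNull(entry.getSerialNumber());
        assertEquals(serialNumber, entry.getSerialNumber());
    }
}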
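/**
 * @see java.security.cert.CRL#isRevoked(java.security.cert.Certificate)
 *
 * <p>Matches on serial number only: the certificate's issuer is compared
 * neither with this CRL's issuer nor with any certificateIssuer entry
 * extension, so the caller must already have established that this CRL is
 * the right one for the certificate. Non-X.509 certificates are reported as
 * not revoked.
 *
 * <p>Fix: {@code X509CRL.getRevokedCertificates()} is documented to return
 * {@code null} (not an empty set) when the CRL lists nothing; the original
 * for-each would throw {@code NullPointerException} on such a CRL instead of
 * answering {@code false}.
 */
@Override
public boolean isRevoked(final Certificate cert) {
    if (!(cert instanceof X509Certificate)) {
        return false;
    }
    final X509Certificate xcert = (X509Certificate) cert;
    final Iterable<? extends X509CRLEntry> entries = getRevokedCertificates();
    if (entries == null) {
        return false;
    }
    for (final X509CRLEntry entry : entries) {
        if (entry.getSerialNumber().equals(xcert.getSerialNumber())) {
            return true;
        }
    }
    return false;
}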
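/**
 * @see java.security.cert.CRL#isRevoked(java.security.cert.Certificate)
 *
 * <p>Matches on serial number only: the certificate's issuer is compared
 * neither with this CRL's issuer nor with any certificateIssuer entry
 * extension, so the caller must already have established that this CRL is
 * the right one for the certificate. Non-X.509 certificates are reported as
 * not revoked.
 *
 * <p>Fix: {@code X509CRL.getRevokedCertificates()} is documented to return
 * {@code null} (not an empty set) when the CRL lists nothing; the original
 * for-each would throw {@code NullPointerException} on such a CRL instead of
 * answering {@code false}.
 */
@Override
public boolean isRevoked(final Certificate cert) {
    if (!(cert instanceof X509Certificate)) {
        return false;
    }
    final X509Certificate xcert = (X509Certificate) cert;
    final Iterable<? extends X509CRLEntry> entries = getRevokedCertificates();
    if (entries == null) {
        return false;
    }
    for (final X509CRLEntry entry : entries) {
        if (entry.getSerialNumber().equals(xcert.getSerialNumber())) {
            return true;
        }
    }
    return false;
}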
/**
 * CRL constructor, revoked certs, no extensions.
 *
 * <p>Each entry is registered twice: in {@code revokedMap}, keyed by
 * (certificate issuer, serial), for lookups, and in {@code revokedList} to
 * preserve the listing order for encoding.
 *
 * @param issuer the name of the CA issuing this CRL.
 * @param thisDate the Date of this issue (thisUpdate).
 * @param nextDate the Date of the next CRL (nextUpdate).
 * @param badCerts the array of CRL entries; every element is cast to
 *        {@code X509CRLEntryImpl} unconditionally, so foreign
 *        {@code X509CRLEntry} implementations and {@code null} elements are
 *        not tolerated. May itself be {@code null} (no entries).
 *
 * @exception CRLException on parsing/construction errors.
 */
public X509CRLImpl(X500Name issuer, Date thisDate, Date nextDate,
                   X509CRLEntry[] badCerts)
    throws CRLException
{
    this.issuer = issuer;
    this.thisUpdate = thisDate;
    this.nextUpdate = nextDate;
    if (badCerts != null) {
        X500Principal crlIssuer = getIssuerX500Principal();
        // "Current" certificate issuer. It is deliberately carried across
        // iterations: getCertIssuer() (body not visible here) presumably
        // returns the entry's certificateIssuer extension when present and
        // the previous value otherwise, i.e. an issuer change applies to all
        // following entries until overridden.
        X500Principal badCertIssuer = crlIssuer;
        for (int i = 0; i < badCerts.length; i++) {
            X509CRLEntryImpl badCert = (X509CRLEntryImpl)badCerts[i];
            try {
                badCertIssuer = getCertIssuer(badCert, badCertIssuer);
            } catch (IOException ioe) {
                throw new CRLException(ioe);
            }
            badCert.setCertificateIssuer(crlIssuer, badCertIssuer);
            // Key on the resolved issuer, not the CRL issuer, so indirect
            // entries do not collide with direct ones sharing a serial.
            X509IssuerSerial issuerSerial = new X509IssuerSerial
                (badCertIssuer, badCert.getSerialNumber());
            this.revokedMap.put(issuerSerial, badCert);
            this.revokedList.add(badCert);
            if (badCert.hasExtensions()) {
                // Entry extensions require a v2 CRL; 1 is presumably the
                // on-wire encoding of version 2 (X.509 versions are 0-based).
                this.version = 1;
            }
        }
    }
}