com.tencent.kona.sun.security.x509

Class X509CRLImpl

java.lang.Object

java.security.cert.CRL

java.security.cert.X509CRL

com.tencent.kona.sun.security.x509.X509CRLImpl

All Implemented Interfaces:

com.tencent.kona.sun.security.util.DerEncoder, java.security.cert.X509Extension

public class X509CRLImpl
extends java.security.cert.X509CRL
implements com.tencent.kona.sun.security.util.DerEncoder

An implementation for X509 CRL (Certificate Revocation List).

The X.509 v2 CRL format is described below in ASN.1:

 CertificateList  ::=  SEQUENCE  {
     tbsCertList          TBSCertList,
     signatureAlgorithm   AlgorithmIdentifier,
     signature            BIT STRING  }
 

More information can be found in RFC 5280: Internet X.509 Public Key Infrastructure Certificate and CRL Profile.

The ASN.1 definition of tbsCertList is:

 TBSCertList  ::=  SEQUENCE  {
     version                 Version OPTIONAL,
                             -- if present, must be v2
     signature               AlgorithmIdentifier,
     issuer                  Name,
     thisUpdate              ChoiceOfTime,
     nextUpdate              ChoiceOfTime OPTIONAL,
     revokedCertificates     SEQUENCE OF SEQUENCE  {
         userCertificate         CertificateSerialNumber,
         revocationDate          ChoiceOfTime,
         crlEntryExtensions      Extensions OPTIONAL
                                 -- if present, must be v2
         }  OPTIONAL,
     crlExtensions           [0]  EXPLICIT Extensions OPTIONAL
                                  -- if present, must be v2
     }
 

See Also:

X509CRL

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	X509CRLImpl.TBSCertList

Constructor Summary

Constructors

Constructor and Description
X509CRLImpl(byte[] crlData) Unmarshals an X.509 CRL from its encoded form, parsing the encoded bytes.
X509CRLImpl(com.tencent.kona.sun.security.util.DerValue val) Unmarshals an X.509 CRL from an DER value.
X509CRLImpl(java.io.InputStream inStrm) Unmarshals an X.509 CRL from an input stream.
X509CRLImpl(X509CRLImpl.TBSCertList info, com.tencent.kona.sun.security.x509.AlgorithmId sigAlgId, byte[] signature, byte[] tbsCertList, byte[] signedCRL) Constructor simply setting all (non-cache) fields.

Method Summary

Modifier and Type	Method and Description
void	encode(com.tencent.kona.sun.security.util.DerOutputStream out)
KeyIdentifier	getAuthKeyId() return the AuthorityKeyIdentifier, if any.
AuthorityKeyIdentifierExtension	getAuthKeyIdExtension() return the AuthorityKeyIdentifierExtension, if any.
java.math.BigInteger	getBaseCRLNumber() return the base CRL number from the DeltaCRLIndicatorExtension, if any.
java.util.Set<java.lang.String>	getCriticalExtensionOIDs() Gets a Set of the extension(s) marked CRITICAL in the CRL.
java.math.BigInteger	getCRLNumber() return the CRL number from the CRLNumberExtension, if any.
CRLNumberExtension	getCRLNumberExtension() return the CRLNumberExtension, if any.
DeltaCRLIndicatorExtension	getDeltaCRLIndicatorExtension() return the DeltaCRLIndicatorExtension, if any.
byte[]	getEncoded() Returns the ASN.1 DER encoded form of this CRL.
byte[]	getEncodedInternal() Returned the encoding as an uncloned byte array.
static byte[]	getEncodedInternal(java.security.cert.X509CRL crl) Returned the encoding of the given certificate for internal use.
java.lang.Object	getExtension(com.tencent.kona.sun.security.util.ObjectIdentifier oid) get an extension
byte[]	getExtensionValue(java.lang.String oid) Gets the DER encoded OCTET string for the extension value (extnValue) identified by the passed in oid String.
IssuerAlternativeNameExtension	getIssuerAltNameExtension() return the IssuerAlternativeNameExtension, if any.
java.security.Principal	getIssuerDN() Gets the issuer distinguished name from this CRL.
javax.security.auth.x500.X500Principal	getIssuerX500Principal() Return the issuer as X500Principal.
static javax.security.auth.x500.X500Principal	getIssuerX500Principal(java.security.cert.X509CRL crl) Extract the issuer X500Principal from an X509CRL.
IssuingDistributionPointExtension	getIssuingDistributionPointExtension() return the IssuingDistributionPointExtension, if any.
java.util.Date	getNextUpdate() Gets the nextUpdate date from the CRL.
java.util.Set<java.lang.String>	getNonCriticalExtensionOIDs() Gets a Set of the extension(s) marked NON-CRITICAL in the CRL.
java.security.cert.X509CRLEntry	getRevokedCertificate(java.math.BigInteger serialNumber) Gets the CRL entry with the given serial number from this CRL.
java.security.cert.X509CRLEntry	getRevokedCertificate(java.security.cert.X509Certificate cert) Gets the CRL entry for the given certificate.
java.util.Set<java.security.cert.X509CRLEntry>	getRevokedCertificates() Gets all the revoked certificates from the CRL.
com.tencent.kona.sun.security.x509.AlgorithmId	getSigAlgId() Gets the signature AlgorithmId from the CRL.
java.lang.String	getSigAlgName() Gets the signature algorithm name for the CRL signature algorithm.
java.lang.String	getSigAlgOID() Gets the signature algorithm OID string from the CRL.
byte[]	getSigAlgParams() Gets the DER encoded signature algorithm parameters from this CRL's signature algorithm.
byte[]	getSignature() Gets the raw Signature bits from the CRL.
byte[]	getTBSCertList() Gets the DER encoded CRL information, the tbsCertList from this CRL.
java.util.Date	getThisUpdate() Gets the thisUpdate date from the CRL.
int	getVersion() Gets the version number from this CRL.
boolean	hasUnsupportedCriticalExtension() Return true if a critical extension is found that is not supported, otherwise return false.
boolean	isRevoked(java.security.cert.Certificate cert) Checks whether the given certificate is on this CRL.
static X509CRLImpl	newSigned(X509CRLImpl.TBSCertList info, java.security.PrivateKey key, java.lang.String algorithm) Creates a new X.509 CRL, which is signed using the given key.
static X509CRLImpl	newSigned(X509CRLImpl.TBSCertList info, java.security.PrivateKey key, java.lang.String algorithm, java.lang.String provider) Creates a new X.509 CRL, which is signed using the given key.
static X509CRLImpl	toImpl(java.security.cert.X509CRL crl) Utility method to convert an arbitrary instance of X509CRL to a X509CRLImpl.
java.lang.String	toString() Returns a printable string of this CRL.
java.lang.String	toStringWithAlgName(java.lang.String name)
void	verify(java.security.PublicKey key) Verifies that this CRL was signed using the private key that corresponds to the given public key.
void	verify(java.security.PublicKey key, java.security.Provider sigProvider) Verifies that this CRL was signed using the private key that corresponds to the given public key, and that the signature verification was computed by the given provider.
void	verify(java.security.PublicKey key, java.lang.String sigProvider) Verifies that this CRL was signed using the private key that corresponds to the given public key, and that the signature verification was computed by the given provider.

Methods inherited from class java.security.cert.X509CRL

equals, hashCode

Methods inherited from class java.security.cert.CRL

getType

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, wait, wait, wait

Constructor Detail

X509CRLImpl

public X509CRLImpl(X509CRLImpl.TBSCertList info,
                   com.tencent.kona.sun.security.x509.AlgorithmId sigAlgId,
                   byte[] signature,
                   byte[] tbsCertList,
                   byte[] signedCRL)

Constructor simply setting all (non-cache) fields. Only used in newSigned(com.tencent.kona.sun.security.x509.X509CRLImpl.TBSCertList, java.security.PrivateKey, java.lang.String).

X509CRLImpl

public X509CRLImpl(byte[] crlData)
            throws java.security.cert.CRLException

Unmarshals an X.509 CRL from its encoded form, parsing the encoded bytes. This form of constructor is used by agents which need to examine and use CRL contents. Note that the buffer must include only one CRL, and no "garbage" may be left at the end.

Parameters:

crlData - the encoded bytes, with no trailing padding.

Throws:

java.security.cert.CRLException - on parsing errors.

X509CRLImpl

public X509CRLImpl(com.tencent.kona.sun.security.util.DerValue val)
            throws java.security.cert.CRLException

Unmarshals an X.509 CRL from an DER value.

Parameters:

val - a DER value holding at least one CRL

Throws:

java.security.cert.CRLException - on parsing errors.

X509CRLImpl

public X509CRLImpl(java.io.InputStream inStrm)
            throws java.security.cert.CRLException

Unmarshals an X.509 CRL from an input stream. Only one CRL is expected at the end of the input stream.

Parameters:

inStrm - an input stream holding at least one CRL

Throws:

java.security.cert.CRLException - on parsing errors.

Method Detail

getEncodedInternal

public byte[] getEncodedInternal()
                          throws java.security.cert.CRLException

Returned the encoding as an uncloned byte array. Callers must guarantee that they neither modify it nor expose it to untrusted code.

Throws:

java.security.cert.CRLException

getEncoded

public byte[] getEncoded()
                  throws java.security.cert.CRLException

Returns the ASN.1 DER encoded form of this CRL.

Specified by:

getEncoded in class java.security.cert.X509CRL

Throws:

java.security.cert.CRLException - if an encoding error occurs.

verify

public void verify(java.security.PublicKey key)
            throws java.security.cert.CRLException,
                   java.security.NoSuchAlgorithmException,
                   java.security.InvalidKeyException,
                   java.security.NoSuchProviderException,
                   java.security.SignatureException

Verifies that this CRL was signed using the private key that corresponds to the given public key.

Specified by:

verify in class java.security.cert.X509CRL

Parameters:

key - the PublicKey used to carry out the verification.

Throws:

java.security.NoSuchAlgorithmException - on unsupported signature algorithms.

java.security.InvalidKeyException - on incorrect key.

java.security.NoSuchProviderException - if there's no default provider.

java.security.SignatureException - on signature errors.

java.security.cert.CRLException - on encoding errors.

verify

public void verify(java.security.PublicKey key,
                   java.lang.String sigProvider)
            throws java.security.cert.CRLException,
                   java.security.NoSuchAlgorithmException,
                   java.security.InvalidKeyException,
                   java.security.NoSuchProviderException,
                   java.security.SignatureException

Verifies that this CRL was signed using the private key that corresponds to the given public key, and that the signature verification was computed by the given provider.

Specified by:

verify in class java.security.cert.X509CRL

Parameters:

key - the PublicKey used to carry out the verification.

sigProvider - the name of the signature provider.

Throws:

java.security.NoSuchAlgorithmException - on unsupported signature algorithms.

java.security.InvalidKeyException - on incorrect key.

java.security.NoSuchProviderException - on incorrect provider.

java.security.SignatureException - on signature errors.

java.security.cert.CRLException - on encoding errors.

verify

public void verify(java.security.PublicKey key,
                   java.security.Provider sigProvider)
            throws java.security.cert.CRLException,
                   java.security.NoSuchAlgorithmException,
                   java.security.InvalidKeyException,
                   java.security.SignatureException

Verifies that this CRL was signed using the private key that corresponds to the given public key, and that the signature verification was computed by the given provider. Note that the specified Provider object does not have to be registered in the provider list.

Overrides:

verify in class java.security.cert.X509CRL

Parameters:

key - the PublicKey used to carry out the verification.

sigProvider - the signature provider.

Throws:

java.security.NoSuchAlgorithmException - on unsupported signature algorithms.

java.security.InvalidKeyException - on incorrect key.

java.security.SignatureException - on signature errors.

java.security.cert.CRLException - on encoding errors.

newSigned

public static X509CRLImpl newSigned(X509CRLImpl.TBSCertList info,
                                    java.security.PrivateKey key,
                                    java.lang.String algorithm)
                             throws java.security.cert.CRLException,
                                    java.security.NoSuchAlgorithmException,
                                    java.security.InvalidKeyException,
                                    java.security.NoSuchProviderException,
                                    java.security.SignatureException

Creates a new X.509 CRL, which is signed using the given key.

Parameters:

info - the TBSCertList to sign

key - the private key used for signing.

algorithm - the name of the signature algorithm used.

Returns:

a newly signed CRL

Throws:

java.security.NoSuchAlgorithmException - on unsupported signature algorithms.

java.security.InvalidKeyException - on incorrect key.

java.security.NoSuchProviderException - on incorrect provider.

java.security.SignatureException - on signature errors.

java.security.cert.CRLException - if any mandatory data was omitted.

newSigned

public static X509CRLImpl newSigned(X509CRLImpl.TBSCertList info,
                                    java.security.PrivateKey key,
                                    java.lang.String algorithm,
                                    java.lang.String provider)
                             throws java.security.cert.CRLException,
                                    java.security.NoSuchAlgorithmException,
                                    java.security.InvalidKeyException,
                                    java.security.NoSuchProviderException,
                                    java.security.SignatureException

Creates a new X.509 CRL, which is signed using the given key.

Parameters:

info - the TBSCertList to sign

key - the private key used for signing.

algorithm - the name of the signature algorithm used.

provider - (optional) the name of the provider.

Returns:

a newly signed CRL

Throws:

java.security.NoSuchAlgorithmException - on unsupported signature algorithms.

java.security.InvalidKeyException - on incorrect key.

java.security.NoSuchProviderException - on incorrect provider.

java.security.SignatureException - on signature errors.

java.security.cert.CRLException - if any mandatory data was omitted.

toString

public java.lang.String toString()

Returns a printable string of this CRL.

Specified by:

toString in class java.security.cert.CRL

Returns:

value of this CRL in a printable form.

toStringWithAlgName

public java.lang.String toStringWithAlgName(java.lang.String name)

isRevoked

public boolean isRevoked(java.security.cert.Certificate cert)

Checks whether the given certificate is on this CRL.

Specified by:

isRevoked in class java.security.cert.CRL

Parameters:

cert - the certificate to check for.

Returns:

true if the given certificate is on this CRL, false otherwise.

getVersion

public int getVersion()

Gets the version number from this CRL. The ASN.1 definition for this is:

 Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
             -- v3 does not apply to CRLs but appears for consistency
             -- with definition of Version for certs
 

Specified by:

getVersion in class java.security.cert.X509CRL

Returns:

the version number, i.e. 1 or 2.

getIssuerDN

public java.security.Principal getIssuerDN()

Gets the issuer distinguished name from this CRL. The issuer name identifies the entity who has signed (and issued the CRL). The issuer name field contains an X.500 distinguished name (DN). The ASN.1 definition for this is:

 issuer    Name

 Name ::= CHOICE { RDNSequence }
 RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
 RelativeDistinguishedName ::=
     SET OF AttributeValueAssertion

 AttributeValueAssertion ::= SEQUENCE {
                               AttributeType,
                               AttributeValue }
 AttributeType ::= OBJECT IDENTIFIER
 AttributeValue ::= ANY
 

The Name describes a hierarchical name composed of attributes, such as country name, and corresponding values, such as US. The type of the component AttributeValue is determined by the AttributeType; in general it will be a directoryString. A directoryString is usually one of PrintableString, TeletexString or UniversalString.

Specified by:

getIssuerDN in class java.security.cert.X509CRL

Returns:

the issuer name.

getIssuerX500Principal

public javax.security.auth.x500.X500Principal getIssuerX500Principal()

Return the issuer as X500Principal. Overrides method in X509CRL to provide a slightly more efficient version.

Overrides:

getIssuerX500Principal in class java.security.cert.X509CRL

getThisUpdate

public java.util.Date getThisUpdate()

Gets the thisUpdate date from the CRL. The ASN.1 definition for this is:

Specified by:

getThisUpdate in class java.security.cert.X509CRL

Returns:

the thisUpdate date from the CRL.

getNextUpdate

public java.util.Date getNextUpdate()

Gets the nextUpdate date from the CRL.

Specified by:

getNextUpdate in class java.security.cert.X509CRL

Returns:

the nextUpdate date from the CRL, or null if not present.

getRevokedCertificate

public java.security.cert.X509CRLEntry getRevokedCertificate(java.math.BigInteger serialNumber)

Gets the CRL entry with the given serial number from this CRL.

Specified by:

getRevokedCertificate in class java.security.cert.X509CRL

Returns:

the entry with the given serial number, or null if no such entry exists in the CRL.

See Also:

X509CRLEntry

getRevokedCertificate

public java.security.cert.X509CRLEntry getRevokedCertificate(java.security.cert.X509Certificate cert)

Gets the CRL entry for the given certificate.

Overrides:

getRevokedCertificate in class java.security.cert.X509CRL

getRevokedCertificates

public java.util.Set<java.security.cert.X509CRLEntry> getRevokedCertificates()

Gets all the revoked certificates from the CRL. A Set of X509CRLEntry.

Specified by:

getRevokedCertificates in class java.security.cert.X509CRL

Returns:

all the revoked certificates or null if there are none.

See Also:

X509CRLEntry

getTBSCertList

public byte[] getTBSCertList()
                      throws java.security.cert.CRLException

Gets the DER encoded CRL information, the tbsCertList from this CRL. This can be used to verify the signature independently.

Specified by:

getTBSCertList in class java.security.cert.X509CRL

Returns:

the DER encoded CRL information.

Throws:

java.security.cert.CRLException - on encoding errors.

getSignature

public byte[] getSignature()

Gets the raw Signature bits from the CRL.

Specified by:

getSignature in class java.security.cert.X509CRL

Returns:

the signature.

getSigAlgName

public java.lang.String getSigAlgName()

Gets the signature algorithm name for the CRL signature algorithm. For example, the string "SHA1withDSA". The ASN.1 definition for this is:

 AlgorithmIdentifier  ::=  SEQUENCE  {
     algorithm               OBJECT IDENTIFIER,
     parameters              ANY DEFINED BY algorithm OPTIONAL  }
                             -- contains a value of the type
                             -- registered for use with the
                             -- algorithm object identifier value
 

Specified by:

getSigAlgName in class java.security.cert.X509CRL

Returns:

the signature algorithm name.

getSigAlgOID

public java.lang.String getSigAlgOID()

Gets the signature algorithm OID string from the CRL. An OID is represented by a set of positive whole number separated by ".", that means,
<positive whole number>.<positive whole number>.<...> For example, the string "1.2.840.10040.4.3" identifies the SHA-1 with DSA signature algorithm defined in RFC 3279: Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and CRL Profile.

Specified by:

getSigAlgOID in class java.security.cert.X509CRL

Returns:

the signature algorithm oid string.

getSigAlgParams

public byte[] getSigAlgParams()

Gets the DER encoded signature algorithm parameters from this CRL's signature algorithm. In most cases, the signature algorithm parameters are null, the parameters are usually supplied with the Public Key.

Specified by:

getSigAlgParams in class java.security.cert.X509CRL

Returns:

the DER encoded signature algorithm parameters, or null if no parameters are present.

getSigAlgId

public com.tencent.kona.sun.security.x509.AlgorithmId getSigAlgId()

Gets the signature AlgorithmId from the CRL.

Returns:

the signature AlgorithmId

getAuthKeyId

public KeyIdentifier getAuthKeyId()

return the AuthorityKeyIdentifier, if any.

Returns:

AuthorityKeyIdentifier or null (if no AuthorityKeyIdentifierExtension)

getAuthKeyIdExtension

public AuthorityKeyIdentifierExtension getAuthKeyIdExtension()

return the AuthorityKeyIdentifierExtension, if any.

Returns:

AuthorityKeyIdentifierExtension or null (if no such extension)

getCRLNumberExtension

public CRLNumberExtension getCRLNumberExtension()

return the CRLNumberExtension, if any.

Returns:

CRLNumberExtension or null (if no such extension)

getCRLNumber

public java.math.BigInteger getCRLNumber()

return the CRL number from the CRLNumberExtension, if any.

Returns:

number or null (if no such extension)

getDeltaCRLIndicatorExtension

public DeltaCRLIndicatorExtension getDeltaCRLIndicatorExtension()

return the DeltaCRLIndicatorExtension, if any.

Returns:

DeltaCRLIndicatorExtension or null (if no such extension)

getBaseCRLNumber

public java.math.BigInteger getBaseCRLNumber()

return the base CRL number from the DeltaCRLIndicatorExtension, if any.

Returns:

number or null (if no such extension)

getIssuerAltNameExtension

public IssuerAlternativeNameExtension getIssuerAltNameExtension()

return the IssuerAlternativeNameExtension, if any.

Returns:

IssuerAlternativeNameExtension or null (if no such extension)

getIssuingDistributionPointExtension

public IssuingDistributionPointExtension getIssuingDistributionPointExtension()

return the IssuingDistributionPointExtension, if any.

Returns:

IssuingDistributionPointExtension or null (if no such extension)

hasUnsupportedCriticalExtension

public boolean hasUnsupportedCriticalExtension()

Return true if a critical extension is found that is not supported, otherwise return false.

Specified by:

hasUnsupportedCriticalExtension in interface java.security.cert.X509Extension

getCriticalExtensionOIDs

public java.util.Set<java.lang.String> getCriticalExtensionOIDs()

Gets a Set of the extension(s) marked CRITICAL in the CRL. In the returned set, each extension is represented by its OID string.

Specified by:

getCriticalExtensionOIDs in interface java.security.cert.X509Extension

Returns:

a set of the extension oid strings in the CRL that are marked critical.

getNonCriticalExtensionOIDs

public java.util.Set<java.lang.String> getNonCriticalExtensionOIDs()

Gets a Set of the extension(s) marked NON-CRITICAL in the CRL. In the returned set, each extension is represented by its OID string.

Specified by:

getNonCriticalExtensionOIDs in interface java.security.cert.X509Extension

Returns:

a set of the extension oid strings in the CRL that are NOT marked critical.

getExtensionValue

public byte[] getExtensionValue(java.lang.String oid)

Gets the DER encoded OCTET string for the extension value (extnValue) identified by the passed in oid String. The oid string is represented by a set of positive whole number separated by ".", that means,
<positive whole number>.<positive whole number>.<...>

Specified by:

getExtensionValue in interface java.security.cert.X509Extension

Parameters:

oid - the Object Identifier value for the extension.

Returns:

the der encoded octet string of the extension value.

getExtension

public java.lang.Object getExtension(com.tencent.kona.sun.security.util.ObjectIdentifier oid)

get an extension

Parameters:

oid - ObjectIdentifier of extension desired

Returns:

Object of type <extension> or null, if not found

getIssuerX500Principal

public static javax.security.auth.x500.X500Principal getIssuerX500Principal(java.security.cert.X509CRL crl)

Extract the issuer X500Principal from an X509CRL. Parses the encoded form of the CRL to preserve the principal's ASN.1 encoding. Called by java.security.cert.X509CRL.getIssuerX500Principal().

getEncodedInternal

public static byte[] getEncodedInternal(java.security.cert.X509CRL crl)
                                 throws java.security.cert.CRLException

Returned the encoding of the given certificate for internal use. Callers must guarantee that they neither modify it nor expose it to untrusted code. Uses getEncodedInternal() if the certificate is instance of X509CertImpl, getEncoded() otherwise.

Throws:

java.security.cert.CRLException

toImpl

public static X509CRLImpl toImpl(java.security.cert.X509CRL crl)
                          throws java.security.cert.CRLException

Utility method to convert an arbitrary instance of X509CRL to a X509CRLImpl. Does a cast if possible, otherwise reparses the encoding.

Throws:

java.security.cert.CRLException

encode

public void encode(com.tencent.kona.sun.security.util.DerOutputStream out)

Specified by:

encode in interface com.tencent.kona.sun.security.util.DerEncoder