public class

X509CRLImpl

extends X509CRL
java.lang.Object
   ↳ java.security.cert.CRL
     ↳ java.security.cert.X509CRL
       ↳ sun.security.x509.X509CRLImpl

Class Overview

An implmentation for X509 CRL (Certificate Revocation List).

The X.509 v2 CRL format is described below in ASN.1: 

 CertificateList  ::=  SEQUENCE  {
     tbsCertList          TBSCertList,
     signatureAlgorithm   AlgorithmIdentifier,
     signature            BIT STRING  }
More information can be found in RFC 3280: Internet X.509 Public Key Infrastructure Certificate and CRL Profile.

The ASN.1 definition of tbsCertList is: 

 TBSCertList  ::=  SEQUENCE  {
     version                 Version OPTIONAL,
                             -- if present, must be v2
     signature               AlgorithmIdentifier,
     issuer                  Name,
     thisUpdate              ChoiceOfTime,
     nextUpdate              ChoiceOfTime OPTIONAL,
     revokedCertificates     SEQUENCE OF SEQUENCE  {
         userCertificate         CertificateSerialNumber,
         revocationDate          ChoiceOfTime,
         crlEntryExtensions      Extensions OPTIONAL
                                 -- if present, must be v2
         }  OPTIONAL,
     crlExtensions           [0]  EXPLICIT Extensions OPTIONAL
                                  -- if present, must be v2
     }

See Also

Summary

Public Constructors
X509CRLImpl(byte[] crlData)
Unmarshals an X.509 CRL from its encoded form, parsing the encoded bytes.
X509CRLImpl(DerValue val)
Unmarshals an X.509 CRL from an DER value.
X509CRLImpl(InputStream inStrm)
Unmarshals an X.509 CRL from an input stream.
X509CRLImpl(X500Name issuer, Date thisDate, Date nextDate)
Initial CRL constructor, no revoked certs, and no extensions.
X509CRLImpl(X500Name issuer, Date thisDate, Date nextDate, X509CRLEntry[] badCerts)
CRL constructor, revoked certs, no extensions.
X509CRLImpl(X500Name issuer, Date thisDate, Date nextDate, X509CRLEntry[] badCerts, CRLExtensions crlExts)
CRL constructor, revoked certs and extensions.
Public Methods
void encodeInfo(OutputStream out)
Encodes the "to-be-signed" CRL to the OutputStream.
KeyIdentifier getAuthKeyId()
return the AuthorityKeyIdentifier, if any.
AuthorityKeyIdentifierExtension getAuthKeyIdExtension()
return the AuthorityKeyIdentifierExtension, if any.
BigInteger getBaseCRLNumber()
return the base CRL number from the DeltaCRLIndicatorExtension, if any.
BigInteger getCRLNumber()
return the CRL number from the CRLNumberExtension, if any.
CRLNumberExtension getCRLNumberExtension()
return the CRLNumberExtension, if any.
Set<String> getCriticalExtensionOIDs()
Gets a Set of the extension(s) marked CRITICAL in the CRL.
DeltaCRLIndicatorExtension getDeltaCRLIndicatorExtension()
return the DeltaCRLIndicatorExtension, if any.
byte[] getEncoded()
Returns the ASN.1 DER encoded form of this CRL.
byte[] getEncodedInternal()
Returned the encoding as an uncloned byte array.
static byte[] getEncodedInternal(X509CRL crl)
Returned the encoding of the given certificate for internal use.
Object getExtension(ObjectIdentifier oid)
get an extension
byte[] getExtensionValue(String oid)
Gets the DER encoded OCTET string for the extension value (extnValue) identified by the passed in oid String.
IssuerAlternativeNameExtension getIssuerAltNameExtension()
return the IssuerAlternativeNameExtension, if any.
Principal getIssuerDN()
Gets the issuer distinguished name from this CRL.
static X500Principal getIssuerX500Principal(X509CRL crl)
Extract the issuer X500Principal from an X509CRL.
X500Principal getIssuerX500Principal()
Return the issuer as X500Principal.
IssuingDistributionPointExtension getIssuingDistributionPointExtension()
return the IssuingDistributionPointExtension, if any.
Date getNextUpdate()
Gets the nextUpdate date from the CRL.
Set<String> getNonCriticalExtensionOIDs()
Gets a Set of the extension(s) marked NON-CRITICAL in the CRL.
X509CRLEntry getRevokedCertificate(BigInteger serialNumber)
Gets the CRL entry with the given serial number from this CRL.
X509CRLEntry getRevokedCertificate(X509Certificate cert)
Gets the CRL entry for the given certificate.
Set<X509CRLEntry> getRevokedCertificates()
Gets all the revoked certificates from the CRL.
String getSigAlgName()
Gets the signature algorithm name for the CRL signature algorithm.
String getSigAlgOID()
Gets the signature algorithm OID string from the CRL.
byte[] getSigAlgParams()
Gets the DER encoded signature algorithm parameters from this CRL's signature algorithm.
byte[] getSignature()
Gets the raw Signature bits from the CRL.
byte[] getTBSCertList()
Gets the DER encoded CRL information, the tbsCertList from this CRL.
Date getThisUpdate()
Gets the thisUpdate date from the CRL.
int getVersion()
Gets the version number from this CRL.
boolean hasUnsupportedCriticalExtension()
Return true if a critical extension is found that is not supported, otherwise return false.
boolean isRevoked(Certificate cert)
Checks whether the given certificate is on this CRL.
void sign(PrivateKey key, String algorithm, String provider)
Encodes an X.509 CRL, and signs it using the given key.
void sign(PrivateKey key, String algorithm)
Encodes an X.509 CRL, and signs it using the given key.
static X509CRLImpl toImpl(X509CRL crl)
Utility method to convert an arbitrary instance of X509CRL to a X509CRLImpl.
String toString()
Returns a printable string of this CRL.
synchronized void verify(PublicKey key, String sigProvider)
Verifies that this CRL was signed using the private key that corresponds to the given public key, and that the signature verification was computed by the given provider.
void verify(PublicKey key)
Verifies that this CRL was signed using the private key that corresponds to the given public key.
[Expand]
Inherited Methods
From class java.security.cert.X509CRL
From class java.security.cert.CRL
From class java.lang.Object
From interface java.security.cert.X509Extension

Public Constructors

public X509CRLImpl (byte[] crlData)

Unmarshals an X.509 CRL from its encoded form, parsing the encoded bytes. This form of constructor is used by agents which need to examine and use CRL contents. Note that the buffer must include only one CRL, and no "garbage" may be left at the end.

Parameters
crlData the encoded bytes, with no trailing padding.
Throws
CRLException on parsing errors.

public X509CRLImpl (DerValue val)

Unmarshals an X.509 CRL from an DER value.

Parameters
val a DER value holding at least one CRL
Throws
CRLException on parsing errors.

public X509CRLImpl (InputStream inStrm)

Unmarshals an X.509 CRL from an input stream. Only one CRL is expected at the end of the input stream.

Parameters
inStrm an input stream holding at least one CRL
Throws
CRLException on parsing errors.

public X509CRLImpl (X500Name issuer, Date thisDate, Date nextDate)

Initial CRL constructor, no revoked certs, and no extensions.

Parameters
issuer the name of the CA issuing this CRL.

public X509CRLImpl (X500Name issuer, Date thisDate, Date nextDate, X509CRLEntry[] badCerts)

CRL constructor, revoked certs, no extensions.

Parameters
issuer the name of the CA issuing this CRL.
badCerts the array of CRL entries.
Throws
CRLException on parsing/construction errors.

public X509CRLImpl (X500Name issuer, Date thisDate, Date nextDate, X509CRLEntry[] badCerts, CRLExtensions crlExts)

CRL constructor, revoked certs and extensions.

Parameters
issuer the name of the CA issuing this CRL.
badCerts the array of CRL entries.
crlExts the CRL extensions.
Throws
CRLException on parsing/construction errors.

Public Methods

public void encodeInfo (OutputStream out)

Encodes the "to-be-signed" CRL to the OutputStream.

Parameters
out the OutputStream to write to.
Throws
CRLException on encoding errors.

public KeyIdentifier getAuthKeyId ()

return the AuthorityKeyIdentifier, if any.

Throws
IOException on error

public AuthorityKeyIdentifierExtension getAuthKeyIdExtension ()

return the AuthorityKeyIdentifierExtension, if any.

Throws
IOException on error

public BigInteger getBaseCRLNumber ()

return the base CRL number from the DeltaCRLIndicatorExtension, if any.

Throws
IOException on error

public BigInteger getCRLNumber ()

return the CRL number from the CRLNumberExtension, if any.

Throws
IOException on error

public CRLNumberExtension getCRLNumberExtension ()

return the CRLNumberExtension, if any.

Throws
IOException on error

public Set<String> getCriticalExtensionOIDs ()

Gets a Set of the extension(s) marked CRITICAL in the CRL. In the returned set, each extension is represented by its OID string.

Returns
  • a set of the extension oid strings in the CRL that are marked critical.

public DeltaCRLIndicatorExtension getDeltaCRLIndicatorExtension ()

return the DeltaCRLIndicatorExtension, if any.

Throws
IOException on error

public byte[] getEncoded ()

Returns the ASN.1 DER encoded form of this CRL.

Returns
  • the encoded form of this certificate
Throws
CRLException if an encoding error occurs.

public byte[] getEncodedInternal ()

Returned the encoding as an uncloned byte array. Callers must guarantee that they neither modify it nor expose it to untrusted code.

Throws
CRLException

public static byte[] getEncodedInternal (X509CRL crl)

Returned the encoding of the given certificate for internal use. Callers must guarantee that they neither modify it nor expose it to untrusted code. Uses getEncodedInternal() if the certificate is instance of X509CertImpl, getEncoded() otherwise.

Throws
CRLException

public Object getExtension (ObjectIdentifier oid)

get an extension

Parameters
oid ObjectIdentifier of extension desired
Throws
IOException on error

public byte[] getExtensionValue (String oid)

Gets the DER encoded OCTET string for the extension value (extnValue) identified by the passed in oid String. The oid string is represented by a set of positive whole number separated by ".", that means,
<positive whole number>.<positive whole number>.<...>

Parameters
oid the Object Identifier value for the extension.
Returns
  • the der encoded octet string of the extension value.

public IssuerAlternativeNameExtension getIssuerAltNameExtension ()

return the IssuerAlternativeNameExtension, if any.

Throws
IOException on error

public Principal getIssuerDN ()

Gets the issuer distinguished name from this CRL. The issuer name identifies the entity who has signed (and issued the CRL). The issuer name field contains an X.500 distinguished name (DN). The ASN.1 definition for this is: 

 issuer    Name

 Name ::= CHOICE { RDNSequence }
 RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
 RelativeDistinguishedName ::=
     SET OF AttributeValueAssertion

 AttributeValueAssertion ::= SEQUENCE {
                               AttributeType,
                               AttributeValue }
 AttributeType ::= OBJECT IDENTIFIER
 AttributeValue ::= ANY
The Name describes a hierarchical name composed of attributes, such as country name, and corresponding values, such as US. The type of the component AttributeValue is determined by the AttributeType; in general it will be a directoryString. A directoryString is usually one of PrintableString, TeletexString or UniversalString.

Returns
  • the issuer name.

public static X500Principal getIssuerX500Principal (X509CRL crl)

Extract the issuer X500Principal from an X509CRL. Parses the encoded form of the CRL to preserve the principal's ASN.1 encoding. Called by java.security.cert.X509CRL.getIssuerX500Principal().

public X500Principal getIssuerX500Principal ()

Return the issuer as X500Principal. Overrides method in X509CRL to provide a slightly more efficient version.

Returns
  • an X500Principal representing the issuer distinguished name

public IssuingDistributionPointExtension getIssuingDistributionPointExtension ()

return the IssuingDistributionPointExtension, if any.

Throws
IOException on error

public Date getNextUpdate ()

Gets the nextUpdate date from the CRL.

Returns
  • the nextUpdate date from the CRL, or null if not present.

public Set<String> getNonCriticalExtensionOIDs ()

Gets a Set of the extension(s) marked NON-CRITICAL in the CRL. In the returned set, each extension is represented by its OID string.

Returns
  • a set of the extension oid strings in the CRL that are NOT marked critical.

public X509CRLEntry getRevokedCertificate (BigInteger serialNumber)

Gets the CRL entry with the given serial number from this CRL.

Parameters
serialNumber the serial number of the certificate for which a CRL entry is to be looked up
Returns
  • the entry with the given serial number, or null if no such entry exists in the CRL.
See Also

public X509CRLEntry getRevokedCertificate (X509Certificate cert)

Gets the CRL entry for the given certificate.

Parameters
cert the certificate for which a CRL entry is to be looked up
Returns
  • the entry for the given certificate, or null if no such entry exists in this CRL.

public Set<X509CRLEntry> getRevokedCertificates ()

Gets all the revoked certificates from the CRL. A Set of X509CRLEntry.

Returns
  • all the revoked certificates or null if there are none.
See Also

public String getSigAlgName ()

Gets the signature algorithm name for the CRL signature algorithm. For example, the string "SHA1withDSA". The ASN.1 definition for this is: 

 AlgorithmIdentifier  ::=  SEQUENCE  {
     algorithm               OBJECT IDENTIFIER,
     parameters              ANY DEFINED BY algorithm OPTIONAL  }
                             -- contains a value of the type
                             -- registered for use with the
                             -- algorithm object identifier value

Returns
  • the signature algorithm name.

public String getSigAlgOID ()

Gets the signature algorithm OID string from the CRL. An OID is represented by a set of positive whole number separated by ".", that means,
<positive whole number>.<positive whole number>.<...> For example, the string "1.2.840.10040.4.3" identifies the SHA-1 with DSA signature algorithm defined in RFC 3279: Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and CRL Profile.

Returns
  • the signature algorithm oid string.

public byte[] getSigAlgParams ()

Gets the DER encoded signature algorithm parameters from this CRL's signature algorithm. In most cases, the signature algorithm parameters are null, the parameters are usually supplied with the Public Key.

Returns
  • the DER encoded signature algorithm parameters, or null if no parameters are present.

public byte[] getSignature ()

Gets the raw Signature bits from the CRL.

Returns
  • the signature.

public byte[] getTBSCertList ()

Gets the DER encoded CRL information, the tbsCertList from this CRL. This can be used to verify the signature independently.

Returns
  • the DER encoded CRL information.
Throws
CRLException on encoding errors.

public Date getThisUpdate ()

Gets the thisUpdate date from the CRL. The ASN.1 definition for this is:

Returns
  • the thisUpdate date from the CRL.

public int getVersion ()

Gets the version number from this CRL. The ASN.1 definition for this is: 

 Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
             -- v3 does not apply to CRLs but appears for consistency
             -- with definition of Version for certs

Returns
  • the version number, i.e. 1 or 2.

public boolean hasUnsupportedCriticalExtension ()

Return true if a critical extension is found that is not supported, otherwise return false.

public boolean isRevoked (Certificate cert)

Checks whether the given certificate is on this CRL.

Parameters
cert the certificate to check for.
Returns
  • true if the given certificate is on this CRL, false otherwise.

public void sign (PrivateKey key, String algorithm, String provider)

Encodes an X.509 CRL, and signs it using the given key.

Parameters
key the private key used for signing.
algorithm the name of the signature algorithm used.
provider the name of the provider.
Throws
NoSuchAlgorithmException on unsupported signature algorithms.
InvalidKeyException on incorrect key.
NoSuchProviderException on incorrect provider.
SignatureException on signature errors.
CRLException if any mandatory data was omitted.

public void sign (PrivateKey key, String algorithm)

Encodes an X.509 CRL, and signs it using the given key.

Parameters
key the private key used for signing.
algorithm the name of the signature algorithm used.
Throws
NoSuchAlgorithmException on unsupported signature algorithms.
InvalidKeyException on incorrect key.
NoSuchProviderException on incorrect provider.
SignatureException on signature errors.
CRLException if any mandatory data was omitted.

public static X509CRLImpl toImpl (X509CRL crl)

Utility method to convert an arbitrary instance of X509CRL to a X509CRLImpl. Does a cast if possible, otherwise reparses the encoding.

Throws
CRLException

public String toString ()

Returns a printable string of this CRL.

Returns
  • value of this CRL in a printable form.

public synchronized void verify (PublicKey key, String sigProvider)

Verifies that this CRL was signed using the private key that corresponds to the given public key, and that the signature verification was computed by the given provider.

Parameters
key the PublicKey used to carry out the verification.
sigProvider the name of the signature provider.
Throws
NoSuchAlgorithmException on unsupported signature algorithms.
InvalidKeyException on incorrect key.
NoSuchProviderException on incorrect provider.
SignatureException on signature errors.
CRLException on encoding errors.

public void verify (PublicKey key)

Verifies that this CRL was signed using the private key that corresponds to the given public key.

Parameters
key the PublicKey used to carry out the verification.
Throws
NoSuchAlgorithmException on unsupported signature algorithms.
InvalidKeyException on incorrect key.
NoSuchProviderException if there's no default provider.
SignatureException on signature errors.
CRLException on encoding errors.