java.lang.Object
  +--java.security.cert.CRL
        +--java.security.cert.X509CRL
              +--iaik.x509.X509CRL
This class represents an X.509v2 Certificate Revocation List (CRL).
A Certificate Revocation List (CRL) is a list of certificates that have been revoked for some reason (e.g. the name of the subject has changed, the private key can no longer be assumed to be known only to the subject, ...) prior to the regular end of their validity period. A CRL is maintained by a certification authority (CA), which makes it publicly available and refreshes it at regular intervals. Each revoked certificate included in a revocation list is identified by its serial number. The revocation list is signed by the maintaining CA.
A profile for X.509v2 revocation lists is presented together with the X.509v3 certificate format in the PKIX internet draft draft-ietf-pkix-ipki-part1-07.txt, where a CRL is defined as an ASN.1 SEQUENCE structure containing the following components:
CertificateList ::= SEQUENCE {
tbsCertList TBSCertList,
signatureAlgorithm AlgorithmIdentifier,
signature BIT STRING }
where signatureAlgorithm identifies the signature algorithm used by
the signing certification authority for computing the digital signature upon
the ASN.1 DER encoded TBSCertList structure, which itself is
expressed as ASN.1 SEQUENCE structure specifying the (distinguished) name of
the issuer, the issue date of the CRL, the date when the next CRL will be issued,
and optionally lists of revoked certificates (identified by their serial numbers)
and CRL extensions. The list of revoked certificates is classified as being optional
since a CA may not have revoked any issued certificate when publishing a CRL.
ASN.1 definition:
TBSCertList ::= SEQUENCE {
version Version OPTIONAL,
-- if present, must be v2
signature AlgorithmIdentifier,
issuer Name,
thisUpdate Time,
nextUpdate Time OPTIONAL,
revokedCertificates SEQUENCE OF SEQUENCE {
userCertificate CertificateSerialNumber,
revocationDate Time,
crlEntryExtensions Extensions OPTIONAL
-- if present, must be v2
} OPTIONAL,
crlExtensions [0] EXPLICIT Extensions OPTIONAL
-- if present, must be v2
}
where:
Version ::= INTEGER { v1(0), v2(1), v3(2) }
-- v3 does not apply to CRLs but appears for consistency
-- with definition of Version for certs
AlgorithmIdentifier ::= SEQUENCE {
algorithm OBJECT IDENTIFIER,
parameters ANY DEFINED BY algorithm OPTIONAL }
-- contains a value of the type
-- registered for use with the
-- algorithm object identifier value
Name ::= CHOICE { RDNSequence }
RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
RelativeDistinguishedName ::= SET OF AttributeTypeAndValue
AttributeTypeAndValue ::= SEQUENCE {
type AttributeType,
value AttributeValue }
AttributeType ::= OBJECT IDENTIFIER
AttributeValue ::= ANY -- Directory string type --
DirectoryString ::= CHOICE {
teletexString TeletexString (SIZE (1..maxSize)),
printableString PrintableString (SIZE (1..maxSize)),
universalString UniversalString (SIZE (1..maxSize)),
bmpString BMPString (SIZE (1..maxSize))
}
Time ::= CHOICE {
utcTime UTCTime,
generalTime GeneralizedTime }
CertificateSerialNumber ::= INTEGER
Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
Extension ::= SEQUENCE {
extnID OBJECT IDENTIFIER,
critical BOOLEAN DEFAULT FALSE,
extnValue OCTET STRING }
For a detailed description of the several fields refer to the PKIX internet draft draft-ietf-pkix-ipki-part1-07.txt.
For each value there exists a setValue() and a getValue() method. After creating an X509CRL, the CRL issuing date, for instance, may be set to the current date by using the setThisUpdate method:
X509CRL crl = new X509CRL();
GregorianCalendar date = (GregorianCalendar)Calendar.getInstance();
crl.setThisUpdate(date.getTime());
Manipulating the extensions of a CRL is described in class X509Extensions. A CRL extension (support introduced by the X.509v2 CRL format) may be a defined standard extension (e.g. CRLNumber, ...), or it may be a private extension providing some community-specific information. If an extension is marked as critical, but the CRL handling software cannot parse this extension, the CRL validation must fail. Non-critical extensions can be ignored if they cannot be handled (i.e. are unknown to the software).
To add an extension to an X509CRL, use the addExtension method. The CRL profile presented in the PKIX internet draft draft-ietf-pkix-ipki-part1-07.txt requires conforming CAs to support the CRL number extension, conveying a monotonically increasing sequence number for each CRL issued by a given CA through a specific CA X.500 Directory entry or CRL distribution point, e.g.:
X509CRL crl = new X509CRL();
...
CRLNumber crl_number = new CRLNumber(BigInteger.valueOf(4234234));
crl.addExtension(crl_number);
An X509Certificate to be revoked may be added by means of the addCertificate(X509Certificate cert, Date revocationDate) method. Alternatively an instance of RevokedCertificate may be added by using the addCertificate(RevokedCertificate revokedCertificate) method.
For finally signing the CRL with the CRL issuer's private key, call the sign method.
The X509CRL(byte[]) and X509CRL(InputStream) constructors may be used for parsing an X509CRL from its DER encoding.
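The steps described above (create the CRL, set the issuer and the update dates, add the CRL number extension, add the certificates to revoke, sign, write out) combined into one class. This is an added example, not code from this documentation or from IAIK; it uses only the X509CRL, Name, ObjectID, CRLNumber, RevokedCertificate and X509Certificate calls shown on this page. The package names in the imports, the PKCS#12 key store from which the CA key is read, the alias, password and file names are assumptions of the example.

```java
import iaik.asn1.ObjectID;
import iaik.asn1.structures.Name;
import iaik.x509.RevokedCertificate;
import iaik.x509.X509CRL;
import iaik.x509.X509Certificate;
import iaik.x509.extensions.CRLNumber;

import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.math.BigInteger;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.util.Calendar;
import java.util.Date;
import java.util.GregorianCalendar;

/** Added example: issues a signed X.509v2 CRL with the X509CRL API documented above. */
public class CrlIssuer {

    /**
     * Builds and signs a CRL listing the given certificates as revoked as of now.
     *
     * @param issuerKey private key of the CA that issued the certificates
     * @param crlNumber monotonically increasing sequence number; the caller has to
     *                  persist it so that every CRL it issues carries a larger one
     * @param toRevoke  certificates to list as revoked
     */
    public static X509CRL issue(PrivateKey issuerKey, BigInteger crlNumber,
                                X509Certificate[] toRevoke) throws Exception {
        X509CRL crl = new X509CRL();

        // Issuer DN, built as in the setIssuerDN example on this page.
        Name issuer = new Name();
        issuer.addRDN(ObjectID.country, "AT");
        issuer.addRDN(ObjectID.organization, "TU Graz");
        issuer.addRDN(ObjectID.organizationalUnit, "IAIK");
        issuer.addRDN(ObjectID.commonName, "IAIK Test CA");
        crl.setIssuerDN(issuer);

        // thisUpdate = now, nextUpdate = one week ahead. Relying parties treat a CRL
        // whose nextUpdate has passed as stale, so choose an interval the CA can keep.
        GregorianCalendar cal = (GregorianCalendar) Calendar.getInstance();
        Date now = cal.getTime();
        crl.setThisUpdate(now);
        cal.add(Calendar.DAY_OF_MONTH, 7);
        crl.setNextUpdate(cal.getTime());

        // The PKIX profile requires the CRL number extension; adding any extension
        // switches the version field to v2 automatically (see the constructor notes).
        crl.addExtension(new CRLNumber(crlNumber));

        for (X509Certificate cert : toRevoke) {
            crl.addCertificate(new RevokedCertificate(cert, now));
        }

        // The page's examples use md5WithRSAEncryption and sha1WithRSAEncryption; both
        // hashes are unsuitable for new signatures, so this uses sha256WithRSAEncryption
        // (OID 1.2.840.113549.1.1.11) via the ObjectID overload of setSignatureAlgorithm.
        crl.setSignatureAlgorithm(new ObjectID("1.2.840.113549.1.1.11", "sha256WithRSAEncryption"));

        crl.sign(issuerKey);
        return crl;
    }

    /** Loads a DER or PEM certificate with the X509Certificate(InputStream) constructor. */
    public static X509Certificate loadCertificate(String path) throws Exception {
        InputStream in = new FileInputStream(path);
        try {
            return new X509Certificate(in);
        } finally {
            in.close();
        }
    }

    /** Assumed key source: a PKCS#12 key store holding the CA key under the given alias. */
    public static PrivateKey loadIssuerKey(String path, String alias, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return (PrivateKey) ks.getKey(alias, password);
    }

    public static void main(String[] args) throws Exception {
        // File names, alias and password are placeholders chosen for this example.
        PrivateKey issuerKey = loadIssuerKey("ca.p12", "ca", "changeit".toCharArray());
        X509Certificate revoked = loadCertificate("cert.der");

        X509CRL crl = issue(issuerKey, BigInteger.valueOf(4234234), new X509Certificate[] { revoked });

        OutputStream out = new FileOutputStream("crl.der");
        try {
            crl.writeTo(out);
        } finally {
            out.close();
        }
        System.out.println(crl.toString(true));
    }
}
```

The CRL number is taken as a parameter on purpose: the PKIX profile expects it to increase with every CRL a CA publishes, so it has to live in the CA's persistent state, not be recomputed from the clock or from the list of revoked certificates.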
See Also:
X509Extensions, V3Extension, UnknownExtension, X509Certificate, RevokedCertificate, X509CRL

Constructor Summary

X509CRL()
Default constructor for creating a new empty X509CRL.

X509CRL(byte[] crl)
Creates a CRL from a PEM or DER byte array.

X509CRL(java.io.InputStream is)
Creates a CRL from an input stream supplying a DER or PEM encoded CRL.
Method Summary

void addCertificate(RevokedCertificate revokedCert)
Adds a revoked certificate to the CRL.

void addCertificate(X509Certificate cert, java.util.Date revocationDate)
Adds a certificate to the CRL to be revoked on the given date.

void addExtension(V3Extension e)
Adds the given X509v2 CRL extension.

RevokedCertificate containsCertificate(java.math.BigInteger serialNumber)
Checks if the CRL contains a certificate with the given serial number.

RevokedCertificate containsCertificate(X509Certificate cert)
Checks if the CRL contains the given certificate.

int countExtensions()
Returns the number of extensions included in this CRL.

void decode(ASN1Object crl)
Creates a CRL from an ASN1Object.

java.util.Set getCriticalExtensionOIDs()
Returns a Set of the OID strings identifying the extension(s) that are marked CRITICAL in this CRL.

byte[] getEncoded()
Returns this CRL as DER encoded ASN.1 data structure.

V3Extension getExtension(ObjectID oid)
Returns a specific extension, identified by its object identifier.

byte[] getExtensionValue(java.lang.String oid)
Returns a byte array representing the DER encoding of the extension value identified by the passed-in OID string.

byte[] getFingerprint()
Returns the fingerprint of this CRL.

Principal getIssuerDN()
Returns the Distinguished Name of the issuer of this CRL, as Principal.

java.util.Date getNextUpdate()
Returns the date of nextUpdate.

java.util.Set getNonCriticalExtensionOIDs()
Returns a Set of the OID strings for the extension(s) marked NON-CRITICAL in this CRL.

X509CRLEntry getRevokedCertificate(java.math.BigInteger serialNumber)
Searches the CRL for the specified serial number and returns the appertaining revoked certificate, if included in this CRL.

java.util.Set getRevokedCertificates()
Returns a set containing all the revoked certificates included in this CRL.

java.lang.String getSigAlgName()
Returns the name of the signature algorithm used by the issuer for signing this CRL.

java.lang.String getSigAlgOID()
Returns the OID of the signature algorithm used by the issuer for signing this CRL.

byte[] getSigAlgParams()
Returns the algorithm parameters associated with the signature algorithm used by the issuer for signing this CRL.

byte[] getSignature()
Returns the signature of this CRL.

AlgorithmID getSignatureAlgorithm()
Returns the signature algorithm of this CRL.

byte[] getTBSCertList()
Returns the TBSCertList inherent to this CRL as DER encoded ASN.1 structure.

java.util.Date getThisUpdate()
Returns the date of thisUpdate.

int getVersion()
Returns the version number of this CRL as int.

boolean hasExtensions()
Checks if there are any extensions included in this CRL.

boolean hasUnsupportedCriticalExtension()
Returns true if there are unsupported critical extensions.

boolean isRevoked(java.math.BigInteger serialNumber)
Checks if the certificate identified by the given serial number is marked as revoked by this CRL.

boolean isRevoked(Certificate cert)
Checks whether the given certificate is on this CRL.

java.util.Enumeration listCertificates()
Returns an enumeration of the revoked certificates this CRL contains.

java.util.Enumeration listExtensions()
Returns an enumeration of all extensions included in this CRL.

void removeAllCertificates()
Removes all certificates from the CRL.

void removeAllExtensions()
Removes all extensions from this CRL.

boolean removeCertificate(java.math.BigInteger serialNumber)
Removes the certificate with the given serial number from the CRL.

boolean removeExtension(ObjectID oid)
Removes the extension specified by its object identifier.

void setIssuerDN(Principal issuer)
Sets the issuer of this CRL.

void setNextUpdate(java.util.Date nextUpdate)
Sets the date of nextUpdate.

void setSignatureAlgorithm(AlgorithmID signatureAlg)
Sets the signature algorithm for signing this CRL.

void setSignatureAlgorithm(ObjectID signatureAlg)
Sets the signature algorithm for signing this CRL.

void setThisUpdate(java.util.Date thisUpdate)
Sets the date of thisUpdate.

void sign(PrivateKey privateKey)
Signs the CRL with the private key of the issuer.

ASN1Object toASN1Object()
Returns the CRL as an ASN1Object.

byte[] toByteArray()
Returns the CRL as a DER encoded ASN.1 data structure.

java.lang.String toString()
Returns a string that represents the contents of the CRL.

java.lang.String toString(boolean detailed)
Returns a string giving some, if requested, detailed information about the contents of the CRL.

void verify(PublicKey key)
Verifies a signed CRL using the given public key.

void verify(PublicKey key, java.lang.String sigProvider)
Uses the given public key to verify this CRL based on a signature algorithm supplied by the specified provider.

void writeTo(java.io.OutputStream os)
Writes the CRL DER encoded to the given output stream.
Methods inherited from class java.security.cert.X509CRL
equals, hashCode

Methods inherited from class java.security.cert.CRL
getType

Methods inherited from class java.lang.Object
clone, finalize, getClass, notify, notifyAll, wait, wait, wait
Constructor Detail

public X509CRL()
Default constructor for creating a new empty X509CRL. Any value may be set using the corresponding set<Value> method. The version number per default is set to 1, indicating a version 1 CRL. When extensions are added, the version field is automatically set to 2.

public X509CRL(java.io.InputStream is)
throws java.io.IOException, CRLException
Creates a CRL from an input stream supplying a DER or PEM encoded CRL. This constructor reads a DER or PEM encoded X509CRL that may previously have been written with method writeTo(OutputStream). For instance:
InputStream fis = new FileInputStream("crl.der");
X509CRL crl = new X509CRL(fis);
fis.close();
Parameters:
is - InputStream from which to create the CRL

public X509CRL(byte[] crl)
throws CRLException
Creates a CRL from a PEM or DER byte array. This constructor may be used for parsing an already existing X509CRL ASN.1 object, supplied as DER encoded byte array, which may have been created by calling the toByteArray or the getEncoded method.
Parameters:
crl - the byte array which contains the CRL

Method Detail
public void decode(ASN1Object crl)
throws CodingException
Creates a CRL from an ASN1Object. The given ASN1Object represents an already existing X509CRL which may have been created by calling the toASN1Object method.
Parameters:
crl - the ASN1Object which contains the CRL

public void sign(PrivateKey privateKey)
throws CRLException, InvalidKeyException
Signs the CRL with the private key of the issuer.
Parameters:
privateKey - the private key of the issuer

public void verify(PublicKey key, java.lang.String sigProvider)
throws CRLException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException
Uses the given public key to verify this CRL based on a signature algorithm supplied by the specified provider.
Parameters:
key - the public key of the CRL issuer

public void verify(PublicKey key)
throws CRLException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException
Verifies a signed CRL using the given public key. This method calls verify(PublicKey key, String sigProvider) with the provider name set to null, relying on the default provider signature architecture.
Parameters:
key - the public key of the CRL issuer

public boolean isRevoked(java.math.BigInteger serialNumber)
Checks if the certificate identified by the given serial number is marked as revoked by this CRL.
Parameters:
serialNumber - the serial number of the certificate which is checked for being revoked
Returns:
true if the certificate identified by the given serial number is marked as revoked by this CRL, false if not

public RevokedCertificate containsCertificate(X509Certificate cert)
Checks if the CRL contains the given certificate.
Parameters:
cert - the certificate to check

public boolean isRevoked(Certificate cert)
Checks whether the given certificate is on this CRL.
Parameters:
cert - the certificate to check for

public RevokedCertificate containsCertificate(java.math.BigInteger serialNumber)
Checks if the CRL contains a certificate with the given serial number.
Parameters:
serialNumber - the serial number of the certificate
Returns:
null if the CRL doesn't contain a certificate with this serial number, the RevokedCertificate from the CRL otherwise

public ASN1Object toASN1Object()
Returns the CRL as an ASN1Object.
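The verify, hasUnsupportedCriticalExtension, getThisUpdate/getNextUpdate and containsCertificate methods documented above are only useful in a particular order: a revocation lookup in a CRL whose signature, issuer or freshness has not been checked says nothing reliable. The following relying-party check is an added example, not code from this documentation or from IAIK; it uses only methods listed on this page, and the package names in the imports, the assumption that both issuer DNs are IAIK Name objects with value-based equals(), and the file names in main are assumptions of the example.

```java
import iaik.x509.RevokedCertificate;
import iaik.x509.X509CRL;
import iaik.x509.X509Certificate;

import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.PublicKey;
import java.util.Date;

/** Added example: decides a certificate's revocation status from a CRL. */
public class CrlChecker {

    public enum Status { GOOD, REVOKED, CRL_INVALID, CRL_STALE }

    /**
     * Returns GOOD only if the CRL is authentic, issued by the certificate's issuer,
     * current, fully understood, and does not list the certificate. Any other outcome
     * is a reason to reject the certificate rather than fall through to "not revoked".
     */
    public static Status check(byte[] crlEncoded, PublicKey issuerKey, X509Certificate cert, Date now) {
        X509CRL crl;
        try {
            crl = new X509CRL(crlEncoded);   // DER or PEM; a parse failure is a hard error
        } catch (Exception e) {
            return Status.CRL_INVALID;
        }

        // 1. Signature first: an unverified CRL proves nothing.
        try {
            crl.verify(issuerKey);
        } catch (Exception e) {
            return Status.CRL_INVALID;
        }

        // 2. The CRL must come from the issuer of the certificate being checked.
        //    Assumption: both DNs are IAIK Name objects with value-based equals().
        if (!crl.getIssuerDN().equals(cert.getIssuerDN())) {
            return Status.CRL_INVALID;
        }

        // 3. Critical extensions: validation must fail if one cannot be handled;
        //    unknown non-critical extensions may be ignored.
        if (crl.hasUnsupportedCriticalExtension()) {
            return Status.CRL_INVALID;
        }

        // 4. Freshness: thisUpdate may not lie in the future, and the PKIX profile
        //    requires nextUpdate, so a missing one is treated like an expired one.
        Date thisUpdate = crl.getThisUpdate();
        Date nextUpdate = crl.getNextUpdate();
        if (thisUpdate == null || thisUpdate.after(now)) {
            return Status.CRL_INVALID;
        }
        if (nextUpdate == null || !now.before(nextUpdate)) {
            return Status.CRL_STALE;
        }

        // 5. Only now is the serial number lookup meaningful.
        RevokedCertificate entry = crl.containsCertificate(cert);
        return entry != null ? Status.REVOKED : Status.GOOD;
    }

    /** Reads a whole file into memory for the X509CRL(byte[]) constructor. */
    static byte[] readAll(String path) throws Exception {
        InputStream in = new FileInputStream(path);
        try {
            ByteArrayOutputStream buf = new ByteArrayOutputStream();
            byte[] chunk = new byte[4096];
            int n;
            while ((n = in.read(chunk)) != -1) {
                buf.write(chunk, 0, n);
            }
            return buf.toByteArray();
        } finally {
            in.close();
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder file names: the CA certificate supplies the verification key.
        X509Certificate caCert = new X509Certificate(new FileInputStream("cacert.der"));
        X509Certificate cert = new X509Certificate(new FileInputStream("cert.der"));
        Status status = check(readAll("crl.der"), caCert.getPublicKey(), cert, new Date());
        System.out.println(status);
    }
}
```

CRL_STALE is kept distinct from CRL_INVALID so that a caller can decide whether to fetch a fresher CRL or to fail closed; what it must not do is treat either as GOOD.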
public byte[] toByteArray()
Returns the CRL as a DER encoded ASN.1 data structure.

public void writeTo(java.io.OutputStream os)
throws java.io.IOException
Writes the CRL DER encoded to the given output stream.
Parameters:
os - the output stream to which this CRL shall be written

public void addCertificate(X509Certificate cert, java.util.Date revocationDate)
Adds a certificate to the CRL to be revoked on the given date. For instance:
GregorianCalendar date = (GregorianCalendar)Calendar.getInstance();
InputStream fis = new FileInputStream("cert.der");
X509Certificate cert = new X509Certificate(fis);
fis.close();
crl.addCertificate(cert, date.getTime());
Parameters:
cert - the X509Certificate which should be revoked
revocationDate - the revocation date

public void addCertificate(RevokedCertificate revokedCert)
Adds a revoked certificate to the CRL. Unlike addCertificate(X509Certificate cert, Date revocationDate), which adds an X509Certificate, this method adds a RevokedCertificate already including its revocation date, for instance:
GregorianCalendar date = (GregorianCalendar)Calendar.getInstance();
InputStream fis = new FileInputStream("cert.der");
X509Certificate cert = new X509Certificate(fis);
fis.close();
RevokedCertificate rev_cert = new RevokedCertificate(cert, date.getTime());
crl.addCertificate(rev_cert);
Parameters:
revokedCert - the RevokedCertificate to add to this CRL
See Also:
RevokedCertificate

public java.util.Enumeration listCertificates()
Returns an enumeration of the revoked certificates this CRL contains.

public boolean removeCertificate(java.math.BigInteger serialNumber)
Removes the certificate with the given serial number from the CRL. For instance:
crl.removeCertificate(cert.getSerialNumber());
Parameters:
serialNumber - the serial number of the certificate which should be removed
Returns:
true if the certificate has successfully been removed, false otherwise

public void removeAllCertificates()
Removes all certificates from the CRL.
public void setSignatureAlgorithm(AlgorithmID signatureAlg)
throws NoSuchAlgorithmException
Sets the signature algorithm for signing this CRL. For instance:
try {
  crl.setSignatureAlgorithm(AlgorithmID.md5WithRSAEncryption);
} catch (NoSuchAlgorithmException ex) {
  System.out.println("NoSuchAlgorithmException: " + ex.getMessage());
}
Parameters:
signatureAlg - the AlgorithmID of the signature algorithm to be used for signing
See Also:
AlgorithmID

public void setSignatureAlgorithm(ObjectID signatureAlg)
throws NoSuchAlgorithmException
Sets the signature algorithm for signing this CRL. For instance:
ObjectID sigAlgID = new ObjectID("1.2.840.113549.1.1.5", "sha1WithRSAEncryption");
try {
  crl.setSignatureAlgorithm(sigAlgID);
} catch (NoSuchAlgorithmException ex) {
  System.out.println("NoSuchAlgorithmException: " + ex.getMessage());
}
Parameters:
signatureAlg - the ObjectID of the signature algorithm to be used for signing
See Also:
ObjectID

public void setIssuerDN(Principal issuer)
throws java.lang.IllegalArgumentException
Sets the issuer of this CRL. For instance:
Name issuer = new Name();
issuer.addRDN(ObjectID.country, "AT");
issuer.addRDN(ObjectID.organization, "TU Graz");
issuer.addRDN(ObjectID.organizationalUnit, "IAIK");
issuer.addRDN(ObjectID.commonName, "IAIK Test CA");
crl.setIssuerDN(issuer);
Parameters:
issuer - the distinguished name of the issuer of the CRL
See Also:
getIssuerDN()

public void setThisUpdate(java.util.Date thisUpdate)
Sets the date of thisUpdate. The thisUpdate time value specifies the date on which the CRL has been issued. For instance, set thisUpdate to the current date by writing:
GregorianCalendar date = (GregorianCalendar)Calendar.getInstance();
crl.setThisUpdate(date.getTime());
The X.509 Certificate and CRL Profile specified in the PKIX internet draft draft-ietf-pkix-ipki-part1-07.txt recommends encoding thisUpdate dates through the year 2049 as UTCTime, and thisUpdate dates in 2050 or later as GeneralizedTime.
Parameters:
thisUpdate - the date when this CRL has been issued
See Also:
getThisUpdate()

public void setNextUpdate(java.util.Date nextUpdate)
Sets the date of nextUpdate. The nextUpdate time value specifies the date on which the next CRL will be issued. If the next update will be done, for instance, next month, you may write:
GregorianCalendar date = (GregorianCalendar)Calendar.getInstance();
date.add(Calendar.MONTH, 1);
crl.setNextUpdate(date.getTime());
The X.509 Certificate and CRL Profile specified in the PKIX internet draft draft-ietf-pkix-ipki-part1-07.txt recommends encoding nextUpdate dates through the year 2049 as UTCTime, and nextUpdate dates in 2050 or later as GeneralizedTime.
Parameters:
nextUpdate - when the next CRL will be created
See Also:
getNextUpdate()
public byte[] getEncoded()
throws CRLException
Returns this CRL as DER encoded ASN.1 data structure.

public int getVersion()
Returns the version number of this CRL as int. The version number may specify a v1 or v2 CRL.
ASN.1 definition:
Version ::= INTEGER { v1(0), v2(1), v3(2) }
v3 only appears for consistency reasons.
Returns:
the version number of this CRL as int

public AlgorithmID getSignatureAlgorithm()
Returns the signature algorithm of this CRL.
Returns:
the signature algorithm of this CRL as AlgorithmID

public Principal getIssuerDN()
Returns the Distinguished Name of the issuer of this CRL, as Principal. A Distinguished Name is used to specify a path within an X.500 directory information tree. A distinguished name is defined as a sequence of relative distinguished names:
Name ::= CHOICE { RDNSequence }
RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
RelativeDistinguishedName ::= SET OF AttributeTypeAndValue
AttributeTypeAndValue ::= SEQUENCE {
type AttributeType,
value AttributeValue }
AttributeType ::= OBJECT IDENTIFIER
AttributeValue ::= ANY
The AttributeType generally will be of ASN.1 type DirectoryString, which may be a PrintableString, TeletexString, BMPString, or UniversalString. A name may consist of, for instance, the following Attribute Type/Value "pairs" defining a path through an X.500 directory tree:
country: "AT"
locality: "Graz"
organization: "TU Graz"
organizationalUnit: "IAIK"
commonName: "IAIK TestCA"
The issuer identity also may be specified by an issuerAltName extension (e.g. as an e-mail address). If the issuer identity is only specified by an issuerAltName extension, the issuer name field may be left an empty SEQUENCE and the issuerAltName extension has to be marked critical (see PKIX internet draft draft-ietf-pkix-ipki-part1-07.txt).
Returns:
the issuer of this CRL as Principal
See Also:
setIssuerDN(java.security.Principal)

public java.util.Date getThisUpdate()
Returns the date of thisUpdate. The thisUpdate time value specifies the date on which the CRL has been issued.
ASN.1 definition:
thisUpdate Time
Time ::= CHOICE {
utcTime UTCTime,
generalTime GeneralizedTime }
The X.509 Certificate and CRL Profile specified in the PKIX internet draft draft-ietf-pkix-ipki-part1-07.txt recommends encoding thisUpdate dates through the year 2049 as UTCTime, and thisUpdate dates in 2050 or later as GeneralizedTime.
See Also:
setThisUpdate(java.util.Date)

public java.util.Date getNextUpdate()
Returns the date of nextUpdate. The nextUpdate time value specifies the date on which the next CRL will be issued.
ASN.1 definition:
nextUpdate Time OPTIONAL
Time ::= CHOICE {
utcTime UTCTime,
generalTime GeneralizedTime }
The PKIX internet draft draft-ietf-pkix-ipki-part1-07.txt CRL profile requires the inclusion of the nextUpdate field in CRLs issued by conforming CAs, although it is marked as OPTIONAL in the ASN.1 definition above.
The X.509 Certificate and CRL Profile specified in the PKIX internet draft draft-ietf-pkix-ipki-part1-07.txt recommends encoding nextUpdate dates through the year 2049 as UTCTime, and nextUpdate dates in 2050 or later as GeneralizedTime.
See Also:
setNextUpdate(java.util.Date)

public X509CRLEntry getRevokedCertificate(java.math.BigInteger serialNumber)
Searches the CRL for the specified serial number and returns the appertaining revoked certificate, if included in this CRL.
Parameters:
serialNumber - the serial number to be searched for
Returns:
the appertaining revoked certificate if included in this CRL, null otherwise

public java.util.Set getRevokedCertificates()
Returns a set containing all the revoked certificates included in this CRL.
Returns:
a set containing all the revoked certificates included in this CRL, or null if there are no certificates revoked by this CRL
public byte[] getTBSCertList()
throws CRLException
Returns the TBSCertList inherent to this CRL as DER encoded ASN.1 structure. The TBSCertList specifies the (distinguished) name of the issuer, the issue date of the CRL, the date when the next CRL will be issued, and optionally lists of revoked certificates (identified by their serial numbers) and CRL extensions. The list of revoked certificates is classified as being optional, since a CA may not have revoked any issued certificate when publishing a CRL:
TBSCertList ::= SEQUENCE {
version Version OPTIONAL,
-- if present, must be v2
signature AlgorithmIdentifier,
issuer Name,
thisUpdate Time,
nextUpdate Time OPTIONAL,
revokedCertificates SEQUENCE OF SEQUENCE {
userCertificate CertificateSerialNumber,
revocationDate Time,
crlEntryExtensions Extensions OPTIONAL
-- if present, must be v2
} OPTIONAL,
crlExtensions [0] EXPLICIT Extensions OPTIONAL
-- if present, must be v2
}
where:
Version ::= INTEGER { v1(0), v2(1), v3(2) }
-- v3 does not apply to CRLs but appears for consistency
-- with definition of Version for certs
AlgorithmIdentifier ::= SEQUENCE {
algorithm OBJECT IDENTIFIER,
parameters ANY DEFINED BY algorithm OPTIONAL }
-- contains a value of the type
-- registered for use with the
-- algorithm object identifier value
Name ::= CHOICE { RDNSequence }
RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
RelativeDistinguishedName ::= SET OF AttributeTypeAndValue
AttributeTypeAndValue ::= SEQUENCE {
type AttributeType,
value AttributeValue }
AttributeType ::= OBJECT IDENTIFIER
AttributeValue ::= ANY -- Directory string type --
DirectoryString ::= CHOICE {
teletexString TeletexString (SIZE (1..maxSize)),
printableString PrintableString (SIZE (1..maxSize)),
universalString UniversalString (SIZE (1..maxSize)),
bmpString BMPString (SIZE (1..maxSize))
}
Time ::= CHOICE {
utcTime UTCTime,
generalTime GeneralizedTime }
CertificateSerialNumber ::= INTEGER
Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
Extension ::= SEQUENCE {
extnID OBJECT IDENTIFIER,
critical BOOLEAN DEFAULT FALSE,
extnValue OCTET STRING }
The CRL issuing CA computes the digital signature upon the ASN.1 DER encoded TBSCertList structure.
Returns:
the TBSCertList structure inherent to this CRL

public byte[] getSignature()
Returns the signature of this CRL.

public java.lang.String getSigAlgName()
Returns the name of the signature algorithm used by the issuer for signing this CRL.

public java.lang.String getSigAlgOID()
Returns the OID of the signature algorithm used by the issuer for signing this CRL.
See Also:
ObjectID, AlgorithmID

public byte[] getSigAlgParams()
Returns the algorithm parameters associated with the signature algorithm used by the issuer for signing this CRL.
Returns:
the algorithm parameters, or null if there are no parameters used

public java.util.Set getCriticalExtensionOIDs()
Returns a Set of the OID strings identifying the extension(s) that are marked CRITICAL in this CRL.
Returns:
a Set of the critical extension OID strings, or null if there are none
See Also:
getNonCriticalExtensionOIDs()

public java.util.Set getNonCriticalExtensionOIDs()
Returns a Set of the OID strings for the extension(s) marked NON-CRITICAL in this CRL.
See Also:
getCriticalExtensionOIDs()

public byte[] getExtensionValue(java.lang.String oid)
Returns a byte array representing the DER encoding of the extension value identified by the passed-in OID string.
The oid string is represented by a set of positive whole numbers separated by periods, e.g. "2.5.29.20" for the CrlNumber extension.
In ASN.1, the Extensions field is defined as a SEQUENCE of Extension:
Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
Extension ::= SEQUENCE {
extnID OBJECT IDENTIFIER,
critical BOOLEAN DEFAULT FALSE,
extnValue OCTET STRING }
where critical specifies whether an extension has to be treated as critical or not; the default value is FALSE. An extension can be identified by its object identifier, given in the extnID field. The value of the extension is represented as an ASN.1 OCTET STRING data structure in the extnValue field.
Attention! The byte array returned by this method does not represent the DER encoding of the extnValue (OCTET STRING) from above; rather it represents the DER encoding of the specific extension's own ASN.1 representation. So, for example, when asking for a ReasonCode extension, the DER encoding of the corresponding ASN.1 ENUMERATED value will be returned:
CRLReason ::= ENUMERATED {
unspecified (0),
keyCompromise (1),
cACompromise (2),
affiliationChanged (3),
superseded (4),
cessationOfOperation (5),
certificateHold (6),
removeFromCRL (8) }
Parameters:
oid - the Object Identifier value of the extension to be queried for
Returns:
the DER encoding of the extension value, or null if it is not present
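The "Attention!" note above matters when code written against java.security.cert.X509CRL is pointed at this class: the standard getExtensionValue returns the DER encoding of the OCTET STRING wrapper, this one returns the DER encoding of the extension's own value. For the CRL number extension that value is a plain INTEGER, so a small DER INTEGER decoder is all that is needed to read it. The following is an added example, not code from this documentation or from IAIK; the sample bytes are constructed here (02 03 40 9B FA is the DER INTEGER 4234234, the CRL number used in the addExtension example on this page), and the package name in the import is an assumption.

```java
import iaik.x509.X509CRL;

import java.math.BigInteger;
import java.util.Arrays;

/** Added example: reads the CRL number from the bytes getExtensionValue returns. */
public class CrlNumberValue {

    /** OID of the CRL number extension, as given on this page. */
    public static final String CRL_NUMBER_OID = "2.5.29.20";

    /** Decodes a primitive, definite-length DER INTEGER and rejects anything else. */
    public static BigInteger decodeDerInteger(byte[] der) {
        if (der == null || der.length < 3 || der[0] != 0x02) {
            throw new IllegalArgumentException("not a DER INTEGER");
        }
        int len = der[1] & 0xFF;
        int offset = 2;
        if (len > 0x7F) {                      // long form: 0x8N followed by N length bytes
            int lenBytes = len & 0x7F;
            if (lenBytes == 0 || lenBytes > 4 || der.length < 2 + lenBytes) {
                throw new IllegalArgumentException("bad length encoding");
            }
            len = 0;
            for (int i = 0; i < lenBytes; i++) {
                len = (len << 8) | (der[2 + i] & 0xFF);
            }
            offset = 2 + lenBytes;
        }
        if (len == 0 || offset + len != der.length) {
            throw new IllegalArgumentException("length does not match input");
        }
        // DER forbids redundant leading bytes: 00 before a byte < 0x80, FF before a byte >= 0x80.
        if (len > 1) {
            int b0 = der[offset] & 0xFF;
            int b1 = der[offset + 1] & 0xFF;
            if ((b0 == 0x00 && b1 < 0x80) || (b0 == 0xFF && b1 >= 0x80)) {
                throw new IllegalArgumentException("non-minimal INTEGER encoding");
            }
        }
        // BigInteger(byte[]) reads big-endian two's complement, which is the ASN.1 INTEGER content.
        return new BigInteger(Arrays.copyOfRange(der, offset, offset + len));
    }

    /** Reads the CRL number of a CRL; null if the extension is absent. */
    public static BigInteger crlNumber(X509CRL crl) {
        byte[] value = crl.getExtensionValue(CRL_NUMBER_OID);
        return value == null ? null : decodeDerInteger(value);
    }

    public static void main(String[] args) {
        // Constructed sample: what this class's getExtensionValue("2.5.29.20") yields for 4234234.
        byte[] innerValue = { 0x02, 0x03, 0x40, (byte) 0x9B, (byte) 0xFA };
        System.out.println(decodeDerInteger(innerValue));

        // Constructed sample: what the standard java.security.cert.X509CRL.getExtensionValue
        // returns for the same extension, i.e. the OCTET STRING wrapper around those bytes.
        byte[] wrapped = { 0x04, 0x05, 0x02, 0x03, 0x40, (byte) 0x9B, (byte) 0xFA };
        try {
            decodeDerInteger(wrapped);
        } catch (IllegalArgumentException e) {
            System.out.println("wrapper rejected: " + e.getMessage());
        }
    }
}
```

Code that has to work with both APIs should branch on the first tag byte (0x04 for the wrapper, 0x02 for the bare INTEGER) rather than assume one layout; silently accepting either would turn an encoding mismatch into a wrong CRL number.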
public void addExtension(V3Extension e)
throws X509ExtensionException
Adds the given X509v2 CRL extension. The extension to be added shall be an implemented V3Extension. Extensions are managed by the X509Extensions class, which maintains two hashtables, one for recording critical extensions and the other for non-critical extensions. This method only calls the addExtension method of the X509Extensions class for putting the given extension into the proper hashtable. Note that only the DER encoded extension value is written to the hashtable, using the OID of the extension as key. If an extension with the same object ID already exists, it is replaced. For instance:
X509CRL crl = new X509CRL();
...
CRLNumber crl_number = new CRLNumber(BigInteger.valueOf(4234234));
crl.addExtension(crl_number);
For reading back some extension from one of the hashtables, use the getExtension(ObjectID) method. Only at this time is the appropriate implementation class actually created and initialized from the DER encoded extension value taken from the corresponding hashtable.
Parameters:
e - the X509v2 CRL extension to add to the list of extensions
See Also:
V3Extension

public boolean removeExtension(ObjectID oid)
Removes the extension specified by its object identifier.
Parameters:
objectID - the object ID of the extension to remove
Returns:
true if the extension has successfully been removed, false otherwise

public void removeAllExtensions()
Removes all extensions from this CRL.

public java.util.Enumeration listExtensions()
Returns an enumeration of all extensions included in this CRL. The returned enumeration may contain unknown extensions (instances of UnknownExtension) if there are any extensions included in this CRL for which no registered implementation exists, and it may contain error extensions (instances of ErrorExtension) indicating extensions which cannot be parsed properly because of some kind of error.
Notice that this method only calls the listExtensions method of the X509Extensions class for actually instantiating implementations for the included extensions and initializing them with the appertaining extension values previously written to the proper hashtables. If any extension cannot be parsed properly, an ErrorExtension is created from it and written to the enumeration returned by this method.
Returns:
an enumeration of all extensions included in this CRL, or null if there are no extensions present at all

public boolean hasExtensions()
Checks if there are any extensions included in this CRL.
Returns:
true if there are extensions, false if not

public boolean hasUnsupportedCriticalExtension()
Returns true if there are unsupported critical extensions.

public int countExtensions()
Returns the number of extensions included in this CRL.

public V3Extension getExtension(ObjectID oid)
throws X509ExtensionInitException
Returns a specific extension, identified by its object identifier. This method only calls the getExtension method of the X509Extensions class for actually instantiating an implementation for the requested extension and initializing it with the appertaining extension value previously written to the proper hashtable. If the extension cannot be initialized for some reason, an X509ExtensionInitException is thrown. If the requested extension is an unknown extension, which is not supported by a registered implementation, this method creates and returns an UnknownExtension which may be queried for obtaining as much information as possible about the unknown extension.
Parameters:
objectID - the object ID of the extension
Returns:
the requested extension, or null if it is not present
See Also:
X509Extensions.getExtension(iaik.asn1.ObjectID)

public byte[] getFingerprint()
Returns the fingerprint of this CRL.

public java.lang.String toString()
Returns a string that represents the contents of the CRL.

public java.lang.String toString(boolean detailed)
Returns a string giving some, if requested, detailed information about the contents of the CRL.
Parameters:
detailed - whether or not to give detailed information about the CRL.