If a CA is to manage a certificate, the CA must have the power to revoke it. If there is any question as to whether the certificate has been compromised, the certificate is revoked and must be immediately invalidated. The CA is acting as a certificate cop: it allows valid certificates to pass through and blocks questionable ones. The immediate invalidation occurs when the certificate is added to a CRL. The CRL is a list of certificates that are no longer valid; once a certificate is on this list, it is no longer authenticated through the CA. CAs are responsible for issuing certificates and for adding them to the CRL when they are revoked. The CA maintains the CRL together with the reason why each certificate was revoked. An organization that receives a certificate should also validate that certificate against the CRL. This organization acts as the validator of the certificate. If the validator is not the issuing CA, the validator is responsible for consulting the CRL to ensure that the certificate is still valid. Some systems are not fully integrated with CRL checking against the CA, so a revoked certificate may sometimes slip through the validation process. In particular, the validate() function of the Java Certificate class does not automatically consult the CRL.
There are several reasons why a certificate gets added to the revocation list. One example is that the certificate is suspected to be compromised. Another is that the certificate has expired. Yet another is that the CA no longer supports the user. To see the entire list of reasons, examine the reason code in the X509CRLEntry. The X509CRLEntry class is the matching entry for each revoked certificate. The X509CRL class contains the entire CRL and the set of X509CRLEntry objects. These are represented in Figure 24-4.

Figure 24-4: The X509CRL and X509CRLEntry classes

There are several means of distributing CRLs. One way is for an organization to receive an initial CRL from the CA and have the CA send only updates to it afterwards. A Delta CRL is a CRL that only needs updating; a new CRL is not required every time. A Delta CRL only needs the delta, or updates, applied to it to become valid. The Delta CRL is useful because a new CRL does not have to be issued every time an update is needed; only the updates are sent. Another type of CRL update is the Indirect CRL. An Indirect CRL is one that the CA does not update directly; another, third-party organization does. This third-party organization distributes a single CRL to replace a multitude of CRLs from different CAs. Using a single CRL for an organization that works with multiple CAs is easier than doing lookups on multiple CRLs from different CAs. Such an organization need only manage a single CRL for the many different CAs it might interface with for digital certificates.

The CRL has fields so that the validator of an X.509 certificate can query the CRL to see whether a digital certificate is listed as revoked. The Java class that supports this functionality is the X509CRL class. The fields in the following list do not represent the individual revoked certificates, but the main fields that are needed for the operation of the CRL itself.
Several fields are needed for interfacing with the CRL. When checking an individual revoked certificate, the X509CRLEntry class is used to get information about the entry. Listing 24-4 shows the ASN.1 notation of the CRL fields, as given in ISO/IEC 9594-8:2001 (E).

Listing 24-4: The ASN.1 notation of a CRL

    CertificateList ::= SIGNED { SEQUENCE {
        version                 Version OPTIONAL,
                                -- if present, version shall be v2
        signature               AlgorithmIdentifier,
        issuer                  Name,
        thisUpdate              Time,
        nextUpdate              Time OPTIONAL,
        revokedCertificates     SEQUENCE OF SEQUENCE {
            serialNumber            CertificateSerialNumber,
            revocationDate          Time,
            crlEntryExtensions      Extensions OPTIONAL } OPTIONAL,
        crlExtensions           [0] Extensions OPTIONAL }}
CRL extensions

The CRL had to be extended to handle Delta and Indirect CRLs. A CRL was given a CRL Number to keep track of whether the CRL has already been processed. If the CRL has been processed, the next subsequent CRL can be used once the current one has been fully used up for checking certificates. The Delta CRL Indicator is needed to keep track of whether the CRL is a Delta CRL or an Indirect CRL. Other modifications were made to differentiate between the key identifiers and the issuer when multiple CAs are combined in an Indirect CRL.
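The text above makes two points a validator has to act on itself: the Java Certificate class does not consult the CRL for you, and the CRL Number and Delta CRL Indicator extensions tell you which CRL you are holding. The following class is an added example, not code from the book or from the RichCRL listing, and it uses only the public java.security.cert API (no sun.security.x509 classes). It assumes three DER- or PEM-encoded files passed on the command line (the end-entity certificate, the CA certificate that signed the CRL, and the CRL); the file names, the class name CrlValidator and the Status enum are this example's own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.math.BigInteger;
import java.security.cert.CRLReason;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509Certificate;
import java.util.Date;

/** Checks one certificate against a CRL the way a non-issuing validator must (added example). */
public class CrlValidator {

    /** Outcome of the revocation check; anything but GOOD should fail validation. */
    public enum Status { GOOD, REVOKED, CRL_UNTRUSTED, WRONG_ISSUER, CRL_STALE }

    public static Status check(X509Certificate cert, X509CRL crl,
                               X509Certificate caCert, Date now) {
        // 1. A CRL is only meaningful if the CA really signed it; an unsigned or
        //    tampered list could silently "un-revoke" a compromised certificate.
        try {
            crl.verify(caCert.getPublicKey());
        } catch (Exception e) {
            return Status.CRL_UNTRUSTED;
        }
        // 2. The simple (non-indirect) case: the CRL issuer must be the certificate issuer.
        if (!crl.getIssuerX500Principal().equals(cert.getIssuerX500Principal())) {
            return Status.WRONG_ISSUER;
        }
        // 3. Freshness: thisUpdate in the past, nextUpdate (when present) in the future.
        if (crl.getThisUpdate().after(now)
                || (crl.getNextUpdate() != null && crl.getNextUpdate().before(now))) {
            return Status.CRL_STALE;
        }
        // 4. Only now consult revokedCertificates, keyed by serial number.
        X509CRLEntry entry = crl.getRevokedCertificate(cert.getSerialNumber());
        return entry == null ? Status.GOOD : Status.REVOKED;
    }

    /** Human-readable reason from the 2.5.29.21 entry extension, or "unspecified" if absent. */
    public static String reasonOf(X509CRL crl, X509Certificate cert) {
        X509CRLEntry entry = crl.getRevokedCertificate(cert.getSerialNumber());
        if (entry == null) return "not revoked";
        CRLReason reason = entry.getRevocationReason();   // reads the reason-code extension
        return reason == null ? "unspecified" : reason.name();
    }

    /** CRL Number (OID 2.5.29.20): getExtensionValue hands back an OCTET STRING wrapping a DER INTEGER. */
    public static BigInteger crlNumber(X509CRL crl) {
        byte[] wrapped = crl.getExtensionValue("2.5.29.20");
        if (wrapped == null) return null;                  // v1 CRL or extension absent
        byte[] integer = unwrapDer(wrapped, 0x04);         // strip OCTET STRING
        return new BigInteger(unwrapDer(integer, 0x02));   // strip INTEGER, keep two's-complement value
    }

    /** Delta CRL Indicator (OID 2.5.29.27) present means this list is a delta, not a full CRL. */
    public static boolean isDeltaCrl(X509CRL crl) {
        return crl.getExtensionValue("2.5.29.27") != null;
    }

    /** Minimal DER TLV unwrap (short and long-form lengths); rejects an unexpected tag. */
    private static byte[] unwrapDer(byte[] tlv, int expectedTag) {
        if ((tlv[0] & 0xFF) != expectedTag) throw new IllegalArgumentException("unexpected DER tag");
        int len = tlv[1] & 0xFF, offset = 2;
        if ((len & 0x80) != 0) {                           // long form: low 7 bits = length-of-length
            int n = len & 0x7F;
            len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (tlv[offset++] & 0xFF);
        }
        byte[] out = new byte[len];
        System.arraycopy(tlv, offset, out, 0, len);
        return out;
    }

    // Usage: java CrlValidator <cert file> <ca cert file> <crl file>  (file names are assumptions)
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert, ca;
        X509CRL crl;
        try (InputStream in = new FileInputStream(args[0])) { cert = (X509Certificate) cf.generateCertificate(in); }
        try (InputStream in = new FileInputStream(args[1])) { ca = (X509Certificate) cf.generateCertificate(in); }
        try (InputStream in = new FileInputStream(args[2])) { crl = (X509CRL) cf.generateCRL(in); }
        System.out.println("CRL number: " + crlNumber(crl) + (isDeltaCrl(crl) ? " (delta CRL)" : ""));
        System.out.println("Status: " + check(cert, crl, ca, new Date()) + " (" + reasonOf(crl, cert) + ")");
    }
}
```

The order of the steps is the point: signature, issuer and freshness are checked before the serial-number lookup, because a validator that trusts an unverified or stale list gets exactly the "revoked certificate slips through" failure the text warns about. For an Indirect CRL the issuer comparison in step 2 would have to be replaced by handling of the Issuing Distribution Point extension, which this example does not cover.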
The CRL can also be generated from the X.509 Certificate Factory as shown in Listing 24-1. The biggest differences are the type of imported file, which is now a CRL file, and the use of the X509CRL and X509CRLEntry classes. Listing 24-5 demonstrates reading a CRL file and its entries, and modifying both the CRL and the CRL entries to add extensions.

Listing 24-5: The RichCRL class: Importing the CRL and CRL entries and adding extensions

    package com.richware.chap24;

    import java.io.FileInputStream;
    import java.security.cert.CertificateFactory;
    import java.security.cert.X509CRL;
    import java.security.cert.X509CRLEntry;
    import java.util.Iterator;
    import java.util.Set;
    import javax.security.auth.x500.X500Principal;
    import sun.security.x509.*;

    /**
     * Class RichCRL
     * Description: A custom demonstration of the Certificate Revocation List.
     *
     * Copyright: Copyright (c) 2002 Wiley Publishing, Inc.
     * @author Rich Helton <rhelton@richware.com>
     * @version 1.0
     * DISCLAIMER: Please refer to the disclaimer at the beginning of this book.
     *
     * Note: the sun.security.x509 classes used here (CRLExtensions,
     * CRLReasonCodeExtension, CRLNumberExtension, X500Name, X509CRLEntryImpl,
     * X509CRLImpl) are JDK-internal, not public API. The listing targets the
     * JDK 1.4-era constructor signatures; later JDKs changed them and, from
     * JDK 9 on, the package must be exported to compile against it.
     */
    public class RichCRL {

        /**
         * Method main
         * Description: The main driver to run the methods.
         *
         * @param args args[0] is the name of the CRL file to import.
         */
        public static void main(String args[]) {
            try {
                System.out.println("Starting RichCRL....");
                /*
                 * The CRL file name is passed in as the argument.
                 * It will be opened in the chapter directory below the application.
                 */
                if (args.length < 1) {
                    System.out.println("This application requires an input file for the location of the crl");
                    return;
                }
                String localDirectory = System.getProperty("user.dir");
                System.out.println("Changing directory to Chapter 24");
                System.setProperty("user.dir", localDirectory + "\\com\\richware\\chap24\\");
                localDirectory = System.getProperty("user.dir");
                /*
                 * Build the full path of the CRL file
                 */
                String localInputFile = localDirectory + args[0];
                System.out.println("Opening Chapter 24 plus the input file as an argument: " + localInputFile);
                /*
                 * Import the certificate revocation list
                 */
                RichCRL myCertificate = new RichCRL();
                X509CRL newcertificate = myCertificate.importCertificate(localInputFile);
                if (newcertificate == null) {
                    System.out.println("Could not import the CRL from " + localInputFile);
                    return;
                }
                System.out.println("*********************CRL *************************");
                System.out.println(newcertificate);
                System.out.println("CRL->Version Number->" + newcertificate.getVersion());
                System.out.println("CRL->Signature Algorithm Identifier->" + newcertificate.getSigAlgName());
                System.out.println("CRL->Issuer Name->" + newcertificate.getIssuerDN());
                System.out.println("CRL->ThisUpdate->" + newcertificate.getThisUpdate());
                System.out.println("CRL->NextUpdate->" + newcertificate.getNextUpdate());
                /*
                 * Get the revoked certificates (null when the CRL lists none)
                 */
                Set setCRLEntries = newcertificate.getRevokedCertificates();
                if (setCRLEntries == null) {
                    System.out.println("The CRL lists no revoked certificates");
                    return;
                }
                X509CRLEntry[] newEntries = new X509CRLEntry[setCRLEntries.size()];
                Iterator iter = setCRLEntries.iterator();
                int current = 0;
                while (iter.hasNext()) {
                    X509CRLEntry entry = (X509CRLEntry) iter.next();
                    System.out.println("***********CRL Entry No Extensions****************");
                    System.out.println(entry);
                    System.out.println("CRL->Entry->RevocationDate->" + entry.getRevocationDate());
                    System.out.println("CRL->Entry->SerialNumber->" + entry.getSerialNumber());
                    System.out.println("CRL->Entry->HasExtensions->" + entry.hasExtensions());
                    /*
                     * Are there any extensions?
                     */
                    if (entry.hasExtensions()) {
                        /*
                         * Print the extension OIDs and keep the entry as it is
                         */
                        Set nonCritSet = entry.getNonCriticalExtensionOIDs();
                        if (nonCritSet != null) {
                            for (Iterator i = nonCritSet.iterator(); i.hasNext();) {
                                String oid = (String) i.next();
                                System.out.println("Extensions in Entry->" + oid);
                            }
                        }
                        newEntries[current] = entry;
                    }
                    /*
                     * Else create some extensions
                     */
                    else {
                        /*
                         * Create a CRLExtensions container for the individual extensions
                         */
                        CRLExtensions extensions = new CRLExtensions();
                        /*
                         * Create the CRL Reason Code extension (OID 2.5.29.21);
                         * reason code 2 is "CA compromise"
                         */
                        CRLReasonCodeExtension reason = new CRLReasonCodeExtension(2);
                        extensions.set("2.5.29.21", reason);
                        // System.out.println("CRL->Entry->New Reason Code***********");
                        CRLReasonCodeExtension newreason =
                            (CRLReasonCodeExtension) extensions.get("2.5.29.21");
                        // System.out.println(newreason);
                        X509CRLEntryImpl x509crlentryimpl = new X509CRLEntryImpl(
                            entry.getSerialNumber(), entry.getRevocationDate(), extensions);
                        newEntries[current] = (X509CRLEntry) x509crlentryimpl;
                    }
                    current++;
                }
                /*
                 * Create an X500Name from the X500Principal of the issuer
                 */
                X500Principal currPrincipal = newcertificate.getIssuerX500Principal();
                X500Name name = new X500Name(currPrincipal.getEncoded());
                /*
                 * Create a CRLExtensions container for the main CRL and
                 * set a CRL Number extension (OID 2.5.29.20) in it
                 */
                CRLExtensions crlExtensions = new CRLExtensions();
                CRLNumberExtension crlNumber = new CRLNumberExtension(1);
                crlExtensions.set("2.5.29.20", crlNumber);
                /*
                 * Create a new CRL from the entries that now carry extensions
                 */
                X509CRLImpl newCRL = new X509CRLImpl(name, newcertificate.getThisUpdate(),
                                                     newcertificate.getNextUpdate(),
                                                     newEntries, crlExtensions);
                System.out.println("*****************CRL with Extensions**************");
                System.out.println(newCRL);
                /*
                 * Iterate through the CRL entries again, showing the extensions
                 */
                setCRLEntries = newCRL.getRevokedCertificates();
                iter = setCRLEntries.iterator();
                while (iter.hasNext()) {
                    X509CRLEntry entry = (X509CRLEntry) iter.next();
                    System.out.println("*******CRL Entry After Adding Reason Extension**********");
                    System.out.println(entry);
                    System.out.println("CRL->Entry->RevocationDate->" + entry.getRevocationDate());
                    System.out.println("CRL->Entry->SerialNumber->" + entry.getSerialNumber());
                    System.out.println("CRL->Entry->HasExtensions->" + entry.hasExtensions());
                    /*
                     * getExtensionValue returns null here because the OID is not
                     * among the supported OIDs mentioned in the JavaDocs
                     */
                    System.out.println("CRL->Entry->Reason Code from method->"
                                       + entry.getExtensionValue("2.5.29.21"));
                    X509CRLEntryImpl x509crlentryimpl = new X509CRLEntryImpl(entry.getEncoded());
                    Integer reasonInt = x509crlentryimpl.getReasonCode();
                    /*
                     * Print out the reason code (null when the entry carries none)
                     */
                    System.out.println("CRL->Entry->Reason Code->"
                                       + (reasonInt == null ? "none"
                                          : RichCRL.reasonToString(reasonInt.intValue())));
                    /*
                     * Print out the OIDs found
                     */
                    Set nonCritSet = entry.getNonCriticalExtensionOIDs();
                    if (nonCritSet != null) {
                        for (Iterator i = nonCritSet.iterator(); i.hasNext();) {
                            String oid = (String) i.next();
                            System.out.println("CRL->Entry->OID->" + oid);
                        }
                    }
                }
            /*
             * catches
             */
            } catch (Exception e) {
                e.printStackTrace();
            }
        }

        /**
         * Method importCertificate
         * Description: Import the CRL.
         *
         * @param filename is the file to import.
         *
         * @return the CRL, or null if it could not be read.
         */
        public X509CRL importCertificate(String filename) {
            X509CRL cert = null;
            try {
                CertificateFactory cf = CertificateFactory.getInstance("X.509");
                /*
                 * Get the file I/O of the CRL
                 */
                FileInputStream fr = new FileInputStream(filename);
                /*
                 * Construct the CRL based on the import
                 */
                cert = (X509CRL) cf.generateCRL(fr);
                fr.close();
            /*
             * catches
             */
            } catch (java.security.cert.CertificateException e) {
                e.printStackTrace();
            } catch (java.security.cert.CRLException e) {
                e.printStackTrace();
            } catch (java.io.IOException e) {
                e.printStackTrace();
            }
            return cert;
        }

        /**
         * Method reasonToString
         *
         * @param i defining the reason for revocation
         *
         * @return the string that maps to the integer
         */
        public static String reasonToString(int i) {
            switch (i) {
                case 0 :
                    return "unspecified";
                case 1 :
                    return "key compromise";
                case 2 :
                    return "CA compromise";
                case 3 :
                    return "affiliation changed";
                case 4 :
                    return "superseded";
                case 5 :
                    return "cessation of operation";
                case 6 :
                    return "certificate hold";
                case 8 :
                    return "remove from CRL";
                case 7 : // reason code 7 is not assigned
                default :
                    return "unrecognized reason code";
            }
        }
    }
size ()]; Iterator iter = setCRLEntries.iterator(); int current = 0; while (iter.hasNext()) { X509CRLEntry entry = (X509CRLEntry) iter.next(); System.out.println("***********CRL Entry No Extensions****************"); System.out.println(entry); System.out.println("CRL->Entry->RevocationDate->" + entry.getRevocationDate()); System.out.println("CRL->Entry->SerialNumber->" + entry.getSerialNumber()); System.out.println("CRL->Entry->HasExtensions->" + entry.hasExtensions()); /* * Are there any extensions */ if (entry.hasExtensions()) { /* * Print the extension OIDs */ Set nonCritSet = entry.getNonCriticalExtensionOIDs(); if (nonCritSet != null) { for (Iterator i = nonCritSet.iterator(); i.hasNext();) { String oid = (String) i.next(); System.out.println("Extensions in Entry" + oid); } } } /* * Else create some extensions */ else { /* * Create an CRL Extension class to contain individual extensions */ CRLExtensions extensions = new CRLExtensions(); /* * Create the CRL Reason Code Extension */ CRLReasonCodeExtension reason = new CRLReasonCodeExtension(2); extensions.set("2.5.29.21", reason); // System.out.println("CRL->Entry->New Reason Code***********"); CRLReasonCodeExtension newreason = (CRLReasonCodeExtension) extensions .get("2.5.29.21"); // System.out.println(newreason); X509CRLEntryImpl x509crlentryimpl = new X509CRLEntryImpl(entry.getSerialNumber(), entry.getRevocationDate(), extensions); newEntries[current] = (X509CRLEntry) x509crlentryimpl; } current++; } /* * Create an X500Name from the X500 Principal */ X500Principal currPrincipal = newcertificate.getIssuerX500Principal(); X500Name name = new X500Name(currPrincipal.getEncoded()); /* * Create a CRL Extension class to contain individual extensions and set it for the main CRL */ CRLExtensions crlExtensions = new CRLExtensions(); CRLNumberExtension crlNumber = new CRLNumberExtension(1); crlExtensions.set("2.5.29.20", crlNumber); /* * Create a new CRL with the extensions in the CRL Entries */ X509CRLImpl newCRL = 
new X509CRLImpl(name, newcertificate.getThisUpdate(), newcertificate.getNextUpdate(), newEntries, crlExtensions); System.out.println("*****************CRL with Extensions**************"); System.out.println(newCRL); /* * Iterate through the CRL entries again showing the extensions */ setCRLEntries = newCRL.getRevokedCertificates(); iter = setCRLEntries.iterator(); /* * Loop through the entries */ while (iter.hasNext()) { X509CRLEntry entry = (X509CRLEntry) iter.next(); System.out.println("*******CRL Entry After Adding Reason Extension**********"); System.out.println(entry); System.out.println("CRL->Entry->RevocationDate->" + entry.getRevocationDate()); System.out.println(entry.getSerialNumber()); System.out.println("CRL->Entry->HasExtensions->" + entry.hasExtensions()); /* * the getExtensionValue will return a null because it is not part of the * supported OIDs mentioned in the JavaDocs */ System.out .println("CRL->Entry->Reason Code from method->" + entry.getExtensionValue("2.5.29.21")); X509CRLEntryImpl x509crlentryimpl = new X509CRLEntryImpl(entry.getEncoded()); Integer reasonInt = x509crlentryimpl.getReasonCode(); /* * Print out the Reason Code */ System.out .println("CRL->Entry->Reason Code->" + RichCRL .reasonToString(reasonInt.intValue())); /* * Print out the OIDs found */ Set nonCritSet = entry.getNonCriticalExtensionOIDs(); if (nonCritSet != null) { for (Iterator i = nonCritSet.iterator(); i.hasNext();) { String oid = (String) i.next(); System.out.println("CRL->Entry->OID->" + oid); } } } /* * catches. */ } catch (Exception e) { e.printStackTrace(); } } /** * Method importCertificate * Description: Import the certificate. * * @param filename is the file to import. * * @return the certification. 
* */ public X509CRL importCertificate(String filename) { X509CRL cert = null; try { CertificateFactory cf = CertificateFactory.getInstance("X.509"); /* * Get the File I/O of the Certificate */ FileInputStream fr = new FileInputStream(filename); /* * Construct the certificate based on the import */ cert = (X509CRL) cf.generateCRL(fr); fr.close(); /* * catches. */ } catch (java.security.cert.CertificateException e) { e.printStackTrace(); } catch (java.security.cert.CRLException e) { e.printStackTrace(); } catch (java.io.IOException e) { e.printStackTrace(); } return cert; } /** * Method reasonToString * * * @param i defining the reason for revocation * * @return the string that maps to the integer * */ public static String reasonToString(int i) { switch (i) { case 0 : // '\0' return "unspecified"; case 1 : // '\001' return "key compromise"; case 2 : // '\002' return "CA compromise"; case 3 : // '\003' return " affiliation changed"; case 4 : // '\004' return "superseded"; case 5 : // '\005' return "cessation of operation"; case 6 : // '\006' return "certificate hold"; case 8 : // '\b' return "remove from CRL"; case 7 : // '\007' default : return "unrecognized reason code"; } } }3' return "affiliation changed"; case 4 : // 'package com.richware.chap24; import java.security.PublicKey; import java.security.Principal; import java.security.cert.X509Certificate; import java.security.cert.CertificateException; import java.security.cert.CertificateFactory; import java.security.cert.*; import java.io.FileInputStream; import java.io.FileNotFoundException; import java.util.*; import javax.security.auth.x500.X500Principal; import sun.security.x509.*; /** * Class RichCRL * Description: A custom demonstration of the Certificate Revocation List. * * Copyright: Copyright (c) 2002 Wiley Publishing, Inc. * @author Rich Helton <rhelton@richware.com> * @version 1.0 * DISCLAIMER: Please refer to the disclaimer at the beginning of this book. 
*/ public class RichCRL { /** * Method main * Description: The main driver to run the methods . * * * @param args (no arguments presently). * */ public static void main(String args[]) { try { System.out.println("Starting RichCRL...."); /* * Pass in the argument of the keystore file * It will be opened in the same directoy as the application */ if (args[0] == null) { System.out.println("This application requires an input file for the location of the crl"); } String localDirectory = System.getProperty("user.dir"); System.out.println("Changing directory to Chapter 24"); System.setProperty("user.dir", localDirectory + "\\com\\richware\\chap24\\"); localDirectory = System.getProperty("user.dir"); /* * Get the local keystore that contains a trusted certificate */ String localInputFile = localDirectory + args[0]; System.out.println("Opening Chapter 24 plus the input file as an argument: " + localInputFile); /* * Import the certificate revocation list */ RichCRL myCertificate = new RichCRL(); X509CRL newcertificate = myCertificate.importCertificate(localInputFile); System.out.println("*********************CRL *************************"); System.out.println(newcertificate); System.out.println("CRL->Version Number->" + newcertificate.getVersion()); System.out .println("CRL->Signature Algorithm Identifier->" + newcertificate.getSigAlgName()); System.out.println("CRL->Issuer Name->" + newcertificate.getIssuerDN()); System.out.println("CRL->ThisUpdate->" + newcertificate.getThisUpdate()); System.out.println("CRL->NextUpdate->" + newcertificate.getNextUpdate()); /* * Get the revoked Certificates */ Set setCRLEntries = newcertificate.getRevokedCertificates(); X509CRLEntry[] newEntries = new X509CRLEntry[setCRLEntries. 
size ()]; Iterator iter = setCRLEntries.iterator(); int current = 0; while (iter.hasNext()) { X509CRLEntry entry = (X509CRLEntry) iter.next(); System.out.println("***********CRL Entry No Extensions****************"); System.out.println(entry); System.out.println("CRL->Entry->RevocationDate->" + entry.getRevocationDate()); System.out.println("CRL->Entry->SerialNumber->" + entry.getSerialNumber()); System.out.println("CRL->Entry->HasExtensions->" + entry.hasExtensions()); /* * Are there any extensions */ if (entry.hasExtensions()) { /* * Print the extension OIDs */ Set nonCritSet = entry.getNonCriticalExtensionOIDs(); if (nonCritSet != null) { for (Iterator i = nonCritSet.iterator(); i.hasNext();) { String oid = (String) i.next(); System.out.println("Extensions in Entry" + oid); } } } /* * Else create some extensions */ else { /* * Create an CRL Extension class to contain individual extensions */ CRLExtensions extensions = new CRLExtensions(); /* * Create the CRL Reason Code Extension */ CRLReasonCodeExtension reason = new CRLReasonCodeExtension(2); extensions.set("2.5.29.21", reason); // System.out.println("CRL->Entry->New Reason Code***********"); CRLReasonCodeExtension newreason = (CRLReasonCodeExtension) extensions .get("2.5.29.21"); // System.out.println(newreason); X509CRLEntryImpl x509crlentryimpl = new X509CRLEntryImpl(entry.getSerialNumber(), entry.getRevocationDate(), extensions); newEntries[current] = (X509CRLEntry) x509crlentryimpl; } current++; } /* * Create an X500Name from the X500 Principal */ X500Principal currPrincipal = newcertificate.getIssuerX500Principal(); X500Name name = new X500Name(currPrincipal.getEncoded()); /* * Create a CRL Extension class to contain individual extensions and set it for the main CRL */ CRLExtensions crlExtensions = new CRLExtensions(); CRLNumberExtension crlNumber = new CRLNumberExtension(1); crlExtensions.set("2.5.29.20", crlNumber); /* * Create a new CRL with the extensions in the CRL Entries */ X509CRLImpl newCRL = 
new X509CRLImpl(name, newcertificate.getThisUpdate(), newcertificate.getNextUpdate(), newEntries, crlExtensions); System.out.println("*****************CRL with Extensions**************"); System.out.println(newCRL); /* * Iterate through the CRL entries again showing the extensions */ setCRLEntries = newCRL.getRevokedCertificates(); iter = setCRLEntries.iterator(); /* * Loop through the entries */ while (iter.hasNext()) { X509CRLEntry entry = (X509CRLEntry) iter.next(); System.out.println("*******CRL Entry After Adding Reason Extension**********"); System.out.println(entry); System.out.println("CRL->Entry->RevocationDate->" + entry.getRevocationDate()); System.out.println(entry.getSerialNumber()); System.out.println("CRL->Entry->HasExtensions->" + entry.hasExtensions()); /* * the getExtensionValue will return a null because it is not part of the * supported OIDs mentioned in the JavaDocs */ System.out .println("CRL->Entry->Reason Code from method->" + entry.getExtensionValue("2.5.29.21")); X509CRLEntryImpl x509crlentryimpl = new X509CRLEntryImpl(entry.getEncoded()); Integer reasonInt = x509crlentryimpl.getReasonCode(); /* * Print out the Reason Code */ System.out .println("CRL->Entry->Reason Code->" + RichCRL .reasonToString(reasonInt.intValue())); /* * Print out the OIDs found */ Set nonCritSet = entry.getNonCriticalExtensionOIDs(); if (nonCritSet != null) { for (Iterator i = nonCritSet.iterator(); i.hasNext();) { String oid = (String) i.next(); System.out.println("CRL->Entry->OID->" + oid); } } } /* * catches. */ } catch (Exception e) { e.printStackTrace(); } } /** * Method importCertificate * Description: Import the certificate. * * @param filename is the file to import. * * @return the certification. 
* */ public X509CRL importCertificate(String filename) { X509CRL cert = null; try { CertificateFactory cf = CertificateFactory.getInstance("X.509"); /* * Get the File I/O of the Certificate */ FileInputStream fr = new FileInputStream(filename); /* * Construct the certificate based on the import */ cert = (X509CRL) cf.generateCRL(fr); fr.close(); /* * catches. */ } catch (java.security.cert.CertificateException e) { e.printStackTrace(); } catch (java.security.cert.CRLException e) { e.printStackTrace(); } catch (java.io.IOException e) { e.printStackTrace(); } return cert; } /** * Method reasonToString * * * @param i defining the reason for revocation * * @return the string that maps to the integer * */ public static String reasonToString(int i) { switch (i) { case 0 : // '\0' return "unspecified"; case 1 : // '\001' return "key compromise"; case 2 : // '\002' return "CA compromise"; case 3 : // '\003' return " affiliation changed"; case 4 : // '\004' return "superseded"; case 5 : // '\005' return "cessation of operation"; case 6 : // '\006' return "certificate hold"; case 8 : // '\b' return "remove from CRL"; case 7 : // '\007' default : return "unrecognized reason code"; } } }4' return "superseded"; case 5 : // 'package com.richware.chap24; import java.security.PublicKey; import java.security.Principal; import java.security.cert.X509Certificate; import java.security.cert.CertificateException; import java.security.cert.CertificateFactory; import java.security.cert.*; import java.io.FileInputStream; import java.io.FileNotFoundException; import java.util.*; import javax.security.auth.x500.X500Principal; import sun.security.x509.*; /** * Class RichCRL * Description: A custom demonstration of the Certificate Revocation List. * * Copyright: Copyright (c) 2002 Wiley Publishing, Inc. * @author Rich Helton <rhelton@richware.com> * @version 1.0 * DISCLAIMER: Please refer to the disclaimer at the beginning of this book. 
*/ public class RichCRL { /** * Method main * Description: The main driver to run the methods . * * * @param args (no arguments presently). * */ public static void main(String args[]) { try { System.out.println("Starting RichCRL...."); /* * Pass in the argument of the keystore file * It will be opened in the same directoy as the application */ if (args[0] == null) { System.out.println("This application requires an input file for the location of the crl"); } String localDirectory = System.getProperty("user.dir"); System.out.println("Changing directory to Chapter 24"); System.setProperty("user.dir", localDirectory + "\\com\\richware\\chap24\\"); localDirectory = System.getProperty("user.dir"); /* * Get the local keystore that contains a trusted certificate */ String localInputFile = localDirectory + args[0]; System.out.println("Opening Chapter 24 plus the input file as an argument: " + localInputFile); /* * Import the certificate revocation list */ RichCRL myCertificate = new RichCRL(); X509CRL newcertificate = myCertificate.importCertificate(localInputFile); System.out.println("*********************CRL *************************"); System.out.println(newcertificate); System.out.println("CRL->Version Number->" + newcertificate.getVersion()); System.out .println("CRL->Signature Algorithm Identifier->" + newcertificate.getSigAlgName()); System.out.println("CRL->Issuer Name->" + newcertificate.getIssuerDN()); System.out.println("CRL->ThisUpdate->" + newcertificate.getThisUpdate()); System.out.println("CRL->NextUpdate->" + newcertificate.getNextUpdate()); /* * Get the revoked Certificates */ Set setCRLEntries = newcertificate.getRevokedCertificates(); X509CRLEntry[] newEntries = new X509CRLEntry[setCRLEntries. 
size ()]; Iterator iter = setCRLEntries.iterator(); int current = 0; while (iter.hasNext()) { X509CRLEntry entry = (X509CRLEntry) iter.next(); System.out.println("***********CRL Entry No Extensions****************"); System.out.println(entry); System.out.println("CRL->Entry->RevocationDate->" + entry.getRevocationDate()); System.out.println("CRL->Entry->SerialNumber->" + entry.getSerialNumber()); System.out.println("CRL->Entry->HasExtensions->" + entry.hasExtensions()); /* * Are there any extensions */ if (entry.hasExtensions()) { /* * Print the extension OIDs */ Set nonCritSet = entry.getNonCriticalExtensionOIDs(); if (nonCritSet != null) { for (Iterator i = nonCritSet.iterator(); i.hasNext();) { String oid = (String) i.next(); System.out.println("Extensions in Entry" + oid); } } } /* * Else create some extensions */ else { /* * Create an CRL Extension class to contain individual extensions */ CRLExtensions extensions = new CRLExtensions(); /* * Create the CRL Reason Code Extension */ CRLReasonCodeExtension reason = new CRLReasonCodeExtension(2); extensions.set("2.5.29.21", reason); // System.out.println("CRL->Entry->New Reason Code***********"); CRLReasonCodeExtension newreason = (CRLReasonCodeExtension) extensions .get("2.5.29.21"); // System.out.println(newreason); X509CRLEntryImpl x509crlentryimpl = new X509CRLEntryImpl(entry.getSerialNumber(), entry.getRevocationDate(), extensions); newEntries[current] = (X509CRLEntry) x509crlentryimpl; } current++; } /* * Create an X500Name from the X500 Principal */ X500Principal currPrincipal = newcertificate.getIssuerX500Principal(); X500Name name = new X500Name(currPrincipal.getEncoded()); /* * Create a CRL Extension class to contain individual extensions and set it for the main CRL */ CRLExtensions crlExtensions = new CRLExtensions(); CRLNumberExtension crlNumber = new CRLNumberExtension(1); crlExtensions.set("2.5.29.20", crlNumber); /* * Create a new CRL with the extensions in the CRL Entries */ X509CRLImpl newCRL = 
new X509CRLImpl(name, newcertificate.getThisUpdate(), newcertificate.getNextUpdate(), newEntries, crlExtensions); System.out.println("*****************CRL with Extensions**************"); System.out.println(newCRL); /* * Iterate through the CRL entries again showing the extensions */ setCRLEntries = newCRL.getRevokedCertificates(); iter = setCRLEntries.iterator(); /* * Loop through the entries */ while (iter.hasNext()) { X509CRLEntry entry = (X509CRLEntry) iter.next(); System.out.println("*******CRL Entry After Adding Reason Extension**********"); System.out.println(entry); System.out.println("CRL->Entry->RevocationDate->" + entry.getRevocationDate()); System.out.println(entry.getSerialNumber()); System.out.println("CRL->Entry->HasExtensions->" + entry.hasExtensions()); /* * the getExtensionValue will return a null because it is not part of the * supported OIDs mentioned in the JavaDocs */ System.out .println("CRL->Entry->Reason Code from method->" + entry.getExtensionValue("2.5.29.21")); X509CRLEntryImpl x509crlentryimpl = new X509CRLEntryImpl(entry.getEncoded()); Integer reasonInt = x509crlentryimpl.getReasonCode(); /* * Print out the Reason Code */ System.out .println("CRL->Entry->Reason Code->" + RichCRL .reasonToString(reasonInt.intValue())); /* * Print out the OIDs found */ Set nonCritSet = entry.getNonCriticalExtensionOIDs(); if (nonCritSet != null) { for (Iterator i = nonCritSet.iterator(); i.hasNext();) { String oid = (String) i.next(); System.out.println("CRL->Entry->OID->" + oid); } } } /* * catches. */ } catch (Exception e) { e.printStackTrace(); } } /** * Method importCertificate * Description: Import the certificate. * * @param filename is the file to import. * * @return the certification. 
* */ public X509CRL importCertificate(String filename) { X509CRL cert = null; try { CertificateFactory cf = CertificateFactory.getInstance("X.509"); /* * Get the File I/O of the Certificate */ FileInputStream fr = new FileInputStream(filename); /* * Construct the certificate based on the import */ cert = (X509CRL) cf.generateCRL(fr); fr.close(); /* * catches. */ } catch (java.security.cert.CertificateException e) { e.printStackTrace(); } catch (java.security.cert.CRLException e) { e.printStackTrace(); } catch (java.io.IOException e) { e.printStackTrace(); } return cert; } /** * Method reasonToString * * * @param i defining the reason for revocation * * @return the string that maps to the integer * */ public static String reasonToString(int i) { switch (i) { case 0 : // '\0' return "unspecified"; case 1 : // '\001' return "key compromise"; case 2 : // '\002' return "CA compromise"; case 3 : // '\003' return " affiliation changed"; case 4 : // '\004' return "superseded"; case 5 : // '\005' return "cessation of operation"; case 6 : // '\006' return "certificate hold"; case 8 : // '\b' return "remove from CRL"; case 7 : // '\007' default : return "unrecognized reason code"; } } }5' return "cessation of operation"; case 6 : // 'package com.richware.chap24; import java.security.PublicKey; import java.security.Principal; import java.security.cert.X509Certificate; import java.security.cert.CertificateException; import java.security.cert.CertificateFactory; import java.security.cert.*; import java.io.FileInputStream; import java.io.FileNotFoundException; import java.util.*; import javax.security.auth.x500.X500Principal; import sun.security.x509.*; /** * Class RichCRL * Description: A custom demonstration of the Certificate Revocation List. * * Copyright: Copyright (c) 2002 Wiley Publishing, Inc. * @author Rich Helton <rhelton@richware.com> * @version 1.0 * DISCLAIMER: Please refer to the disclaimer at the beginning of this book. 
*/ public class RichCRL { /** * Method main * Description: The main driver to run the methods . * * * @param args (no arguments presently). * */ public static void main(String args[]) { try { System.out.println("Starting RichCRL...."); /* * Pass in the argument of the keystore file * It will be opened in the same directoy as the application */ if (args[0] == null) { System.out.println("This application requires an input file for the location of the crl"); } String localDirectory = System.getProperty("user.dir"); System.out.println("Changing directory to Chapter 24"); System.setProperty("user.dir", localDirectory + "\\com\\richware\\chap24\\"); localDirectory = System.getProperty("user.dir"); /* * Get the local keystore that contains a trusted certificate */ String localInputFile = localDirectory + args[0]; System.out.println("Opening Chapter 24 plus the input file as an argument: " + localInputFile); /* * Import the certificate revocation list */ RichCRL myCertificate = new RichCRL(); X509CRL newcertificate = myCertificate.importCertificate(localInputFile); System.out.println("*********************CRL *************************"); System.out.println(newcertificate); System.out.println("CRL->Version Number->" + newcertificate.getVersion()); System.out .println("CRL->Signature Algorithm Identifier->" + newcertificate.getSigAlgName()); System.out.println("CRL->Issuer Name->" + newcertificate.getIssuerDN()); System.out.println("CRL->ThisUpdate->" + newcertificate.getThisUpdate()); System.out.println("CRL->NextUpdate->" + newcertificate.getNextUpdate()); /* * Get the revoked Certificates */ Set setCRLEntries = newcertificate.getRevokedCertificates(); X509CRLEntry[] newEntries = new X509CRLEntry[setCRLEntries. 
size ()]; Iterator iter = setCRLEntries.iterator(); int current = 0; while (iter.hasNext()) { X509CRLEntry entry = (X509CRLEntry) iter.next(); System.out.println("***********CRL Entry No Extensions****************"); System.out.println(entry); System.out.println("CRL->Entry->RevocationDate->" + entry.getRevocationDate()); System.out.println("CRL->Entry->SerialNumber->" + entry.getSerialNumber()); System.out.println("CRL->Entry->HasExtensions->" + entry.hasExtensions()); /* * Are there any extensions */ if (entry.hasExtensions()) { /* * Print the extension OIDs */ Set nonCritSet = entry.getNonCriticalExtensionOIDs(); if (nonCritSet != null) { for (Iterator i = nonCritSet.iterator(); i.hasNext();) { String oid = (String) i.next(); System.out.println("Extensions in Entry" + oid); } } } /* * Else create some extensions */ else { /* * Create an CRL Extension class to contain individual extensions */ CRLExtensions extensions = new CRLExtensions(); /* * Create the CRL Reason Code Extension */ CRLReasonCodeExtension reason = new CRLReasonCodeExtension(2); extensions.set("2.5.29.21", reason); // System.out.println("CRL->Entry->New Reason Code***********"); CRLReasonCodeExtension newreason = (CRLReasonCodeExtension) extensions .get("2.5.29.21"); // System.out.println(newreason); X509CRLEntryImpl x509crlentryimpl = new X509CRLEntryImpl(entry.getSerialNumber(), entry.getRevocationDate(), extensions); newEntries[current] = (X509CRLEntry) x509crlentryimpl; } current++; } /* * Create an X500Name from the X500 Principal */ X500Principal currPrincipal = newcertificate.getIssuerX500Principal(); X500Name name = new X500Name(currPrincipal.getEncoded()); /* * Create a CRL Extension class to contain individual extensions and set it for the main CRL */ CRLExtensions crlExtensions = new CRLExtensions(); CRLNumberExtension crlNumber = new CRLNumberExtension(1); crlExtensions.set("2.5.29.20", crlNumber); /* * Create a new CRL with the extensions in the CRL Entries */ X509CRLImpl newCRL = 
new X509CRLImpl(name, newcertificate.getThisUpdate(), newcertificate.getNextUpdate(), newEntries, crlExtensions); System.out.println("*****************CRL with Extensions**************"); System.out.println(newCRL); /* * Iterate through the CRL entries again showing the extensions */ setCRLEntries = newCRL.getRevokedCertificates(); iter = setCRLEntries.iterator(); /* * Loop through the entries */ while (iter.hasNext()) { X509CRLEntry entry = (X509CRLEntry) iter.next(); System.out.println("*******CRL Entry After Adding Reason Extension**********"); System.out.println(entry); System.out.println("CRL->Entry->RevocationDate->" + entry.getRevocationDate()); System.out.println(entry.getSerialNumber()); System.out.println("CRL->Entry->HasExtensions->" + entry.hasExtensions()); /* * the getExtensionValue will return a null because it is not part of the * supported OIDs mentioned in the JavaDocs */ System.out .println("CRL->Entry->Reason Code from method->" + entry.getExtensionValue("2.5.29.21")); X509CRLEntryImpl x509crlentryimpl = new X509CRLEntryImpl(entry.getEncoded()); Integer reasonInt = x509crlentryimpl.getReasonCode(); /* * Print out the Reason Code */ System.out .println("CRL->Entry->Reason Code->" + RichCRL .reasonToString(reasonInt.intValue())); /* * Print out the OIDs found */ Set nonCritSet = entry.getNonCriticalExtensionOIDs(); if (nonCritSet != null) { for (Iterator i = nonCritSet.iterator(); i.hasNext();) { String oid = (String) i.next(); System.out.println("CRL->Entry->OID->" + oid); } } } /* * catches. */ } catch (Exception e) { e.printStackTrace(); } } /** * Method importCertificate * Description: Import the certificate. * * @param filename is the file to import. * * @return the certification. 
* */ public X509CRL importCertificate(String filename) { X509CRL cert = null; try { CertificateFactory cf = CertificateFactory.getInstance("X.509"); /* * Get the File I/O of the Certificate */ FileInputStream fr = new FileInputStream(filename); /* * Construct the certificate based on the import */ cert = (X509CRL) cf.generateCRL(fr); fr.close(); /* * catches. */ } catch (java.security.cert.CertificateException e) { e.printStackTrace(); } catch (java.security.cert.CRLException e) { e.printStackTrace(); } catch (java.io.IOException e) { e.printStackTrace(); } return cert; } /** * Method reasonToString * * * @param i defining the reason for revocation * * @return the string that maps to the integer * */ public static String reasonToString(int i) { switch (i) { case 0 : // '\0' return "unspecified"; case 1 : // '\001' return "key compromise"; case 2 : // '\002' return "CA compromise"; case 3 : // '\003' return " affiliation changed"; case 4 : // '\004' return "superseded"; case 5 : // '\005' return "cessation of operation"; case 6 : // '\006' return "certificate hold"; case 8 : // '\b' return "remove from CRL"; case 7 : // '\007' default : return "unrecognized reason code"; } } }6' return "certificate hold"; case 8 : // '\b' return "remove from CRL"; case 7 : // 'package com.richware.chap24; import java.security.PublicKey; import java.security.Principal; import java.security.cert.X509Certificate; import java.security.cert.CertificateException; import java.security.cert.CertificateFactory; import java.security.cert.*; import java.io.FileInputStream; import java.io.FileNotFoundException; import java.util.*; import javax.security.auth.x500.X500Principal; import sun.security.x509.*; /** * Class RichCRL * Description: A custom demonstration of the Certificate Revocation List. * * Copyright: Copyright (c) 2002 Wiley Publishing, Inc. * @author Rich Helton <rhelton@richware.com> * @version 1.0 * DISCLAIMER: Please refer to the disclaimer at the beginning of this book. 
*/ public class RichCRL { /** * Method main * Description: The main driver to run the methods . * * * @param args (no arguments presently). * */ public static void main(String args[]) { try { System.out.println("Starting RichCRL...."); /* * Pass in the argument of the keystore file * It will be opened in the same directoy as the application */ if (args[0] == null) { System.out.println("This application requires an input file for the location of the crl"); } String localDirectory = System.getProperty("user.dir"); System.out.println("Changing directory to Chapter 24"); System.setProperty("user.dir", localDirectory + "\\com\\richware\\chap24\\"); localDirectory = System.getProperty("user.dir"); /* * Get the local keystore that contains a trusted certificate */ String localInputFile = localDirectory + args[0]; System.out.println("Opening Chapter 24 plus the input file as an argument: " + localInputFile); /* * Import the certificate revocation list */ RichCRL myCertificate = new RichCRL(); X509CRL newcertificate = myCertificate.importCertificate(localInputFile); System.out.println("*********************CRL *************************"); System.out.println(newcertificate); System.out.println("CRL->Version Number->" + newcertificate.getVersion()); System.out .println("CRL->Signature Algorithm Identifier->" + newcertificate.getSigAlgName()); System.out.println("CRL->Issuer Name->" + newcertificate.getIssuerDN()); System.out.println("CRL->ThisUpdate->" + newcertificate.getThisUpdate()); System.out.println("CRL->NextUpdate->" + newcertificate.getNextUpdate()); /* * Get the revoked Certificates */ Set setCRLEntries = newcertificate.getRevokedCertificates(); X509CRLEntry[] newEntries = new X509CRLEntry[setCRLEntries. 
size ()]; Iterator iter = setCRLEntries.iterator(); int current = 0; while (iter.hasNext()) { X509CRLEntry entry = (X509CRLEntry) iter.next(); System.out.println("***********CRL Entry No Extensions****************"); System.out.println(entry); System.out.println("CRL->Entry->RevocationDate->" + entry.getRevocationDate()); System.out.println("CRL->Entry->SerialNumber->" + entry.getSerialNumber()); System.out.println("CRL->Entry->HasExtensions->" + entry.hasExtensions()); /* * Are there any extensions */ if (entry.hasExtensions()) { /* * Print the extension OIDs */ Set nonCritSet = entry.getNonCriticalExtensionOIDs(); if (nonCritSet != null) { for (Iterator i = nonCritSet.iterator(); i.hasNext();) { String oid = (String) i.next(); System.out.println("Extensions in Entry" + oid); } } } /* * Else create some extensions */ else { /* * Create an CRL Extension class to contain individual extensions */ CRLExtensions extensions = new CRLExtensions(); /* * Create the CRL Reason Code Extension */ CRLReasonCodeExtension reason = new CRLReasonCodeExtension(2); extensions.set("2.5.29.21", reason); // System.out.println("CRL->Entry->New Reason Code***********"); CRLReasonCodeExtension newreason = (CRLReasonCodeExtension) extensions .get("2.5.29.21"); // System.out.println(newreason); X509CRLEntryImpl x509crlentryimpl = new X509CRLEntryImpl(entry.getSerialNumber(), entry.getRevocationDate(), extensions); newEntries[current] = (X509CRLEntry) x509crlentryimpl; } current++; } /* * Create an X500Name from the X500 Principal */ X500Principal currPrincipal = newcertificate.getIssuerX500Principal(); X500Name name = new X500Name(currPrincipal.getEncoded()); /* * Create a CRL Extension class to contain individual extensions and set it for the main CRL */ CRLExtensions crlExtensions = new CRLExtensions(); CRLNumberExtension crlNumber = new CRLNumberExtension(1); crlExtensions.set("2.5.29.20", crlNumber); /* * Create a new CRL with the extensions in the CRL Entries */ X509CRLImpl newCRL = 
new X509CRLImpl(name, newcertificate.getThisUpdate(), newcertificate.getNextUpdate(), newEntries, crlExtensions); System.out.println("*****************CRL with Extensions**************"); System.out.println(newCRL); /* * Iterate through the CRL entries again showing the extensions */ setCRLEntries = newCRL.getRevokedCertificates(); iter = setCRLEntries.iterator(); /* * Loop through the entries */ while (iter.hasNext()) { X509CRLEntry entry = (X509CRLEntry) iter.next(); System.out.println("*******CRL Entry After Adding Reason Extension**********"); System.out.println(entry); System.out.println("CRL->Entry->RevocationDate->" + entry.getRevocationDate()); System.out.println(entry.getSerialNumber()); System.out.println("CRL->Entry->HasExtensions->" + entry.hasExtensions()); /* * the getExtensionValue will return a null because it is not part of the * supported OIDs mentioned in the JavaDocs */ System.out .println("CRL->Entry->Reason Code from method->" + entry.getExtensionValue("2.5.29.21")); X509CRLEntryImpl x509crlentryimpl = new X509CRLEntryImpl(entry.getEncoded()); Integer reasonInt = x509crlentryimpl.getReasonCode(); /* * Print out the Reason Code */ System.out .println("CRL->Entry->Reason Code->" + RichCRL .reasonToString(reasonInt.intValue())); /* * Print out the OIDs found */ Set nonCritSet = entry.getNonCriticalExtensionOIDs(); if (nonCritSet != null) { for (Iterator i = nonCritSet.iterator(); i.hasNext();) { String oid = (String) i.next(); System.out.println("CRL->Entry->OID->" + oid); } } } /* * catches. */ } catch (Exception e) { e.printStackTrace(); } } /** * Method importCertificate * Description: Import the certificate. * * @param filename is the file to import. * * @return the certification. 
* */ public X509CRL importCertificate(String filename) { X509CRL cert = null; try { CertificateFactory cf = CertificateFactory.getInstance("X.509"); /* * Get the File I/O of the Certificate */ FileInputStream fr = new FileInputStream(filename); /* * Construct the certificate based on the import */ cert = (X509CRL) cf.generateCRL(fr); fr.close(); /* * catches. */ } catch (java.security.cert.CertificateException e) { e.printStackTrace(); } catch (java.security.cert.CRLException e) { e.printStackTrace(); } catch (java.io.IOException e) { e.printStackTrace(); } return cert; } /** * Method reasonToString * * * @param i defining the reason for revocation * * @return the string that maps to the integer * */ public static String reasonToString(int i) { switch (i) { case 0 : // '\0' return "unspecified"; case 1 : // '\001' return "key compromise"; case 2 : // '\002' return "CA compromise"; case 3 : // '\003' return " affiliation changed"; case 4 : // '\004' return "superseded"; case 5 : // '\005' return "cessation of operation"; case 6 : // '\006' return "certificate hold"; case 8 : // '\b' return "remove from CRL"; case 7 : // '\007' default : return "unrecognized reason code"; } } }7' default : return "unrecognized reason code"; } } } In the Java code from Listing 24-5, I imported a VeriSign CRL. VeriSign is one of the leading CAs, found at www.verisign.com . After importing the CRL, the code is able to add a reason code to each of the three CRL entries for revoked certificates. The application produced the output found in Listing 24-6. Listing 24-6: The output for Listing 24-5 >java com.richware.chap24.RichCRL rich.crl Starting RichCRL.... 
Changing directory to Chapter 24
Opening Chapter 24 plus the input file as an argument: C:\com\richware\chap24\rich.crl
*********************CRL *************************
X.509 CRL v2
Signature Algorithm: MD2withRSA, OID=1.2.840.113549.1.1.2
Issuer: OU=VeriSign Commercial Software Publishers CA, O="VeriSign, Inc.", L=Internet
This Update: Fri Mar 23 17:00:00 MST 2001
Next Update: Wed Jan 07 16:59:59 MST 2004
Revoked Certificates: 3
[1] SerialNumber: [ 1b5190f7 3724399c 9254cd42 4637996a ] On: Mon Jan 29 17:01:24 MST 2001
[2] SerialNumber: [ 77e65a43 59935d5f 7a75801a cdadc222 ] On: Wed Aug 30 18:00:56 MDT 2000
[3] SerialNumber: [ 750e40ff 97f047ed f556c708 4eb1abfd ] On: Tue Jan 30 17:00:49 MST 2001
CRL Extensions: 2
[1]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Key_Encipherment
]
[2]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]
Signature:
0000: 18 2C E8 FC 16 6D 91 4A 3D 88 54 48 5D B8 11 BF  .,...m.J=.TH]...
0010: 64 BB F9 DA 59 19 DD 0E 65 AB C0 0C FA 67 7E 21  d...Y...e....g.!
0020: 1E 83 0E CF 9B 89 8A CF 0C 4B C1 39 9D E7 6A AC  Ftj.b".........!
0040: 3D 7E A7 AA 5E CD 22 15 E6 0C 75 8E 6E AD F1 84  =...^."...u.n...
0050: E4 22 B4 30 6F FB 64 8F D7 80 43 F5 19 18 66 1D  .".0o.d...C...f.
0060: 72 A3 E3 94 82 28 52 A0 06 4E B1 C8 92 0C 97 BE  r....(R..N......
0070: 15 07 AB 7A C9 EA 08 67 43 4D 51 63 3B 9C 9C CD  ...z...gCMQc;...
CRL->Version Number->2
CRL->Signature Algorithm Identifier->MD2withRSA
CRL->Issuer Name->OU=VeriSign Commercial Software Publishers CA, O="VeriSign, Inc.", L=Internet
CRL->ThisUpdate->Fri Mar 23 17:00:00 MST 2001
CRL->NextUpdate->Wed Jan 07 16:59:59 MST 2004
***********CRL Entry No Extensions****************
SerialNumber: [ 750e40ff 97f047ed f556c708 4eb1abfd ] On: Tue Jan 30 17:00:49 MST 2001
CRL->Entry->RevocationDate->Tue Jan 30 17:00:49 MST 2001
CRL->Entry->SerialNumber->155593685987273437918165853798327757821
CRL->Entry->HasExtensions->false
***********CRL Entry No Extensions****************
SerialNumber: [ 1b5190f7 3724399c 9254cd42 4637996a ] On: Mon Jan 29 17:01:24 MST 2001
CRL->Entry->RevocationDate->Mon Jan 29 17:01:24 MST 2001
CRL->Entry->SerialNumber->36312672185138585402952177650507422058
CRL->Entry->HasExtensions->false
***********CRL Entry No Extensions****************
SerialNumber: [ 77e65a43 59935d5f 7a75801a cdadc222 ] On: Wed Aug 30 18:00:56 MDT 2000
CRL->Entry->RevocationDate->Wed Aug 30 18:00:56 MDT 2000
CRL->Entry->SerialNumber->159374190528741535247094583731252216354
CRL->Entry->HasExtensions->false
*****************CRL with Extensions**************
X.509 CRL v2
Issuer: OU=VeriSign Commercial Software Publishers CA, O="VeriSign, Inc.", L=Internet
This Update: Fri Mar 23 17:00:00 MST 2001
Next Update: Wed Jan 07 16:59:59 MST 2004
Revoked Certificates: 3
[1] SerialNumber: [ 1b5190f7 3724399c 9254cd42 4637996a ] On: Mon Jan 29 17:01:24 MST 2001
CRL Entry Extensions: 1
[1]: ObjectId: 2.5.29.21 Criticality=false
Reason Code: CA Compromise
[2] SerialNumber: [ 77e65a43 59935d5f 7a75801a cdadc222 ] On: Wed Aug 30 18:00:56 MDT 2000
CRL Entry Extensions: 1
[1]: ObjectId: 2.5.29.21 Criticality=false
Reason Code: CA Compromise
[3] SerialNumber: [ 750e40ff 97f047ed f556c708 4eb1abfd ] On: Tue Jan 30 17:00:49 MST 2001
CRL Entry Extensions: 1
[1]: ObjectId: 2.5.29.21 Criticality=false
Reason Code: CA Compromise
CRL Extensions: 1
[1]: ObjectId: 2.5.29.20 Criticality=false
CRL Number: 01
NOT signed yet
*******CRL Entry After Adding Reason Extension**********
SerialNumber: [ 750e40ff 97f047ed f556c708 4eb1abfd ] On: Tue Jan 30 17:00:49 MST 2001
CRL Entry Extensions: 1
[1]: ObjectId: 2.5.29.21 Criticality=false
Reason Code: CA Compromise
CRL->Entry->RevocationDate->Tue Jan 30 17:00:49 MST 2001
155593685987273437918165853798327757821
CRL->Entry->HasExtensions->true
CRL->Entry->Reason Code from method->null
CRL->Entry->Reason Code->CA compromise
CRL->Entry->OID->2.5.29.21
*******CRL Entry After Adding Reason Extension**********
SerialNumber: [ 1b5190f7 3724399c 9254cd42 4637996a ] On: Mon Jan 29 17:01:24 MST 2001
CRL Entry Extensions: 1
[1]: ObjectId: 2.5.29.21 Criticality=false
Reason Code: CA Compromise
CRL->Entry->RevocationDate->Mon Jan 29 17:01:24 MST 2001
36312672185138585402952177650507422058
CRL->Entry->HasExtensions->true
CRL->Entry->Reason Code from method->null
CRL->Entry->Reason Code->CA compromise
CRL->Entry->OID->2.5.29.21
*******CRL Entry After Adding Reason Extension**********
SerialNumber: [ 77e65a43 59935d5f 7a75801a cdadc222 ] On: Wed Aug 30 18:00:56 MDT 2000
CRL Entry Extensions: 1
[1]: ObjectId: 2.5.29.21 Criticality=false
Reason Code: CA Compromise
CRL->Entry->RevocationDate->Wed Aug 30 18:00:56 MDT 2000
159374190528741535247094583731252216354
CRL->Entry->HasExtensions->true
CRL->Entry->Reason Code from method->null
CRL->Entry->Reason Code->CA compromise
CRL->Entry->OID->2.5.29.21

CRL entry

Now that the CRL and the CRL extensions have been discussed, the information in the CRL entry needs to be examined. A CRL entry is the record for one revoked certificate. The CRL contains the set of all CRL entries, also known as the revoked certificates, and each entry represents an individual revoked certificate. The Java class that represents an individual entry in the CRL for a revoked certificate is the X509CRLEntry class.
From the X509CRL class, the getRevokedCertificates() method returns the set of X509CRLEntry objects found in the X509CRL. Each X509CRLEntry object in the returned set matches an individual revoked certificate, and its methods read the information recorded about that certificate. The information that can be read from an X509CRLEntry includes the serial number of the revoked certificate, the date on which the certificate was revoked, and any CRL entry extensions. One example of information carried in an extension is the reason the CA revoked the certificate. RFC 2549 gives the ASN.1 notation that shows which fields make up the CRL entry; it is reproduced in Listing 24-7.

Listing 24-7: The CRL entry

revokedCertificates SEQUENCE OF SEQUENCE {
    userCertificate      CertificateSerialNumber,
    revocationDate       ChoiceOfTime,
    crlEntryExtensions   Extensions OPTIONAL
                         -- if present, must be v2
} OPTIONAL

CertificateSerialNumber ::= INTEGER

Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension

Extension ::= SEQUENCE {
    extnId      OBJECT IDENTIFIER,
    critical    BOOLEAN DEFAULT FALSE,
    extnValue   OCTET STRING
                -- contains a DER encoding of a value
                -- of the type registered for use with
                -- the extnId object identifier value
}

The CRL entry in Listing 24-7 shows that there are only three fields. The entry for a revoked certificate contains the serial number of the certificate, the date on which it was revoked, and the CRL entry extensions:
The purpose of the extensions on each revoked certificate in version 2 of the CRL was simply to extend the reasons for the revocation. Without the reason for the revocation and the CA's hold instructions, the circumstances that led to the revocation might be repeated. If the private key of the issuer was compromised and the certificate was revoked, the issuer might continue to use the private key; the issuer needs to be notified that the key has been compromised. The reason code describes why the certificate was revoked and helps inform the parties of issues with the revoked certificate. The idea is to give enough information to help discover weaknesses in the security and any holes found in the PKI. The organization should be made aware of why some of its digital certificates are no longer in use, and it should contact the appropriate CA if it feels that further action is needed on the CA's part. If the reason code is that the CA is compromised, the organization should confirm with the CA that there are no security breaches. The hold instructions are actions the CA asks the organization to take to work through any issues with a revoked certificate. The hold instructions are a list of OIDs that the organization looks up to find the actions it must take. This OID is information shared between the CA and the organization using the digital certificates. The OID could be an instruction for the organization to call the CA immediately because a security breach has been discovered. It is very important for an organization to understand why some of its certificates were revoked, to ensure that its security services are still secure. Here are the fields and their definitions:
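The relying-party side of the discussion above (consulting the CRL, reading the entry's serial number, date and reason code, and reacting to a hold), written as an added example on the public java.security.cert API of Java 7 or later; it is not the book's code. The class name CrlCheck, the three file arguments and the mapping of reason codes to a Status are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CRLReason;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509Certificate;
import java.util.Date;
/* Added example, not the book's code: verify a CRL before trusting it, then look one certificate up. */
public class CrlCheck {
    /** Outcome of the lookup; HOLD is kept separate because certificateHold is reversible. */
    enum Status { GOOD, REVOKED, HOLD }
    /** Rejects a CRL that is not signed by the CA, signed by a key not allowed to sign CRLs,
     *  issued under a different name, or outside its [thisUpdate, nextUpdate] window. */
    static void verifyCrl(X509CRL crl, X509Certificate ca, Date now) throws Exception {
        crl.verify(ca.getPublicKey());                      // throws SignatureException if forged
        boolean[] ku = ca.getKeyUsage();                     // KeyUsage bit 6 is cRLSign
        if (ku != null && !ku[6]) throw new SecurityException("CA key is not permitted to sign CRLs");
        if (!crl.getIssuerX500Principal().equals(ca.getSubjectX500Principal()))
            throw new SecurityException("CRL issuer does not match the CA certificate");
        if (now.before(crl.getThisUpdate()))
            throw new SecurityException("CRL thisUpdate is in the future");
        Date next = crl.getNextUpdate();
        if (next != null && now.after(next))
            throw new SecurityException("CRL is past nextUpdate; fetch a fresh one before deciding");
    }

    /** Looks the certificate up by serial number and maps the entry's reason code to a status. */
    static Status lookup(X509CRL crl, X509Certificate cert) {
        if (!crl.getIssuerX500Principal().equals(cert.getIssuerX500Principal()))
            throw new IllegalArgumentException("this CRL does not cover the certificate's issuer");
        X509CRLEntry entry = crl.getRevokedCertificate(cert.getSerialNumber());
        if (entry == null) return Status.GOOD;
        CRLReason reason = entry.getRevocationReason();     // null when the entry has no reasonCode
        System.out.println("revoked on " + entry.getRevocationDate() + ", reason: " + reason);
        if (reason == CRLReason.CERTIFICATE_HOLD) {
            // holdInstructionCode (OID 2.5.29.23) carries the CA's instruction for the relying party
            byte[] hold = entry.getExtensionValue("2.5.29.23");
            System.out.println("hold instruction extension present: " + (hold != null));
            return Status.HOLD;
        }
        return Status.REVOKED;
    }
    public static void main(String[] args) throws Exception {
        // usage: java CrlCheck <crl-file> <ca-cert-file> <cert-file>   (DER or PEM)
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509CRL crl; X509Certificate ca, cert;
        try (InputStream in = new FileInputStream(args[0])) { crl = (X509CRL) cf.generateCRL(in); }
        try (InputStream in = new FileInputStream(args[1])) { ca = (X509Certificate) cf.generateCertificate(in); }
        try (InputStream in = new FileInputStream(args[2])) { cert = (X509Certificate) cf.generateCertificate(in); }
        verifyCrl(crl, ca, new Date());
        System.out.println("status: " + lookup(crl, cert));
    }
}
```

Unlike the RichCRL listing, this checks the CRL's signature and freshness before acting on its contents, and it treats a certificateHold entry differently from a permanent revocation.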
Java Security Solutions ISBN: 0764549286
Year: 2001
Pages: 222 Authors: Rich Helton, Johennie Helton