Certificate Revocation

  

If a CA is to manage a certificate, the CA must have the power to revoke it. If there is any question that the certificate has been compromised, the certificate is revoked and must be immediately invalidated. The CA acts as a certificate cop: it lets valid certificates pass through and blocks questionable ones.

The immediate invalidation occurs when the certificate is added to a CRL. The CRL is a list of certificates that are no longer valid. Once a certificate is on this list, it is no longer authenticated through the CA. CAs are responsible for issuing certificates and for adding them to the CRL when they are revoked. The CA maintains the CRL together with the reason each certificate was revoked. An organization that receives a certificate should also validate it against the CRL.

That organization acts as the validator of the certificate. If the validator is not the issuing CA, the validator is responsible for consulting the CRL to ensure that the certificate is still valid. Some systems are not fully integrated with CRL checking, so a revoked certificate can sometimes slip through the validation process. The validate() function of the Java Certificate class does not automatically consult the CRL.

Tip  

A copy of the CRL needs to be downloaded periodically to validate certificates.
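Because the Java validation call does not consult the CRL on its own, the validator has to verify the downloaded CRL and look the certificate up in it itself. The class below is an added example, not code from the book, written against the public java.security.cert API only; it assumes Java 7 or later (try-with-resources, getRevocationReason()) and takes the CA certificate, the CRL and the certificate to check as three file paths, which are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.CRLReason;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509Certificate;
import java.util.Date;

/**
 * Added example, not from the book: the checks a validator should make on a downloaded
 * CRL before trusting a lookup in it. Public java.security.cert API only; assumes
 * Java 7 or later for X509CRLEntry.getRevocationReason().
 */
public class CrlChecker {

    public enum Status { GOOD, REVOKED, CRL_UNTRUSTED, WRONG_ISSUER, CRL_UNSUPPORTED, CRL_STALE }

    private static final String OID_DELTA_CRL_INDICATOR = "2.5.29.27";
    private static final int KU_CRL_SIGN = 6; // cRLSign bit index in getKeyUsage()

    /** Outcome of a lookup; reason is set only when status is REVOKED and the entry has one. */
    public static final class Result {
        public final Status status;
        public final CRLReason reason;
        Result(Status status, CRLReason reason) { this.status = status; this.reason = reason; }
        @Override public String toString() {
            return reason == null ? status.toString() : status + " (" + reason + ")";
        }
    }

    /**
     * caCert is the CA that issued both cert and crl; now is the instant at which
     * freshness is judged (passed in rather than read from the clock so it can be tested).
     */
    public static Result check(X509CRL crl, X509Certificate caCert,
                               X509Certificate cert, Date now) {
        // 1. Never trust a CRL whose signature does not verify under a CA key that is
        //    permitted to sign CRLs (KeyUsage cRLSign, when the extension is present).
        boolean[] ku = caCert.getKeyUsage();
        if (ku != null && !ku[KU_CRL_SIGN]) {
            return new Result(Status.CRL_UNTRUSTED, null);
        }
        try {
            crl.verify(caCert.getPublicKey());
        } catch (GeneralSecurityException e) {
            return new Result(Status.CRL_UNTRUSTED, null);
        }
        // 2. The CRL must be the one published by the issuer of the certificate in question.
        if (!crl.getIssuerX500Principal().equals(caCert.getSubjectX500Principal())
                || !cert.getIssuerX500Principal().equals(caCert.getSubjectX500Principal())) {
            return new Result(Status.WRONG_ISSUER, null);
        }
        // 3. A critical extension this code does not understand makes the CRL unsafe to
        //    interpret; a delta CRL (2.5.29.27) must first be merged into its base CRL.
        if (crl.hasUnsupportedCriticalExtension()
                || crl.getExtensionValue(OID_DELTA_CRL_INDICATOR) != null) {
            return new Result(Status.CRL_UNSUPPORTED, null);
        }
        // 4. Freshness: outside [thisUpdate, nextUpdate] the list may lack recent revocations,
        //    which is why the Tip says to download the CRL periodically.
        Date next = crl.getNextUpdate();
        if (now.before(crl.getThisUpdate()) || (next != null && now.after(next))) {
            return new Result(Status.CRL_STALE, null);
        }
        // 5. The lookup itself. The certificate overload (rather than the BigInteger one the
        //    page describes) also honours the Certificate Issuer entry extension of Indirect CRLs.
        X509CRLEntry entry = crl.getRevokedCertificate(cert);
        if (entry == null) {
            return new Result(Status.GOOD, null);
        }
        return new Result(Status.REVOKED, entry.getRevocationReason());
    }

    static X509Certificate loadCert(CertificateFactory cf, String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /** Usage: java CrlChecker <ca-cert> <crl> <cert>; file paths (PEM or DER) are assumptions. */
    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: CrlChecker <ca-cert> <crl> <cert>");
            System.exit(2);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate ca = loadCert(cf, args[0]);
        X509CRL crl;
        try (InputStream in = new FileInputStream(args[1])) {
            crl = (X509CRL) cf.generateCRL(in);
        }
        X509Certificate cert = loadCert(cf, args[2]);
        Result r = check(crl, ca, cert, new Date());
        System.out.println("serial " + cert.getSerialNumber().toString(16) + ": " + r);
        System.exit(r.status == Status.GOOD ? 0 : 1);
    }
}
```

A certificate on hold (reason certificateHold) is reported as REVOKED here, which is the safe reading for a validator; only a later CRL carrying removeFromCRL in a delta reinstates it.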

There are several reasons why a certificate gets added to the revocation list. One example is that the certificate is suspected to be compromised. Another is that the certificate has expired. Yet another is that the CA no longer supports the user.

To get the entire list of reasons, examine the reason code in the X509CRLEntry. The X509CRLEntry class is the matching entry for each revoked certificate. The X509CRL class contains the entire CRL and the set of X509CRLEntry objects. These are represented in Figure 24-4.

Figure 24-4: The X509CRL and X509CRLEntry classes

There are several means of distributing CRLs. One way is for an organization to receive an initial CRL from the CA and then have the CA send only updates to it. A Delta CRL carries only the changes since a base CRL, so a complete new CRL is not required every time; applying the Delta, or updates, to the base CRL yields the current list. The Delta CRL is useful because a new CRL does not have to be issued every time an update is needed; only the updates are distributed.

Another type of CRL update is the Indirect CRL. An Indirect CRL is one that the CA does not issue directly; another, third-party organization issues it instead. This third party distributes a single CRL that replaces a multitude of CRLs from different CAs. Using a single CRL for an organization that uses multiple CAs is easier than doing lookups in multiple CRLs from different CAs: the organization need only manage one CRL for all the CAs it interfaces with for digital certificates.

The CRL has fields so that the validator of an X.509 certificate can query the CRL to see whether a digital certificate is listed as revoked. The Java class that supports this functionality is the X509CRL class. The fields in the following list do not represent the individual revoked certificates, but the main fields needed for the operation of the CRL itself. When checking an individual revoked certificate, the X509CRLEntry class is used to get information about the entry. Listing 24-4 shows the ASN.1 notation of the CRL fields, followed by a description of each.

Listing 24-4: The ASN.1 notation of a CRL
start example
 CertificateList ::= SIGNED { SEQUENCE {
     version                 Version OPTIONAL,
                             -- if present, version shall be v2
     signature               AlgorithmIdentifier,
     issuer                  Name,
     thisUpdate              Time,
     nextUpdate              Time OPTIONAL,
     revokedCertificates     SEQUENCE OF SEQUENCE {
         serialNumber            CertificateSerialNumber,
         revocationDate          Time,
         crlEntryExtensions      Extensions OPTIONAL } OPTIONAL,
     crlExtensions           [0] Extensions OPTIONAL }}
end example
 
  • Version number: This specifies the version number of the X.509 CRL. The version is an optional field, but if present it must be v2. The structure of the CRL changes with its version. The X509CRL method that returns the version is getVersion(), which returns an integer of 1 or 2; it should normally be 2.

  • Signature Algorithm Identifier: This field contains the identifier of the algorithm the CA used to sign the CRL. The X509CRL class returns the OID as a string from the getSigAlgOID() method. For example, the OID 1.2.840.10040.4.3 identifies SHA-1 with DSA as the signature algorithm.

  • Signature: This field contains the CA's signature bits. The X509CRL class returns the signature as a byte array from the getSignature() method.

  • Issuer Name: This field identifies the DN, in X.500 format, of the issuing entity.

  • This Update: This field gives the date the CRL was issued. The X509CRL method that returns it as a Date object is getThisUpdate().

  • Next Update: This field gives the date of the next update of the CRL. The X509CRL method that returns it as a Date object is getNextUpdate().

  • CRL Entry: This is the set of revoked certificates. Each revoked certificate is represented by the Java X509CRLEntry class. The method that returns the entire set of revoked entries is getRevokedCertificates(). To get an individual X509CRLEntry, the BigInteger serial number of the revoked certificate is passed to the getRevokedCertificate(BigInteger serialNumber) method.

  • CRL Extensions: These fields were added in version 2 of the CRL, mostly to handle Delta and Indirect CRLs.

  • CRL Entry Extensions: These fields were added to the CRL entry in version 2 to give the reason for revoking the certificate, actions for the certificate, and when it was revoked.

CRL extension

The CRL had to be extended to handle Delta and Indirect CRLs. A CRL was given a CRL Number to keep track of whether a CRL has already been processed; once the current CRL has been completely processed for checking certificates, the next subsequent CRL can be used. An extension is also needed to record whether a CRL is a Delta CRL or an Indirect CRL. Other modifications were made to differentiate between key identifiers and issuers when multiple CAs appear in an Indirect CRL.

  • Authority Key Identifier (OID 2.5.29.35): This extension can be used to differentiate between multiple CRL signing keys held by a specific CA. This field contains the unique key identifier. The use of this field is mandatory.

  • Issuer Alternative Name (OID 2.5.29.18): This extension associates one or more alternative name forms with the CRL issuer. If there is no DN in the subject field of a certificate, it must have one or more alternative names, and the extension must be marked critical. Otherwise, if a DN is specified, the extension is recommended to be marked non-critical.

  • CRL Number (OID 2.5.29.20): This extension is used to identify a particular CRL. The CRL Number is like a serial number: when multiple CRLs are combined in an Indirect CRL, each can be tracked by this unique ID. RFC 2459 recommends its use even though the extension is normally marked non-critical.

  • Delta CRL Indicator (OID 2.5.29.27): This extension identifies the CRL as a delta CRL. If this extension is present, it should be marked critical.

  • Issuing Distribution Point (OID 2.5.29.28): This extension can be used to indicate if a CRL is an Indirect CRL. The extension will identify the CRL distribution point to receive the CRLs. This extension can further define some of the reasons for revocation of certificates and the scope of the CRL. If the extension is present, it should be set to critical.

The CRL can also be generated from the X.509 Certificate Factory as shown in Listing 24-1. The biggest differences are in the type of imported file, which now matches a CRL file, and the use of the X509CRL and X509CRLEntry classes. Listing 24-5 demonstrates reading a CRL file, the CRL entries, and modifying both (the CRL and the CRL entries) to add extensions.

Listing 24-5: The RichCRL class: Importing the CRL and CRL entries and adding extensions
start example
 package com.richware.chap24;

 import java.io.FileInputStream;
 import java.security.cert.*;
 import java.util.*;
 import javax.security.auth.x500.X500Principal;
 // sun.security.x509 is an internal, unsupported JDK package: the *Impl and
 // *Extension classes used below can change or disappear between JDK releases.
 import sun.security.x509.*;

 /**
  * Class RichCRL
  * Description: A custom demonstration of the Certificate Revocation List.
  *
  * Copyright:    Copyright (c) 2002 Wiley Publishing, Inc.
  * @author Rich Helton <rhelton@richware.com>
  * @version 1.0
  * DISCLAIMER: Please refer to the disclaimer at the beginning of this book.
  */
 public class RichCRL
 {
   /**
    * Method main
    * Description: The main driver to run the methods.
    *
    * @param args args[0] is the file name of the CRL to import.
    */
   public static void main(String args[])
   {
     try
     {
       System.out.println("Starting RichCRL....");

       /*
        * The argument is the CRL file. It is opened relative to the
        * com\richware\chap24 directory under the current directory.
        */
       if (args.length == 0)
       {
         System.out.println("This application requires an input file for the location of the crl");
         return;
       }

       String localDirectory = System.getProperty("user.dir");

       System.out.println("Changing directory to Chapter 24");
       System.setProperty("user.dir",
                          localDirectory + "\\com\\richware\\chap24\\");

       localDirectory = System.getProperty("user.dir");

       /*
        * Build the full path of the CRL file to import
        */
       String localInputFile = localDirectory + args[0];

       System.out.println("Opening Chapter 24 plus the input file as an argument: "
                          + localInputFile);

       /*
        * Import the certificate revocation list
        */
       RichCRL myCertificate  = new RichCRL();
       X509CRL newcertificate = myCertificate.importCertificate(localInputFile);

       if (newcertificate == null)
       {
         System.out.println("Could not read a CRL from " + localInputFile);
         return;
       }

       System.out.println("*********************CRL *************************");
       System.out.println(newcertificate);
       System.out.println("CRL->Version Number->"
                          + newcertificate.getVersion());
       System.out.println("CRL->Signature Algorithm Identifier->"
                          + newcertificate.getSigAlgName());
       System.out.println("CRL->Issuer Name->"
                          + newcertificate.getIssuerDN());
       System.out.println("CRL->ThisUpdate->"
                          + newcertificate.getThisUpdate());
       System.out.println("CRL->NextUpdate->"
                          + newcertificate.getNextUpdate());

       /*
        * Get the revoked certificates (null when the CRL lists none)
        */
       Set setCRLEntries = newcertificate.getRevokedCertificates();
       if (setCRLEntries == null)
       {
         setCRLEntries = Collections.EMPTY_SET;
       }

       X509CRLEntry[] newEntries = new X509CRLEntry[setCRLEntries.size()];
       Iterator       iter       = setCRLEntries.iterator();
       int            current    = 0;

       while (iter.hasNext())
       {
         X509CRLEntry entry = (X509CRLEntry) iter.next();

         System.out.println("***********CRL Entry No Extensions****************");
         System.out.println(entry);
         System.out.println("CRL->Entry->RevocationDate->"
                            + entry.getRevocationDate());
         System.out.println("CRL->Entry->SerialNumber->"
                            + entry.getSerialNumber());
         System.out.println("CRL->Entry->HasExtensions->"
                            + entry.hasExtensions());

         /*
          * Are there any extensions?
          */
         if (entry.hasExtensions())
         {
           /*
            * Print the extension OIDs
            */
           Set nonCritSet = entry.getNonCriticalExtensionOIDs();
           if (nonCritSet != null)
           {
             for (Iterator i = nonCritSet.iterator(); i.hasNext();)
             {
               String oid = (String) i.next();
               System.out.println("Extensions in Entry" + oid);
             }
           }

           /*
            * Carry the entry over unchanged so the new CRL has no null slots
            */
           newEntries[current] = entry;
         }

         /*
          * Else create some extensions
          */
         else
         {
           /*
            * Create a CRLExtensions object to contain individual extensions
            */
           CRLExtensions extensions = new CRLExtensions();

           /*
            * Create the CRL Reason Code Extension (reason 2 = CA compromise)
            */
           CRLReasonCodeExtension reason = new CRLReasonCodeExtension(2);
           extensions.set("2.5.29.21", reason);

           X509CRLEntryImpl x509crlentryimpl =
             new X509CRLEntryImpl(entry.getSerialNumber(),
                                  entry.getRevocationDate(),
                                  extensions);

           newEntries[current] = (X509CRLEntry) x509crlentryimpl;
         }
         current++;
       }

       /*
        * Create an X500Name from the X500Principal
        */
       X500Principal currPrincipal = newcertificate.getIssuerX500Principal();
       X500Name      name          = new X500Name(currPrincipal.getEncoded());

       /*
        * Create a CRLExtensions object to contain individual extensions
        * and set it for the main CRL
        */
       CRLExtensions      crlExtensions = new CRLExtensions();
       CRLNumberExtension crlNumber     = new CRLNumberExtension(1);

       crlExtensions.set("2.5.29.20", crlNumber);

       /*
        * Create a new CRL with the extensions in the CRL entries
        */
       X509CRLImpl newCRL =
         new X509CRLImpl(name, newcertificate.getThisUpdate(),
                         newcertificate.getNextUpdate(),
                         newEntries, crlExtensions);

       System.out.println("*****************CRL with Extensions**************");
       System.out.println(newCRL);

       /*
        * Iterate through the CRL entries again, showing the extensions
        */
       setCRLEntries = newCRL.getRevokedCertificates();
       iter          = setCRLEntries.iterator();

       /*
        * Loop through the entries
        */
       while (iter.hasNext())
       {
         X509CRLEntry entry = (X509CRLEntry) iter.next();

         System.out.println("*******CRL Entry After Adding Reason Extension**********");
         System.out.println(entry);
         System.out.println("CRL->Entry->RevocationDate->"
                            + entry.getRevocationDate());
         System.out.println("CRL->Entry->SerialNumber->"
                            + entry.getSerialNumber());
         System.out.println("CRL->Entry->HasExtensions->"
                            + entry.hasExtensions());

         /*
          * getExtensionValue will return a null because it is not part of the
          * supported OIDs mentioned in the JavaDocs
          */
         System.out.println("CRL->Entry->Reason Code from method->"
                            + entry.getExtensionValue("2.5.29.21"));

         X509CRLEntryImpl x509crlentryimpl = new X509CRLEntryImpl(entry.getEncoded());
         Integer          reasonInt        = x509crlentryimpl.getReasonCode();

         /*
          * Print out the Reason Code (null when the entry carries no reason extension)
          */
         System.out.println("CRL->Entry->Reason Code->"
                            + (reasonInt == null
                               ? "none"
                               : RichCRL.reasonToString(reasonInt.intValue())));

         /*
          * Print out the OIDs found
          */
         Set nonCritSet = entry.getNonCriticalExtensionOIDs();

         if (nonCritSet != null)
         {
           for (Iterator i = nonCritSet.iterator(); i.hasNext();)
           {
             String oid = (String) i.next();
             System.out.println("CRL->Entry->OID->" + oid);
           }
         }
       }
     }
     catch (Exception e)
     {
       e.printStackTrace();
     }
   }

   /**
    * Method importCertificate
    * Description: Import the CRL from a file.
    *
    * @param filename is the file to import.
    *
    * @return the CRL, or null if it could not be read.
    */
   public X509CRL importCertificate(String filename)
   {
     X509CRL cert = null;
     try
     {
       CertificateFactory cf = CertificateFactory.getInstance("X.509");

       /*
        * Get the File I/O of the CRL
        */
       FileInputStream fr = new FileInputStream(filename);

       /*
        * Construct the CRL from the imported bytes
        */
       cert = (X509CRL) cf.generateCRL(fr);

       fr.close();
     }
     catch (java.security.cert.CertificateException e)
     {
       e.printStackTrace();
     }
     catch (java.security.cert.CRLException e)
     {
       e.printStackTrace();
     }
     catch (java.io.IOException e)
     {
       e.printStackTrace();
     }

     return cert;
   }

   /**
    * Method reasonToString
    *
    * @param i the reason code for the revocation
    *
    * @return the string that maps to the integer
    */
   public static String reasonToString(int i)
   {
     switch (i)
     {
     case 0 :
       return "unspecified";
     case 1 :
       return "key compromise";
     case 2 :
       return "CA compromise";
     case 3 :
       return "affiliation changed";
     case 4 :
       return "superseded";
     case 5 :
       return "cessation of operation";
     case 6 :
       return "certificate hold";
     case 8 :
       return "remove from CRL";
     case 7 :  // value 7 is not assigned in X.509
     default :
       return "unrecognized reason code";
     }
   }
 }
end example
.println("CRL->Signature Algorithm Identifier->" + newcertificate.getSigAlgName()); System.out.println("CRL->Issuer Name->" + newcertificate.getIssuerDN()); System.out.println("CRL->ThisUpdate->" + newcertificate.getThisUpdate()); System.out.println("CRL->NextUpdate->" + newcertificate.getNextUpdate()); /* * Get the revoked Certificates */ Set setCRLEntries = newcertificate.getRevokedCertificates(); X509CRLEntry[] newEntries = new X509CRLEntry[setCRLEntries. size ()]; Iterator iter = setCRLEntries.iterator(); int current = 0; while (iter.hasNext()) { X509CRLEntry entry = (X509CRLEntry) iter.next(); System.out.println("***********CRL Entry No Extensions****************"); System.out.println(entry); System.out.println("CRL->Entry->RevocationDate->" + entry.getRevocationDate()); System.out.println("CRL->Entry->SerialNumber->" + entry.getSerialNumber()); System.out.println("CRL->Entry->HasExtensions->" + entry.hasExtensions()); /* * Are there any extensions */ if (entry.hasExtensions()) { /* * Print the extension OIDs */ Set nonCritSet = entry.getNonCriticalExtensionOIDs(); if (nonCritSet != null) { for (Iterator i = nonCritSet.iterator(); i.hasNext();) { String oid = (String) i.next(); System.out.println("Extensions in Entry" + oid); } } } /* * Else create some extensions */ else { /* * Create an CRL Extension class to contain individual extensions */ CRLExtensions extensions = new CRLExtensions(); /* * Create the CRL Reason Code Extension */ CRLReasonCodeExtension reason = new CRLReasonCodeExtension(2); extensions.set("2.5.29.21", reason); // System.out.println("CRL->Entry->New Reason Code***********"); CRLReasonCodeExtension newreason = (CRLReasonCodeExtension) extensions .get("2.5.29.21"); // System.out.println(newreason); X509CRLEntryImpl x509crlentryimpl = new X509CRLEntryImpl(entry.getSerialNumber(), entry.getRevocationDate(), extensions); newEntries[current] = (X509CRLEntry) x509crlentryimpl; } current++; } /* * Create an X500Name from the X500 Principal */ 
X500Principal currPrincipal = newcertificate.getIssuerX500Principal(); X500Name name = new X500Name(currPrincipal.getEncoded()); /* * Create a CRL Extension class to contain individual extensions and set it for the main CRL */ CRLExtensions crlExtensions = new CRLExtensions(); CRLNumberExtension crlNumber = new CRLNumberExtension(1); crlExtensions.set("2.5.29.20", crlNumber); /* * Create a new CRL with the extensions in the CRL Entries */ X509CRLImpl newCRL = new X509CRLImpl(name, newcertificate.getThisUpdate(), newcertificate.getNextUpdate(), newEntries, crlExtensions); System.out.println("*****************CRL with Extensions**************"); System.out.println(newCRL); /* * Iterate through the CRL entries again showing the extensions */ setCRLEntries = newCRL.getRevokedCertificates(); iter = setCRLEntries.iterator(); /* * Loop through the entries */ while (iter.hasNext()) { X509CRLEntry entry = (X509CRLEntry) iter.next(); System.out.println("*******CRL Entry After Adding Reason Extension**********"); System.out.println(entry); System.out.println("CRL->Entry->RevocationDate->" + entry.getRevocationDate()); System.out.println(entry.getSerialNumber()); System.out.println("CRL->Entry->HasExtensions->" + entry.hasExtensions()); /* * the getExtensionValue will return a null because it is not part of the * supported OIDs mentioned in the JavaDocs */ System.out .println("CRL->Entry->Reason Code from method->" + entry.getExtensionValue("2.5.29.21")); X509CRLEntryImpl x509crlentryimpl = new X509CRLEntryImpl(entry.getEncoded()); Integer reasonInt = x509crlentryimpl.getReasonCode(); /* * Print out the Reason Code */ System.out .println("CRL->Entry->Reason Code->" + RichCRL .reasonToString(reasonInt.intValue())); /* * Print out the OIDs found */ Set nonCritSet = entry.getNonCriticalExtensionOIDs(); if (nonCritSet != null) { for (Iterator i = nonCritSet.iterator(); i.hasNext();) { String oid = (String) i.next(); System.out.println("CRL->Entry->OID->" + oid); } } } /* * 
catches. */ } catch (Exception e) { e.printStackTrace(); } } /** * Method importCertificate * Description: Import the certificate. * * @param filename is the file to import. * * @return the certification. * */ public X509CRL importCertificate(String filename) { X509CRL cert = null; try { CertificateFactory cf = CertificateFactory.getInstance("X.509"); /* * Get the File I/O of the Certificate */ FileInputStream fr = new FileInputStream(filename); /* * Construct the certificate based on the import */ cert = (X509CRL) cf.generateCRL(fr); fr.close(); /* * catches. */ } catch (java.security.cert.CertificateException e) { e.printStackTrace(); } catch (java.security.cert.CRLException e) { e.printStackTrace(); } catch (java.io.IOException e) { e.printStackTrace(); } return cert; } /** * Method reasonToString * * * @param i defining the reason for revocation * * @return the string that maps to the integer * */ public static String reasonToString(int i) { switch (i) { case 0 : // '\0' return "unspecified"; case 1 : // '\001' return "key compromise"; case 2 : // '\002' return "CA compromise"; case 3 : // '\003' return " affiliation changed"; case 4 : // '\004' return "superseded"; case 5 : // '\005' return "cessation of operation"; case 6 : // '\006' return "certificate hold"; case 8 : // '\b' return "remove from CRL"; case 7 : // '\007' default : return "unrecognized reason code"; } } } 
2' return "CA compromise"; case 3 : // '
 package com.richware.chap24; import java.security.PublicKey; import java.security.Principal; import java.security.cert.X509Certificate; import java.security.cert.CertificateException; import java.security.cert.CertificateFactory; import java.security.cert.*; import java.io.FileInputStream; import java.io.FileNotFoundException; import java.util.*; import javax.security.auth.x500.X500Principal; import sun.security.x509.*; /** * Class RichCRL * Description: A custom demonstration of the Certificate Revocation List. * * Copyright: Copyright (c) 2002 Wiley Publishing, Inc. * @author Rich Helton <rhelton@richware.com> * @version 1.0 * DISCLAIMER: Please refer to the disclaimer at the beginning of this book. */ public class RichCRL { /** * Method main * Description: The main driver to run the methods . * * * @param args (no arguments presently). * */ public static void main(String args[]) { try { System.out.println("Starting RichCRL...."); /* * Pass in the argument of the keystore file * It will be opened in the same directoy as the application */ if (args[0] == null) { System.out.println("This application requires an input file for the location of the crl"); } String localDirectory = System.getProperty("user.dir"); System.out.println("Changing directory to Chapter 24"); System.setProperty("user.dir", localDirectory + "\\com\\richware\\chap24\\"); localDirectory = System.getProperty("user.dir"); /* * Get the local keystore that contains a trusted certificate */ String localInputFile = localDirectory + args[0]; System.out.println("Opening Chapter 24 plus the input file as an argument: " + localInputFile); /* * Import the certificate revocation list */ RichCRL myCertificate = new RichCRL(); X509CRL newcertificate = myCertificate.importCertificate(localInputFile); System.out.println("*********************CRL *************************"); System.out.println(newcertificate); System.out.println("CRL->Version Number->" + newcertificate.getVersion()); System.out 
.println("CRL->Signature Algorithm Identifier->" + newcertificate.getSigAlgName()); System.out.println("CRL->Issuer Name->" + newcertificate.getIssuerDN()); System.out.println("CRL->ThisUpdate->" + newcertificate.getThisUpdate()); System.out.println("CRL->NextUpdate->" + newcertificate.getNextUpdate()); /* * Get the revoked Certificates */ Set setCRLEntries = newcertificate.getRevokedCertificates(); X509CRLEntry[] newEntries = new X509CRLEntry[setCRLEntries. size ()]; Iterator iter = setCRLEntries.iterator(); int current = 0; while (iter.hasNext()) { X509CRLEntry entry = (X509CRLEntry) iter.next(); System.out.println("***********CRL Entry No Extensions****************"); System.out.println(entry); System.out.println("CRL->Entry->RevocationDate->" + entry.getRevocationDate()); System.out.println("CRL->Entry->SerialNumber->" + entry.getSerialNumber()); System.out.println("CRL->Entry->HasExtensions->" + entry.hasExtensions()); /* * Are there any extensions */ if (entry.hasExtensions()) { /* * Print the extension OIDs */ Set nonCritSet = entry.getNonCriticalExtensionOIDs(); if (nonCritSet != null) { for (Iterator i = nonCritSet.iterator(); i.hasNext();) { String oid = (String) i.next(); System.out.println("Extensions in Entry" + oid); } } } /* * Else create some extensions */ else { /* * Create an CRL Extension class to contain individual extensions */ CRLExtensions extensions = new CRLExtensions(); /* * Create the CRL Reason Code Extension */ CRLReasonCodeExtension reason = new CRLReasonCodeExtension(2); extensions.set("2.5.29.21", reason); // System.out.println("CRL->Entry->New Reason Code***********"); CRLReasonCodeExtension newreason = (CRLReasonCodeExtension) extensions .get("2.5.29.21"); // System.out.println(newreason); X509CRLEntryImpl x509crlentryimpl = new X509CRLEntryImpl(entry.getSerialNumber(), entry.getRevocationDate(), extensions); newEntries[current] = (X509CRLEntry) x509crlentryimpl; } current++; } /* * Create an X500Name from the X500 Principal */ 
X500Principal currPrincipal = newcertificate.getIssuerX500Principal(); X500Name name = new X500Name(currPrincipal.getEncoded()); /* * Create a CRL Extension class to contain individual extensions and set it for the main CRL */ CRLExtensions crlExtensions = new CRLExtensions(); CRLNumberExtension crlNumber = new CRLNumberExtension(1); crlExtensions.set("2.5.29.20", crlNumber); /* * Create a new CRL with the extensions in the CRL Entries */ X509CRLImpl newCRL = new X509CRLImpl(name, newcertificate.getThisUpdate(), newcertificate.getNextUpdate(), newEntries, crlExtensions); System.out.println("*****************CRL with Extensions**************"); System.out.println(newCRL); /* * Iterate through the CRL entries again showing the extensions */ setCRLEntries = newCRL.getRevokedCertificates(); iter = setCRLEntries.iterator(); /* * Loop through the entries */ while (iter.hasNext()) { X509CRLEntry entry = (X509CRLEntry) iter.next(); System.out.println("*******CRL Entry After Adding Reason Extension**********"); System.out.println(entry); System.out.println("CRL->Entry->RevocationDate->" + entry.getRevocationDate()); System.out.println(entry.getSerialNumber()); System.out.println("CRL->Entry->HasExtensions->" + entry.hasExtensions()); /* * the getExtensionValue will return a null because it is not part of the * supported OIDs mentioned in the JavaDocs */ System.out .println("CRL->Entry->Reason Code from method->" + entry.getExtensionValue("2.5.29.21")); X509CRLEntryImpl x509crlentryimpl = new X509CRLEntryImpl(entry.getEncoded()); Integer reasonInt = x509crlentryimpl.getReasonCode(); /* * Print out the Reason Code */ System.out .println("CRL->Entry->Reason Code->" + RichCRL .reasonToString(reasonInt.intValue())); /* * Print out the OIDs found */ Set nonCritSet = entry.getNonCriticalExtensionOIDs(); if (nonCritSet != null) { for (Iterator i = nonCritSet.iterator(); i.hasNext();) { String oid = (String) i.next(); System.out.println("CRL->Entry->OID->" + oid); } } } /* * 
catches. */ } catch (Exception e) { e.printStackTrace(); } } /** * Method importCertificate * Description: Import the certificate. * * @param filename is the file to import. * * @return the certification. * */ public X509CRL importCertificate(String filename) { X509CRL cert = null; try { CertificateFactory cf = CertificateFactory.getInstance("X.509"); /* * Get the File I/O of the Certificate */ FileInputStream fr = new FileInputStream(filename); /* * Construct the certificate based on the import */ cert = (X509CRL) cf.generateCRL(fr); fr.close(); /* * catches. */ } catch (java.security.cert.CertificateException e) { e.printStackTrace(); } catch (java.security.cert.CRLException e) { e.printStackTrace(); } catch (java.io.IOException e) { e.printStackTrace(); } return cert; } /** * Method reasonToString * * * @param i defining the reason for revocation * * @return the string that maps to the integer * */ public static String reasonToString(int i) { switch (i) { case 0 : // '\0' return "unspecified"; case 1 : // '\001' return "key compromise"; case 2 : // '\002' return "CA compromise"; case 3 : // '\003' return " affiliation changed"; case 4 : // '\004' return "superseded"; case 5 : // '\005' return "cessation of operation"; case 6 : // '\006' return "certificate hold"; case 8 : // '\b' return "remove from CRL"; case 7 : // '\007' default : return "unrecognized reason code"; } } } 
3' return "affiliation changed"; case 4 : // '
 package com.richware.chap24; import java.security.PublicKey; import java.security.Principal; import java.security.cert.X509Certificate; import java.security.cert.CertificateException; import java.security.cert.CertificateFactory; import java.security.cert.*; import java.io.FileInputStream; import java.io.FileNotFoundException; import java.util.*; import javax.security.auth.x500.X500Principal; import sun.security.x509.*; /** * Class RichCRL * Description: A custom demonstration of the Certificate Revocation List. * * Copyright: Copyright (c) 2002 Wiley Publishing, Inc. * @author Rich Helton <rhelton@richware.com> * @version 1.0 * DISCLAIMER: Please refer to the disclaimer at the beginning of this book. */ public class RichCRL { /** * Method main * Description: The main driver to run the methods . * * * @param args (no arguments presently). * */ public static void main(String args[]) { try { System.out.println("Starting RichCRL...."); /* * Pass in the argument of the keystore file * It will be opened in the same directoy as the application */ if (args[0] == null) { System.out.println("This application requires an input file for the location of the crl"); } String localDirectory = System.getProperty("user.dir"); System.out.println("Changing directory to Chapter 24"); System.setProperty("user.dir", localDirectory + "\\com\\richware\\chap24\\"); localDirectory = System.getProperty("user.dir"); /* * Get the local keystore that contains a trusted certificate */ String localInputFile = localDirectory + args[0]; System.out.println("Opening Chapter 24 plus the input file as an argument: " + localInputFile); /* * Import the certificate revocation list */ RichCRL myCertificate = new RichCRL(); X509CRL newcertificate = myCertificate.importCertificate(localInputFile); System.out.println("*********************CRL *************************"); System.out.println(newcertificate); System.out.println("CRL->Version Number->" + newcertificate.getVersion()); System.out 
.println("CRL->Signature Algorithm Identifier->" + newcertificate.getSigAlgName()); System.out.println("CRL->Issuer Name->" + newcertificate.getIssuerDN()); System.out.println("CRL->ThisUpdate->" + newcertificate.getThisUpdate()); System.out.println("CRL->NextUpdate->" + newcertificate.getNextUpdate()); /* * Get the revoked Certificates */ Set setCRLEntries = newcertificate.getRevokedCertificates(); X509CRLEntry[] newEntries = new X509CRLEntry[setCRLEntries. size ()]; Iterator iter = setCRLEntries.iterator(); int current = 0; while (iter.hasNext()) { X509CRLEntry entry = (X509CRLEntry) iter.next(); System.out.println("***********CRL Entry No Extensions****************"); System.out.println(entry); System.out.println("CRL->Entry->RevocationDate->" + entry.getRevocationDate()); System.out.println("CRL->Entry->SerialNumber->" + entry.getSerialNumber()); System.out.println("CRL->Entry->HasExtensions->" + entry.hasExtensions()); /* * Are there any extensions */ if (entry.hasExtensions()) { /* * Print the extension OIDs */ Set nonCritSet = entry.getNonCriticalExtensionOIDs(); if (nonCritSet != null) { for (Iterator i = nonCritSet.iterator(); i.hasNext();) { String oid = (String) i.next(); System.out.println("Extensions in Entry" + oid); } } } /* * Else create some extensions */ else { /* * Create an CRL Extension class to contain individual extensions */ CRLExtensions extensions = new CRLExtensions(); /* * Create the CRL Reason Code Extension */ CRLReasonCodeExtension reason = new CRLReasonCodeExtension(2); extensions.set("2.5.29.21", reason); // System.out.println("CRL->Entry->New Reason Code***********"); CRLReasonCodeExtension newreason = (CRLReasonCodeExtension) extensions .get("2.5.29.21"); // System.out.println(newreason); X509CRLEntryImpl x509crlentryimpl = new X509CRLEntryImpl(entry.getSerialNumber(), entry.getRevocationDate(), extensions); newEntries[current] = (X509CRLEntry) x509crlentryimpl; } current++; } /* * Create an X500Name from the X500 Principal */ 
X500Principal currPrincipal = newcertificate.getIssuerX500Principal(); X500Name name = new X500Name(currPrincipal.getEncoded()); /* * Create a CRL Extension class to contain individual extensions and set it for the main CRL */ CRLExtensions crlExtensions = new CRLExtensions(); CRLNumberExtension crlNumber = new CRLNumberExtension(1); crlExtensions.set("2.5.29.20", crlNumber); /* * Create a new CRL with the extensions in the CRL Entries */ X509CRLImpl newCRL = new X509CRLImpl(name, newcertificate.getThisUpdate(), newcertificate.getNextUpdate(), newEntries, crlExtensions); System.out.println("*****************CRL with Extensions**************"); System.out.println(newCRL); /* * Iterate through the CRL entries again showing the extensions */ setCRLEntries = newCRL.getRevokedCertificates(); iter = setCRLEntries.iterator(); /* * Loop through the entries */ while (iter.hasNext()) { X509CRLEntry entry = (X509CRLEntry) iter.next(); System.out.println("*******CRL Entry After Adding Reason Extension**********"); System.out.println(entry); System.out.println("CRL->Entry->RevocationDate->" + entry.getRevocationDate()); System.out.println(entry.getSerialNumber()); System.out.println("CRL->Entry->HasExtensions->" + entry.hasExtensions()); /* * the getExtensionValue will return a null because it is not part of the * supported OIDs mentioned in the JavaDocs */ System.out .println("CRL->Entry->Reason Code from method->" + entry.getExtensionValue("2.5.29.21")); X509CRLEntryImpl x509crlentryimpl = new X509CRLEntryImpl(entry.getEncoded()); Integer reasonInt = x509crlentryimpl.getReasonCode(); /* * Print out the Reason Code */ System.out .println("CRL->Entry->Reason Code->" + RichCRL .reasonToString(reasonInt.intValue())); /* * Print out the OIDs found */ Set nonCritSet = entry.getNonCriticalExtensionOIDs(); if (nonCritSet != null) { for (Iterator i = nonCritSet.iterator(); i.hasNext();) { String oid = (String) i.next(); System.out.println("CRL->Entry->OID->" + oid); } } } /* * 
catches. */ } catch (Exception e) { e.printStackTrace(); } } /** * Method importCertificate * Description: Import the certificate. * * @param filename is the file to import. * * @return the certification. * */ public X509CRL importCertificate(String filename) { X509CRL cert = null; try { CertificateFactory cf = CertificateFactory.getInstance("X.509"); /* * Get the File I/O of the Certificate */ FileInputStream fr = new FileInputStream(filename); /* * Construct the certificate based on the import */ cert = (X509CRL) cf.generateCRL(fr); fr.close(); /* * catches. */ } catch (java.security.cert.CertificateException e) { e.printStackTrace(); } catch (java.security.cert.CRLException e) { e.printStackTrace(); } catch (java.io.IOException e) { e.printStackTrace(); } return cert; } /** * Method reasonToString * * * @param i defining the reason for revocation * * @return the string that maps to the integer * */ public static String reasonToString(int i) { switch (i) { case 0 : // '\0' return "unspecified"; case 1 : // '\001' return "key compromise"; case 2 : // '\002' return "CA compromise"; case 3 : // '\003' return " affiliation changed"; case 4 : // '\004' return "superseded"; case 5 : // '\005' return "cessation of operation"; case 6 : // '\006' return "certificate hold"; case 8 : // '\b' return "remove from CRL"; case 7 : // '\007' default : return "unrecognized reason code"; } } } 
4' return "superseded"; case 5 : // '
 package com.richware.chap24; import java.security.PublicKey; import java.security.Principal; import java.security.cert.X509Certificate; import java.security.cert.CertificateException; import java.security.cert.CertificateFactory; import java.security.cert.*; import java.io.FileInputStream; import java.io.FileNotFoundException; import java.util.*; import javax.security.auth.x500.X500Principal; import sun.security.x509.*; /** * Class RichCRL * Description: A custom demonstration of the Certificate Revocation List. * * Copyright: Copyright (c) 2002 Wiley Publishing, Inc. * @author Rich Helton <rhelton@richware.com> * @version 1.0 * DISCLAIMER: Please refer to the disclaimer at the beginning of this book. */ public class RichCRL { /** * Method main * Description: The main driver to run the methods . * * * @param args (no arguments presently). * */ public static void main(String args[]) { try { System.out.println("Starting RichCRL...."); /* * Pass in the argument of the keystore file * It will be opened in the same directoy as the application */ if (args[0] == null) { System.out.println("This application requires an input file for the location of the crl"); } String localDirectory = System.getProperty("user.dir"); System.out.println("Changing directory to Chapter 24"); System.setProperty("user.dir", localDirectory + "\\com\\richware\\chap24\\"); localDirectory = System.getProperty("user.dir"); /* * Get the local keystore that contains a trusted certificate */ String localInputFile = localDirectory + args[0]; System.out.println("Opening Chapter 24 plus the input file as an argument: " + localInputFile); /* * Import the certificate revocation list */ RichCRL myCertificate = new RichCRL(); X509CRL newcertificate = myCertificate.importCertificate(localInputFile); System.out.println("*********************CRL *************************"); System.out.println(newcertificate); System.out.println("CRL->Version Number->" + newcertificate.getVersion()); System.out 
.println("CRL->Signature Algorithm Identifier->" + newcertificate.getSigAlgName()); System.out.println("CRL->Issuer Name->" + newcertificate.getIssuerDN()); System.out.println("CRL->ThisUpdate->" + newcertificate.getThisUpdate()); System.out.println("CRL->NextUpdate->" + newcertificate.getNextUpdate()); /* * Get the revoked Certificates */ Set setCRLEntries = newcertificate.getRevokedCertificates(); X509CRLEntry[] newEntries = new X509CRLEntry[setCRLEntries. size ()]; Iterator iter = setCRLEntries.iterator(); int current = 0; while (iter.hasNext()) { X509CRLEntry entry = (X509CRLEntry) iter.next(); System.out.println("***********CRL Entry No Extensions****************"); System.out.println(entry); System.out.println("CRL->Entry->RevocationDate->" + entry.getRevocationDate()); System.out.println("CRL->Entry->SerialNumber->" + entry.getSerialNumber()); System.out.println("CRL->Entry->HasExtensions->" + entry.hasExtensions()); /* * Are there any extensions */ if (entry.hasExtensions()) { /* * Print the extension OIDs */ Set nonCritSet = entry.getNonCriticalExtensionOIDs(); if (nonCritSet != null) { for (Iterator i = nonCritSet.iterator(); i.hasNext();) { String oid = (String) i.next(); System.out.println("Extensions in Entry" + oid); } } } /* * Else create some extensions */ else { /* * Create an CRL Extension class to contain individual extensions */ CRLExtensions extensions = new CRLExtensions(); /* * Create the CRL Reason Code Extension */ CRLReasonCodeExtension reason = new CRLReasonCodeExtension(2); extensions.set("2.5.29.21", reason); // System.out.println("CRL->Entry->New Reason Code***********"); CRLReasonCodeExtension newreason = (CRLReasonCodeExtension) extensions .get("2.5.29.21"); // System.out.println(newreason); X509CRLEntryImpl x509crlentryimpl = new X509CRLEntryImpl(entry.getSerialNumber(), entry.getRevocationDate(), extensions); newEntries[current] = (X509CRLEntry) x509crlentryimpl; } current++; } /* * Create an X500Name from the X500 Principal */ 
X500Principal currPrincipal = newcertificate.getIssuerX500Principal(); X500Name name = new X500Name(currPrincipal.getEncoded()); /* * Create a CRL Extension class to contain individual extensions and set it for the main CRL */ CRLExtensions crlExtensions = new CRLExtensions(); CRLNumberExtension crlNumber = new CRLNumberExtension(1); crlExtensions.set("2.5.29.20", crlNumber); /* * Create a new CRL with the extensions in the CRL Entries */ X509CRLImpl newCRL = new X509CRLImpl(name, newcertificate.getThisUpdate(), newcertificate.getNextUpdate(), newEntries, crlExtensions); System.out.println("*****************CRL with Extensions**************"); System.out.println(newCRL); /* * Iterate through the CRL entries again showing the extensions */ setCRLEntries = newCRL.getRevokedCertificates(); iter = setCRLEntries.iterator(); /* * Loop through the entries */ while (iter.hasNext()) { X509CRLEntry entry = (X509CRLEntry) iter.next(); System.out.println("*******CRL Entry After Adding Reason Extension**********"); System.out.println(entry); System.out.println("CRL->Entry->RevocationDate->" + entry.getRevocationDate()); System.out.println(entry.getSerialNumber()); System.out.println("CRL->Entry->HasExtensions->" + entry.hasExtensions()); /* * the getExtensionValue will return a null because it is not part of the * supported OIDs mentioned in the JavaDocs */ System.out .println("CRL->Entry->Reason Code from method->" + entry.getExtensionValue("2.5.29.21")); X509CRLEntryImpl x509crlentryimpl = new X509CRLEntryImpl(entry.getEncoded()); Integer reasonInt = x509crlentryimpl.getReasonCode(); /* * Print out the Reason Code */ System.out .println("CRL->Entry->Reason Code->" + RichCRL .reasonToString(reasonInt.intValue())); /* * Print out the OIDs found */ Set nonCritSet = entry.getNonCriticalExtensionOIDs(); if (nonCritSet != null) { for (Iterator i = nonCritSet.iterator(); i.hasNext();) { String oid = (String) i.next(); System.out.println("CRL->Entry->OID->" + oid); } } } /* * 
catches. */ } catch (Exception e) { e.printStackTrace(); } } /** * Method importCertificate * Description: Import the certificate. * * @param filename is the file to import. * * @return the certification. * */ public X509CRL importCertificate(String filename) { X509CRL cert = null; try { CertificateFactory cf = CertificateFactory.getInstance("X.509"); /* * Get the File I/O of the Certificate */ FileInputStream fr = new FileInputStream(filename); /* * Construct the certificate based on the import */ cert = (X509CRL) cf.generateCRL(fr); fr.close(); /* * catches. */ } catch (java.security.cert.CertificateException e) { e.printStackTrace(); } catch (java.security.cert.CRLException e) { e.printStackTrace(); } catch (java.io.IOException e) { e.printStackTrace(); } return cert; } /** * Method reasonToString * * * @param i defining the reason for revocation * * @return the string that maps to the integer * */ public static String reasonToString(int i) { switch (i) { case 0 : // '\0' return "unspecified"; case 1 : // '\001' return "key compromise"; case 2 : // '\002' return "CA compromise"; case 3 : // '\003' return " affiliation changed"; case 4 : // '\004' return "superseded"; case 5 : // '\005' return "cessation of operation"; case 6 : // '\006' return "certificate hold"; case 8 : // '\b' return "remove from CRL"; case 7 : // '\007' default : return "unrecognized reason code"; } } } 
5' return "cessation of operation"; case 6 : // '
 package com.richware.chap24; import java.security.PublicKey; import java.security.Principal; import java.security.cert.X509Certificate; import java.security.cert.CertificateException; import java.security.cert.CertificateFactory; import java.security.cert.*; import java.io.FileInputStream; import java.io.FileNotFoundException; import java.util.*; import javax.security.auth.x500.X500Principal; import sun.security.x509.*; /** * Class RichCRL * Description: A custom demonstration of the Certificate Revocation List. * * Copyright: Copyright (c) 2002 Wiley Publishing, Inc. * @author Rich Helton <rhelton@richware.com> * @version 1.0 * DISCLAIMER: Please refer to the disclaimer at the beginning of this book. */ public class RichCRL { /** * Method main * Description: The main driver to run the methods . * * * @param args (no arguments presently). * */ public static void main(String args[]) { try { System.out.println("Starting RichCRL...."); /* * Pass in the argument of the keystore file * It will be opened in the same directoy as the application */ if (args[0] == null) { System.out.println("This application requires an input file for the location of the crl"); } String localDirectory = System.getProperty("user.dir"); System.out.println("Changing directory to Chapter 24"); System.setProperty("user.dir", localDirectory + "\\com\\richware\\chap24\\"); localDirectory = System.getProperty("user.dir"); /* * Get the local keystore that contains a trusted certificate */ String localInputFile = localDirectory + args[0]; System.out.println("Opening Chapter 24 plus the input file as an argument: " + localInputFile); /* * Import the certificate revocation list */ RichCRL myCertificate = new RichCRL(); X509CRL newcertificate = myCertificate.importCertificate(localInputFile); System.out.println("*********************CRL *************************"); System.out.println(newcertificate); System.out.println("CRL->Version Number->" + newcertificate.getVersion()); System.out 
.println("CRL->Signature Algorithm Identifier->" + newcertificate.getSigAlgName()); System.out.println("CRL->Issuer Name->" + newcertificate.getIssuerDN()); System.out.println("CRL->ThisUpdate->" + newcertificate.getThisUpdate()); System.out.println("CRL->NextUpdate->" + newcertificate.getNextUpdate()); /* * Get the revoked Certificates */ Set setCRLEntries = newcertificate.getRevokedCertificates(); X509CRLEntry[] newEntries = new X509CRLEntry[setCRLEntries. size ()]; Iterator iter = setCRLEntries.iterator(); int current = 0; while (iter.hasNext()) { X509CRLEntry entry = (X509CRLEntry) iter.next(); System.out.println("***********CRL Entry No Extensions****************"); System.out.println(entry); System.out.println("CRL->Entry->RevocationDate->" + entry.getRevocationDate()); System.out.println("CRL->Entry->SerialNumber->" + entry.getSerialNumber()); System.out.println("CRL->Entry->HasExtensions->" + entry.hasExtensions()); /* * Are there any extensions */ if (entry.hasExtensions()) { /* * Print the extension OIDs */ Set nonCritSet = entry.getNonCriticalExtensionOIDs(); if (nonCritSet != null) { for (Iterator i = nonCritSet.iterator(); i.hasNext();) { String oid = (String) i.next(); System.out.println("Extensions in Entry" + oid); } } } /* * Else create some extensions */ else { /* * Create an CRL Extension class to contain individual extensions */ CRLExtensions extensions = new CRLExtensions(); /* * Create the CRL Reason Code Extension */ CRLReasonCodeExtension reason = new CRLReasonCodeExtension(2); extensions.set("2.5.29.21", reason); // System.out.println("CRL->Entry->New Reason Code***********"); CRLReasonCodeExtension newreason = (CRLReasonCodeExtension) extensions .get("2.5.29.21"); // System.out.println(newreason); X509CRLEntryImpl x509crlentryimpl = new X509CRLEntryImpl(entry.getSerialNumber(), entry.getRevocationDate(), extensions); newEntries[current] = (X509CRLEntry) x509crlentryimpl; } current++; } /* * Create an X500Name from the X500 Principal */ 
X500Principal currPrincipal = newcertificate.getIssuerX500Principal(); X500Name name = new X500Name(currPrincipal.getEncoded()); /* * Create a CRL Extension class to contain individual extensions and set it for the main CRL */ CRLExtensions crlExtensions = new CRLExtensions(); CRLNumberExtension crlNumber = new CRLNumberExtension(1); crlExtensions.set("2.5.29.20", crlNumber); /* * Create a new CRL with the extensions in the CRL Entries */ X509CRLImpl newCRL = new X509CRLImpl(name, newcertificate.getThisUpdate(), newcertificate.getNextUpdate(), newEntries, crlExtensions); System.out.println("*****************CRL with Extensions**************"); System.out.println(newCRL); /* * Iterate through the CRL entries again showing the extensions */ setCRLEntries = newCRL.getRevokedCertificates(); iter = setCRLEntries.iterator(); /* * Loop through the entries */ while (iter.hasNext()) { X509CRLEntry entry = (X509CRLEntry) iter.next(); System.out.println("*******CRL Entry After Adding Reason Extension**********"); System.out.println(entry); System.out.println("CRL->Entry->RevocationDate->" + entry.getRevocationDate()); System.out.println(entry.getSerialNumber()); System.out.println("CRL->Entry->HasExtensions->" + entry.hasExtensions()); /* * the getExtensionValue will return a null because it is not part of the * supported OIDs mentioned in the JavaDocs */ System.out .println("CRL->Entry->Reason Code from method->" + entry.getExtensionValue("2.5.29.21")); X509CRLEntryImpl x509crlentryimpl = new X509CRLEntryImpl(entry.getEncoded()); Integer reasonInt = x509crlentryimpl.getReasonCode(); /* * Print out the Reason Code */ System.out .println("CRL->Entry->Reason Code->" + RichCRL .reasonToString(reasonInt.intValue())); /* * Print out the OIDs found */ Set nonCritSet = entry.getNonCriticalExtensionOIDs(); if (nonCritSet != null) { for (Iterator i = nonCritSet.iterator(); i.hasNext();) { String oid = (String) i.next(); System.out.println("CRL->Entry->OID->" + oid); } } } /* * 
catches. */ } catch (Exception e) { e.printStackTrace(); } } /** * Method importCertificate * Description: Import the certificate. * * @param filename is the file to import. * * @return the certification. * */ public X509CRL importCertificate(String filename) { X509CRL cert = null; try { CertificateFactory cf = CertificateFactory.getInstance("X.509"); /* * Get the File I/O of the Certificate */ FileInputStream fr = new FileInputStream(filename); /* * Construct the certificate based on the import */ cert = (X509CRL) cf.generateCRL(fr); fr.close(); /* * catches. */ } catch (java.security.cert.CertificateException e) { e.printStackTrace(); } catch (java.security.cert.CRLException e) { e.printStackTrace(); } catch (java.io.IOException e) { e.printStackTrace(); } return cert; } /** * Method reasonToString * * * @param i defining the reason for revocation * * @return the string that maps to the integer * */ public static String reasonToString(int i) { switch (i) { case 0 : // '\0' return "unspecified"; case 1 : // '\001' return "key compromise"; case 2 : // '\002' return "CA compromise"; case 3 : // '\003' return " affiliation changed"; case 4 : // '\004' return "superseded"; case 5 : // '\005' return "cessation of operation"; case 6 : // '\006' return "certificate hold"; case 8 : // '\b' return "remove from CRL"; case 7 : // '\007' default : return "unrecognized reason code"; } } } 
6' return "certificate hold"; case 8 : // '\b' return "remove from CRL"; case 7 : // '
end example
 

In the Java code from Listing 24-5, I imported a VeriSign CRL. VeriSign is one of the leading CAs (www.verisign.com). After importing the CRL, the code adds a reason code to each of the three CRL entries for revoked certificates. The application produced the output shown in Listing 24-6.

Listing 24-6: The output for Listing 24-5
start example
>java com.richware.chap24.RichCRL rich.crl
Starting RichCRL....
Changing directory to Chapter 24
Opening Chapter 24 plus the input file as an argument: C:\com\richware\chap24\rich.crl
*********************CRL *************************
X.509 CRL v2
Signature Algorithm: MD2withRSA, OID=1.2.840.113549.1.1.2
Issuer: OU=VeriSign Commercial Software Publishers CA, O="VeriSign, Inc.", L=Internet

This Update: Fri Mar 23 17:00:00 MST 2001
Next Update: Wed Jan 07 16:59:59 MST 2004

Revoked Certificates: 3
[1] SerialNumber: [    1b5190f7 3724399c 9254cd42 4637996a ]  On: Mon Jan 29 17:01:24 MST 2001

[2] SerialNumber: [    77e65a43 59935d5f 7a75801a cdadc222 ]  On: Wed Aug 30 18:00:56 MDT 2000

[3] SerialNumber: [    750e40ff 97f047ed f556c708 4eb1abfd ]  On: Tue Jan 30 17:00:49 MST 2001

CRL Extensions: 2
[1]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

[2]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]

Signature:
0000: 18 2C E8 FC 16 6D 91 4A   3D 88 54 48 5D B8 11 BF   .,...m.J=.TH]...
0010: 64 BB F9 DA 59 19 DD 0E   65 AB C0 0C FA 67 7E 21   d...Y...e....g.!
0020: 1E 83 0E CF 9B 89 8A CF   0C 4B C1 39 9D E7 6A AC   Ftj.b".........!
0040: 3D 7E A7 AA 5E CD 22 15   E6 0C 75 8E 6E AD F1 84   =...^."...u.n...
0050: E4 22 B4 30 6F FB 64 8F   D7 80 43 F5 19 18 66 1D   .".0o.d...C...f.
0060: 72 A3 E3 94 82 28 52 A0   06 4E B1 C8 92 0C 97 BE   r....(R..N......
0070: 15 07 AB 7A C9 EA 08 67   43 4D 51 63 3B 9C 9C CD   ...z...gCMQc;...

CRL->Version Number->2
CRL->Signature Algorithm Identifier->MD2withRSA
CRL->Issuer Name->OU=VeriSign Commercial Software Publishers CA, O="VeriSign, Inc.", L=Internet
CRL->ThisUpdate->Fri Mar 23 17:00:00 MST 2001
CRL->NextUpdate->Wed Jan 07 16:59:59 MST 2004
***********CRL Entry No Extensions****************
SerialNumber: [    750e40ff 97f047ed f556c708 4eb1abfd ]  On: Tue Jan 30 17:00:49 MST 2001

CRL->Entry->RevocationDate->Tue Jan 30 17:00:49 MST 2001
CRL->Entry->SerialNumber->155593685987273437918165853798327757821
CRL->Entry->HasExtensions->false
***********CRL Entry No Extensions****************
SerialNumber: [    1b5190f7 3724399c 9254cd42 4637996a ]  On: Mon Jan 29 17:01:24 MST 2001

CRL->Entry->RevocationDate->Mon Jan 29 17:01:24 MST 2001
CRL->Entry->SerialNumber->36312672185138585402952177650507422058
CRL->Entry->HasExtensions->false
***********CRL Entry No Extensions****************
SerialNumber: [    77e65a43 59935d5f 7a75801a cdadc222 ]  On: Wed Aug 30 18:00:56 MDT 2000

CRL->Entry->RevocationDate->Wed Aug 30 18:00:56 MDT 2000
CRL->Entry->SerialNumber->159374190528741535247094583731252216354
CRL->Entry->HasExtensions->false
*****************CRL with Extensions**************
X.509 CRL v2
Issuer: OU=VeriSign Commercial Software Publishers CA, O="VeriSign, Inc.", L=Internet

This Update: Fri Mar 23 17:00:00 MST 2001
Next Update: Wed Jan 07 16:59:59 MST 2004

Revoked Certificates: 3
[1] SerialNumber: [    1b5190f7 3724399c 9254cd42 4637996a ]  On: Mon Jan 29 17:01:24 MST 2001

CRL Entry Extensions: 1
[1]: ObjectId: 2.5.29.21 Criticality=false
    Reason Code: CA Compromise

[2] SerialNumber: [    77e65a43 59935d5f 7a75801a cdadc222 ]  On: Wed Aug 30 18:00:56 MDT 2000

CRL Entry Extensions: 1
[1]: ObjectId: 2.5.29.21 Criticality=false
    Reason Code: CA Compromise

[3] SerialNumber: [    750e40ff 97f047ed f556c708 4eb1abfd ]  On: Tue Jan 30 17:00:49 MST 2001

CRL Entry Extensions: 1
[1]: ObjectId: 2.5.29.21 Criticality=false
    Reason Code: CA Compromise

CRL Extensions: 1
[1]: ObjectId: 2.5.29.20 Criticality=false
CRL Number:     01

NOT signed yet

*******CRL Entry After Adding Reason Extension**********
SerialNumber: [    750e40ff 97f047ed f556c708 4eb1abfd ]  On: Tue Jan 30 17:00:49 MST 2001

CRL Entry Extensions: 1
[1]: ObjectId: 2.5.29.21 Criticality=false
    Reason Code: CA Compromise

CRL->Entry->RevocationDate->Tue Jan 30 17:00:49 MST 2001
155593685987273437918165853798327757821
CRL->Entry->HasExtensions->true
CRL->Entry->Reason Code from method->null
CRL->Entry->Reason Code->CA compromise
CRL->Entry->OID->2.5.29.21
*******CRL Entry After Adding Reason Extension**********
SerialNumber: [    1b5190f7 3724399c 9254cd42 4637996a ]  On: Mon Jan 29 17:01:24 MST 2001

CRL Entry Extensions: 1
[1]: ObjectId: 2.5.29.21 Criticality=false
    Reason Code: CA Compromise

CRL->Entry->RevocationDate->Mon Jan 29 17:01:24 MST 2001
36312672185138585402952177650507422058
CRL->Entry->HasExtensions->true
CRL->Entry->Reason Code from method->null
CRL->Entry->Reason Code->CA compromise
CRL->Entry->OID->2.5.29.21
*******CRL Entry After Adding Reason Extension**********
SerialNumber: [    77e65a43 59935d5f 7a75801a cdadc222 ]  On: Wed Aug 30 18:00:56 MDT 2000

CRL Entry Extensions: 1
[1]: ObjectId: 2.5.29.21 Criticality=false
    Reason Code: CA Compromise

CRL->Entry->RevocationDate->Wed Aug 30 18:00:56 MDT 2000
159374190528741535247094583731252216354
CRL->Entry->HasExtensions->true
CRL->Entry->Reason Code from method->null
CRL->Entry->Reason Code->CA compromise
CRL->Entry->OID->2.5.29.21
end example
 

CRL entry

Now that the CRL and the CRL extensions have been discussed, the information in the CRL entry needs to be examined. A CRL entry is the record for one revoked certificate; the CRL holds the set of all such entries, which is why they are also called the revoked certificates. The Java class that represents an individual entry in the CRL is the X509CRLEntry class. From the X509CRL class, the getRevokedCertificates() method returns the set of X509CRLEntry objects found in the X509CRL, and each X509CRLEntry object in the returned set matches one revoked certificate.

The X509CRLEntry object has methods for reading the information about the revoked certificate. The information that can be read from an X509CRLEntry includes the serial number of the revoked certificate, the date the certificate was revoked, and any extensions. An example of information carried in an extension is the reason the CA revoked the certificate. RFC 2459 gives the ASN.1 notation that defines which fields make up the CRL entry; it is shown in Listing 24-7.

Listing 24-7: The CRL entry
start example
revokedCertificates     SEQUENCE OF SEQUENCE  {
     userCertificate         CertificateSerialNumber,
     revocationDate          ChoiceOfTime,
     crlEntryExtensions      Extensions OPTIONAL
                                   -- if present, must be v2
                          }  OPTIONAL

CertificateSerialNumber  ::=  INTEGER

Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension

Extension  ::=  SEQUENCE  {
     extnId      OBJECT IDENTIFIER,
     critical    BOOLEAN DEFAULT FALSE,
     extnValue   OCTET STRING
                 -- contains a DER encoding of a value
                 -- of the type registered for use with
                 -- the extnId object identifier value  }
end example
 

The CRL entry from Listing 24-7 has only three fields: the serial number of the revoked certificate, the date of revocation, and the CRL entry extensions:

  • userCertificate: This field is the serial number of the revoked certificate, as assigned by the issuer. In Java the serial number is a BigInteger and is returned by the getSerialNumber() method of the X509CRLEntry class.

  • revocationDate: This field holds the date on which the revocation of this entry took effect. In Java the revocation date is a Date and is returned by the getRevocationDate() method of the X509CRLEntry class.

  • crlEntryExtensions: This optional field (present only in version 2 CRLs) holds the CRL entry extensions that apply to this revoked certificate, such as the reason code.
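The lookup that Listing 24-5 performs by hand, iterating over getRevokedCertificates(), is what a relying party needs when it validates a certificate against a CRL, and it should only be done after the CRL itself has been checked. The following is an added example, not code from the book, written against the public java.security.cert API only (no sun.security.x509 classes): it verifies the CRL signature with the issuing CA's certificate, checks thisUpdate and nextUpdate, finds the entry by serial number with getRevokedCertificate(BigInteger), and reads the reason through getRevocationReason() (Java 7 and later). The class name CrlCheck, the RevocationStatus enum and the three file arguments are assumptions made for the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.PublicKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509Certificate;
import java.util.Date;

/**
 * Checks one certificate against a CRL using only java.security.cert.
 * Added example; CrlCheck, RevocationStatus and the file arguments are
 * assumptions, not part of the book's code.
 */
public class CrlCheck {

    /** Outcome of a revocation check for a single certificate. */
    public enum RevocationStatus { GOOD, REVOKED, CRL_UNTRUSTED, CRL_STALE, WRONG_ISSUER }

    /**
     * Validate the CRL before trusting anything it says, then look the
     * certificate up by serial number.
     *
     * @param cert   the certificate being validated
     * @param issuer the CA certificate that issued both cert and crl
     * @param crl    the CRL downloaded from the CA
     * @param now    the evaluation time (a parameter so the check is testable)
     */
    public static RevocationStatus check(X509Certificate cert, X509Certificate issuer,
                                         X509CRL crl, Date now) {
        // 1. The CRL must carry a valid signature from the CA we already trust;
        //    an unsigned or tampered list must not be consulted at all.
        try {
            PublicKey caKey = issuer.getPublicKey();
            crl.verify(caKey);
        } catch (Exception e) {   // SignatureException, CRLException, key errors
            return RevocationStatus.CRL_UNTRUSTED;
        }
        // 2. The CRL must come from the certificate's own issuer (direct CRL).
        if (!crl.getIssuerX500Principal().equals(cert.getIssuerX500Principal())) {
            return RevocationStatus.WRONG_ISSUER;
        }
        // 3. Freshness: a CRL past its nextUpdate may lack newer revocations,
        //    which is why the list has to be downloaded again periodically.
        Date next = crl.getNextUpdate();
        if (now.before(crl.getThisUpdate()) || (next != null && now.after(next))) {
            return RevocationStatus.CRL_STALE;
        }
        // 4. Look up the entry by serial number; null means the serial is not listed.
        X509CRLEntry entry = crl.getRevokedCertificate(cert.getSerialNumber());
        if (entry == null) {
            return RevocationStatus.GOOD;
        }
        // getRevocationReason() decodes extension 2.5.29.21 into a CRLReason
        // enum value, or returns null when the entry carries no reason code.
        System.out.println("revoked on " + entry.getRevocationDate()
                + ", reason " + entry.getRevocationReason());
        return RevocationStatus.REVOKED;
    }

    /** Usage: java CrlCheck <cert.der> <ca-cert.der> <list.crl> (file names are assumptions). */
    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: CrlCheck <cert> <ca-cert> <crl>");
            return;
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert;
        X509Certificate ca;
        X509CRL crl;
        try (InputStream in = new FileInputStream(args[0])) {
            cert = (X509Certificate) cf.generateCertificate(in);
        }
        try (InputStream in = new FileInputStream(args[1])) {
            ca = (X509Certificate) cf.generateCertificate(in);
        }
        try (InputStream in = new FileInputStream(args[2])) {
            crl = (X509CRL) cf.generateCRL(in);
        }
        System.out.println(check(cert, ca, crl, new Date()));
    }
}
```

A certificateHold entry (reason 6) is reported as REVOKED here, which is the safe default for a validator. The issuer comparison in step 2 assumes a direct CRL; an indirect CRL identifies the issuer of each entry through the Certificate Issuer extension described later in this section, and that extension would have to be consulted instead.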

The purpose of the per-entry extensions in version 2 of the CRL was simply to extend the reasons for the revocation. Without a reason code and the CA's hold instructions, a revocation tells the relying party nothing about why the certificate was withdrawn. If the private key of the issuer was compromised and the certificate revoked, the issuer might continue to use the private key unless it is notified that the key has been compromised. The reason code describes why the certificate was revoked, and it helps inform the parties of issues with the revoked certificate.

The idea is to give enough information to help discover weaknesses in the security and any holes found in the PKI. The organization should be made aware of why some of its digital certificates are no longer in use. The organization should contact the appropriate CA if it feels that further action is needed on the CA's part. If the reason code is that the CA is compromised, the organization should confirm with the CA that there are no security breaches.

The hold instructions are actions the CA asks the organization to take to deal with a revoked certificate. The hold instructions are expressed as OIDs that the organization looks up to find the actions it must take; the meaning of an OID is agreed between the CA and the organization using the digital certificates. An OID could, for example, instruct the organization to call the CA immediately because a security breach has been discovered. It is very important for an organization to understand why some of its certificates were revoked, to ensure that its security services are still secure. Here are the fields and their definitions:

  • Reason Code (OID 2.5.29.21): This extension specifies the reason for certificate revocation. The reason code is always marked non-critical. The valid values, with the integer each one encodes, are the following.

    Tip  

    A sample for examining the reason code is shown in Listing 24-5.

    • unspecified (integer 0): There was no reason given from the CA for why the certificate was revoked.

    • keyCompromise (integer 1): The CA believes that the private key of the certificate subject has been compromised. This reason code is applicable to end-entity certificates.

    • cACompromise (integer 2): The private key of a CA is believed to have been compromised. This reason code is used when revoking CA certificates.

    • affiliationChanged (integer 3): The name of the subject or other information in the certificate has been changed. This reason code does not imply that the private key has been compromised.

    • superseded (integer 4): The certificate has been superseded by a newer certificate. This reason code does not imply that the private key has been compromised.

    • cessationOfOperation (integer 5): The certificate is no longer required for the purpose for which it was issued. This reason code does not imply that the private key has been compromised.

    • certificateHold (integer 6): The certificate has effectively been suspended or put on hold. If this reason code is used, the HoldInstructionCode extension may be specified. Certificates that have been suspended may later be revoked or released and the entry removed from the CRL.

    • removeFromCRL (integer 8): This reason code is explicitly used for the delta CRLs to indicate that a certificate has expired or has been released from the hold state.

    • privilegeWithdrawn (integer 9): A privilege that was specified within a certificate has been withdrawn.

    • aACompromise (integer 10): Indicates that the attribute authority (AA) named in the certificate has been compromised.

  • Hold Instruction Code (OID 2.5.29.23): This non-critical extension supports the temporary suspension of a certificate. When present, it contains the OID that describes the action to be taken.

  • Certificate Issuer (OID 2.5.29.29): This extension identifies the name of the certificate issuer associated with an entry in an indirect CRL. It should be marked critical.

  • Invalidity Date (OID 2.5.29.24): This non-critical extension contains a date/time value showing when a suspected or known compromise of the private key occurred.
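Listing 24-7 shows that every extnValue is an OCTET STRING wrapping the DER encoding of the extension's own type, and of the entry extensions just listed the reason code and the invalidity date are the two a validator most often needs. The following is an added example, not the book's code, that decodes both from the bytes X509CRLEntry.getExtensionValue(oid) returns on current JDKs (the book's JDK returned null for 2.5.29.21, as the comment in Listing 24-5 notes). The sample byte arrays are constructed for the example; the class CrlEntryExtensions and its method names are assumptions. It also covers the reason-code values from the list above, including the unassigned value 7.

```java
import java.nio.charset.StandardCharsets;
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.TimeZone;

/**
 * Decodes the reason code (2.5.29.21) and invalidity date (2.5.29.24) CRL entry
 * extensions from the extnValue bytes that X509CRLEntry.getExtensionValue(oid)
 * returns. Added example; the byte arrays in main() are constructed, not taken
 * from a real CRL.
 */
public class CrlEntryExtensions {

    /** Reason names indexed by the ENUMERATED value; 7 is not assigned. */
    private static final String[] REASONS = {
        "unspecified", "keyCompromise", "cACompromise", "affiliationChanged",
        "superseded", "cessationOfOperation", "certificateHold", null,
        "removeFromCRL", "privilegeWithdrawn", "aACompromise"
    };

    /**
     * Strip the outer OCTET STRING (tag 0x04) that wraps every extnValue and
     * return the DER value inside it. Only short-form lengths (under 128 bytes)
     * are handled, which covers both extensions decoded here.
     */
    static byte[] unwrapOctetString(byte[] extnValue) {
        if (extnValue == null || extnValue.length < 2 || extnValue[0] != 0x04) {
            throw new IllegalArgumentException("extnValue is not a DER OCTET STRING");
        }
        int len = extnValue[1] & 0xFF;
        if (len >= 0x80 || 2 + len != extnValue.length) {
            throw new IllegalArgumentException("unsupported or inconsistent DER length");
        }
        byte[] inner = new byte[len];
        System.arraycopy(extnValue, 2, inner, 0, len);
        return inner;
    }

    /** CRLReason ::= ENUMERATED, encoded as 0A 01 <value>. */
    public static int decodeReasonCode(byte[] extnValue) {
        byte[] v = unwrapOctetString(extnValue);
        if (v.length != 3 || v[0] != 0x0A || v[1] != 0x01) {
            throw new IllegalArgumentException("not a single-byte ENUMERATED");
        }
        return v[2] & 0xFF;
    }

    /** Map a reason value to its RFC name; unknown values are reported, not guessed. */
    public static String reasonName(int code) {
        return (code >= 0 && code < REASONS.length && REASONS[code] != null)
                ? REASONS[code] : "unrecognized reason code " + code;
    }

    /** InvalidityDate ::= GeneralizedTime, encoded as 18 0F "YYYYMMDDHHMMSSZ" (UTC). */
    public static Date decodeInvalidityDate(byte[] extnValue) throws ParseException {
        byte[] v = unwrapOctetString(extnValue);
        if (v.length < 2 || v[0] != 0x18 || (v[1] & 0xFF) != v.length - 2) {
            throw new IllegalArgumentException("not a GeneralizedTime");
        }
        String text = new String(v, 2, v.length - 2, StandardCharsets.US_ASCII);
        SimpleDateFormat fmt = new SimpleDateFormat("yyyyMMddHHmmss'Z'");
        fmt.setTimeZone(TimeZone.getTimeZone("UTC"));
        return fmt.parse(text);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: extnValue for reasonCode = cACompromise (2).
        byte[] reason = {0x04, 0x03, 0x0A, 0x01, 0x02};
        // Constructed sample: extnValue for invalidityDate = 2001-01-29 17:01:24 UTC.
        byte[] when = {0x04, 0x11, 0x18, 0x0F,
                       '2', '0', '0', '1', '0', '1', '2', '9', '1', '7', '0', '1', '2', '4', 'Z'};
        int code = decodeReasonCode(reason);
        System.out.println("reason " + code + " = " + reasonName(code));
        System.out.println("invalid since " + decodeInvalidityDate(when));
    }
}
```

In practice the byte arrays come from entry.getExtensionValue("2.5.29.21") and entry.getExtensionValue("2.5.29.24"), each of which returns null when the entry lacks that extension, so callers should test for null before decoding. The length checks matter: a malformed extension must be rejected rather than decoded into a misleading reason or date.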

  


Java Security Solutions
ISBN: 0764549286
Year: 2001
Pages: 222