Examples of java.security.cert.CRL

• java.security.cert.CRL
  This class is an abstraction of certificate revocation lists (CRLs) that have different formats but important common uses. For example, all CRLs share the functionality of listing revoked certificates, and can be queried on whether or not they list a given certificate.

  Specialized CRL types can be defined by subclassing off of this abstract class. @author Hemma Prafullchandra @version 1.14, 04/21/06 @see X509CRL @see CertificateFactory @since 1.2

        {
            CertificateFactory cf = CertificateFactory.getInstance("X.509",
                "BC");
            while (it.hasNext())
            {
                CRL crl = cf.generateCRL(new ByteArrayInputStream((byte[])it
                    .next()));
                if (xselector.match(crl))
                {
                    crlSet.add(crl);
                }

            if (crls.isEmpty())
              throw new CertPathValidatorException("no CRLs for issuer");
            boolean certOk = false;
            for (Iterator it = crls.iterator(); it.hasNext();)
              {
                CRL crl = (CRL) it.next();
                if (! (crl instanceof X509CRL))
                  continue;
                X509CRL xcrl = (X509CRL) crl;
                if (! checkCRL(xcrl, p, now, p[i], pubKey, certStores))
                  continue;
                if (xcrl.isRevoked(p[i - 1]))
                  throw new CertPathValidatorException("certificate is revoked");
                else
                  certOk = true;
              }
            if (! certOk)
              throw new CertPathValidatorException(
                  "certificate's validity could not be determined");
          }
      }
    rootNode.setReadOnly();
    // Now ensure that the first certificate in the chain was issued
    // by a trust anchor.
    Exception cause = null;
    Set anchors = ((PKIXParameters) params).getTrustAnchors();
    for (Iterator i = anchors.iterator(); i.hasNext();)
      {
        TrustAnchor anchor = (TrustAnchor) i.next();
        X509Certificate anchorCert = null;
        PublicKey anchorKey = null;
        if (anchor.getTrustedCert() != null)
          {
            anchorCert = anchor.getTrustedCert();
            anchorKey = anchorCert.getPublicKey();
          }
        else
          anchorKey = anchor.getCAPublicKey();
        if (anchorKey == null)
          continue;
        try
          {
            if (anchorCert != null)
              anchorCert.checkValidity(now);
            p[p.length - 1].verify(anchorKey);
            if (anchorCert != null && anchorCert.getBasicConstraints() >= 0
                && anchorCert.getBasicConstraints() < p.length)
              continue;

            if (((PKIXParameters) params).isRevocationEnabled())
              {
                X509CRLSelectorImpl selector = new X509CRLSelectorImpl();
                if (anchorCert != null)
                  try
                    {
                      selector.addIssuerName(anchorCert.getSubjectDN());
                    }
                  catch (IOException ioe)
                    {
                    }
                else
                  selector.addIssuerName(anchor.getCAName());
                List certStores = ((PKIXParameters) params).getCertStores();
                List crls = new LinkedList();
                for (Iterator it = certStores.iterator(); it.hasNext();)
                  {
                    CertStore cs = (CertStore) it.next();
                    try
                      {
                        Collection c = cs.getCRLs(selector);
                        crls.addAll(c);
                      }
                    catch (CertStoreException cse)
                      {
                      }
                  }
                if (crls.isEmpty())
                  continue;
                for (Iterator it = crls.iterator(); it.hasNext();)
                  {
                    CRL crl = (CRL) it.next();
                    if (! (crl instanceof X509CRL))
                      continue;
                    X509CRL xcrl = (X509CRL) crl;
                    try
                      {

        val2 = ber.read();
        List crls = new LinkedList();
        while (val2 != BER.END_OF_SEQUENCE &&
               (val.getLength() > 0 && val.getLength() > count))
          {
            CRL crl = x509.generateCRL(new ByteArrayInputStream(val2.getEncoded()));
            if (Configuration.DEBUG)
              log.fine("    CRL: " + crl);
            crls.add(crl);
            count += val2.getEncodedLength();
            ber.skip(val2.getLength());

            this.urlString = urlString;
        }

        public synchronized boolean checkCRL(X509Certificate cert)
            throws CertificateException {
            CRL crl = null;
            long now = System.currentTimeMillis();
            if (now - creationTime > 24 * 60 * 60 * 1000) {
                // Expire cache every 24 hours
                if (tempCRLFile != null && tempCRLFile.exists()) {
                    tempCRLFile.delete();
                }
                tempCRLFile = null;
                passedTest.clear();

                /*
                      Note:  if any certificate ever fails the check, we will
                      remember that fact.

                      This breaks with temporary "holds" that CRL's can issue.
                      Apparently a certificate can have a temporary "hold" on its
                      validity, but I'm not interested in supporting that.  If a "held"
                      certificate is suddenly "unheld", you're just going to need
                      to restart your JVM.
                    */
                // failedTest.clear();  <-- DO NOT UNCOMMENT!
            }

            BigInteger fingerprint = getFingerprint(cert);
            if (failedTest.contains(fingerprint)) {
                throw new CertificateException("Revoked by CRL (cached response)");
            }
            if (passedTest.contains(fingerprint)) {
                return true;
            }

            if (tempCRLFile == null) {
                try {
                    // log.info( "Trying to load CRL [" + urlString + "]" );
                    URL url = new URL(urlString);
                    File tempFile = File.createTempFile("crl", ".tmp");
                    tempFile.deleteOnExit();

                    OutputStream out = new FileOutputStream(tempFile);
                    out = new BufferedOutputStream(out);
                    InputStream in = new BufferedInputStream(url.openStream());
                    try {
                        Util.pipeStream(in, out);
                    }
                    catch (IOException ioe) {
                        // better luck next time
                        tempFile.delete();
                        throw ioe;
                    }
                    this.tempCRLFile = tempFile;
                    this.creationTime = System.currentTimeMillis();
                }
                catch (IOException ioe) {
                    // log.warn( "Cannot check CRL: " + e );
                }
            }

            if (tempCRLFile != null && tempCRLFile.exists()) {
                try {
                    InputStream in = new FileInputStream(tempCRLFile);
                    in = new BufferedInputStream(in);
                    synchronized (CF) {
                        crl = CF.generateCRL(in);
                    }
                    in.close();
                    if (crl.isRevoked(cert)) {
                        // log.warn( "Revoked by CRL [" + urlString + "]: " + name );
                        passedTest.remove(fingerprint);
                        failedTest.add(fingerprint);
                        throw new CertificateException("Revoked by CRL");
                    } else {

     */
    public Collection engineGenerateCRLs(
        InputStream inStream)
        throws CRLException
    {
        CRL     crl;
        List    crls = new ArrayList();

        while ((crl = engineGenerateCRL(inStream)) != null)
        {
            crls.add(crl);

    }

    public Collection engineReadAll()
        throws StreamParsingException
    {
        CRL     crl;
        List certs = new ArrayList();

        while ((crl = (CRL)engineRead()) != null)
        {
            certs.add(crl);

    }

    public Collection engineReadAll()
        throws StreamParsingException
    {
        CRL     crl;
        List certs = new ArrayList();

        while ((crl = (CRL)engineRead()) != null)
        {
            certs.add(crl);

        {
            bIn = new ByteArrayInputStream(bytes);

            CertificateFactory  fact = CertificateFactory.getInstance("X.509", "BC");

            CRL cert = fact.generateCRL(bIn);

            // System.out.println(cert);
        }
        catch (Exception e)
        {

        Certificate cert = cf.generateCertificate(new ByteArrayInputStream(PEMData.CERTIFICATE_1.getBytes("US-ASCII")));
        if (cert == null)
        {
            fail("PEM cert not read");
        }
        CRL crl = cf.generateCRL(new ByteArrayInputStream(PEMData.CRL_1.getBytes("US-ASCII")));
        if (crl == null)
        {
            fail("PEM crl not read");
        }
        Collection col = cf.generateCertificates(new ByteArrayInputStream(PEMData.CERTIFICATE_2.getBytes("US-ASCII")));

     */
    public Collection engineGenerateCRLs(
        InputStream inStream)
        throws CRLException
    {
        CRL     crl;
        List    crls = new ArrayList();

        while ((crl = engineGenerateCRL(inStream)) != null)
        {
            crls.add(crl);