Pheox - Forums

Get CRL of a certificate
clercmedia

Visitor

Joined: Sep 10, 2009
Messages: 1
Offline
Hi guys,

I'm now finally trying your demo, and we are pretty happy with it.
The only thing is I'm having problems getting the CRL from the certificate.

We always got an empty collection when calling

    Collection<? extends CRL> generatedCRL = cf.generateCRLs();

Could you give me an example of how we can get the CRL with your tool, please? This is the only thing missing before buying your API.

Here is my code:

    public static void main(String[] args)
    {
        try
        {
            Security.addProvider(new JCAPIProvider());

            KeyStore ks = KeyStore.getInstance("msks", "JCAPI");
            ks.load(null, null);
            String alias = null;
            RSAPrivateKey privateKey = null;

            // Force JCAPI to export private keys.
            JCAPIProperties.getInstance().setPrivateKeyExportable(true);

            System.out.println("Trying to find an exportable RSA private key.");
            // Get first available RSA private key.
            for (java.util.Enumeration<String> e = ks.aliases(); e.hasMoreElements();)
            {
                alias = e.nextElement();
                if (ks.isKeyEntry(alias))
                {
                    privateKey = (RSAPrivateKey) ks.getKey(alias, null);
                    getCRLFromCertificate(ks.getCertificate(alias));
                    ks.getCertificateChain(alias);
                    // Stop at the first key entry, not at the first alias.
                    break;
                }
            }
        }
        catch (Throwable t)
        {
            System.err.println("Example program failed.");
            t.printStackTrace();
        }
    }

    private static void getCRLFromCertificate(Certificate c) throws Exception
    {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        ByteArrayInputStream bais = new ByteArrayInputStream(c.getEncoded());
        cf.generateCertificate(bais);
        Collection<? extends CRL> generatedCRL = cf.generateCRLs(bais);
        bais.close();
        // why this is always 0 ?!?!?!
        System.out.println(generatedCRL.size());
    }

Thanks in advance

Chris
tommy

Visitor

Joined: May 30, 2005
Messages: 148
Offline
Hi Chris,

The problem is not within JCAPI.
You cannot get the CRL list from a certificate since it doesn't contain one. However, most certificates have something called "CRL Distribution Points" which contains one or more URLs to be used for downloading CRLs. Consequently, you have to:
1. Get the CRL URL(s) from your certificate. Perhaps by using the getExtensionValue() method in X509Extension class, see link below.
2. Download the CRL(s). Perhaps by using the HttpURLConnection class with a URL class.
3. Decode the downloaded ASN.1/BER encoded CRLs into manageable Java X509CRL instances by using the method generateCRLs() in class CertificateFactory.

A good starting point would be:
http://www.javaworld.com/javaworld/jw-03-2001/jw-0316-howto.html
http://juliusdavies.ca/commons-ssl/src/java/org/apache/commons/ssl/Certificates.java

Regards,
Tommy
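
The three steps from the reply above, as an added Java example (not part of the original thread and not JCAPI's own code): `crlUrls` reads the URLs out of the CRL Distribution Points extension, `fetchCrl` downloads and decodes one CRL, and `isRevoked` ties them together. The class and method names and the host crl.example.test are hypothetical, the extension value in `main` is constructed, and the example goes one step past the reply by verifying the CRL signature against the issuer and refusing non-HTTP(S) URLs.

```java
import java.io.*;
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.security.cert.*;
import java.util.*;
public class CrlCheck {
    // Step 1: DER walk into the OCTET STRING and constructed values, minus cRLIssuer [2]; keeps URIs (0x86).
    static List<String> crlUrls(byte[] d, int off, int end, List<String> urls) {
        while (off + 2 <= end) {
            int tag = d[off++] & 0xff, len = d[off++] & 0xff;
            if (len > 0x7f) {                       // long-form length
                int n = len & 0x7f;
                if (n > 3 || off + n > end) break;  // malformed, stop
                for (len = 0; n > 0; n--) len = (len << 8) | (d[off++] & 0xff);
            }
            if (len > end - off) break;             // truncated, stop
            if (tag == 0x86) urls.add(new String(d, off, len, StandardCharsets.US_ASCII));
            else if (tag == 0x04 || ((tag & 0x20) != 0 && tag != 0xA2)) crlUrls(d, off, off + len, urls);
            off += len;
        }
        return urls;
    }

    static X509CRL fetchCrl(String url, X509Certificate issuer) throws Exception {
        if (!url.matches("(?i)https?://.+")) throw new IOException("unsupported CRL scheme: " + url);
        URLConnection c = URI.create(url).toURL().openConnection();
        c.setConnectTimeout(5000);
        c.setReadTimeout(10000);
        try (InputStream in = c.getInputStream()) {  // step 2: download
            X509CRL crl = (X509CRL) CertificateFactory.getInstance("X.509").generateCRL(in); // step 3
            crl.verify(issuer.getPublicKey());       // throws unless the issuer signed it
            return crl;
        }
    }

    static boolean isRevoked(X509Certificate cert, X509Certificate issuer) throws Exception {
        byte[] ext = cert.getExtensionValue("2.5.29.31"); // CRL Distribution Points; null if absent
        List<String> urls = crlUrls(ext, 0, ext == null ? 0 : ext.length, new ArrayList<>());
        if (urls.isEmpty()) throw new CertificateException("no CRL URL in certificate");
        for (String url : urls) if (fetchCrl(url, issuer).isRevoked(cert)) return true;
        return false;
    }

    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream ext = new ByteArrayOutputStream(); // constructed sample extension value
        ext.write(new byte[] {0x04, 40, 0x30, 38, 0x30, 36, (byte) 0xA0, 34, (byte) 0xA0, 32, (byte) 0x86, 30});
        ext.write("http://crl.example.test/ca.crl".getBytes(StandardCharsets.US_ASCII));
        System.out.println(crlUrls(ext.toByteArray(), 0, ext.size(), new ArrayList<>()));
    }
}
```

`isRevoked` throws rather than returning false when the certificate carries no CRL URL, so a missing distribution point is never read as "not revoked".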
 