
General Issues » Get CRL of a certificate

Author: clercmedia, Visitor
10/09/2009 21:40:31
Hi Guys,

I'm now finally trying your demo, and we are pretty happy with it.
The only thing is I'm having problems getting the CRL from the certificate.

We always get an empty collection when calling

Collection<? extends CRL> generatedCRL = cf.generateCRLs();

Could you give me an example of how we can get the CRL with your tool, please? This is the only thing that is missing before buying your API.

Here is my code:

import java.io.ByteArrayInputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.CRL;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.interfaces.RSAPrivateKey;
import java.util.Collection;
import java.util.Enumeration;
// JCAPI vendor classes; package name assumed from the JCAPI distribution.
import com.pheox.jcapi.JCAPIProperties;
import com.pheox.jcapi.JCAPIProvider;

public class CrlExample
{
    public static void main(String[] args)
    {
        try
        {
            Security.addProvider(new JCAPIProvider());

            // Open the Windows "My" certificate store through the JCAPI provider.
            KeyStore ks = KeyStore.getInstance("msks", "JCAPI");
            ks.load(null, null);
            String alias = null;
            RSAPrivateKey privateKey = null;

            // Force JCAPI to export private keys.
            JCAPIProperties.getInstance().setPrivateKeyExportable(true);

            System.out.println("Trying to find an exportable RSA private key.");
            // Get first available RSA private key.
            for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();)
            {
                alias = e.nextElement();
                if (ks.isKeyEntry(alias))
                {
                    privateKey = (RSAPrivateKey) ks.getKey(alias, null);
                    getCRLFromCertificate(ks.getCertificate(alias));
                    ks.getCertificateChain(alias); // chain fetched but not used yet
                    break; // stop at the first key entry
                }
            }
        }
        catch (Throwable t)
        {
            System.err.println("Example program failed.");
            t.printStackTrace();
        }
    }

    private static void getCRLFromCertificate(Certificate c) throws Exception
    {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // Re-parse the DER-encoded certificate through the factory.
        ByteArrayInputStream bais = new ByteArrayInputStream(c.getEncoded());
        cf.generateCertificate(bais);
        // Try to read CRLs from the same stream.
        Collection<? extends CRL> generatedCRL = cf.generateCRLs(bais);
        bais.close();
        // why is this always 0 ?!?!?!
        System.out.println(generatedCRL.size());
    }
}

Thanks in advance

Chris

Author: tommy, Visitor
11/09/2009 20:04:24
Hi Chris,

The problem is not within JCAPI.
You cannot get the CRL list from a certificate, since it doesn't contain one. However, most certificates have something called "CRL Distribution Points", which contains one or more URLs to be used for downloading CRLs. Consequently, you have to:
1. Get the CRL URL(s) from your certificate, perhaps by using the getExtensionValue() method of the X509Extension class; see the links below.
2. Download the CRL(s), perhaps by using the HttpURLConnection class with the URL class.
3. Decode the downloaded ASN.1/BER-encoded CRLs into manageable Java X509CRL instances by using the generateCRLs() method of the CertificateFactory class.

A good starting point would be:
http://www.javaworld.com/javaworld/jw-03-2001/jw-0316-howto.html
http://juliusdavies.ca/commons-ssl/src/java/org/apache/commons/ssl/Certificates.java

Regards,
Tommy
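The three steps above carried through in plain JDK classes, as an added example (not JCAPI code and not from either poster): a minimal DER walk of the CRL Distribution Points extension, an HTTP fetch of each URI, and generateCRLs() to decode the result, with the CRL's signature and nextUpdate checked before it is trusted. It assumes the issuer certificate is available (for example from ks.getCertificateChain(alias)) and that the hand-written DER reader only needs to handle the common fullName/URI layout of the extension.

```java
import java.io.InputStream;
import java.net.*;
import java.security.cert.*;
import java.util.*;
public class CrlFetcher {
    /** URIs from the CRL Distribution Points extension (OID 2.5.29.31); empty if absent. */
    public static List<String> crlUris(X509Certificate cert) {
        List<String> uris = new ArrayList<>();
        byte[] ext = cert.getExtensionValue("2.5.29.31");  // DER value wrapped in an OCTET STRING
        if (ext != null) collectUris(ext, 0, ext.length, uris);
        return uris;
    }
    // Read one DER tag and length at off; returns {contentStart, contentLength, tag}.
    private static int[] tlv(byte[] b, int off) {
        int tag = b[off] & 0xFF, len = b[off + 1] & 0xFF, pos = off + 2;
        if ((len & 0x80) != 0) {  // long form: the next (len & 0x7F) bytes hold the length
            int n = len & 0x7F; len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (b[pos++] & 0xFF);
        }
        return new int[] {pos, len, tag};
    }
    // Enter only OCTET STRING (0x04), SEQUENCE (0x30) and [0] (0xA0) containers, i.e. the path
    // DistributionPoint -> distributionPoint -> fullName -> uniformResourceIdentifier (0x86);
    // cRLIssuer ([2]) and nameRelativeToCRLIssuer ([1]) are deliberately not entered.
    private static void collectUris(byte[] b, int pos, int end, List<String> out) {
        while (pos < end) {
            int[] h = tlv(b, pos);
            if (h[2] == 0x86) out.add(new String(b, h[0], h[1], java.nio.charset.StandardCharsets.US_ASCII));
            else if (h[2] == 0x04 || h[2] == 0x30 || h[2] == 0xA0) collectUris(b, h[0], h[0] + h[1], out);
            pos = h[0] + h[1];
        }
    }
    /** Fetch each http(s) point, decode with generateCRLs(), keep only issuer-signed, current CRLs. */
    public static List<X509CRL> fetchCrls(X509Certificate cert, X509Certificate issuer) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509CRL> crls = new ArrayList<>();
        for (String uri : crlUris(cert)) {
            if (!uri.startsWith("http")) continue;  // ldap:// points need a different client
            HttpURLConnection c = (HttpURLConnection) new URL(uri).openConnection();
            c.setConnectTimeout(5000); c.setReadTimeout(10000);
            try (InputStream in = c.getInputStream()) {
                for (CRL crl : cf.generateCRLs(in)) {
                    X509CRL x = (X509CRL) crl;
                    x.verify(issuer.getPublicKey());  // throws if the CRL was not signed by the issuer
                    if (x.getNextUpdate() == null || x.getNextUpdate().after(new Date())) crls.add(x);
                }
            }
        }
        return crls;  // revocation check: crl.isRevoked(cert) on each returned CRL
    }
}
```

Without the verify() and nextUpdate checks, anything served at the distribution point URL would be accepted as the issuer's revocation list, so keep them even when the fetch itself goes through a different HTTP client.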