Purpose: To obtain information on the certificate revocation list for this certificate.
Reason: When a java.security.cert.PKIXParameters object is configured to verify certificate revocation status through PKIXParameters#setRevocationEnabled(true), it uses an instance of sun.security.provider.certpath.CrlRevocationChecker. This check requires a call to PKIXParameters#addCertStore(...) that adds a java.security.cert.CertStore containing X509CRL implementations that hold the CRL information the validation can check.
Question: Is there a library or implementation to extract this data, or does it need to be done manually (example below)? The library will most likely support all possible types of connections / exceptions / errors that may occur, while a manual solution would need work to bring it in line with corporate standards.
The certificate can be in any of these X.509 certificate wrappers:
java.security.cert.X509Certificate
org.bouncycastle.cert.X509CertificateHolder
org.bouncycastle.jce.provider.X509CertificateObject
Java code to get CRL data manually
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.net.URL;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.List;
import sun.security.x509.*; // JDK-internal classes, not part of the public API

static List<X509CRL> getCRLSFromCertPath(CertPath certPath, CertificateFactory certificateFactory) {
    List<X509CRL> x509CRLs = new ArrayList<>();
    List<? extends Certificate> certificates = certPath.getCertificates();
    for (Certificate certificate : certificates) {
        try {
            // Re-parse as the JDK implementation class to reach the extension accessors
            X509CertImpl x509Cert = new X509CertImpl(certificate.getEncoded());
            CRLDistributionPointsExtension crlDistroExten = x509Cert.getCRLDistributionPointsExtension();
            if (crlDistroExten == null) {
                continue; // certificate carries no CRL Distribution Points extension
            }
            @SuppressWarnings("unchecked")
            List<DistributionPoint> distros =
                    (List<DistributionPoint>) crlDistroExten.get(CRLDistributionPointsExtension.POINTS);
            for (DistributionPoint distributionPoint : distros) {
                GeneralNames distroName = distributionPoint.getFullName();
                if (distroName == null) {
                    continue; // point is given relative to the CRL issuer, not as a full name
                }
                for (int i = 0; i < distroName.size(); ++i) {
                    GeneralName name = distroName.get(i);
                    if (name.getType() != GeneralNameInterface.NAME_URI) {
                        continue; // only URI distribution points can be fetched directly
                    }
                    URI uri = ((URIName) name.getName()).getURI();
                    // try-with-resources closes the stream even if CRL parsing fails
                    try (InputStream inputStream = new URL(uri.toString()).openConnection().getInputStream()) {
                        x509CRLs.add((X509CRL) certificateFactory.generateCRL(inputStream));
                    }
                }
            }
        } catch (CertificateException | IOException | CRLException e) {
            e.printStackTrace();
        } catch (RuntimeException e) {
            e.printStackTrace();
        }
    }
    return x509CRLs;
}
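The following is an added example, not part of the question or of any library it mentions, showing the two halves described in the Reason paragraph using only the public JCA API plus BouncyCastle's ASN.1 classes (no sun.security.* internals): reading the CRL Distribution Points extension (OID 2.5.29.31) from a java.security.cert.X509Certificate, downloading the CRLs, and feeding them to a PKIX validator through a Collection CertStore with revocation checking enabled. The class name CrlPathValidation and the helper method names are mine; it assumes bcprov and bcpkix on the classpath and that the caller already has a CertPath and a set of TrustAnchors.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.cert.*;
import java.util.*;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.x509.*;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;

// Added example (not the question's code): public-API route to the CRL data
public final class CrlPathValidation {

    // Returns the URI-form distribution points from the CRL Distribution Points extension.
    // Non-URI names (e.g. directory names) and issuer-relative names are skipped.
    static List<String> crlDistributionPointUris(X509Certificate cert) throws IOException {
        List<String> uris = new ArrayList<>();
        byte[] ext = cert.getExtensionValue(Extension.cRLDistributionPoints.getId());
        if (ext == null) {
            return uris; // no extension: nothing to fetch for this certificate
        }
        // getExtensionValue() returns the DER OCTET STRING wrapping the extension; unwrap it
        ASN1Primitive inner = JcaX509ExtensionUtils.parseExtensionValue(ext);
        for (DistributionPoint dp : CRLDistPoint.getInstance(inner).getDistributionPoints()) {
            DistributionPointName dpn = dp.getDistributionPoint();
            if (dpn == null || dpn.getType() != DistributionPointName.FULL_NAME) {
                continue;
            }
            for (GeneralName gn : GeneralNames.getInstance(dpn.getName()).getNames()) {
                if (gn.getTagNo() == GeneralName.uniformResourceIdentifier) {
                    uris.add(DERIA5String.getInstance(gn.getName()).getString());
                }
            }
        }
        return uris;
    }

    // Downloads every HTTP(S) distribution point of one certificate as an X509CRL.
    // The CRL's own signature is checked later by the PKIX validator, not here.
    static List<X509CRL> downloadCrls(X509Certificate cert, CertificateFactory cf) throws Exception {
        List<X509CRL> crls = new ArrayList<>();
        for (String uri : crlDistributionPointUris(cert)) {
            if (!uri.startsWith("http://") && !uri.startsWith("https://")) {
                continue; // ldap: and other schemes need a different client
            }
            try (InputStream in = new URL(uri).openStream()) {
                crls.add((X509CRL) cf.generateCRL(in));
            }
        }
        return crls;
    }

    // Wires the CRLs into PKIXParameters exactly as the Reason paragraph describes:
    // revocation enabled, CRLs supplied through a Collection CertStore.
    static PKIXCertPathValidatorResult validateWithCrls(CertPath path, Set<TrustAnchor> anchors,
                                                        List<X509CRL> crls) throws Exception {
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(true);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        // Throws CertPathValidatorException if a certificate is revoked or if no
        // usable CRL was found (reason UNDETERMINED_REVOCATION_STATUS)
        return (PKIXCertPathValidatorResult) validator.validate(path, params);
    }

    // Usage sketch: collect CRLs for every certificate in the path, then validate
    static PKIXCertPathValidatorResult fetchAndValidate(CertPath path, Set<TrustAnchor> anchors) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509CRL> crls = new ArrayList<>();
        for (Certificate c : path.getCertificates()) {
            crls.addAll(downloadCrls((X509Certificate) c, cf));
        }
        return validateWithCrls(path, anchors, crls);
    }
}
```

Two points worth keeping in mind when adapting this: the validator, not the download step, verifies each CRL's signature against the issuer key and checks its thisUpdate/nextUpdate window, so a stale or tampered CRL fails validation rather than silently passing; and an empty CRL list does not make the path "valid", it makes the revocation status undetermined, which the PKIX validator reports as an exception. A BouncyCastle org.bouncycastle.cert.X509CertificateHolder can be turned into the java.security.cert.X509Certificate this code expects with org.bouncycastle.cert.jcajce.JcaX509CertificateConverter#getCertificate.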