如何从 Java 中的 X509Certificate 获取 CRL

【问题标题】:How to get CRL from X509Certificate in Java如何从 Java 中的 X509Certificate 获取 CRL
【发布时间】:2017-11-21 09:54:16
【问题描述】:

我有一个从 CMSSignedData(PKCS7) 派生的 X509Certificate。我的问题是如何获取 CRL 文件的 URL 以检查证书是否被吊销。我试过下面的代码:

X509CertificateHolder signerCertificateHolder = (X509CertificateHolder) certIt.next();
X509Certificate certificate = new JcaX509CertificateConverter().setProvider("BC").getCertificate(signerCertificateHolder);
X509CRLEntry revokedCertificate;
X509CRL crl;

URL url = new URL("???");
URLConnection connection = url.openConnection();

try(DataInputStream inStream = new DataInputStream(connection.getInputStream()))
{
 crl = (X509CRL) cf.generateCRL(inStream);
}

revokedCertificate = crl.getRevokedCertificate(certificate.getSerialNumber());

if(revokedCertificate != null)
{
 System.out.println("Revoked");
}
else
{
 System.out.println("Valid");
}

它会很好用,只是我无法获取 CRL 的 URL。我知道它有 OI(对象标识符)- 2.5.29.31。但不幸的是,我不能从证书中得出它。我该怎么做?

【问题讨论】:

  • 感谢您提前投票

标签: java cryptography x509certificate bouncycastle pkcs#7


【解决方案1】:

找到这个代码 sn-p here,它将打印证书中的所有 CRL。

import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.x509.CRLDistPoint;
import org.bouncycastle.asn1.x509.DistributionPoint;
import org.bouncycastle.asn1.x509.DistributionPointName;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;

public class CertCRL
{

    public static void main(String[] args)
    {
        try
        {
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");

            X509Certificate certificate = (X509Certificate) certificateFactory.generateCertificate(new FileInputStream(new File("CERT_FILE_PATH")));

            byte[] crlDistributionPointDerEncodedArray = certificate.getExtensionValue(Extension.cRLDistributionPoints.getId());

            ASN1InputStream oAsnInStream = new ASN1InputStream(new ByteArrayInputStream(crlDistributionPointDerEncodedArray));
            ASN1Primitive derObjCrlDP = oAsnInStream.readObject();
            DEROctetString dosCrlDP = (DEROctetString) derObjCrlDP;

            oAsnInStream.close();

            byte[] crldpExtOctets = dosCrlDP.getOctets();
            ASN1InputStream oAsnInStream2 = new ASN1InputStream(new ByteArrayInputStream(crldpExtOctets));
            ASN1Primitive derObj2 = oAsnInStream2.readObject();
            CRLDistPoint distPoint = CRLDistPoint.getInstance(derObj2);

            oAsnInStream2.close();

            List<String> crlUrls = new ArrayList<String>();
            for (DistributionPoint dp : distPoint.getDistributionPoints())
            {
                DistributionPointName dpn = dp.getDistributionPoint();
                // Look for URIs in fullName
                if (dpn != null)
                {
                    if (dpn.getType() == DistributionPointName.FULL_NAME)
                    {
                        GeneralName[] genNames = GeneralNames.getInstance(dpn.getName()).getNames();
                        // Look for an URI
                        for (int j = 0; j < genNames.length; j++)
                        {
                            if (genNames[j].getTagNo() == GeneralName.uniformResourceIdentifier)
                            {
                                String url = DERIA5String.getInstance(genNames[j].getName()).getString();
                                crlUrls.add(url);
                            }
                        }
                    }
                }
            }

            for (String url : crlUrls)
                System.out.println(url);
        }
        catch (Throwable e)
        {
            e.printStackTrace();
        }
    }

}

【讨论】:

    【解决方案2】:

    我在这里有一个更新的更简单的答案:

        byte[] crlDistributionPoint = certificate.getExtensionValue(Extension.cRLDistributionPoints.getId());
    if (crlDistributionPoint == null)
        return;

    CRLDistPoint distPoint = CRLDistPoint
            .getInstance(JcaX509ExtensionUtils.parseExtensionValue(crlDistributionPoint));

    List<String> crlUrls = new ArrayList<String>();
    for (DistributionPoint dp : distPoint.getDistributionPoints()) {
        DistributionPointName dpn = dp.getDistributionPoint();
        // Look for URIs in fullName
        if (dpn != null) {
            if (dpn.getType() == DistributionPointName.FULL_NAME) {
                GeneralName[] genNames = GeneralNames.getInstance(dpn.getName()).getNames();
                // Look for an URI
                for (int j = 0; j < genNames.length; j++) {
                    if (genNames[j].getTagNo() == GeneralName.uniformResourceIdentifier) {
                        String url = DERIA5String.getInstance(genNames[j].getName()).getString();
                        crlUrls.add(url);
                    }
                }
            }
        }
    }

    【讨论】:

      猜你喜欢
      • 2011-02-24
      • 2023-03-04
      • 1970-01-01
      • 2022-06-15
      • 2015-11-02
      • 1970-01-01
      • 2011-11-23
      • 2017-08-15
      • 1970-01-01
      相关资源
      最近更新 更多
      热门标签
      Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode