
Goal: Retrieve the Certificate Revocation List information for a given Certificate.

Reason: When a java.security.cert.PKIXParameters object is set to enable checking of certificate revocation status via PKIXParameters#setRevocationEnabled(true), it uses an instance of sun.security.provider.certpath.CrlRevocationChecker. This checker requires a call to PKIXParameters#addCertStore(...), which adds a java.security.cert.CertStore containing an implementation of X509CRL that holds the CRL information the validator can check against.

Question: Does there exist a library or implementation for retrieving this data, or does it have to be done manually? (Example of the manual approach below.) A library would most likely support all possible types of connections/exceptions/errors that could arise, while the manual solution needs work to bring it up to enterprise standards.

The certificate can be in any of these X.509 certificate wrappers:

java.security.cert.X509Certificate
org.bouncycastle.cert.X509CertificateHolder
org.bouncycastle.jce.provider.X509CertificateObject

Java code for retrieving CRL data manually:

import java.io.*;
import java.net.*;
import java.security.cert.*;
import java.util.*;
import org.bouncycastle.jce.provider.X509CRLObject;
// JDK-internal classes: not public API, and inaccessible on Java 9+ without --add-exports java.base/sun.security.x509
import sun.security.x509.CRLDistributionPointsExtension;
import sun.security.x509.DistributionPoint;
import sun.security.x509.GeneralNameInterface;
import sun.security.x509.GeneralNames;
import sun.security.x509.URIName;
import sun.security.x509.X509CertImpl;

static List<X509CRLObject> getCRLSFromCertPath(CertPath certPath, CertificateFactory certificateFactory) {
    // certificateFactory must come from the BC provider, otherwise generateCRL() does not return an X509CRLObject
    List<X509CRLObject> x509CRLs = new ArrayList<>();
    for (Certificate certificate : certPath.getCertificates()) {
        try {
            X509CertImpl x509Cert = new X509CertImpl(certificate.getEncoded());
            CRLDistributionPointsExtension crlDistroExten = x509Cert.getCRLDistributionPointsExtension();
            if (crlDistroExten == null) {
                continue; // certificate carries no CRL Distribution Points extension
            }
            List<DistributionPoint> distros = (List<DistributionPoint>) crlDistroExten.get(CRLDistributionPointsExtension.POINTS);
            for (DistributionPoint distributionPoint : distros) {
                GeneralNames distroName = distributionPoint.getFullName();
                if (distroName == null) {
                    continue; // point is nameRelativeToCRLIssuer, nothing to download
                }
                for (int i = 0; i < distroName.size(); ++i) {
                    GeneralNameInterface name = distroName.get(i).getName();
                    if (name.getType() != GeneralNameInterface.NAME_URI) {
                        continue; // e.g. a directoryName; only URIs can be fetched here
                    }
                    URI uri = ((URIName) name).getURI();
                    // try-with-resources closes the stream even when generateCRL() throws
                    try (InputStream inputStream = new URL(uri.toString()).openConnection().getInputStream()) {
                        x509CRLs.add((X509CRLObject) certificateFactory.generateCRL(inputStream));
                    }
                }
            }
        } catch (CertificateException | IOException | CRLException | RuntimeException e) {
            e.printStackTrace();
        }
    }
    return x509CRLs;
}
Spartan9209
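An added example (not the asker's code) that reaches the same goal with the public Bouncy Castle and JCA APIs instead of the sun.security.x509 internals: it parses the CRL Distribution Points extension with BC, downloads the CRLs with connect/read timeouts, wraps them in a Collection CertStore and lets the PKIX validator verify each CRL's signature, issuer and validity window. Assumed: bcprov and bcpkix on the classpath, a chain ordered leaf first that excludes the trust anchor, and HTTP(S) distribution point URIs (others are skipped).

```java
import java.io.InputStream;
import java.net.*;
import java.security.cert.*;
import java.util.*;
import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.x509.*;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;

public final class CrlFetcher {
    /** HTTP(S) URIs from the CRL Distribution Points extension (RFC 5280 s4.2.1.13), parsed with BC. */
    static List<String> crlUris(X509Certificate cert) throws java.io.IOException {
        byte[] ext = cert.getExtensionValue(org.bouncycastle.asn1.x509.Extension.cRLDistributionPoints.getId());
        if (ext == null) return Collections.emptyList();            // no CDP extension: nothing to fetch
        CRLDistPoint cdp = CRLDistPoint.getInstance(JcaX509ExtensionUtils.parseExtensionValue(ext));
        List<String> uris = new ArrayList<>();
        for (DistributionPoint dp : cdp.getDistributionPoints()) {
            DistributionPointName dpn = dp.getDistributionPoint();
            // nameRelativeToCRLIssuer points carry no fetchable URI; skip them
            if (dpn == null || dpn.getType() != DistributionPointName.FULL_NAME) continue;
            for (GeneralName gn : GeneralNames.getInstance(dpn.getName()).getNames()) {
                if (gn.getTagNo() != GeneralName.uniformResourceIdentifier) continue;
                String uri = DERIA5String.getInstance(gn.getName()).getString();
                if (uri.startsWith("http://") || uri.startsWith("https://")) uris.add(uri);
            }
        }
        return uris;
    }
    /** Download each CRL with timeouts; signature and freshness are checked later by PKIX, not here. */
    static List<X509CRL> fetchCrls(X509Certificate cert, CertificateFactory cf) throws Exception {
        List<X509CRL> crls = new ArrayList<>();
        for (String uri : crlUris(cert)) {
            HttpURLConnection conn = (HttpURLConnection) new URL(uri).openConnection();
            conn.setConnectTimeout(5000); conn.setReadTimeout(5000); // never hang on a dead CDP
            try (InputStream in = conn.getInputStream()) {             // closed even if generateCRL throws
                crls.add((X509CRL) cf.generateCRL(in));
            }
        }
        return crls;
    }
    /** Feed the fetched CRLs to PKIX through a Collection CertStore and validate the chain. */
    static CertPathValidatorResult validate(List<X509Certificate> chain, Set<TrustAnchor> anchors) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509CRL> crls = new ArrayList<>();
        for (X509Certificate c : chain) crls.addAll(fetchCrls(c, cf));
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(true);                             // CrlRevocationChecker reads the CertStore
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));
        return CertPathValidator.getInstance("PKIX").validate(cf.generateCertPath(chain), params);
    }
}
```

On Java 8 and later the JDK can do the download itself: with the system property com.sun.security.enableCRLDP set to true, the PKIX validator (or a PKIXRevocationChecker obtained from CertPathValidator#getRevocationChecker) fetches CRLs from the distribution points, so the manual fetch above is only needed when that property cannot be set or when caching and timeouts must be controlled.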
