How to get revocation status of an X509 certificate with DSS?

Question

I am trying to validate an X509 certificate based on its revocation status using DSS framework, where do you find it?

I am using this piece of code to validate the certificate with CRL and OCSP. I want to find out if the toValidateToken has been revoked.

CertificateToken class has methods like isSignatureValid, isExpired, isValidOn, but no methods related to revocation.

I found an isRevoked() method in other forums but I don't have it. I'm sure I have all the dependencies installed.

CommonCertificateSource adjunctCertificateSource = new CommonCertificateSource();

// Firstly, we load the certificate to be validated
CertificateToken toValidate = getCertificateFromSignature(documentPath);
CertificateToken toValidateToken = adjunctCertificateSource.addCertificate(toValidate);

//Configure the certificate verifier using the trust store and the intermediate certificates
//OnlineOCSPSource and OnlineCRLSource will invoke the OCSP service and CRL
//distribution point extracting the URL  from the certificate
CertificateVerifier certificateVerifier = new CommonCertificateVerifier();
certificateVerifier.setAdjunctCertSource(adjunctCertificateSource);
certificateVerifier.setCrlSource(new OnlineCRLSource());
certificateVerifier.setOcspSource(new OnlineOCSPSource());

//Perform validation
CertificatePool validationPool = certificateVerifier.createValidationPool();
SignatureValidationContext validationContext = new SignatureValidationContext(validationPool);

validationContext.addCertificateTokenForVerification(toValidateToken);
validationContext.validate();

I only need a simple true/false as a result.

Daniel Fisher lennybacon · Accepted Answer · 2022-02-01T22:12:07.950

0

Whatever the DSS framework is... Here is an article how to check validity with CRL and OCSP: How do I check if an X509 certificate has been revoked in Java?

The standard below is PKCS#7, defined in RFC2315. The cryptographic message syntax defines so called attributes, which can either be of the data (signed), that is hashed and whose has is then signed, or reside next to the signature (unsigned).

The additional question posted seems to contain the addition of certificate verification data (OCSP and CRL):

        commonCertificateVerifier.setCrlSource(new OnlineCRLSource());
        commonCertificateVerifier.setOcspSource(new OnlineOCSPSource());

edited Feb 01 '22 at 22:12

answered Jul 13 '19 at 18:35

Daniel Fisher lennybacon

3,865
1
30
38

and if we try to integrate this verification into the signature, how can we do that? – Mehdi Jan 28 '22 at 21:18
You mean adding the validation results as signed or unsigned attributes to the signature? – Daniel Fisher lennybacon Jan 30 '22 at 13:01
Exactly added validation results as signed attributes – Mehdi Jan 30 '22 at 18:41
Fisher lennybacon, have you any idea ? – Mehdi Jan 31 '22 at 17:58
Could you extend the question with code that produces the signature? I‘ve done this in several languages and think I could help you extend your code. – Daniel Fisher lennybacon Jan 31 '22 at 19:14
Thanks for your help, this is the question that i was posted : https://stackoverflow.com/questions/66993643/ensure-ltv-verification-using-dss-cms-container – Mehdi Jan 31 '22 at 21:02

How to get revocation status of an X509 certificate with DSS?

1 Answers1