How to get CRL from X509Certificate in Java
I have an X509Certificate, derived from CMSSignedData (PKCS7). My question is how I can get the URL of the CRL file to check whether the certificate was revoked. I've tried the code below:

// certIt iterates over the signer certificates carried in the CMSSignedData
X509CertificateHolder signerCertificateHolder = (X509CertificateHolder) certIt.next();
X509Certificate certificate = new JcaX509CertificateConverter().setProvider("BC").getCertificate(signerCertificateHolder);
CertificateFactory cf = CertificateFactory.getInstance("X.509"); // parses the downloaded CRL
X509CRLEntry revokedCertificate;
X509CRL crl;

URL url = new URL("???"); // the CRL distribution point URL taken from the certificate
URLConnection connection = url.openConnection();

try(DataInputStream inStream = new DataInputStream(connection.getInputStream()))
{
 crl = (X509CRL) cf.generateCRL(inStream);
}

// A CRL entry for this serial number means the issuer has revoked the certificate
revokedCertificate = crl.getRevokedCertificate(certificate.getSerialNumber());

if(revokedCertificate != null)
{
 System.out.println("Revoked");
}
else
{
 System.out.println("Valid");
}

And it would work so well, except I cannot get the URL to the CRL. I know that it has an OID (Object Identifier): 2.5.29.31. But unfortunately I cannot derive it from the certificate. How can I do that?

Actualize answered 21/11, 2017 at 9:54 Comment(1)
Thank you for downvoting in advance. – Actualize
Found this code snippet here, which will print all the CRLs in the certificate.

import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.x509.CRLDistPoint;
import org.bouncycastle.asn1.x509.DistributionPoint;
import org.bouncycastle.asn1.x509.DistributionPointName;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;

public class CertCRL
{

    public static void main(String[] args)
    {
        try
        {
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");

            X509Certificate certificate;
            try (FileInputStream certIn = new FileInputStream(new File("CERT_FILE_PATH")))
            {
                certificate = (X509Certificate) certificateFactory.generateCertificate(certIn);
            }

            // cRLDistributionPoints (OID 2.5.29.31); null when the certificate does not carry it
            byte[] crlDistributionPointDerEncodedArray = certificate.getExtensionValue(Extension.cRLDistributionPoints.getId());
            if (crlDistributionPointDerEncodedArray == null)
            {
                System.out.println("No CRL distribution points in certificate");
                return;
            }

            // getExtensionValue() returns the DER OCTET STRING that wraps the extension body
            ASN1InputStream oAsnInStream = new ASN1InputStream(new ByteArrayInputStream(crlDistributionPointDerEncodedArray));
            ASN1Primitive derObjCrlDP = oAsnInStream.readObject();
            DEROctetString dosCrlDP = (DEROctetString) derObjCrlDP;

            oAsnInStream.close();

            // The octets inside are the DER-encoded CRLDistPoint structure
            byte[] crldpExtOctets = dosCrlDP.getOctets();
            ASN1InputStream oAsnInStream2 = new ASN1InputStream(new ByteArrayInputStream(crldpExtOctets));
            ASN1Primitive derObj2 = oAsnInStream2.readObject();
            CRLDistPoint distPoint = CRLDistPoint.getInstance(derObj2);

            oAsnInStream2.close();

            List<String> crlUrls = new ArrayList<String>();
            for (DistributionPoint dp : distPoint.getDistributionPoints())
            {
                DistributionPointName dpn = dp.getDistributionPoint();
                // Look for URIs in fullName
                if (dpn != null)
                {
                    if (dpn.getType() == DistributionPointName.FULL_NAME)
                    {
                        GeneralName[] genNames = GeneralNames.getInstance(dpn.getName()).getNames();
                        // Look for an URI
                        for (int j = 0; j < genNames.length; j++)
                        {
                            if (genNames[j].getTagNo() == GeneralName.uniformResourceIdentifier)
                            {
                                String url = DERIA5String.getInstance(genNames[j].getName()).getString();
                                crlUrls.add(url);
                            }
                        }
                    }
                }
            }

            for (String url : crlUrls)
                System.out.println(url);
        }
        catch (Throwable e)
        {
            e.printStackTrace();
        }
    }

}
Fimbria answered 21/11, 2017 at 16:26 Comment(0)
I have an updated and easier answer here:

import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.x509.CRLDistPoint;
import org.bouncycastle.asn1.x509.DistributionPoint;
import org.bouncycastle.asn1.x509.DistributionPointName;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;

// Returns every URI found in the certificate's cRLDistributionPoints extension (empty if absent)
public static List<String> getCrlUrls(X509Certificate certificate) throws IOException {
    List<String> crlUrls = new ArrayList<String>();

    byte[] crlDistributionPoint = certificate.getExtensionValue(Extension.cRLDistributionPoints.getId());
    if (crlDistributionPoint == null)
        return crlUrls;

    // parseExtensionValue() unwraps the outer OCTET STRING for us
    CRLDistPoint distPoint = CRLDistPoint
            .getInstance(JcaX509ExtensionUtils.parseExtensionValue(crlDistributionPoint));

    for (DistributionPoint dp : distPoint.getDistributionPoints()) {
        DistributionPointName dpn = dp.getDistributionPoint();
        // Look for URIs in fullName
        if (dpn != null) {
            if (dpn.getType() == DistributionPointName.FULL_NAME) {
                GeneralName[] genNames = GeneralNames.getInstance(dpn.getName()).getNames();
                // Look for a URI
                for (int j = 0; j < genNames.length; j++) {
                    if (genNames[j].getTagNo() == GeneralName.uniformResourceIdentifier) {
                        String url = DERIA5String.getInstance(genNames[j].getName()).getString();
                        crlUrls.add(url);
                    }
                }
            }
        }
    }
    return crlUrls;
}
Obligato answered 17/8, 2021 at 12:12 Comment(0)
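Putting the question and both answers together as an added worked example (my code, not from the question or the answers): it extracts the distribution point URIs, fetches the CRL, and, before trusting the lookup, verifies the CRL signature against the issuing CA's public key, checks that the CRL issuer matches the certificate issuer, and rejects a CRL whose nextUpdate has passed. The class name `CrlRevocationCheck` is hypothetical; it assumes the issuer certificate is at hand, a direct (not indirect) CRL, and bcprov plus bcpkix on the classpath.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.x509.*;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;

public final class CrlRevocationCheck { // hypothetical class name
    /** HTTP(S) URIs from the cRLDistributionPoints extension (OID 2.5.29.31); empty when absent. */
    static List<String> crlUrls(X509Certificate cert) throws Exception {
        List<String> urls = new ArrayList<>();
        byte[] ext = cert.getExtensionValue(Extension.cRLDistributionPoints.getId());
        if (ext == null) return urls;  // no CRL DP at all: caller must fail closed or try OCSP
        CRLDistPoint cdp = CRLDistPoint.getInstance(JcaX509ExtensionUtils.parseExtensionValue(ext));
        for (DistributionPoint dp : cdp.getDistributionPoints()) {
            DistributionPointName dpn = dp.getDistributionPoint();
            if (dpn == null || dpn.getType() != DistributionPointName.FULL_NAME) continue;
            for (GeneralName gn : GeneralNames.getInstance(dpn.getName()).getNames()) {
                if (gn.getTagNo() != GeneralName.uniformResourceIdentifier) continue;
                String url = DERIA5String.getInstance(gn.getName()).getString();
                if (url.startsWith("http://") || url.startsWith("https://")) urls.add(url); // skip ldap: etc.
            }
        }
        return urls;
    }

    /** Fetch the first usable CRL, verify issuer signature and freshness, then look up the serial. */
    static String revocationStatus(X509Certificate cert, X509Certificate issuer) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        for (String url : crlUrls(cert)) {
            X509CRL crl;
            try (InputStream in = new URL(url).openStream()) {
                crl = (X509CRL) cf.generateCRL(in);
            }
            crl.verify(issuer.getPublicKey());  // throws on a forged or tampered CRL
            if (!crl.getIssuerX500Principal().equals(cert.getIssuerX500Principal()))
                throw new SecurityException("CRL issuer does not match certificate issuer: " + url);
            if (crl.getNextUpdate() != null && crl.getNextUpdate().getTime() < System.currentTimeMillis())
                throw new SecurityException("stale CRL (nextUpdate in the past): " + url);
            X509CRLEntry e = crl.getRevokedCertificate(cert.getSerialNumber());
            return e == null ? "GOOD" : "REVOKED " + e.getRevocationDate() + " " + e.getRevocationReason();
        }
        return "UNKNOWN";  // nothing fetched: treat as a failure, never as valid
    }
}
```

For full chain validation the JDK's CertPathValidator with PKIXRevocationChecker performs these checks (and OCSP) without hand-parsing the extension; the manual version above is useful when only a single signer certificate from the CMS structure is being examined.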
