
Wie bekomme ich die CRL von einem X509Certificate in Java?

Ich habe ein X509Certificate, das aus CMSSignedData (PKCS7) stammt. Meine Frage ist: Wie kann ich anhand der CRL-Datei (über ihre URL) prüfen, ob das Zertifikat widerrufen wurde? Ich habe den folgenden Code versucht:

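X509CertificateHolder signerCertificateHolder = (X509CertificateHolder) certIt.next();
X509Certificate certificate = new JcaX509CertificateConverter().setProvider("BC").getCertificate(signerCertificateHolder);
X509CRLEntry revokedCertificate;
X509CRL crl;

// The CRL location has to be taken from the certificate's CRL Distribution Points
// extension (OID 2.5.29.31); "???" is the unresolved placeholder from the question.
// Only dereference http/https URIs from that extension - openConnection() follows
// whatever scheme the string names.
URL url = new URL("???");
URLConnection connection = url.openConnection();
// Bound the network wait: a CRL host that never answers would otherwise stall the
// signature check indefinitely. (Constructed values - tune for the deployment.)
connection.setConnectTimeout(10000);
connection.setReadTimeout(10000);

try (InputStream inStream = connection.getInputStream())
{
    crl = (X509CRL) cf.generateCRL(inStream);
}

// A CRL fetched over the network is untrusted until it is checked: it must come from
// the certificate's issuer, carry a valid signature from that issuer's key, and still
// be current. The signature check needs the issuer certificate, which this snippet
// does not hold yet:
//     crl.verify(issuerCertificate.getPublicKey());
// (Indirect CRLs, where the CRL issuer differs from the certificate issuer, would need
// the issuing-distribution-point handling of RFC 5280 6.3.3 instead of this check.)
if (!crl.getIssuerX500Principal().equals(certificate.getIssuerX500Principal()))
{
    throw new CRLException("CRL issuer does not match certificate issuer");
}
// nextUpdate is optional in the CRL; when present, a CRL past it must not be relied on.
if (crl.getNextUpdate() != null && crl.getNextUpdate().getTime() < System.currentTimeMillis())
{
    throw new CRLException("CRL is stale: nextUpdate has already passed");
}

// Serial numbers are only unique per issuer, so this lookup is meaningful only after
// the issuer match above.
revokedCertificate = crl.getRevokedCertificate(certificate.getSerialNumber());

if (revokedCertificate != null)
{
    System.out.println("Revoked");
}
else
{
    System.out.println("Valid");
}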

Und das würde so gut funktionieren, nur bekomme ich die URL der CRL nicht. Ich weiß, dass sie die OID (Object Identifier) 2.5.29.31 hat. Aber leider kann ich sie nicht aus dem Zertifikat ableiten. Wie kann ich das machen?


Vielen Dank für die vorherige Abstimmung –

Antwort


Dieses Code-Snippet habe ich hier gefunden; es gibt alle CRL-URLs des Zertifikats aus.

import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.x509.CRLDistPoint;
import org.bouncycastle.asn1.x509.DistributionPoint;
import org.bouncycastle.asn1.x509.DistributionPointName;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;

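public class CertCRL
{

    /**
     * Prints, one per line, every URI listed in the CRL Distribution Points
     * extension of an X.509 certificate file.
     *
     * @param args optional; {@code args[0]} is the certificate file path. Without an
     *             argument the placeholder {@code "CERT_FILE_PATH"} from the original
     *             snippet is used, so existing invocations behave as before.
     */
    public static void main(String[] args)
    {
        String certPath = args.length > 0 ? args[0] : "CERT_FILE_PATH";

        // try-with-resources: the original left the FileInputStream open.
        try (FileInputStream certIn = new FileInputStream(new File(certPath)))
        {
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
            X509Certificate certificate = (X509Certificate) certificateFactory.generateCertificate(certIn);

            for (String url : extractCrlUrls(certificate))
            {
                System.out.println(url);
            }
        }
        // Narrowed from Throwable: file, certificate and DER problems are reported here,
        // while VM errors keep propagating. IllegalArgumentException is what the
        // BouncyCastle getInstance(...) parsers throw on malformed structures.
        catch (IOException | GeneralSecurityException | IllegalArgumentException e)
        {
            e.printStackTrace();
        }
    }

    /**
     * Collects the URI entries of the certificate's CRL Distribution Points extension
     * (OID 2.5.29.31, {@code Extension.cRLDistributionPoints}) in the order they appear.
     * <p>
     * Only distribution points of type {@code fullName} are inspected; the
     * {@code nameRelativeToCRLIssuer} form is skipped, as in the original snippet, and
     * non-URI general names (directory names, etc.) are ignored.
     * <p>
     * The returned locations are data from the certificate itself. A CRL downloaded
     * from one of them must still be verified against the issuer's key and checked
     * for currency (nextUpdate) before a revocation decision is based on it.
     *
     * @param certificate the certificate to read the extension from
     * @return the URIs found; empty when the extension is absent or holds no URI
     * @throws IOException if the extension value is not readable as DER
     */
    static List<String> extractCrlUrls(X509Certificate certificate) throws IOException
    {
        List<String> crlUrls = new ArrayList<String>();

        // getExtensionValue returns null when the extension is absent; the original
        // code would have thrown a NullPointerException here.
        byte[] extensionValue = certificate.getExtensionValue(Extension.cRLDistributionPoints.getId());
        if (extensionValue == null)
        {
            return crlUrls;
        }

        CRLDistPoint distPoint = parseCrlDistPoint(extensionValue);
        for (DistributionPoint dp : distPoint.getDistributionPoints())
        {
            DistributionPointName dpn = dp.getDistributionPoint();
            // distributionPoint is OPTIONAL in the ASN.1 structure.
            if (dpn == null || dpn.getType() != DistributionPointName.FULL_NAME)
            {
                continue;
            }
            for (GeneralName name : GeneralNames.getInstance(dpn.getName()).getNames())
            {
                if (name.getTagNo() == GeneralName.uniformResourceIdentifier)
                {
                    crlUrls.add(DERIA5String.getInstance(name.getName()).getString());
                }
            }
        }
        return crlUrls;
    }

    /**
     * Decodes the value returned by {@link X509Certificate#getExtensionValue(String)}.
     * That value is the DER-encoded OCTET STRING wrapping the extension, so two
     * passes are needed: unwrap the octet string, then parse its contents as a
     * {@code CRLDistPoint}.
     *
     * @param extensionValue DER bytes as returned by {@code getExtensionValue}
     * @return the decoded distribution point structure
     * @throws IOException if either layer is not valid DER
     */
    private static CRLDistPoint parseCrlDistPoint(byte[] extensionValue) throws IOException
    {
        byte[] innerDer;
        // Both streams are closed on every path now; the original closed them only
        // when no exception occurred.
        try (ASN1InputStream outer = new ASN1InputStream(new ByteArrayInputStream(extensionValue)))
        {
            innerDer = ((DEROctetString) outer.readObject()).getOctets();
        }
        try (ASN1InputStream inner = new ASN1InputStream(new ByteArrayInputStream(innerDer)))
        {
            return CRLDistPoint.getInstance(inner.readObject());
        }
    }

}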