i具有x509certificate,源自cmssigneddata(pkcs7)。我的问题是如何将URL获取到CRL文件中以检查证书是否已撤销。我尝试了以下代码:
X509CertificateHolder signerCertificateHolder = (X509CertificateHolder) certIt.next();
X509Certificate certificate = new JcaX509CertificateConverter().setProvider("BC").getCertificate(signerCertificateHolder);
X509CRLEntry revokedCertificate;
X509CRL crl;
URL url = new URL("???");
URLConnection connection = url.openConnection();
try(DataInputStream inStream = new DataInputStream(connection.getInputStream()))
{
crl = (X509CRL) cf.generateCRL(inStream);
}
revokedCertificate = crl.getRevokedCertificate(certificate.getSerialNumber());
if(revokedCertificate != null)
{
System.out.println("Revoked");
}
else
{
System.out.println("Valid");
}
,它会很好地工作,除了我无法获得CRL的URL。我知道它具有OI(对象标识符)-2.5.29.31。但是不幸的是,我无法从证书中得出它。我该怎么做?
在此处找到此代码段,它将在证书中打印所有CRL。
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.x509.CRLDistPoint;
import org.bouncycastle.asn1.x509.DistributionPoint;
import org.bouncycastle.asn1.x509.DistributionPointName;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
public class CertCRL
{
public static void main(String[] args)
{
try
{
CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
X509Certificate certificate = (X509Certificate) certificateFactory.generateCertificate(new FileInputStream(new File("CERT_FILE_PATH")));
byte[] crlDistributionPointDerEncodedArray = certificate.getExtensionValue(Extension.cRLDistributionPoints.getId());
ASN1InputStream oAsnInStream = new ASN1InputStream(new ByteArrayInputStream(crlDistributionPointDerEncodedArray));
ASN1Primitive derObjCrlDP = oAsnInStream.readObject();
DEROctetString dosCrlDP = (DEROctetString) derObjCrlDP;
oAsnInStream.close();
byte[] crldpExtOctets = dosCrlDP.getOctets();
ASN1InputStream oAsnInStream2 = new ASN1InputStream(new ByteArrayInputStream(crldpExtOctets));
ASN1Primitive derObj2 = oAsnInStream2.readObject();
CRLDistPoint distPoint = CRLDistPoint.getInstance(derObj2);
oAsnInStream2.close();
List<String> crlUrls = new ArrayList<String>();
for (DistributionPoint dp : distPoint.getDistributionPoints())
{
DistributionPointName dpn = dp.getDistributionPoint();
// Look for URIs in fullName
if (dpn != null)
{
if (dpn.getType() == DistributionPointName.FULL_NAME)
{
GeneralName[] genNames = GeneralNames.getInstance(dpn.getName()).getNames();
// Look for an URI
for (int j = 0; j < genNames.length; j++)
{
if (genNames[j].getTagNo() == GeneralName.uniformResourceIdentifier)
{
String url = DERIA5String.getInstance(genNames[j].getName()).getString();
crlUrls.add(url);
}
}
}
}
}
for (String url : crlUrls)
System.out.println(url);
}
catch (Throwable e)
{
e.printStackTrace();
}
}
}
我在这里有一个更新且更轻松的答案:
byte[] crlDistributionPoint = certificate.getExtensionValue(Extension.cRLDistributionPoints.getId());
if (crlDistributionPoint == null)
return;
CRLDistPoint distPoint = CRLDistPoint
.getInstance(JcaX509ExtensionUtils.parseExtensionValue(crlDistributionPoint));
List<String> crlUrls = new ArrayList<String>();
for (DistributionPoint dp : distPoint.getDistributionPoints()) {
DistributionPointName dpn = dp.getDistributionPoint();
// Look for URIs in fullName
if (dpn != null) {
if (dpn.getType() == DistributionPointName.FULL_NAME) {
GeneralName[] genNames = GeneralNames.getInstance(dpn.getName()).getNames();
// Look for an URI
for (int j = 0; j < genNames.length; j++) {
if (genNames[j].getTagNo() == GeneralName.uniformResourceIdentifier) {
String url = DERIA5String.getInstance(genNames[j].getName()).getString();
crlUrls.add(url);
}
}
}
}
}