Java密码学 - 12.CRL

  1. 代码
  2. 验证证书是否被吊销

Certificate Revocation List (CRL)用来存储被吊销的证书。


代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
	/**
	 * @param crlCer
	 * @param caPrivateKey
	 * @param caCert
	 * @param SIGNING_ALGORITHM
	 * 		SHA256WithRSAEncryption
	 * @param reason
	 * 		CRLReason.privilegeWithdrawn
	 * @throws CertificateParsingException
	 * @throws CertIOException
	 * @throws OperatorCreationException
	 * @throws CertificateEncodingException
	 */
	public static X509CRLHolder createCRL(X509Certificate crlCer, PrivateKey caPrivateKey, X509Certificate caCert, String SIGNING_ALGORITHM, int reason) throws CertificateParsingException, CertIOException, OperatorCreationException, CertificateEncodingException {


		X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(
				X500Name.getInstance(PrincipalUtil.getIssuerX509Principal(caCert).getEncoded()),//issuer
				new Date()//this Updated
		);
		// build and sign CRL with CA private key

		crlBuilder.setNextUpdate(new Date(System.currentTimeMillis() + (365 * 86400000L)));
		crlBuilder.addCRLEntry(crlCer.getSerialNumber(), new Date(), reason);//注销证书+时间+原因

		ContentSigner signer = new JcaContentSignerBuilder(SIGNING_ALGORITHM).setProvider("BC").build(caPrivateKey);
		X509CRLHolder crl = crlBuilder.build(signer);
		return crl;
	}


验证证书是否被吊销

1
2
3
4
5
//cer是要被检查的
public static void isRevoked(X509CRLHolder cRLHolder, X509Certificate cer) throws CRLException, NoSuchProviderException, NoSuchAlgorithmException, InvalidKeyException, SignatureException {
   X509CRL crl = new JcaX509CRLConverter().getCRL(cRLHolder);
   if (crl.isRevoked(cer)) System.out.println("被吊销了");
}