
RE: [iaik-jce] How to use CRL(Certificate Revocation List)



Hi Nigel,

Thanks for your mail. Actually I was interested in how to generate the CRL.
In your function you have passed the X509CRL as a parameter. Can you please tell
me how I can get this list from the trusted CA's site (e.g. if I am verifying
the VeriSign I need to get the CRL from VeriSign site).
Can you please tell me how to do that?

Thanks.
I really appreciate your help.

- Manoj

-----Original Message-----
From: Nigel Lowe [mailto:nlowe@delanotech.com]
Sent: Thursday, February 08, 2001 5:51 AM
To: 'Manoj Thorat'; iaik-jce@iaik.at
Subject: RE: [iaik-jce] How to use CRL(Certificate Revocation List)


Here is some code that I have written during my evaluation of IAIK.

Hope this helps and if you come up with any other ideas, let me know.

Nigel

------------------------------------------------

  // Needed at the top of the enclosing source file:
  import java.security.*;
  import java.security.cert.*;

  // JCE_PROVIDER is a String constant defined elsewhere in the enclosing class.
  public static boolean isCertValid(X509Certificate cert, X509Certificate caCert, X509CRL crl)
  {
    boolean rc = false;

    try
    {
      System.out.println("  Checking valid dates...");
      cert.checkValidity();

      System.out.println("  Checking certificate against CRL...");

      // Verify the CA's signature on the CRL before trusting its contents
      Signature sig;
      String    algName = ((iaik.x509.X509CRL)crl).getSignatureAlgorithm().getImplementationName();

      System.out.println("  Verifying CA signature on CRL...");
      sig = Signature.getInstance(algName, JCE_PROVIDER);
      sig.initVerify(caCert.getPublicKey());
      sig.update(((iaik.x509.X509CRL)crl).getTBSCertList());

      // Fail closed: a CRL whose signature does not verify cannot clear the
      // certificate, so rc stays false instead of falling through.
      if(!sig.verify(crl.getSignature()))
        System.out.println("  CRL is either invalid or does not belong to CA");
      else if(crl.isRevoked(cert))
        System.out.println("  ERROR: Certificate has been revoked");
      else
      {
        System.out.println("  Verifying CA signature on certificate...");
        algName = ((iaik.x509.X509Certificate)cert).getSignatureAlgorithm().getImplementationName();
        sig     = Signature.getInstance(algName, JCE_PROVIDER);
        sig.initVerify(caCert.getPublicKey());
        sig.update(cert.getTBSCertificate());
        rc = sig.verify(cert.getSignature());
      }
    }
    catch(CertificateExpiredException ex)
    {
      System.out.println("  ERROR: Certificate has expired");
    }
    catch(CertificateException ex)
    {
      // Includes CertificateNotYetValidException from checkValidity()
      ex.printStackTrace(System.err);
    }
    catch(CRLException ex)
    {
      ex.printStackTrace(System.err);
    }
    catch(NoSuchAlgorithmException ex)
    {
      ex.printStackTrace(System.err);
    }
    catch(InvalidKeyException ex)
    {
      ex.printStackTrace(System.err);
    }
    catch(SignatureException ex)
    {
      ex.printStackTrace(System.err);
    }
    catch(NoSuchProviderException ex)
    {
      ex.printStackTrace(System.err);
    }

    // Returned after the try/catch rather than from a finally block, so an
    // unexpected runtime exception is not silently discarded.
    return rc;
  }// END isCertValid

________________________________________________________________
Nigel M. Lowe, B. Eng.
Senior Software Engineer
Delano Technology Corporation
Voice: (905) 947-2271
E-mail: nlowe@delanotech.com

Delano.  What Customer Relationships Should Be.
________________________________________________________________ 



-----Original Message-----
From: Manoj Thorat [mailto:mthorat@Symphoni.com]
Sent: Wednesday, February 07, 2001 12:13 PM
To: iaik-jce@iaik.at
Subject: [iaik-jce] How to use CRL(Certificate Revocation List)


Hi,

Has anyone used CRL (Certificate Revocation List) in the verification
process? I am trying to verify the certificates issued by Verisign. I
know that it is published on the CA's repository. Can anyone help me on this?

Thanks And Regards,

Manoj
--
Mailinglist-archive at
http://jcewww.iaik.at/mailarchive/iaik-jce/jcethreads.html

To unsubscribe send an email to listserv@iaik.at with the following content:
UNSUBSCRIBE iaik-jce
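
For the question at the top of this thread (how to obtain the CA's CRL), an added example that is not from either poster or from IAIK: it loads a CRL from a URL with the standard java.security.cert API and checks its issuer, signature and freshness before consulting it. The class name and the three URL arguments are assumptions; the actual CRL location has to come from the CA's repository, and the certificate's own signature and validity dates still need checking as in the code above.

```java
import java.io.InputStream;
import java.net.URI;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Date;

// Hypothetical class name; arguments are absolute URLs (http:, file:, ...) supplied by the caller.
public class CrlFetchCheck {
    static X509Certificate loadCert(CertificateFactory cf, String url) throws Exception {
        try (InputStream in = URI.create(url).toURL().openStream()) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    // A CRL fetched over plain HTTP is acceptable only because its signature is checked below.
    static X509CRL loadCrl(CertificateFactory cf, String url) throws Exception {
        try (InputStream in = URI.create(url).toURL().openStream()) {
            return (X509CRL) cf.generateCRL(in);
        }
    }

    // True only if the CRL is issued and signed by the CA, is current, and does not list cert.
    static boolean notRevoked(X509Certificate cert, X509Certificate caCert, X509CRL crl) {
        try {
            if (!crl.getIssuerX500Principal().equals(caCert.getSubjectX500Principal()))
                return false;                          // CRL from a different issuer
            crl.verify(caCert.getPublicKey());         // throws on a bad signature
            Date now = new Date();
            Date next = crl.getNextUpdate();           // optional field, may be null
            if (crl.getThisUpdate().after(now) || (next != null && next.before(now)))
                return false;                          // not yet valid, or stale
            return !crl.isRevoked(cert);
        } catch (GeneralSecurityException e) {
            return false;                              // fail closed on any verification error
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: CrlFetchCheck <cert-url> <ca-cert-url> <crl-url>");
            System.exit(2);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert = loadCert(cf, args[0]), ca = loadCert(cf, args[1]);
        System.out.println(notRevoked(cert, ca, loadCrl(cf, args[2])) ? "not on CRL" : "REJECTED");
    }
}
```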
 