X.509 Certificate Revocation Lists
Source: internet. Editor: 程序博客网. Date: 2024/05/22 03:12
Introduction
The Bouncy Castle APIs support the creation of version 2 X.509 Certificate Revocation Lists (CRLs) with the class:
org.bouncycastle.x509.X509V2CRLGenerator
(Later Bouncy Castle releases deprecate this class in favour of org.bouncycastle.cert.X509v2CRLBuilder in the bcpkix package; the concepts below carry over unchanged.)
Fuller details on CRL creation and their interpretation can be found in RFC 3280 Section 5 (RFC 3280 has since been obsoleted by RFC 5280, where the CRL profile is likewise Section 5).
Available Algorithms
DSA
DSA, in the release documented here, supports only SHA-1 (later releases also accept SHA-2 names such as SHA256withDSA). The following value can be used in place of the variable signatureAlgorithm in the examples below:
- SHA1withDSA
Elliptic Curve (ECDSA)
ECDSA is supported with both the SHA-1 and SHA-2 families of digest algorithms. The following values can be used in place of the variable signatureAlgorithm in the examples below:
- SHA1withECDSA
- SHA224withECDSA
- SHA256withECDSA
- SHA384withECDSA
- SHA512withECDSA
RSA
A variety of digests can be used to sign CRLs using the RSA algorithm. The following values can be used in place of the variable signatureAlgorithm in the examples below. MD2withRSA and MD5withRSA are listed only because the provider accepts them: MD2 and MD5 are broken for signature use and SHA-1 is deprecated, so a CRL issued today should be signed with a SHA-2 member of the list.
- MD2withRSA
- MD5withRSA
- SHA1withRSA
- SHA224withRSA
- SHA256withRSA
- SHA384withRSA
- SHA512withRSA
- RIPEMD160withRSA
- RIPEMD128withRSA
- RIPEMD256withRSA
Creating a Basic CRL
A basic CRL includes some details about the issuing CA, details about the CRL itself, and the certificates that have been revoked together with when they were revoked. At a minimum a CRL should contain two extensions: one identifying the key (via its certificate) used to sign the CRL, and one giving the CRL a number so that clients can tell which of a CA's CRLs is the more recent.
The following code generates a basic CRL revoking the certificate with serial number 1 that was issued by a particular CA. The code labels the CRL as being issued at the time now and also states when a new update should have been received by providing nextUpdate. A CRL entry is added using the addCRLEntry() method, with the reason for the revocation given as privilegeWithdrawn. Two extensions are added, describing the certificate that can be used to verify the CRL and assigning a number to the CRL, and then the CRL is generated.
import java.math.BigInteger;
import java.security.PrivateKey;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Date;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.x509.CRLReason;
import org.bouncycastle.asn1.x509.CRLNumber;
import org.bouncycastle.asn1.x509.X509Extensions;
import org.bouncycastle.x509.X509V2CRLGenerator;
import org.bouncycastle.x509.extension.AuthorityKeyIdentifierStructure;
...
X509V2CRLGenerator crlGen = new X509V2CRLGenerator();
Date now = new Date();
Date nextUpdate = ...;            // when relying parties should expect the next CRL
X509Certificate caCrlCert = ...;  // certificate matching the key that signs the CRL
PrivateKey caCrlPrivateKey = ...;
BigInteger crlNumber = ...;       // must increase with every CRL this CA issues
crlGen.setIssuerDN(new X500Principal("CN=Test CA"));
crlGen.setThisUpdate(now);
crlGen.setNextUpdate(nextUpdate);
crlGen.setSignatureAlgorithm(signatureAlgorithm);
// revoke serial number 1 as of now
crlGen.addCRLEntry(BigInteger.ONE, now, CRLReason.privilegeWithdrawn);
// identify the signing key and number the CRL; both extensions are non-critical
crlGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(caCrlCert));
crlGen.addExtension(X509Extensions.CRLNumber, false, new CRLNumber(crlNumber));
X509CRL crl = crlGen.generateX509CRL(caCrlPrivateKey, "BC");
As the code suggests, the extensions are constructed in the same way as those for certificates.
Updating an Existing CRL
Often you just need to add another entry to an already existing CRL. Because a (non-delta) CRL is a complete list, the new CRL must repeat every earlier entry; the Bouncy Castle APIs provide an addCRL() method to copy them in. So, for example, if we discovered that we had to revoke the certificate with serial number 2, we could include our previous CRL using code similar to the following. Note that the new CRL must carry a larger CRL number than the one it replaces, otherwise clients that compare numbers will keep using the old list.
import java.math.BigInteger;
import java.security.PrivateKey;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Date;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.x509.CRLReason;
import org.bouncycastle.asn1.x509.CRLNumber;
import org.bouncycastle.asn1.x509.X509Extensions;
import org.bouncycastle.x509.X509V2CRLGenerator;
import org.bouncycastle.x509.extension.AuthorityKeyIdentifierStructure;
...
X509V2CRLGenerator crlGen = new X509V2CRLGenerator();
Date now = new Date();
Date nextUpdate = ...;
X509Certificate caCrlCert = ...;
PrivateKey caCrlPrivateKey = ...;
X509CRL existingCRL = ...;
BigInteger crlNumber = ...;       // strictly greater than the number in existingCRL
crlGen.setIssuerDN(new X500Principal("CN=Test CA"));
crlGen.setThisUpdate(now);
crlGen.setNextUpdate(nextUpdate);
crlGen.setSignatureAlgorithm(signatureAlgorithm);
// carry every entry of the previous CRL forward, then add the new revocation
crlGen.addCRL(existingCRL);
crlGen.addCRLEntry(BigInteger.valueOf(2), now, CRLReason.privilegeWithdrawn);
crlGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(caCrlCert));
crlGen.addExtension(X509Extensions.CRLNumber, false, new CRLNumber(crlNumber));
X509CRL crl = crlGen.generateX509CRL(caCrlPrivateKey, "BC");
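Both procedures above, issuing a first CRL and then re-issuing it with the earlier entries carried forward, in one runnable form. This is an added example, not code from the original Bouncy Castle documentation: it uses the current org.bouncycastle.cert.X509v2CRLBuilder API (bcprov plus bcpkix on the classpath) rather than the deprecated X509V2CRLGenerator, generates a throw-away P-256 CA key in place of the elided caCrlCert and caCrlPrivateKey, derives the AuthorityKeyIdentifier from that public key instead of a certificate, reads the CRLNumber back out of the previous CRL so the next one is strictly larger, and finishes with the relying-party side the page does not show: verifying the signature and looking up serials. The class name CrlLifecycle, the helper names, the one-day nextUpdate interval and the use of keyCompromise for the second entry are assumptions made for the example.

```java
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Security;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.spec.ECGenParameterSpec;
import java.util.Date;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.CRLNumber;
import org.bouncycastle.asn1.x509.CRLReason;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.cert.X509CRLHolder;
import org.bouncycastle.cert.X509v2CRLBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CRLConverter;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

// Added example (not part of the Bouncy Castle docs): a CA issuing CRL #1, then CRL #2.
public class CrlLifecycle {

    static final long ONE_DAY_MS = 24L * 60 * 60 * 1000;  // assumed nextUpdate interval

    // Issue a CRL numbered crlNumber that repeats every entry of `previous` (may be null)
    // and additionally revokes `serial` with `reason` as of thisUpdate.
    static X509CRLHolder issueCrl(X500Name issuer, KeyPair caKey, X509CRLHolder previous,
                                  BigInteger crlNumber, BigInteger serial, int reason,
                                  Date thisUpdate) throws Exception {
        X509v2CRLBuilder builder = new X509v2CRLBuilder(issuer, thisUpdate);
        builder.setNextUpdate(new Date(thisUpdate.getTime() + ONE_DAY_MS));
        if (previous != null) {
            builder.addCRL(previous);  // a full CRL is a complete list, so keep earlier entries
        }
        builder.addCRLEntry(serial, thisUpdate, reason);
        JcaX509ExtensionUtils utils = new JcaX509ExtensionUtils();
        builder.addExtension(Extension.authorityKeyIdentifier, false,
                utils.createAuthorityKeyIdentifier(caKey.getPublic()));
        builder.addExtension(Extension.cRLNumber, false, new CRLNumber(crlNumber));
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withECDSA")
                .setProvider("BC").build(caKey.getPrivate());
        return builder.build(signer);
    }

    // Read the CRLNumber extension back so the next CRL can be numbered above it.
    static BigInteger crlNumberOf(X509CRLHolder crl) {
        Extension ext = crl.getExtension(Extension.cRLNumber);
        return CRLNumber.getInstance(ext.getParsedValue()).getCRLNumber();
    }

    // Relying-party view: check the CA signature, then look a serial up.
    // Returns null when the serial is not on the list.
    static X509CRLEntry lookup(X509CRLHolder holder, PublicKey caPub, BigInteger serial)
            throws Exception {
        X509CRL crl = new JcaX509CRLConverter().setProvider("BC").getCRL(holder);
        crl.verify(caPub);  // throws if the CRL was altered or signed by another key
        return crl.getRevokedCertificate(serial);
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC", "BC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair caKey = kpg.generateKeyPair();  // stands in for caCrlCert / caCrlPrivateKey
        X500Name issuer = new X500Name("CN=Test CA");

        Date t1 = new Date();
        X509CRLHolder crl1 = issueCrl(issuer, caKey, null, BigInteger.ONE,
                BigInteger.ONE, CRLReason.privilegeWithdrawn, t1);

        Date t2 = new Date(t1.getTime() + 60_000);        // re-issued a minute later
        BigInteger nextNumber = crlNumberOf(crl1).add(BigInteger.ONE);
        X509CRLHolder crl2 = issueCrl(issuer, caKey, crl1, nextNumber,
                BigInteger.valueOf(2), CRLReason.keyCompromise, t2);

        System.out.println("CRL #" + crlNumberOf(crl2) + " from " + crl2.getIssuer());
        for (long s = 1; s <= 3; s++) {
            X509CRLEntry e = lookup(crl2, caKey.getPublic(), BigInteger.valueOf(s));
            System.out.println("serial " + s + ": "
                    + (e == null ? "not revoked" : "revoked, reason " + e.getRevocationReason()));
        }
    }
}
```

Running main prints CRL #2 with serials 1 and 2 reported as revoked (PRIVILEGE_WITHDRAWN and KEY_COMPROMISE respectively) and serial 3 as not revoked, which confirms that addCRL() carried the first entry forward. Deliberately passing a different public key to lookup() makes verify() throw, which is the check a client must do before trusting any entry in the list.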