public abstract boolean[] getSubjectUniqueID()
    Return the unique identifier for the subject of the certificate; like the issuer unique identifier, this field is unused in general, and null is returned when it is absent.
public abstract boolean[] getKeyUsage()
    Return the key usage extension, which defines the purposes for which the key may be used: digital signature, nonrepudiation, key encipherment, data encipherment, key agreement, certificate signing, CRL signing, and (for key-agreement keys) encipher-only or decipher-only. Each element of the returned array corresponds to one of those bits, in that order. The key usage is an extension to the X509 specification and need not be present in all X509 certificates; null is returned when it is absent.
public abstract int getBasicConstraints()
    An X509 certificate may contain an optional extension that identifies whether the subject of the certificate is a certificate authority. If the subject is not a CA (or the extension is absent), this method returns -1. If the subject is a CA, it returns the path length constraint: the maximum number of intermediate CA certificates that may follow this certificate in a certification chain, or Integer.MAX_VALUE if the extension places no limit.
9.4.5 Revoked Certificates
Occasionally, a certificate authority needs to revoke a certificate it has issued: perhaps the certificate was issued under false pretenses, perhaps its private key has been compromised, or perhaps the holder of the certificate has engaged in illegal conduct using it. Under circumstances such as these, the expiration date attached to the certificate is insufficient protection; the certificate must be immediately invalidated.
This invalidation occurs as the result of a CRL, a certificate revocation list. Certificate authorities are responsible for issuing certificate revocation lists that contain, predictably, a list of the certificates (identified by serial number) that the authority has revoked. Validators of certificates are required to consult this list before accepting the validity of a certificate.
Unfortunately, the means by which an authority distributes a CRL is one of those areas that is in flux, and while the interfaces to support revoked certificates have been established, they are not completely integrated into most certificate systems. In particular, neither the verify() method of the Certificate class nor the checkValidity() method of the X509Certificate class consults any CRL: the first checks only the signature and the second only the validity dates. The CRL itself is typically obtained in an out-of-band fashion, just as the certificates of the authority were obtained; once you have a CRL, you can check to see if a particular certificate in which you're interested is on the list.
While the notion of revoked certificates is not necessarily specific to an X509 certificate, the Java implementation is. Revoked certificates themselves are represented by the X509CRLEntry class (java.security.cert.X509CRLEntry):

public abstract class X509CRLEntry implements X509Extension

The methods of this class are simple and are based upon the fields present in a CRL entry for a revoked X509 certificate:

public abstract BigInteger getSerialNumber()
    Return the serial number of the revoked certificate.
public abstract Date getRevocationDate()
    Return the date on which the certificate was revoked.
public abstract boolean hasExtensions()
    Indicate whether this entry carries any X509 extensions (a reason code, for example).
The revocation list itself is modeled by the X509CRL class (java.security.cert.X509CRL):

public abstract class X509CRL extends CRL implements X509Extension

Provide the support for an X509-based certificate revocation list. Instances of the X509CRL class are obtained from a CertificateFactory: the factory is created with its getInstance() method (for example, CertificateFactory.getInstance("X.509")), and its generateCRL() method parses an encoded CRL read from an input stream. Once the class has been instantiated, you may operate upon it with these methods.
As you can see, there is a strong synergy between the methods that are used to operate upon an X509 certificate and those used to operate upon a CRL:
public abstract void verify(PublicKey pk)
public abstract void verify(PublicKey pk, String sigProvider)
    Verify that the signature that accompanied the CRL is valid. The public key should be the public key of the certificate authority that issued the CRL; if the signature does not verify under that key, a SignatureException is thrown. An error in the underlying signature object may generate a NoSuchAlgorithmException, a NoSuchProviderException, an InvalidKeyException, or a SignatureException, and a malformed CRL may generate a CRLException.
public abstract int getVersion()
    Return the version of the CRL specification. The present version of the X509 CRL specification is 2.
public abstract Principal getIssuerDN()
    Extract the distinguished name of the issuer of the CRL and return a principal object that contains that name.
public abstract Date getThisUpdate()
    Extract and return the date when the authority issued this CRL.
public abstract Date getNextUpdate()
    Extract and return the date by which the authority expects to issue its next CRL. This value need not be present in the CRL, in which case null is returned. When it is present, a CRL consulted after this date may be missing newer revocations and should be refreshed before it is relied upon.
public abstract X509CRLEntry getRevokedCertificate(BigInteger bn)
    Instantiate and return a revoked certificate object for the entry with the given serial number. If the CRL contains no entry with that serial number, null is returned.
public abstract Set getRevokedCertificates()
    Instantiate a revoked certificate object for each entry in the CRL and return the set of those objects, or null if the CRL revokes no certificates.
public abstract byte[] getEncoded()
    Return the DER-encoded CRL itself. This method may throw a CRLException.
Chapter 9. Keys and Certificates
public abstract byte[] getTBSCertList()
    Return the DER-encoded TBS certificate list, that is, all the data that came with the CRL aside from the name of the algorithm used to sign the CRL and the digital signature itself. This data can be used to verify the signature directly. Parsing of the underlying data may throw a CRLException.
public abstract byte[] getSignature()
    Return the actual bytes of the signature.
public abstract String getSigAlgName()
    Return the name of the signature algorithm that was used to sign the CRL.
public abstract String getSigAlgOID()
    Return the OID string of the signature algorithm that was used to sign the CRL.
public abstract byte[] getSigAlgParams()
    Return the DER-encoded parameters of the algorithm used in the signature generation. This generally returns null, as those parameters (if any) usually accompany the authority's public key.
There is one more method of the X509CRL class, which it inherits from its superclass, the CRL class (java.security.cert.CRL):

public abstract boolean isRevoked(Certificate c)
    Indicate whether or not the given certificate has been revoked by this CRL. For an X509 CRL this is a lookup of the certificate's serial number among the CRL's entries, so it is only meaningful when the certificate and the CRL come from the same issuer.

When all is said and done, the point of the CRL class and the revoked certificate class is to provide you with the tools necessary to see if a particular certificate has been invalidated. Your application should perform this checking; you might choose to implement it as follows:
package javasec.samples.ch09;

import java.security.*;
import java.security.cert.*;
import java.io.*;

public class TestCertificate {
    // Techniques to implement this method are shown in the next chapter.
    PublicKey getPublicKey(Principal p) { return null; }
    // Implementations of this method depend on the CA in use and are left to the reader.
    InputStream lookupCRLFile(Principal p) { return null; }
    public java.security.cert.Certificate importCertificate(byte data[]) throws CertificateException {
        X509Certificate c = null;
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        c = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(data));
        return c;
    }
}
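The complete check that the chapter asks the application to perform, as an added example that is not part of the book's TestCertificate code. It ties the X509Certificate methods described earlier (getBasicConstraints() and getKeyUsage()) to the CRL methods: the CRL is verified with the issuing CA's key only after that certificate is confirmed to be a CA whose key usage permits CRL signing, a CRL past its nextUpdate is refused, and only then is isRevoked() consulted. It assumes the BouncyCastle provider and its bcpkix classes are on the classpath, because the standard library can parse and verify CRLs but cannot create them; the CA, the subject names, the serial numbers and the one-day CRL lifetime are constructed for the example.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.cert.*;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.CRLReason;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.cert.X509v2CRLBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CRLConverter;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class CrlCheckExample {
    enum Status { GOOD, REVOKED, WRONG_ISSUER, CRL_UNTRUSTED, CRL_STALE }

    // The check the chapter leaves to the application: make sure the CRL really
    // comes from the CA that issued the certificate, refuse a stale list, and only
    // then consult the revoked-certificate entries.
    static Status checkAgainstCrl(X509Certificate cert, X509CRL crl, X509Certificate ca, Date now) {
        if (!crl.getIssuerX500Principal().equals(cert.getIssuerX500Principal())
                || !ca.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
            return Status.WRONG_ISSUER;     // a CRL only speaks for its own issuer's certificates
        }
        // getBasicConstraints() is -1 for a non-CA; key usage bit 6 is cRLSign.
        boolean[] ku = ca.getKeyUsage();
        if (ca.getBasicConstraints() < 0 || (ku != null && !ku[6])) {
            return Status.CRL_UNTRUSTED;
        }
        try {
            crl.verify(ca.getPublicKey());  // throws unless the CA's key produced this signature
        } catch (GeneralSecurityException e) {
            return Status.CRL_UNTRUSTED;
        }
        Date next = crl.getNextUpdate();    // optional; null means no refresh was promised
        if (next != null && now.after(next)) {
            return Status.CRL_STALE;        // newer revocations may be missing: fetch a fresh CRL
        }
        return crl.isRevoked(cert) ? Status.REVOKED : Status.GOOD;
    }

    static ContentSigner signer(KeyPair kp) throws Exception {
        return new JcaContentSignerBuilder("SHA256withRSA").build(kp.getPrivate());
    }

    static X509Certificate makeCert(X500Name issuer, KeyPair issuerKey, X500Name subject,
            PublicKey subjectKey, long serial, boolean isCa, Date from, Date to) throws Exception {
        JcaX509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(
                issuer, BigInteger.valueOf(serial), from, to, subject, subjectKey);
        b.addExtension(Extension.basicConstraints, true, new BasicConstraints(isCa));
        if (isCa) {  // a CA key that may sign certificates and CRLs, nothing else
            b.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign));
        }
        return new JcaX509CertificateConverter().setProvider("BC").getCertificate(b.build(signer(issuerKey)));
    }

    static X509CRL makeCrl(X500Name issuer, KeyPair signingKey, Date thisUpdate, Date nextUpdate,
            BigInteger revokedSerial, Date revokedAt) throws Exception {
        X509v2CRLBuilder b = new X509v2CRLBuilder(issuer, thisUpdate);
        b.setNextUpdate(nextUpdate);
        b.addCRLEntry(revokedSerial, revokedAt, CRLReason.keyCompromise);
        return new JcaX509CRLConverter().setProvider("BC").getCRL(b.build(signer(signingKey)));
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair caKey = kpg.generateKeyPair(), aliceKey = kpg.generateKeyPair(), bobKey = kpg.generateKeyPair();
        long day = 24L * 3600 * 1000;
        Date now = new Date(), tomorrow = new Date(now.getTime() + day), nextYear = new Date(now.getTime() + 365 * day);
        // A throwaway CA and two subjects, constructed for this example only.
        X500Name caName = new X500Name("CN=Example Test CA");
        X509Certificate ca = makeCert(caName, caKey, caName, caKey.getPublic(), 1, true, now, nextYear);
        X509Certificate alice = makeCert(caName, caKey, new X500Name("CN=alice"), aliceKey.getPublic(), 1001, false, now, nextYear);
        X509Certificate bob = makeCert(caName, caKey, new X500Name("CN=bob"), bobKey.getPublic(), 1002, false, now, nextYear);

        // The CA publishes a CRL, good for one day, that revokes bob's certificate.
        X509CRL crl = makeCrl(caName, caKey, now, tomorrow, bob.getSerialNumber(), now);
        System.out.println("alice now: " + checkAgainstCrl(alice, crl, ca, now));
        System.out.println("bob now: " + checkAgainstCrl(bob, crl, ca, now));
        X509CRLEntry entry = crl.getRevokedCertificate(bob.getSerialNumber());
        System.out.println("bob's entry revoked on " + entry.getRevocationDate());

        // The same CRL consulted a week later is past nextUpdate and must be refreshed first.
        System.out.println("alice in a week: " + checkAgainstCrl(alice, crl, ca, new Date(now.getTime() + 7 * day)));

        // A CRL naming the CA as issuer but signed with some other key fails verify().
        X509CRL forged = makeCrl(caName, aliceKey, now, tomorrow, alice.getSerialNumber(), now);
        System.out.println("alice vs forged CRL: " + checkAgainstCrl(alice, forged, ca, now));
    }
}
```

Compile and run with the bcprov and bcpkix jars on the classpath. The order of the checks is the point: issuer match, CA authorization and signature verification all come before the list is consulted, so a forged or substituted CRL is rejected without its contents ever being believed, and a stale CRL is reported as a distinct condition rather than silently treated as "not revoked".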