Incompatibility between javax.security.cert.X509Certificate and java.security.cert.X509Certificate

I want to verify the X509 certificate presented by a client against a CRL to see if it has been revoked. I have successfully instantiated a java.security.cert.X509CRL, but I am having problems retrieving the certificate of the session:

import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.security.cert.X509Certificate; // the deprecated JSSE type returned by getPeerCertificateChain()
import java.security.cert.X509CRL;

try {
    SSLSocket s = (SSLSocket) serverSocket.accept();
    s.setSoTimeout(TIMEOUT_RW * 1000);
    s.startHandshake();
    SSLSession session = s.getSession();
    // returns javax.security.cert.X509Certificate[], not java.security.cert.X509Certificate[]
    X509Certificate[] cert = session.getPeerCertificateChain();
    if (crl.isRevoked(cert[0])) {
        System.err.println("Attempted to establish connection using revoked certificate");
    } else {
        ...
    }
} catch (Exception ex) {
    System.err.println("Something went wrong");
}

SSLSession belongs to the javax.net.ssl package, and its method getPeerCertificateChain() returns a javax.security.cert.X509Certificate[], which cannot be converted to the java.security.cert.X509Certificate[] that I need to feed the java.security.cert.X509CRL. How can it be done?

asked Jul 06 '14 21:07 by user2891462




1 Answer

javax.security.cert.X509Certificate is deprecated. Get a java.security.cert.Certificate[] from session.getPeerCertificates(), and then pass it to your crl.isRevoked implementation.

See also:

  • http://docs.oracle.com/javase/7/docs/api/javax/net/ssl/SSLSession.html#getPeerCertificateChain()

  • http://docs.oracle.com/javase/7/docs/api/javax/net/ssl/SSLSession.html#getPeerCertificates()

The classes in the package javax.security.cert exist for compatibility with earlier versions of the Java Secure Sockets Extension (JSSE). New applications should instead use the standard Java SE certificate classes located in java.security.cert.

You can convert java.security.cert.Certificate to java.security.cert.X509Certificate (source):

    import java.io.ByteArrayInputStream;
    import java.security.cert.Certificate;
    import java.security.cert.CertificateFactory;
    import java.security.cert.X509Certificate;

    // certificate is a java.security.cert.Certificate, e.g. session.getPeerCertificates()[0]
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    // re-parse the DER encoding so the result is a java.security.cert.X509Certificate
    ByteArrayInputStream bais = new ByteArrayInputStream(certificate.getEncoded());
    X509Certificate x509 = (X509Certificate) cf.generateCertificate(bais);
answered Sep 20 '22 23:09 by MGorgon
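The approach from the answer above put together as one helper, as an added example that is not code from the original question or answer: it takes the peer chain from getPeerCertificates(), converts the leaf through the X.509 CertificateFactory when needed, and refuses to report "not revoked" when the peer sent no certificate or when the CRL was issued by a different CA than the certificate. The class and method names are assumptions; session and crl are the same objects as in the question.

```java
import java.io.ByteArrayInputStream;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

/** Hypothetical helper (not from the original post): CRL check on the TLS peer's
 *  leaf certificate using only java.security.cert types. */
public final class PeerRevocationCheck {

    /** Turn a generic Certificate into an X509Certificate; re-parses the DER encoding if needed. */
    static X509Certificate toX509(Certificate certificate) throws CertificateException {
        if (certificate instanceof X509Certificate) {
            // JSSE already hands back X509Certificate instances for X.509 peers
            return (X509Certificate) certificate;
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(
                new ByteArrayInputStream(certificate.getEncoded()));
    }

    /**
     * Returns true when the peer's leaf certificate is listed in the CRL.
     * Throws instead of returning false when no peer certificate is available
     * (for example client authentication was not required), so a missing chain
     * can never be mistaken for "not revoked".
     */
    static boolean peerIsRevoked(SSLSession session, X509CRL crl)
            throws SSLPeerUnverifiedException, CertificateException {
        // java.security.cert.Certificate[], unlike the deprecated getPeerCertificateChain()
        Certificate[] chain = session.getPeerCertificates();
        if (chain == null || chain.length == 0) {
            throw new SSLPeerUnverifiedException("peer presented no certificate chain");
        }
        X509Certificate leaf = toX509(chain[0]); // chain[0] is the peer's own certificate

        // A CRL only speaks for certificates of its own issuer; a CRL from another CA
        // would return "not revoked" for every certificate it has never seen.
        if (!crl.getIssuerX500Principal().equals(leaf.getIssuerX500Principal())) {
            throw new CertificateException("CRL issuer does not match certificate issuer");
        }
        return crl.isRevoked(leaf);
    }
}
```

The asker's if/else then becomes `if (PeerRevocationCheck.peerIsRevoked(session, crl)) { ... }`, with the thrown exceptions handled as connection failures rather than swallowed.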