public abstract class X509CRL extends CRL
implements X509Extension

Abstract class for an X.509 Certificate Revocation List (CRL). A CRL is a time-stamped list identifying revoked certificates. It is signed by a Certificate Authority (CA) and made freely available in a public repository.

Each revoked certificate is identified in a CRL by its certificate serial number. When a certificate-using system uses a certificate (e.g., for verifying a remote user's digital signature), that system not only checks the certificate signature and validity but also acquires a suitably- recent CRL and checks that the certificate serial number is not on that CRL. The meaning of "suitably-recent" may vary with local policy, but it usually means the most recently-issued CRL. A CA issues a new CRL on a regular periodic basis (e.g., hourly, daily, or weekly). Entries are added to CRLs as revocations occur, and an entry may be removed when the certificate expiration date is reached.

The X.509 v2 CRL format is described below in ASN.1:

 CertificateList  ::=  SEQUENCE  {
     tbsCertList          TBSCertList,
     signatureAlgorithm   AlgorithmIdentifier,
     signature            BIT STRING  }

More information can be found in RFC 3280: Internet X.509 Public Key Infrastructure Certificate and CRL Profile.

The ASN.1 definition of tbsCertList is:

 TBSCertList  ::=  SEQUENCE  {
     version                 Version OPTIONAL,
                             -- if present, must be v2
     signature               AlgorithmIdentifier,
     issuer                  Name,
     thisUpdate              ChoiceOfTime,
     nextUpdate              ChoiceOfTime OPTIONAL,
     revokedCertificates     SEQUENCE OF SEQUENCE  {
         userCertificate         CertificateSerialNumber,
         revocationDate          ChoiceOfTime,
         crlEntryExtensions      Extensions OPTIONAL
                                 -- if present, must be v2
         }  OPTIONAL,
     crlExtensions           [0]  EXPLICIT Extensions OPTIONAL
                                  -- if present, must be v2

CRLs are instantiated using a certificate factory. The following is an example of how to instantiate an X.509 CRL:

 InputStream inStream = null;
 try {
     inStream = new FileInputStream("fileName-of-crl");
     CertificateFactory cf = CertificateFactory.getInstance("X.509");
     X509CRL crl = (X509CRL)cf.generateCRL(inStream);
 } finally {
     if (inStream != null) {

Protected Constructor Summary

Constructor for X.509 CRLs.

Public Method Summary

equals(Object other)
Compares this CRL for equality with the given object.
abstract byte[]
Returns the ASN.1 DER-encoded form of this CRL.
abstract Principal
Denigrated, replaced by {@linkplain #getIssuerX500Principal()}.
Returns the issuer (issuer distinguished name) value from the CRL as an X500Principal.
abstract Date
Gets the nextUpdate date from the CRL.
getRevokedCertificate(X509Certificate certificate)
Get the CRL entry, if any, for the given certificate.
abstract X509CRLEntry
getRevokedCertificate(BigInteger serialNumber)
Gets the CRL entry, if any, with the given certificate serialNumber.
abstract Set<? extends X509CRLEntry>
Gets all the entries from this CRL.
abstract String
Gets the signature algorithm name for the CRL signature algorithm.
abstract String
Gets the signature algorithm OID string from the CRL.
abstract byte[]
Gets the DER-encoded signature algorithm parameters from this CRL's signature algorithm.
abstract byte[]
Gets the signature value (the raw signature bits) from the CRL.
abstract byte[]
Gets the DER-encoded CRL information, the tbsCertList from this CRL.
abstract Date
Gets the thisUpdate date from the CRL.
abstract int
Gets the version (version number) value from the CRL.
Returns a hashcode value for this CRL from its encoded form.
abstract void
verify(PublicKey key)
Verifies that this CRL was signed using the private key that corresponds to the given public key.
abstract void
verify(PublicKey key, String sigProvider)
Verifies that this CRL was signed using the private key that corresponds to the given public key.

Inherited Method Summary