


1 import java.io.*;
2 import java.net.URL JavaDoc;
3 import java.net.URLConnection JavaDoc;
4 import java.security.*;
5 import java.security.cert.*;
6 import java.util.*;
7 import java.security.cert.X509Certificate JavaDoc;
8 import java.security.cert.PKIXParameters JavaDoc;
9
10 /**
11  * Check the revocation status of a public key certificate using a CRL.
12  *
13  * NOTE: it only works with V1 CRLs
14  */

15
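public class ValidateCertUseCRL {

    /*
     * Filename that contains the root CA cert.
     *
     * SECURITY: the path is relative, so it is resolved against the current
     * working directory. Whoever can write that file decides which CA this
     * tool trusts; keep it in a location the invoking user controls.
     */
    private static final String ROOT_CA_CERT = "DemoCA.pem";

    /*
     * Connect and read timeout (milliseconds) applied when fetching the CRL,
     * so a stalled or malicious server cannot hang the check indefinitely.
     */
    private static final int CRL_FETCH_TIMEOUT_MS = 30000;

    /**
     * Checks the revocation status of a public key certificate using CRL.
     *
     * Usage: java ValidateCertUseCRL <cert-file> [<CRL-location>]
     * <cert-file> is the filename of the certificate to be checked.
     * The certificate must be in PEM format.
     * <CRL-location> is the URL of the CRL to use.
     * If not supplied then the certificate must identify the CRL
     * by means of its CRL Distribution Points extension.
     * If supplied then it overrides any URL which may be present
     * in the certificate's CRLDP extension.
     *
     * Example: java \
     * -Dhttp.proxyHost=webcache.sfbay.sun.com \
     * -Dhttp.proxyPort=8080 \
     * ValidateCertUseCRL \
     * mycert.pem \
     * http://www.sun.com/pki/pkirootca.crl
     *
     * Notes for operators:
     *  - The certification path built here contains only <cert-file> and the
     *    single trust anchor is the CA in ROOT_CA_CERT. No intermediate CA
     *    certificates are supplied, so only certificates issued directly by
     *    that CA can validate.
     *  - PKIXParameters enables revocation checking by default, so the check
     *    fails closed: if no usable CRL can be found, validation fails rather
     *    than silently succeeding.
     *  - A CRL given via <CRL-location> is fetched over whatever scheme the
     *    JVM supports for that URL (e.g. plain http). Its integrity is not
     *    provided by the transport; the PKIX validator verifies the CRL
     *    signature against the certificate issuer before relying on it.
     *  - com.sun.security.enableCRLDP is a JVM-wide system property read by
     *    the Sun PKIX provider; it is set before the validator is obtained.
     *
     * Exit status: 0 on success, 1 when PKIX validation (including the
     * revocation check) fails, -1 on usage or I/O / parsing errors.
     */
    public static void main(String[] args) {
        try {
            if (args.length == 0 || args.length > 2) {
                System.out.println(
                    "Usage: java ValidateCertUseCRL <cert-file> [<CRL-location>]");
                System.exit(-1);
            }

            // load the cert to be checked; getCertFromFile throws on failure,
            // so a bad file is reported here instead of as an obscure
            // generateCertPath error later on
            List<X509Certificate> certs = new ArrayList<X509Certificate>();
            certs.add(getCertFromFile(args[0]));

            // handle location of CRL
            URL url = null;
            if (args.length == 2) {
                url = new URL(args[1]);
                System.out.println("Using the CRL at: " + args[1]);
                System.out.println("to check the revocation status of: " +
                    certs.get(0));
                System.out.println();
            } else {
                System.out.println("Using the CRL specified in the " +
                    "cert to check the revocation status of: " +
                    certs.get(0));
                System.out.println();
                // must be set before the PKIX validator is created below
                System.setProperty("com.sun.security.enableCRLDP", "true");
            }

            // init cert path (end-entity certificate only, see class notes)
            CertificateFactory cf = CertificateFactory.getInstance("X509");
            CertPath cp = cf.generateCertPath(certs);

            // load the root CA cert and make it the only trust anchor
            X509Certificate rootCACert = getCertFromFile(ROOT_CA_CERT);
            Set<TrustAnchor> trustedCerts = new HashSet<TrustAnchor>();
            trustedCerts.add(new TrustAnchor(rootCACert, null));

            // init PKIX parameters; revocation checking is on by default
            PKIXParameters params = new PKIXParameters(trustedCerts);

            // load the CRL from the explicit location, if one was given
            if (url != null) {
                X509CRL crl = fetchCrl(url, cf);
                params.addCertStore(CertStore.getInstance("Collection",
                    new CollectionCertStoreParameters(
                        Collections.singletonList(crl))));
            }

            // perform validation
            CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
            PKIXCertPathValidatorResult cpvResult =
                (PKIXCertPathValidatorResult) cpv.validate(cp, params);
            X509Certificate trustedCert =
                cpvResult.getTrustAnchor().getTrustedCert();

            if (trustedCert == null) {
                System.out.println("Trusted Cert = NULL");
            } else {
                // getSubjectX500Principal() replaces the deprecated getSubjectDN()
                System.out.println("Trusted CA DN = " +
                    trustedCert.getSubjectX500Principal());
            }

        } catch (CertPathValidatorException e) {
            // path building/validation or revocation check failed
            e.printStackTrace();
            System.exit(1);

        } catch (Exception e) {
            e.printStackTrace();
            System.exit(-1);
        }
        System.out.println("CERTIFICATE VALIDATION SUCCEEDED");
        System.exit(0);
    }

    /*
     * Fetch and parse the CRL at the given URL.
     *
     * The transport is not trusted for integrity: the PKIX validator later
     * verifies the CRL's signature against the certificate issuer. Timeouts
     * are applied so a non-responsive server cannot block the check, and the
     * stream is always closed.
     *
     * Throws IOException if the fetch fails or times out, CRLException if the
     * bytes are not a parseable X.509 CRL.
     */
    private static X509CRL fetchCrl(URL url, CertificateFactory cf)
            throws IOException, CRLException {
        URLConnection connection = url.openConnection();
        connection.setDoInput(true);
        connection.setUseCaches(false);
        connection.setConnectTimeout(CRL_FETCH_TIMEOUT_MS);
        connection.setReadTimeout(CRL_FETCH_TIMEOUT_MS);
        InputStream in = connection.getInputStream();
        try {
            return (X509CRL) cf.generateCRL(in);
        } finally {
            in.close();
        }
    }

    /*
     * Read a certificate from the specified filepath.
     *
     * Unlike a null-returning helper, this throws on an unreadable or
     * unparseable file so the caller reports the real cause. The file
     * stream is closed in all cases.
     *
     * Throws IOException if the file cannot be read, CertificateException
     * if its contents are not an X.509 certificate.
     */
    private static X509Certificate getCertFromFile(String path)
            throws IOException, CertificateException {
        File certFile = new File(path);
        if (!certFile.canRead()) {
            throw new IOException(" File " + certFile.toString() +
                " is unreadable");
        }

        FileInputStream fis = new FileInputStream(certFile);
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X509");
            return (X509Certificate) cf.generateCertificate(fis);
        } finally {
            fis.close();
        }
    }
}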
150