I want to verify the X509 certificate presented by a client against a CRL to see if it has been revoked.
I have successfully instanciated a java.security.cert.X509CRL, but I am having problems retrieving the certificate of the session:
try {
SSLSocket s = (SSLSocket) serverSocket.accept();
s.setSoTimeout(TIMEOUT_RW * 1000);
s.startHandshake();
SSLSession session = s.getSession();
X509Certificate[] cert = session.getPeerCertificateChain();
if (crl.isRevoked(cert[0])) {
System.err.println("Attempted to stablish connection using revoked certificate");
} else {
...
}
} catch (Exception ex) {
System.err.println("Something went wrong");
}
SSLSession belongs to the javax.net.ssl package, and its method getPeerCertificateChain() returns a javax.security.cert.X509Certificate[], which cannot be converted to the java.security.cert.X509Certificate[] that I need to feed the java.security.cert.X509CRL.
How can it be done?
javax.security.cert.X509Certificate is deprecated. Get java.security.cert.Certificate[] by session.getPeerCertificates();, and then pass it to your crl.isRevoked implementation.
See also:
http://docs.oracle.com/javase/7/docs/api/javax/net/ssl/SSLSession.html#getPeerCertificateChain()
http://docs.oracle.com/javase/7/docs/api/javax/net/ssl/SSLSession.html#getPeerCertificates()
The classes in the package javax.security.cert exist for compatibility with earlier versions of the Java Secure Sockets Extension (JSSE). New applications should instead use the standard Java SE certificate classes located in java.security.cert.
You can convert java.security.cert.Certificate to java.security.cert.X509Certificate (source):
CertificateFactory cf = CertificateFactory.getInstance("X.509");
ByteArrayInputStream bais = new ByteArrayInputStream(certificate.getEncoded());
X509Certificate x509 = (X509Certificate) cf.generateCertificate(bais);