Tags: java, security, ssl, x509

Logic behind method (java.security.cert.X509CRL) isRevoked


Just wondering if someone knows what the logic behind the method isRevoked from the X509CRL class is.

The Java documentation only says that this method validates whether the Certificate object passed as a parameter is in the list, but it doesn't say which fields it compares (Serial Number, Issuer DN, etc.).

import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.cert.*;

// PEM-encoded certificate stored in the database column x509_certificate
Certificate cert = CertificateFactory.getInstance("X.509")
        .generateCertificate(new ByteArrayInputStream(rs.getString("x509_certificate").getBytes("utf-8")));

CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
URL crlURL = new URL("http://www.certificadodigital.com.br/repositorio/lcr/serasarfbv2.crl");
try (InputStream crlStream = crlURL.openStream()) {
    X509CRL crl = (X509CRL) certFactory.generateCRL(crlStream);
    System.out.println(crl.getIssuerDN());

    if (crl.isRevoked(cert)) {
        System.out.println("revoked");
    }
}

Basically what I'm trying to do is create a batch job that loads some CRLs, checks whether the certificates I have in my database have been revoked, and flags them as revoked.

Thanks in advance.


Solution

  • You'll need to check the source/decompiled code, as the Java Docs for this area are a laugh, and the behaviour is implementation specific.

    In the Oracle VM, the CRL object checks that the serial and the X500Name are the same... now the Voodoo happens inside X500Name.equals(), as it creates the DN based on all the name attributes from the CRL and certificate.

    I'm sorry I cannot be more specific. My suggestion is: debug the code and put a breakpoint in CRL.isRevoked() and check from there on.
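As an added example (not part of the original question or answer), the two comparisons the answer describes for isRevoked(), issuer name and serial number, can be made explicit with the public X509CRL API, together with the CRL signature and freshness checks that isRevoked() does not perform. The class name and the three command-line file arguments (the certificate, its issuer's certificate and the CRL) are assumptions for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.*;
import java.util.Date;

public class CrlCheck {
    // Outcome of checking one certificate against one CRL.
    public enum Status { GOOD, REVOKED, CRL_NOT_APPLICABLE, CRL_INVALID }

    // Mirrors the two comparisons the answer describes for isRevoked() (issuer name and
    // serial number) with the public API, and adds the checks isRevoked() does not do:
    // that the CRL really was signed by the expected issuer and is still current.
    public static Status check(X509Certificate cert, X509CRL crl, X509Certificate issuer, Date now) {
        // 1. Signature: an unverified CRL could be replaced by a stale one that omits the entry.
        try {
            crl.verify(issuer.getPublicKey());
        } catch (Exception e) {
            return Status.CRL_INVALID;
        }
        // 2. Freshness: not yet valid, or past nextUpdate, means the list cannot be trusted.
        if (now.before(crl.getThisUpdate())
                || (crl.getNextUpdate() != null && now.after(crl.getNextUpdate()))) {
            return Status.CRL_INVALID;
        }
        // 3. Issuer match: the X500Name comparison isRevoked() performs internally.
        if (!crl.getIssuerX500Principal().equals(cert.getIssuerX500Principal())) {
            return Status.CRL_NOT_APPLICABLE;
        }
        // 4. Serial lookup: the other half of isRevoked(); the entry also exposes the
        //    revocation date and reason, which a plain boolean hides.
        X509CRLEntry entry = crl.getRevokedCertificate(cert.getSerialNumber());
        if (entry == null) {
            return Status.GOOD;
        }
        System.out.printf("serial %s revoked on %s, reason %s%n",
                entry.getSerialNumber().toString(16), entry.getRevocationDate(), entry.getRevocationReason());
        return Status.REVOKED;
    }

    // Usage: java CrlCheck cert.pem issuer.pem list.crl  (file names are placeholders)
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert, issuer;
        X509CRL crl;
        try (InputStream in = new FileInputStream(args[0])) { cert = (X509Certificate) cf.generateCertificate(in); }
        try (InputStream in = new FileInputStream(args[1])) { issuer = (X509Certificate) cf.generateCertificate(in); }
        try (InputStream in = new FileInputStream(args[2])) { crl = (X509CRL) cf.generateCRL(in); }
        System.out.println(check(cert, crl, issuer, new Date()));
    }
}
```

For the batch job in the question, CRL_NOT_APPLICABLE means the CRL was issued by a different CA and says nothing about that certificate, so it should not be flagged either way.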