Tags: java, certificate, certificate-revocation

How to get revocation status of an X509 certificate with DSS?


I am trying to validate an X509 certificate based on its revocation status using the DSS framework; where do you find it?

I am using this piece of code to validate the certificate with CRL and OCSP. I want to find out if the toValidateToken has been revoked.

CertificateToken class has methods like isSignatureValid, isExpired, isValidOn, but no methods related to revocation.

I found an isRevoked() method in other forums but I don't have it. I'm sure I have all the dependencies installed.

// Imports as laid out in the DSS 5.x line this snippet targets (assumed; the packages moved in later DSS releases)
import eu.europa.esig.dss.client.crl.OnlineCRLSource;
import eu.europa.esig.dss.client.ocsp.OnlineOCSPSource;
import eu.europa.esig.dss.validation.CertificateVerifier;
import eu.europa.esig.dss.validation.CommonCertificateVerifier;
import eu.europa.esig.dss.validation.SignatureValidationContext;
import eu.europa.esig.dss.x509.CertificatePool;
import eu.europa.esig.dss.x509.CertificateToken;
import eu.europa.esig.dss.x509.CommonCertificateSource;

// Holds certificates that are not in the trust store but are needed to build the chain
CommonCertificateSource adjunctCertificateSource = new CommonCertificateSource();

// Firstly, we load the certificate to be validated
// (getCertificateFromSignature and documentPath are defined elsewhere in the asker's code)
CertificateToken toValidate = getCertificateFromSignature(documentPath);
CertificateToken toValidateToken = adjunctCertificateSource.addCertificate(toValidate);

// Configure the certificate verifier using the trust store and the intermediate certificates.
// OnlineOCSPSource and OnlineCRLSource will invoke the OCSP responder and the CRL
// distribution point, extracting the URLs from the certificate's AIA and CDP extensions
CertificateVerifier certificateVerifier = new CommonCertificateVerifier();
certificateVerifier.setAdjunctCertSource(adjunctCertificateSource);
certificateVerifier.setCrlSource(new OnlineCRLSource());
certificateVerifier.setOcspSource(new OnlineOCSPSource());

// Perform validation: the context builds the chain and fetches revocation data for each token
CertificatePool validationPool = certificateVerifier.createValidationPool();
SignatureValidationContext validationContext = new SignatureValidationContext(validationPool);

validationContext.addCertificateTokenForVerification(toValidateToken);
validationContext.validate();

I only need a simple true/false as a result.


Solution

  • Whatever the DSS framework is... Here is an article on how to check validity with CRL and OCSP: How do I check if an X509 certificate has been revoked in Java?

    The standard below is PKCS#7, defined in RFC 2315. The cryptographic message syntax defines so-called attributes, which can either be part of the data that is hashed and whose hash is then signed (signed attributes), or reside next to the signature (unsigned attributes).

    The additional question posted seems to contain the addition of certificate verification data (OCSP and CRL):

            commonCertificateVerifier.setCrlSource(new OnlineCRLSource());
            commonCertificateVerifier.setOcspSource(new OnlineOCSPSource());
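The approach the linked article describes, worked through as an added example (this is not code from the answer, the asker, or the DSS project): the JDK's own PKIXRevocationChecker run through CertPathValidator, which fetches OCSP first and falls back to the CRL distribution point, both URLs taken from the certificate itself. It deliberately returns a three-way status rather than the plain true/false the question asks for, because an unreachable OCSP responder or CRL is neither "good" nor "revoked", and collapsing that case into "not revoked" is the classic soft-fail mistake. The class name RevocationCheck, the file arguments and the truststore password are assumptions; the chain is read from a PEM file rather than embedded, and the check needs network access to the certificate's OCSP/CRL URLs.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertPathValidatorException.BasicReason;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Hypothetical class name for this example.
public final class RevocationCheck {

    /** GOOD and REVOKED are definite answers; UNKNOWN means no fresh OCSP response or CRL could be obtained. */
    public enum Status { GOOD, REVOKED, UNKNOWN }

    /**
     * Builds and validates the path (leaf first, then intermediates, trust anchor excluded)
     * and reports the revocation status. OCSP is tried first, the CRL distribution point is
     * the fallback; both URLs come from the certificate's AIA and CDP extensions.
     */
    public static Status check(List<X509Certificate> chain, Set<TrustAnchor> anchors)
            throws GeneralSecurityException {
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker revocationChecker =
                (PKIXRevocationChecker) validator.getRevocationChecker();
        // No SOFT_FAIL: a network failure must surface as UNDETERMINED_REVOCATION_STATUS
        // instead of being silently treated as "not revoked". Add PREFER_CRLS to try CRLs first.
        revocationChecker.setOptions(EnumSet.noneOf(PKIXRevocationChecker.Option.class));

        PKIXParameters params = new PKIXParameters(anchors);
        // An explicitly added PKIXRevocationChecker is used regardless of setRevocationEnabled.
        params.addCertPathChecker(revocationChecker);

        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        try {
            validator.validate(path, params);
            return Status.GOOD;
        } catch (CertPathValidatorException e) {
            if (e.getReason() == BasicReason.REVOKED) {
                return Status.REVOKED;
            }
            if (e.getReason() == BasicReason.UNDETERMINED_REVOCATION_STATUS) {
                return Status.UNKNOWN;
            }
            throw e; // expired, invalid signature, no path to a trust anchor, ...
        }
    }

    // Usage (assumed file names): java RevocationCheck chain.pem truststore.jks changeit
    // chain.pem holds the leaf followed by its intermediates (PEM); the truststore holds the roots.
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[0])) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[1])) {
            trustStore.load(in, args[2].toCharArray());
        }
        Set<TrustAnchor> anchors = new HashSet<>();
        for (String alias : Collections.list(trustStore.aliases())) {
            if (trustStore.isCertificateEntry(alias)) {
                anchors.add(new TrustAnchor((X509Certificate) trustStore.getCertificate(alias), null));
            }
        }
        System.out.println("Revocation status of " + chain.get(0).getSubjectX500Principal()
                + ": " + check(chain, anchors));
    }
}
```

Two points worth keeping in mind when turning this into the "simple true/false" the question asks for: treat UNKNOWN as a failure (or at least log and alert on it) rather than mapping it to "not revoked", and do not pass the root certificate inside the chain, since the trust anchor is supplied separately through PKIXParameters. If the leaf is issued directly by a trust anchor, a one-element chain is sufficient.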