• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1# 证书吊销列表对象的创建、解析和校验
2
3以校验证书是否已吊销为例,完成证书吊销列表对象的创建、解析和校验。若证书已被吊销,将打印被吊销日期。
4
5## 开发步骤
6
71. 导入[证书算法库框架模块](../../reference/apis-device-certificate-kit/js-apis-cert.md)和[加解密算法库模块](../../reference/apis-crypto-architecture-kit/js-apis-cryptoFramework.md)。
8   ```ts
9   import { cert } from '@kit.DeviceCertificateKit';
10   import { cryptoFramework } from '@kit.CryptoArchitectureKit';
11   ```
12
132. 基于已有的CRL数据,调用[cert.createX509CRL](../../reference/apis-device-certificate-kit/js-apis-cert.md#certcreatex509crl11)创建X509证书吊销列表的对象。
14
153. 解析证书吊销列表信息。
16
17   此处以获取证书吊销列表版本、证书吊销列表类型为例,更多字段信息获取接口请查看[API参考文档](../../reference/apis-device-certificate-kit/js-apis-cert.md#x509crl11)。
18
194. 基于已有公钥信息,创建PublicKey公钥对象。
20
21   具体可参考[加解密算法库框架-指定二进制数据生成非对称密钥对](../../reference/apis-crypto-architecture-kit/js-apis-cryptoFramework.md#convertkey-3)。
22
235. 调用[X509CRL.verify](../../reference/apis-device-certificate-kit/js-apis-cert.md#verify11)校验签名合法性。
24
256. 基于已有的X509证书数据,调用[cert.createX509Cert](../../reference/apis-device-certificate-kit/js-apis-cert.md#certcreatex509cert)创建证书对象。
26
277. 调用[X509CRL.isRevoked](../../reference/apis-device-certificate-kit/js-apis-cert.md#isrevoked11)判断X509证书是否已被吊销。
28
298. 调用[X509CRL.getRevokedCert](../../reference/apis-device-certificate-kit/js-apis-cert.md#getrevokedcert11)获取被吊销证书对象。
30
319.  调用[X509CRLEntry.getRevocationDate](../../reference/apis-device-certificate-kit/js-apis-cert.md#getrevocationdate11)获取被吊销日期。
32
33```ts
34import { cert } from '@kit.DeviceCertificateKit';
35import { cryptoFramework } from '@kit.CryptoArchitectureKit';
36import { BusinessError } from '@kit.BasicServicesKit';
37import { util } from '@kit.ArkTS';
38
39// CRL数据,以下只是一个示例,需要根据具体业务来赋值。
40let crlData = '-----BEGIN X509 CRL-----\n' +
41  'MIIByzCBtAIBATANBgkqhkiG9w0BAQsFADBXMQswCQYDVQQGEwJDTjEPMA0GA1UE\n' +
42  'CAwG6ZmV6KW/MQ8wDQYDVQQHDAbopb/lrokxDzANBgNVBAoMBua1i+ivlTEVMBMG\n' +
43  'A1UEAwwM5Lit5paH5rWL6K+VFw0yNTAyMjAwNjEzMTZaFw0yNTAzMjIwNjEzMTZa\n' +
44  'MBkwFwIGAXKnJjrAFw0yNTAyMjAwNjEzMDNaoA4wDDAKBgNVHRQEAwIBADANBgkq\n' +
45  'hkiG9w0BAQsFAAOCAQEAt9AZ/B5FQiXnKKBGocKmM5QKeky/3etcI+cAVyD0zfjI\n' +
46  'r1UrL1aF+49LdZps3zQRqm4RQmo9CwL+KsMZiIMSeWF5Q6LW7BQa08hx5PtdjoOu\n' +
47  '1IWVKAwR5IigpaOwMKRTq1xJ372EiUkDD83AsxEkQoQW0bBvFklGrzglSACeKST+\n' +
48  'Pn6ywwFyYj34cfRuz3ueqwHRmN/mGzQdet7Ns8JBGWutDzfJsAiPC/TIaafTOocO\n' +
49  'CHo81Q2rMcqAJj5uXyc1Gq8KfOEqsxo/oDwReghjwrUedJ+9l/cQBr0F8HPV4H8W\n' +
50  '49sYMpseywjp9lxjWt/2nrx1z2yMaivGrVhoFasZvQ==\n' +
51  '-----END X509 CRL-----\n'
52
53let certData = '-----BEGIN CERTIFICATE-----\n' +
54  'MIIDgTCCAmmgAwIBAgIGAXKnJjrAMA0GCSqGSIb3DQEBCwUAMFcxCzAJBgNVBAYT\n' +
55  'AkNOMQ8wDQYDVQQIDAbpmZXopb8xDzANBgNVBAcMBuilv+WuiTEPMA0GA1UECgwG\n' +
56  '5rWL6K+VMRUwEwYDVQQDDAzkuK3mlofmtYvor5UwHhcNMjUwMjIwMDYwOTUyWhcN\n' +
57  'MzUwMjE4MDYwOTUyWjBXMQswCQYDVQQGEwJDTjEPMA0GA1UECAwG6ZmV6KW/MQ8w\n' +
58  'DQYDVQQHDAbopb/lrokxDzANBgNVBAoMBua1i+ivlTEVMBMGA1UEAwwM5Lit5paH\n' +
59  '5rWL6K+VMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2DQpPYN7cJjQ\n' +
60  'LWLlkP5dD8J/g1xx97t2bFciUOru14IBm9EeX6qkohDSl6kQHwfVSqTfcqdIn9We\n' +
61  '73FiitfDjHc9xxbvBKbCYicCzS/eNl0W9q14FiEB8M9vz4dpKK00KZBcGc1QK2m+\n' +
62  '/N6zw4Tw4wXZ97v6/M+bhY5X0b3qEJlgQNyz7dD0wF7SCuzLL9zbr403KktHMG5Y\n' +
63  'MzyOBaGOaMuVQFlXMV/E5OWfqbM7n0Pu/cGj+AfkkziWxB+5WFCRP6Pw64LJGo+e\n' +
64  'uZHgHp07kk6+a2YNnFMcdTsOIWBSpCvC3I612NjpBirn2bFRWqTD++YAuvJQagmM\n' +
65  '+VhIjXD48wIDAQABo1MwUTAdBgNVHQ4EFgQUIN7ulBn89L5HXh9m9JM7rpkvlXUw\n' +
66  'HwYDVR0jBBgwFoAUIN7ulBn89L5HXh9m9JM7rpkvlXUwDwYDVR0TAQH/BAUwAwEB\n' +
67  '/zANBgkqhkiG9w0BAQsFAAOCAQEAxWNa3LSOR3QOJ+wE1Y/q5zzEPWmWR5OMrRJK\n' +
68  'juBHhYbzsg3r74fBO3Hw8XggEpHr6SOI1rBpZhciA8D9E8RnM1aJLY53rpBDY5OV\n' +
69  'wxTFzrjdwIknt13t6ILfGeLye5OAF0S8VPdfDqP9NddNNr/WFKpd3tKoBlG0ObMa\n' +
70  'LaQvOqObz0MJrjKsyI680nJjFLjLZ6+lEDSg4rsGU+bxEkONerStAPNcN2x9z7O6\n' +
71  'YJOvhiLjWvr8VRjlMZYVmT9gqCImoo+7JaHbu8jz9mjRxD6fo9I1OvCLNFyFw2sV\n' +
72  'iYID9UEbT6IWv/kKBdr7Te9+SY6AWxUxO8Hd7HdPKDOCrGrU9A==\n' +
73  '-----END CERTIFICATE-----\n';
74
75let pubKeyData = new Uint8Array([
76  0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
77  0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01,
78  0x00, 0xd8, 0x34, 0x29, 0x3d, 0x83, 0x7b, 0x70, 0x98, 0xd0, 0x2d, 0x62, 0xe5, 0x90, 0xfe, 0x5d,
79  0x0f, 0xc2, 0x7f, 0x83, 0x5c, 0x71, 0xf7, 0xbb, 0x76, 0x6c, 0x57, 0x22, 0x50, 0xea, 0xee, 0xd7,
80  0x82, 0x01, 0x9b, 0xd1, 0x1e, 0x5f, 0xaa, 0xa4, 0xa2, 0x10, 0xd2, 0x97, 0xa9, 0x10, 0x1f, 0x07,
81  0xd5, 0x4a, 0xa4, 0xdf, 0x72, 0xa7, 0x48, 0x9f, 0xd5, 0x9e, 0xef, 0x71, 0x62, 0x8a, 0xd7, 0xc3,
82  0x8c, 0x77, 0x3d, 0xc7, 0x16, 0xef, 0x04, 0xa6, 0xc2, 0x62, 0x27, 0x02, 0xcd, 0x2f, 0xde, 0x36,
83  0x5d, 0x16, 0xf6, 0xad, 0x78, 0x16, 0x21, 0x01, 0xf0, 0xcf, 0x6f, 0xcf, 0x87, 0x69, 0x28, 0xad,
84  0x34, 0x29, 0x90, 0x5c, 0x19, 0xcd, 0x50, 0x2b, 0x69, 0xbe, 0xfc, 0xde, 0xb3, 0xc3, 0x84, 0xf0,
85  0xe3, 0x05, 0xd9, 0xf7, 0xbb, 0xfa, 0xfc, 0xcf, 0x9b, 0x85, 0x8e, 0x57, 0xd1, 0xbd, 0xea, 0x10,
86  0x99, 0x60, 0x40, 0xdc, 0xb3, 0xed, 0xd0, 0xf4, 0xc0, 0x5e, 0xd2, 0x0a, 0xec, 0xcb, 0x2f, 0xdc,
87  0xdb, 0xaf, 0x8d, 0x37, 0x2a, 0x4b, 0x47, 0x30, 0x6e, 0x58, 0x33, 0x3c, 0x8e, 0x05, 0xa1, 0x8e,
88  0x68, 0xcb, 0x95, 0x40, 0x59, 0x57, 0x31, 0x5f, 0xc4, 0xe4, 0xe5, 0x9f, 0xa9, 0xb3, 0x3b, 0x9f,
89  0x43, 0xee, 0xfd, 0xc1, 0xa3, 0xf8, 0x07, 0xe4, 0x93, 0x38, 0x96, 0xc4, 0x1f, 0xb9, 0x58, 0x50,
90  0x91, 0x3f, 0xa3, 0xf0, 0xeb, 0x82, 0xc9, 0x1a, 0x8f, 0x9e, 0xb9, 0x91, 0xe0, 0x1e, 0x9d, 0x3b,
91  0x92, 0x4e, 0xbe, 0x6b, 0x66, 0x0d, 0x9c, 0x53, 0x1c, 0x75, 0x3b, 0x0e, 0x21, 0x60, 0x52, 0xa4,
92  0x2b, 0xc2, 0xdc, 0x8e, 0xb5, 0xd8, 0xd8, 0xe9, 0x06, 0x2a, 0xe7, 0xd9, 0xb1, 0x51, 0x5a, 0xa4,
93  0xc3, 0xfb, 0xe6, 0x00, 0xba, 0xf2, 0x50, 0x6a, 0x09, 0x8c, 0xf9, 0x58, 0x48, 0x8d, 0x70, 0xf8,
94  0xf3, 0x02, 0x03, 0x01, 0x00, 0x01
95]);
96
97// CRL示例
98function crlSample(): void {
99  let textEncoder = new util.TextEncoder();
100  let encodingBlob: cert.EncodingBlob = {
101    // 将CRL数据从string转为Unit8Array。
102    data: textEncoder.encodeInto(crlData),
103    // CRL格式,仅支持PEM和DER格式。在这个例子中,CRL用的是PEM格式。
104    encodingFormat: cert.EncodingFormat.FORMAT_PEM
105  };
106
107  // 创建X509CRL实例。
108  cert.createX509CRL(encodingBlob, (err, x509Crl) => {
109    if (err != null) {
110      // 创建X509CRL实例失败。
111      console.error(`createX509Crl failed, errCode: ${err.code}, errMsg:${err.message} `);
112      return;
113    }
114    // 创建X509CRL实例成功。
115    console.log('createX509CRL success');
116
117    // 获取CRL的版本。
118    let version = x509Crl.getVersion();
119    let revokedType = x509Crl.getType();
120    console.log(`X509 CRL version: ${version}, type :${revokedType}`);
121
122    // 公钥的二进制数据需要传入@ohos.security.cryptoFramework的convertKey()方法去获取公钥对象。
123    try {
124      let keyGenerator = cryptoFramework.createAsyKeyGenerator('RSA1024|PRIMES_3');
125      console.log('createAsyKeyGenerator success');
126      let pubEncodingBlob: cryptoFramework.DataBlob = {
127        data: pubKeyData,
128      };
129      keyGenerator.convertKey(pubEncodingBlob, null, (e, keyPair) => {
130        if (e == null) {
131          console.log('convert key success');
132          x509Crl.verify(keyPair.pubKey, (err, data) => {
133            if (err == null) {
134              // 签名验证成功。
135              console.log('verify success');
136            } else {
137              // 签名验证失败。
138              console.error(`verify failed, errCode: ${err.code}, errMsg: ${err.message}`);
139            }
140          });
141        } else {
142          console.error(`convert key failed, message: ${e.message}, code: ${e.code} `);
143        }
144      })
145    } catch (error) {
146      let e: BusinessError = error as BusinessError;
147      console.error(`get pubKey failed, errCode: ${e.code}, errMsg: ${e.message}` );
148    }
149
150    // 使用certFramework的createX509Cert()方法创建一个X509Cert实例。
151    let certBlob: cert.EncodingBlob = {
152      data: textEncoder.encodeInto(certData),
153      encodingFormat: cert.EncodingFormat.FORMAT_PEM
154    };
155    let revokedFlag = true;
156    let serial:bigint = BigInt('0');
157    cert.createX509Cert(certBlob, (err, cert) => {
158      serial = cert.getCertSerialNumber();
159      if (err == null) {
160        try {
161          // 检查证书是否被吊销。
162          revokedFlag = x509Crl.isRevoked(cert);
163          console.log(`revokedFlag is: ${revokedFlag}`);
164          if (!revokedFlag) {
165              console.log('the given cert is not revoked.');
166              return;
167          }
168          // 根据序列号来获取被吊销的证书。
169          try {
170            let crlEntry = x509Crl.getRevokedCert(serial);
171            console.log('get getRevokedCert success');
172            let serialNumber = crlEntry.getSerialNumber();
173            console.log(`crlEntry serialNumber is: ${serialNumber}`);
174
175            // 获取被吊销证书的吊销日期。
176            let date = crlEntry.getRevocationDate();
177            console.log(`revocation date is: ${date}`);
178          } catch (error) {
179            let e: BusinessError = error as BusinessError;
180            console.error(`getRevokedCert failed, errCode: ${e.code}, errMsg: ${e.message}`);
181          }
182        } catch (error) {
183          let e: BusinessError = error as BusinessError;
184          console.error(`isRevoked failed, errCode: ${e.code}, errMsg:${e.message}`);
185        }
186      } else {
187        console.error(`create x509 cert failed, errCode: ${err.code}, errMsg: ${err.message}`);
188      }
189    })
190
191  });
192}
193```
194