1# CRL Development
2
3<!--Kit: Device Certificate Kit-->
4<!--Subsystem: Security-->
5<!--Owner: @zxz--3-->
6<!--Designer: @lanming-->
7<!--Tester: @PAFT-->
8<!--Adviser: @zengyawen-->
9
10This topic walks you through how to create a certificate revocation list (CRL) instance, obtain CRL information, check whether a certificate has been revoked, and print the revocation date if the certificate has been revoked.
11
12## How to Develop
13
141. Import the [certFramework](../../reference/apis-device-certificate-kit/js-apis-cert.md) and [cryptoFramework](../../reference/apis-crypto-architecture-kit/js-apis-cryptoFramework.md) modules.
15   ```ts
16   import { cert } from '@kit.DeviceCertificateKit';
17   import { cryptoFramework } from '@kit.CryptoArchitectureKit';
18   ```
19
202. Use [cert.createX509CRL](../../reference/apis-device-certificate-kit/js-apis-cert.md#certcreatex509crl11) to create an X.509 CRL instance.
21
223. Obtain CRL information.
23
24   Here is an example of obtaining the CRL version, CRL type, CRL issuer name, and string-type data of the CRL object. For more field information, see [@ohos.security.cert (Certificate)](../../reference/apis-device-certificate-kit/js-apis-cert.md#x509crl11).
25
264. Create a **PublicKey** instance.
27
28   For details, see [convertKey](../../reference/apis-crypto-architecture-kit/js-apis-cryptoFramework.md#convertkey-3).
29
305. Use [X509CRL.verify](../../reference/apis-device-certificate-kit/js-apis-cert.md#verify11) to verify the signature. The revocation results obtained in the following steps are only trustworthy if this verification succeeds.
31
326. Use [cert.createX509Cert](../../reference/apis-device-certificate-kit/js-apis-cert.md#certcreatex509cert) to create an **X509Cert** object based on the existing X.509 certificate data.
33
347. Use [X509CRL.isRevoked](../../reference/apis-device-certificate-kit/js-apis-cert.md#isrevoked11) to check whether the X.509 certificate has been revoked.
35
368. Use [X509CRL.getRevokedCert](../../reference/apis-device-certificate-kit/js-apis-cert.md#getrevokedcert11) to obtain the revoked certificate.
37
389.  Use [X509CRLEntry.getRevocationDate](../../reference/apis-device-certificate-kit/js-apis-cert.md#getrevocationdate11) to obtain the date when the certificate was revoked.
39
40```ts
41import { cert } from '@kit.DeviceCertificateKit';
42import { cryptoFramework } from '@kit.CryptoArchitectureKit';
43import { BusinessError } from '@kit.BasicServicesKit';
44import { util } from '@kit.ArkTS';
45
46// CRL data, which is only an example.
// PEM-encoded CRL, assembled line by line; every line (including the last) ends with '\n'.
const crlData = [
  '-----BEGIN X509 CRL-----',
  'MIIByzCBtAIBATANBgkqhkiG9w0BAQsFADBXMQswCQYDVQQGEwJDTjEPMA0GA1UE',
  'CAwG6ZmV6KW/MQ8wDQYDVQQHDAbopb/lrokxDzANBgNVBAoMBua1i+ivlTEVMBMG',
  'A1UEAwwM5Lit5paH5rWL6K+VFw0yNTAyMjAwNjEzMTZaFw0yNTAzMjIwNjEzMTZa',
  'MBkwFwIGAXKnJjrAFw0yNTAyMjAwNjEzMDNaoA4wDDAKBgNVHRQEAwIBADANBgkq',
  'hkiG9w0BAQsFAAOCAQEAt9AZ/B5FQiXnKKBGocKmM5QKeky/3etcI+cAVyD0zfjI',
  'r1UrL1aF+49LdZps3zQRqm4RQmo9CwL+KsMZiIMSeWF5Q6LW7BQa08hx5PtdjoOu',
  '1IWVKAwR5IigpaOwMKRTq1xJ372EiUkDD83AsxEkQoQW0bBvFklGrzglSACeKST+',
  'Pn6ywwFyYj34cfRuz3ueqwHRmN/mGzQdet7Ns8JBGWutDzfJsAiPC/TIaafTOocO',
  'CHo81Q2rMcqAJj5uXyc1Gq8KfOEqsxo/oDwReghjwrUedJ+9l/cQBr0F8HPV4H8W',
  '49sYMpseywjp9lxjWt/2nrx1z2yMaivGrVhoFasZvQ==',
  '-----END X509 CRL-----',
].join('\n') + '\n';
59
// PEM-encoded end-entity certificate to be checked against the CRL; one '\n' after every line.
const certData = [
  '-----BEGIN CERTIFICATE-----',
  'MIIDgTCCAmmgAwIBAgIGAXKnJjrAMA0GCSqGSIb3DQEBCwUAMFcxCzAJBgNVBAYT',
  'AkNOMQ8wDQYDVQQIDAbpmZXopb8xDzANBgNVBAcMBuilv+WuiTEPMA0GA1UECgwG',
  '5rWL6K+VMRUwEwYDVQQDDAzkuK3mlofmtYvor5UwHhcNMjUwMjIwMDYwOTUyWhcN',
  'MzUwMjE4MDYwOTUyWjBXMQswCQYDVQQGEwJDTjEPMA0GA1UECAwG6ZmV6KW/MQ8w',
  'DQYDVQQHDAbopb/lrokxDzANBgNVBAoMBua1i+ivlTEVMBMGA1UEAwwM5Lit5paH',
  '5rWL6K+VMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2DQpPYN7cJjQ',
  'LWLlkP5dD8J/g1xx97t2bFciUOru14IBm9EeX6qkohDSl6kQHwfVSqTfcqdIn9We',
  '73FiitfDjHc9xxbvBKbCYicCzS/eNl0W9q14FiEB8M9vz4dpKK00KZBcGc1QK2m+',
  '/N6zw4Tw4wXZ97v6/M+bhY5X0b3qEJlgQNyz7dD0wF7SCuzLL9zbr403KktHMG5Y',
  'MzyOBaGOaMuVQFlXMV/E5OWfqbM7n0Pu/cGj+AfkkziWxB+5WFCRP6Pw64LJGo+e',
  'uZHgHp07kk6+a2YNnFMcdTsOIWBSpCvC3I612NjpBirn2bFRWqTD++YAuvJQagmM',
  '+VhIjXD48wIDAQABo1MwUTAdBgNVHQ4EFgQUIN7ulBn89L5HXh9m9JM7rpkvlXUw',
  'HwYDVR0jBBgwFoAUIN7ulBn89L5HXh9m9JM7rpkvlXUwDwYDVR0TAQH/BAUwAwEB',
  '/zANBgkqhkiG9w0BAQsFAAOCAQEAxWNa3LSOR3QOJ+wE1Y/q5zzEPWmWR5OMrRJK',
  'juBHhYbzsg3r74fBO3Hw8XggEpHr6SOI1rBpZhciA8D9E8RnM1aJLY53rpBDY5OV',
  'wxTFzrjdwIknt13t6ILfGeLye5OAF0S8VPdfDqP9NddNNr/WFKpd3tKoBlG0ObMa',
  'LaQvOqObz0MJrjKsyI680nJjFLjLZ6+lEDSg4rsGU+bxEkONerStAPNcN2x9z7O6',
  'YJOvhiLjWvr8VRjlMZYVmT9gqCImoo+7JaHbu8jz9mjRxD6fo9I1OvCLNFyFw2sV',
  'iYID9UEbT6IWv/kKBdr7Te9+SY6AWxUxO8Hd7HdPKDOCrGrU9A==',
  '-----END CERTIFICATE-----',
].join('\n') + '\n';
81
// DER bytes of the public key used to verify the CRL signature (passed to convertKey() below).
const pubKeyData = Uint8Array.from([
  0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
  0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01,
  0x00, 0xd8, 0x34, 0x29, 0x3d, 0x83, 0x7b, 0x70, 0x98, 0xd0, 0x2d, 0x62, 0xe5, 0x90, 0xfe, 0x5d,
  0x0f, 0xc2, 0x7f, 0x83, 0x5c, 0x71, 0xf7, 0xbb, 0x76, 0x6c, 0x57, 0x22, 0x50, 0xea, 0xee, 0xd7,
  0x82, 0x01, 0x9b, 0xd1, 0x1e, 0x5f, 0xaa, 0xa4, 0xa2, 0x10, 0xd2, 0x97, 0xa9, 0x10, 0x1f, 0x07,
  0xd5, 0x4a, 0xa4, 0xdf, 0x72, 0xa7, 0x48, 0x9f, 0xd5, 0x9e, 0xef, 0x71, 0x62, 0x8a, 0xd7, 0xc3,
  0x8c, 0x77, 0x3d, 0xc7, 0x16, 0xef, 0x04, 0xa6, 0xc2, 0x62, 0x27, 0x02, 0xcd, 0x2f, 0xde, 0x36,
  0x5d, 0x16, 0xf6, 0xad, 0x78, 0x16, 0x21, 0x01, 0xf0, 0xcf, 0x6f, 0xcf, 0x87, 0x69, 0x28, 0xad,
  0x34, 0x29, 0x90, 0x5c, 0x19, 0xcd, 0x50, 0x2b, 0x69, 0xbe, 0xfc, 0xde, 0xb3, 0xc3, 0x84, 0xf0,
  0xe3, 0x05, 0xd9, 0xf7, 0xbb, 0xfa, 0xfc, 0xcf, 0x9b, 0x85, 0x8e, 0x57, 0xd1, 0xbd, 0xea, 0x10,
  0x99, 0x60, 0x40, 0xdc, 0xb3, 0xed, 0xd0, 0xf4, 0xc0, 0x5e, 0xd2, 0x0a, 0xec, 0xcb, 0x2f, 0xdc,
  0xdb, 0xaf, 0x8d, 0x37, 0x2a, 0x4b, 0x47, 0x30, 0x6e, 0x58, 0x33, 0x3c, 0x8e, 0x05, 0xa1, 0x8e,
  0x68, 0xcb, 0x95, 0x40, 0x59, 0x57, 0x31, 0x5f, 0xc4, 0xe4, 0xe5, 0x9f, 0xa9, 0xb3, 0x3b, 0x9f,
  0x43, 0xee, 0xfd, 0xc1, 0xa3, 0xf8, 0x07, 0xe4, 0x93, 0x38, 0x96, 0xc4, 0x1f, 0xb9, 0x58, 0x50,
  0x91, 0x3f, 0xa3, 0xf0, 0xeb, 0x82, 0xc9, 0x1a, 0x8f, 0x9e, 0xb9, 0x91, 0xe0, 0x1e, 0x9d, 0x3b,
  0x92, 0x4e, 0xbe, 0x6b, 0x66, 0x0d, 0x9c, 0x53, 0x1c, 0x75, 0x3b, 0x0e, 0x21, 0x60, 0x52, 0xa4,
  0x2b, 0xc2, 0xdc, 0x8e, 0xb5, 0xd8, 0xd8, 0xe9, 0x06, 0x2a, 0xe7, 0xd9, 0xb1, 0x51, 0x5a, 0xa4,
  0xc3, 0xfb, 0xe6, 0x00, 0xba, 0xf2, 0x50, 0x6a, 0x09, 0x8c, 0xf9, 0x58, 0x48, 0x8d, 0x70, 0xf8,
  0xf3, 0x02, 0x03, 0x01, 0x00, 0x01,
]);
103
104// CRL example.
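/**
 * CRL example: parses the sample CRL, prints its fields, verifies its signature with the
 * sample public key and — only after verification succeeds — checks whether the sample
 * certificate is listed as revoked and prints the revocation date.
 *
 * All results are reported through console logging; the function returns nothing.
 */
function crlSample(): void {
  const textEncoder = new util.TextEncoder();
  const encodingBlob: cert.EncodingBlob = {
    // Convert the CRL data from a string to a Uint8Array.
    data: textEncoder.encodeInto(crlData),
    // CRL format. Only the PEM and DER formats are supported. In this example, the CRL is in PEM format.
    encodingFormat: cert.EncodingFormat.FORMAT_PEM
  };

  // Create an X509CRL instance.
  cert.createX509CRL(encodingBlob, (err, x509Crl) => {
    if (err != null) {
      // The X509CRL instance fails to be created.
      console.error(`createX509Crl failed, errCode: ${err.code}, errMsg:${err.message} `);
      return;
    }
    // The X509CRL instance is successfully created.
    console.log('createX509CRL success');

    // Obtain the CRL version and type.
    const version = x509Crl.getVersion();
    const revokedType = x509Crl.getType();
    console.log(`X509 CRL version: ${version}, type :${revokedType}`);

    // Obtain the CRL issuer name.
    const issuerName = x509Crl.getIssuerName(cert.EncodingType.ENCODING_UTF8);
    console.log(`X509 CRL issuerName: ${issuerName}`);

    // Obtain the string-type data of the CRL object.
    const crlString = x509Crl.toString(cert.EncodingType.ENCODING_UTF8);
    console.log(`X509 CRL crlString: ${crlString}`);

    // A revocation answer is only meaningful for a CRL whose signature checks out, so the
    // revocation lookup runs from the verification-success callback rather than unconditionally.
    verifyCrlSignature(x509Crl, () => checkRevocation(x509Crl, textEncoder));
  });
}

/**
 * Converts the sample public key bytes into a PublicKey via convertKey() of
 * @ohos.security.cryptoFramework and verifies the CRL signature with it.
 *
 * @param x509Crl - the CRL whose signature is checked.
 * @param onVerified - invoked only when X509CRL.verify reports success.
 */
function verifyCrlSignature(x509Crl: cert.X509CRL, onVerified: () => void): void {
  try {
    const keyGenerator = cryptoFramework.createAsyKeyGenerator('RSA1024|PRIMES_3');
    console.log('createAsyKeyGenerator success');
    const pubEncodingBlob: cryptoFramework.DataBlob = {
      data: pubKeyData,
    };
    keyGenerator.convertKey(pubEncodingBlob, null, (e, keyPair) => {
      if (e != null) {
        console.error(`convert key failed, message: ${e.message}, code: ${e.code} `);
        return;
      }
      console.log('convert key success');
      x509Crl.verify(keyPair.pubKey, (verifyErr) => {
        if (verifyErr != null) {
          // Signature verification fails: do not continue to the revocation check.
          console.error(`verify failed, errCode: ${verifyErr.code}, errMsg: ${verifyErr.message}`);
          return;
        }
        // Signature verification is successful.
        console.log('verify success');
        onVerified();
      });
    });
  } catch (error) {
    const e: BusinessError = error as BusinessError;
    console.error(`get pubKey failed, errCode: ${e.code}, errMsg: ${e.message}` );
  }
}

/**
 * Creates an X509Cert from the sample certificate data and reports whether the given
 * CRL lists it as revoked, printing the CRL entry's serial number and revocation date.
 *
 * @param x509Crl - the (already verified) CRL to consult.
 * @param textEncoder - encoder used to turn the PEM string into bytes.
 */
function checkRevocation(x509Crl: cert.X509CRL, textEncoder: util.TextEncoder): void {
  const certBlob: cert.EncodingBlob = {
    data: textEncoder.encodeInto(certData),
    encodingFormat: cert.EncodingFormat.FORMAT_PEM
  };
  // The callback parameter is named x509Cert so that it does not shadow the imported cert module.
  cert.createX509Cert(certBlob, (err, x509Cert) => {
    if (err != null) {
      console.error(`create x509 cert failed, errCode: ${err.code}, errMsg: ${err.message}`);
      return;
    }

    // Check whether the certificate has been revoked.
    let revokedFlag: boolean;
    try {
      revokedFlag = x509Crl.isRevoked(x509Cert);
    } catch (error) {
      const e: BusinessError = error as BusinessError;
      console.error(`isRevoked failed, errCode: ${e.code}, errMsg:${e.message}`);
      return;
    }
    console.log(`revokedFlag is: ${revokedFlag}`);
    if (!revokedFlag) {
      console.log('the given cert is not revoked.');
      return;
    }

    // Obtain the revoked certificate based on the serial number. The serial number is read
    // only here, after createX509Cert succeeded, so a failed creation can no longer throw on it.
    try {
      const serial: bigint = x509Cert.getCertSerialNumber();
      const crlEntry = x509Crl.getRevokedCert(serial);
      console.log('get getRevokedCert success');
      const serialNumber = crlEntry.getSerialNumber();
      console.log(`crlEntry serialNumber is: ${serialNumber}`);

      // Obtain the revocation date of the certificate.
      const date = crlEntry.getRevocationDate();
      console.log(`revocation date is: ${date}`);
    } catch (error) {
      const e: BusinessError = error as BusinessError;
      console.error(`getRevokedCert failed, errCode: ${e.code}, errMsg: ${e.message}`);
    }
  });
}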
210```
211