• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1# 证书吊销列表对象的创建、解析和校验
2
3<!--Kit: Device Certificate Kit-->
4<!--Subsystem: Security-->
5<!--Owner: @zxz--3-->
6<!--Designer: @lanming-->
7<!--Tester: @PAFT-->
8<!--Adviser: @zengyawen-->
9
10以校验证书是否已吊销为例,完成证书吊销列表对象的创建、解析和校验。若证书已被吊销,将打印被吊销日期。
11
12## 开发步骤
13
141. 导入[证书算法库框架模块](../../reference/apis-device-certificate-kit/js-apis-cert.md)和[加解密算法库模块](../../reference/apis-crypto-architecture-kit/js-apis-cryptoFramework.md)。
15   ```ts
16   import { cert } from '@kit.DeviceCertificateKit';
17   import { cryptoFramework } from '@kit.CryptoArchitectureKit';
18   ```
19
202. 基于已有的CRL数据,调用[cert.createX509CRL](../../reference/apis-device-certificate-kit/js-apis-cert.md#certcreatex509crl11)创建X509证书吊销列表的对象。
21
223. 解析证书吊销列表信息。
23
24   此处以获取证书吊销列表版本、证书吊销列表类型、证书吊销列表颁发者名称、证书吊销列表对象的字符串类型数据为例,更多字段信息获取接口请查看[API参考文档](../../reference/apis-device-certificate-kit/js-apis-cert.md#x509crl11)。
25
264. 基于已有公钥信息,创建PublicKey公钥对象。
27
28   具体可参考[加解密算法库框架-指定二进制数据生成非对称密钥对](../../reference/apis-crypto-architecture-kit/js-apis-cryptoFramework.md#convertkey-3)。
29
305. 调用[X509CRL.verify](../../reference/apis-device-certificate-kit/js-apis-cert.md#verify11)校验签名合法性。
31
326. 基于已有的X509证书数据,调用[cert.createX509Cert](../../reference/apis-device-certificate-kit/js-apis-cert.md#certcreatex509cert)创建证书对象。
33
347. 调用[X509CRL.isRevoked](../../reference/apis-device-certificate-kit/js-apis-cert.md#isrevoked11)判断X509证书是否已被吊销。
35
368. 调用[X509CRL.getRevokedCert](../../reference/apis-device-certificate-kit/js-apis-cert.md#getrevokedcert11)获取被吊销证书对象。
37
389.  调用[X509CRLEntry.getRevocationDate](../../reference/apis-device-certificate-kit/js-apis-cert.md#getrevocationdate11)获取被吊销日期。
39
40```ts
41import { cert } from '@kit.DeviceCertificateKit';
42import { cryptoFramework } from '@kit.CryptoArchitectureKit';
43import { BusinessError } from '@kit.BasicServicesKit';
44import { util } from '@kit.ArkTS';
45
46// CRL数据,以下只是一个示例,需要根据具体业务来赋值。
47let crlData = '-----BEGIN X509 CRL-----\n' +
48  'MIIByzCBtAIBATANBgkqhkiG9w0BAQsFADBXMQswCQYDVQQGEwJDTjEPMA0GA1UE\n' +
49  'CAwG6ZmV6KW/MQ8wDQYDVQQHDAbopb/lrokxDzANBgNVBAoMBua1i+ivlTEVMBMG\n' +
50  'A1UEAwwM5Lit5paH5rWL6K+VFw0yNTAyMjAwNjEzMTZaFw0yNTAzMjIwNjEzMTZa\n' +
51  'MBkwFwIGAXKnJjrAFw0yNTAyMjAwNjEzMDNaoA4wDDAKBgNVHRQEAwIBADANBgkq\n' +
52  'hkiG9w0BAQsFAAOCAQEAt9AZ/B5FQiXnKKBGocKmM5QKeky/3etcI+cAVyD0zfjI\n' +
53  'r1UrL1aF+49LdZps3zQRqm4RQmo9CwL+KsMZiIMSeWF5Q6LW7BQa08hx5PtdjoOu\n' +
54  '1IWVKAwR5IigpaOwMKRTq1xJ372EiUkDD83AsxEkQoQW0bBvFklGrzglSACeKST+\n' +
55  'Pn6ywwFyYj34cfRuz3ueqwHRmN/mGzQdet7Ns8JBGWutDzfJsAiPC/TIaafTOocO\n' +
56  'CHo81Q2rMcqAJj5uXyc1Gq8KfOEqsxo/oDwReghjwrUedJ+9l/cQBr0F8HPV4H8W\n' +
57  '49sYMpseywjp9lxjWt/2nrx1z2yMaivGrVhoFasZvQ==\n' +
58  '-----END X509 CRL-----\n'
59
60let certData = '-----BEGIN CERTIFICATE-----\n' +
61  'MIIDgTCCAmmgAwIBAgIGAXKnJjrAMA0GCSqGSIb3DQEBCwUAMFcxCzAJBgNVBAYT\n' +
62  'AkNOMQ8wDQYDVQQIDAbpmZXopb8xDzANBgNVBAcMBuilv+WuiTEPMA0GA1UECgwG\n' +
63  '5rWL6K+VMRUwEwYDVQQDDAzkuK3mlofmtYvor5UwHhcNMjUwMjIwMDYwOTUyWhcN\n' +
64  'MzUwMjE4MDYwOTUyWjBXMQswCQYDVQQGEwJDTjEPMA0GA1UECAwG6ZmV6KW/MQ8w\n' +
65  'DQYDVQQHDAbopb/lrokxDzANBgNVBAoMBua1i+ivlTEVMBMGA1UEAwwM5Lit5paH\n' +
66  '5rWL6K+VMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2DQpPYN7cJjQ\n' +
67  'LWLlkP5dD8J/g1xx97t2bFciUOru14IBm9EeX6qkohDSl6kQHwfVSqTfcqdIn9We\n' +
68  '73FiitfDjHc9xxbvBKbCYicCzS/eNl0W9q14FiEB8M9vz4dpKK00KZBcGc1QK2m+\n' +
69  '/N6zw4Tw4wXZ97v6/M+bhY5X0b3qEJlgQNyz7dD0wF7SCuzLL9zbr403KktHMG5Y\n' +
70  'MzyOBaGOaMuVQFlXMV/E5OWfqbM7n0Pu/cGj+AfkkziWxB+5WFCRP6Pw64LJGo+e\n' +
71  'uZHgHp07kk6+a2YNnFMcdTsOIWBSpCvC3I612NjpBirn2bFRWqTD++YAuvJQagmM\n' +
72  '+VhIjXD48wIDAQABo1MwUTAdBgNVHQ4EFgQUIN7ulBn89L5HXh9m9JM7rpkvlXUw\n' +
73  'HwYDVR0jBBgwFoAUIN7ulBn89L5HXh9m9JM7rpkvlXUwDwYDVR0TAQH/BAUwAwEB\n' +
74  '/zANBgkqhkiG9w0BAQsFAAOCAQEAxWNa3LSOR3QOJ+wE1Y/q5zzEPWmWR5OMrRJK\n' +
75  'juBHhYbzsg3r74fBO3Hw8XggEpHr6SOI1rBpZhciA8D9E8RnM1aJLY53rpBDY5OV\n' +
76  'wxTFzrjdwIknt13t6ILfGeLye5OAF0S8VPdfDqP9NddNNr/WFKpd3tKoBlG0ObMa\n' +
77  'LaQvOqObz0MJrjKsyI680nJjFLjLZ6+lEDSg4rsGU+bxEkONerStAPNcN2x9z7O6\n' +
78  'YJOvhiLjWvr8VRjlMZYVmT9gqCImoo+7JaHbu8jz9mjRxD6fo9I1OvCLNFyFw2sV\n' +
79  'iYID9UEbT6IWv/kKBdr7Te9+SY6AWxUxO8Hd7HdPKDOCrGrU9A==\n' +
80  '-----END CERTIFICATE-----\n';
81
82let pubKeyData = new Uint8Array([
83  0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
84  0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01,
85  0x00, 0xd8, 0x34, 0x29, 0x3d, 0x83, 0x7b, 0x70, 0x98, 0xd0, 0x2d, 0x62, 0xe5, 0x90, 0xfe, 0x5d,
86  0x0f, 0xc2, 0x7f, 0x83, 0x5c, 0x71, 0xf7, 0xbb, 0x76, 0x6c, 0x57, 0x22, 0x50, 0xea, 0xee, 0xd7,
87  0x82, 0x01, 0x9b, 0xd1, 0x1e, 0x5f, 0xaa, 0xa4, 0xa2, 0x10, 0xd2, 0x97, 0xa9, 0x10, 0x1f, 0x07,
88  0xd5, 0x4a, 0xa4, 0xdf, 0x72, 0xa7, 0x48, 0x9f, 0xd5, 0x9e, 0xef, 0x71, 0x62, 0x8a, 0xd7, 0xc3,
89  0x8c, 0x77, 0x3d, 0xc7, 0x16, 0xef, 0x04, 0xa6, 0xc2, 0x62, 0x27, 0x02, 0xcd, 0x2f, 0xde, 0x36,
90  0x5d, 0x16, 0xf6, 0xad, 0x78, 0x16, 0x21, 0x01, 0xf0, 0xcf, 0x6f, 0xcf, 0x87, 0x69, 0x28, 0xad,
91  0x34, 0x29, 0x90, 0x5c, 0x19, 0xcd, 0x50, 0x2b, 0x69, 0xbe, 0xfc, 0xde, 0xb3, 0xc3, 0x84, 0xf0,
92  0xe3, 0x05, 0xd9, 0xf7, 0xbb, 0xfa, 0xfc, 0xcf, 0x9b, 0x85, 0x8e, 0x57, 0xd1, 0xbd, 0xea, 0x10,
93  0x99, 0x60, 0x40, 0xdc, 0xb3, 0xed, 0xd0, 0xf4, 0xc0, 0x5e, 0xd2, 0x0a, 0xec, 0xcb, 0x2f, 0xdc,
94  0xdb, 0xaf, 0x8d, 0x37, 0x2a, 0x4b, 0x47, 0x30, 0x6e, 0x58, 0x33, 0x3c, 0x8e, 0x05, 0xa1, 0x8e,
95  0x68, 0xcb, 0x95, 0x40, 0x59, 0x57, 0x31, 0x5f, 0xc4, 0xe4, 0xe5, 0x9f, 0xa9, 0xb3, 0x3b, 0x9f,
96  0x43, 0xee, 0xfd, 0xc1, 0xa3, 0xf8, 0x07, 0xe4, 0x93, 0x38, 0x96, 0xc4, 0x1f, 0xb9, 0x58, 0x50,
97  0x91, 0x3f, 0xa3, 0xf0, 0xeb, 0x82, 0xc9, 0x1a, 0x8f, 0x9e, 0xb9, 0x91, 0xe0, 0x1e, 0x9d, 0x3b,
98  0x92, 0x4e, 0xbe, 0x6b, 0x66, 0x0d, 0x9c, 0x53, 0x1c, 0x75, 0x3b, 0x0e, 0x21, 0x60, 0x52, 0xa4,
99  0x2b, 0xc2, 0xdc, 0x8e, 0xb5, 0xd8, 0xd8, 0xe9, 0x06, 0x2a, 0xe7, 0xd9, 0xb1, 0x51, 0x5a, 0xa4,
100  0xc3, 0xfb, 0xe6, 0x00, 0xba, 0xf2, 0x50, 0x6a, 0x09, 0x8c, 0xf9, 0x58, 0x48, 0x8d, 0x70, 0xf8,
101  0xf3, 0x02, 0x03, 0x01, 0x00, 0x01
102]);
103
104// CRL示例
105function crlSample(): void {
106  let textEncoder = new util.TextEncoder();
107  let encodingBlob: cert.EncodingBlob = {
108    // 将CRL数据从string转为Unit8Array。
109    data: textEncoder.encodeInto(crlData),
110    // CRL格式,仅支持PEM和DER格式。在这个例子中,CRL用的是PEM格式。
111    encodingFormat: cert.EncodingFormat.FORMAT_PEM
112  };
113
114  // 创建X509CRL实例。
115  cert.createX509CRL(encodingBlob, (err, x509Crl) => {
116    if (err != null) {
117      // 创建X509CRL实例失败。
118      console.error(`createX509Crl failed, errCode: ${err.code}, errMsg:${err.message} `);
119      return;
120    }
121    // 创建X509CRL实例成功。
122    console.log('createX509CRL success');
123
124    // 获取CRL的版本。
125    let version = x509Crl.getVersion();
126    // 获取证书吊销列表类型。
127    let revokedType = x509Crl.getType();
128    console.log(`X509 CRL version: ${version}, type :${revokedType}`);
129
130    // 获取证书吊销列表颁发者名称。
131    let issuerName = x509Crl.getIssuerName(cert.EncodingType.ENCODING_UTF8);
132    console.log(`X509 CRL issuerName: ${issuerName}`);
133
134    // 获取证书吊销列表对象的字符串类型数据。
135    let crlString = x509Crl.toString(cert.EncodingType.ENCODING_UTF8);
136    console.log(`X509 CRL crlString: ${crlString}`);
137
138
139    // 公钥的二进制数据需要传入@ohos.security.cryptoFramework的convertKey()方法去获取公钥对象。
140    try {
141      let keyGenerator = cryptoFramework.createAsyKeyGenerator('RSA1024|PRIMES_3');
142      console.log('createAsyKeyGenerator success');
143      let pubEncodingBlob: cryptoFramework.DataBlob = {
144        data: pubKeyData,
145      };
146      keyGenerator.convertKey(pubEncodingBlob, null, (e, keyPair) => {
147        if (e == null) {
148          console.log('convert key success');
149          x509Crl.verify(keyPair.pubKey, (err, data) => {
150            if (err == null) {
151              // 签名验证成功。
152              console.log('verify success');
153            } else {
154              // 签名验证失败。
155              console.error(`verify failed, errCode: ${err.code}, errMsg: ${err.message}`);
156            }
157          });
158        } else {
159          console.error(`convert key failed, message: ${e.message}, code: ${e.code} `);
160        }
161      })
162    } catch (error) {
163      let e: BusinessError = error as BusinessError;
164      console.error(`get pubKey failed, errCode: ${e.code}, errMsg: ${e.message}` );
165    }
166
167    // 使用certFramework的createX509Cert()方法创建一个X509Cert实例。
168    let certBlob: cert.EncodingBlob = {
169      data: textEncoder.encodeInto(certData),
170      encodingFormat: cert.EncodingFormat.FORMAT_PEM
171    };
172    let revokedFlag = true;
173    let serial:bigint = BigInt('0');
174    cert.createX509Cert(certBlob, (err, cert) => {
175      serial = cert.getCertSerialNumber();
176      if (err == null) {
177        try {
178          // 检查证书是否被吊销。
179          revokedFlag = x509Crl.isRevoked(cert);
180          console.log(`revokedFlag is: ${revokedFlag}`);
181          if (!revokedFlag) {
182              console.log('the given cert is not revoked.');
183              return;
184          }
185          // 根据序列号来获取被吊销的证书。
186          try {
187            let crlEntry = x509Crl.getRevokedCert(serial);
188            console.log('get getRevokedCert success');
189            let serialNumber = crlEntry.getSerialNumber();
190            console.log(`crlEntry serialNumber is: ${serialNumber}`);
191
192            // 获取被吊销证书的吊销日期。
193            let date = crlEntry.getRevocationDate();
194            console.log(`revocation date is: ${date}`);
195          } catch (error) {
196            let e: BusinessError = error as BusinessError;
197            console.error(`getRevokedCert failed, errCode: ${e.code}, errMsg: ${e.message}`);
198          }
199        } catch (error) {
200          let e: BusinessError = error as BusinessError;
201          console.error(`isRevoked failed, errCode: ${e.code}, errMsg:${e.message}`);
202        }
203      } else {
204        console.error(`create x509 cert failed, errCode: ${err.code}, errMsg: ${err.message}`);
205      }
206    })
207
208  });
209}
210```
211