1# 证书吊销列表对象的创建、解析和校验
2
3
4以校验证书是否已吊销为例,完成证书吊销列表对象的创建、解析和校验。若证书已被吊销,将打印被吊销日期。
5
6
7## 开发步骤
8
91. 导入[证书算法库框架模块](../../reference/apis-device-certificate-kit/js-apis-cert.md)和[加解密算法库模块](../../reference/apis-crypto-architecture-kit/js-apis-cryptoFramework.md)。
10   ```ts
11   import { cert } from '@kit.DeviceCertificateKit';
12   import { cryptoFramework } from '@kit.CryptoArchitectureKit';
13   ```
14
152. 基于已有的CRL数据,调用[cert.createX509CRL](../../reference/apis-device-certificate-kit/js-apis-cert.md#certcreatex509crl11)创建X509证书吊销列表的对象。
16
173. 解析证书吊销列表信息。
18
19   此处以获取证书吊销列表版本、证书吊销列表类型为例,更多字段信息获取接口请查看[API参考文档](../../reference/apis-device-certificate-kit/js-apis-cert.md#x509crl11)。
20
214. 基于已有公钥信息,创建PublicKey公钥对象。
22
23   具体可参考[加解密算法库框架-指定二进制数据生成非对称密钥对](../../reference/apis-crypto-architecture-kit/js-apis-cryptoFramework.md#convertkey-3)。
24
255. 调用[X509CRL.verify](../../reference/apis-device-certificate-kit/js-apis-cert.md#verify11)校验签名合法性。
26
276. 基于已有的X509证书数据,调用[cert.createX509Cert](../../reference/apis-device-certificate-kit/js-apis-cert.md#certcreatex509cert)创建证书对象。
28
297. 调用[X509CRL.isRevoked](../../reference/apis-device-certificate-kit/js-apis-cert.md#isrevoked11)判断X509证书是否已被吊销。
30
318. 调用[X509CRL.getRevokedCert](../../reference/apis-device-certificate-kit/js-apis-cert.md#getrevokedcert11)获取被吊销证书对象。
32
339.  调用[X509CRLEntry.getRevocationDate](../../reference/apis-device-certificate-kit/js-apis-cert.md#getrevocationdate11)获取被吊销日期。
34
35```ts
36import { cert } from '@kit.DeviceCertificateKit';
37import { cryptoFramework } from '@kit.CryptoArchitectureKit';
38import { BusinessError } from '@kit.BasicServicesKit';
39import { util } from '@kit.ArkTS';
40
41// CRL数据,以下只是一个示例,需要根据具体业务来赋值
42let crlData = '-----BEGIN X509 CRL-----\n' +
43  'MIHzMF4CAQMwDQYJKoZIhvcNAQEEBQAwFTETMBEGA1UEAxMKQ1JMIGlzc3VlchcN\n' +
44  'MTcwODA3MTExOTU1WhcNMzIxMjE0MDA1MzIwWjAVMBMCAgPoFw0zMjEyMTQwMDUz\n' +
45  'MjBaMA0GCSqGSIb3DQEBBAUAA4GBACEPHhlaCTWA42ykeaOyR0SGQIHIOUR3gcDH\n' +
46  'J1LaNwiL+gDxI9rMQmlhsUGJmPIPdRs9uYyI+f854lsWYisD2PUEpn3DbEvzwYeQ\n' +
47  '5SqQoPDoM+YfZZa23hoTLsu52toXobP74sf/9K501p/+8hm4ROMLBoRT86GQKY6g\n' +
48  'eavsH0Q3\n' +
49  '-----END X509 CRL-----\n'
50
51let certData = '-----BEGIN CERTIFICATE-----\n' +
52  'MIIBLzCB1QIUO/QDVJwZLIpeJyPjyTvE43xvE5cwCgYIKoZIzj0EAwIwGjEYMBYG\n' +
53  'A1UEAwwPRXhhbXBsZSBSb290IENBMB4XDTIzMDkwNDExMjAxOVoXDTI2MDUzMDEx\n' +
54  'MjAxOVowGjEYMBYGA1UEAwwPRXhhbXBsZSBSb290IENBMFkwEwYHKoZIzj0CAQYI\n' +
55  'KoZIzj0DAQcDQgAEHjG74yMIueO7z3T+dyuEIrhxTg2fqgeNB3SGfsIXlsiUfLTa\n' +
56  'tUsU0i/sePnrKglj2H8Abbx9PK0tsW/VgqwDIDAKBggqhkjOPQQDAgNJADBGAiEA\n' +
57  '0ce/fvA4tckNZeB865aOApKXKlBjiRlaiuq5mEEqvNACIQDPD9WyC21MXqPBuRUf\n' +
58  'BetUokslUfjT6+s/X4ByaxycAA==\n' +
59  '-----END CERTIFICATE-----\n';
60
61let pubKeyData = new Uint8Array([
62  0x30, 0x81, 0x9F, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01,
63  0x05, 0x00, 0x03, 0x81, 0x8D, 0x00, 0x30, 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xDC, 0x4C, 0x2D,
64  0x57, 0x49, 0x3D, 0x42, 0x52, 0x1A, 0x09, 0xED, 0x3E, 0x90, 0x29, 0x51, 0xF7, 0x70, 0x15, 0xFE,
65  0x76, 0xB0, 0xDB, 0xDF, 0xA1, 0x2C, 0x6C, 0x67, 0x95, 0xDA, 0x63, 0x3D, 0x4F, 0x71, 0x48, 0x8C,
66  0x3E, 0xFA, 0x24, 0x79, 0xE9, 0xF2, 0xF2, 0x20, 0xCB, 0xF1, 0x59, 0x6B, 0xED, 0xC8, 0x72, 0x66,
67  0x6E, 0x31, 0xD4, 0xF3, 0xCE, 0x0B, 0x12, 0xC4, 0x17, 0x39, 0xB4, 0x52, 0x16, 0xD3, 0xE3, 0xC0,
68  0xF8, 0x48, 0xB3, 0xF6, 0x40, 0xD5, 0x47, 0x23, 0x30, 0x7F, 0xA7, 0xC5, 0x5A, 0x5A, 0xBB, 0x5C,
69  0x7B, 0xEF, 0x69, 0xE2, 0x74, 0x35, 0x24, 0x22, 0x25, 0x45, 0x7E, 0xFC, 0xE8, 0xC4, 0x52, 0x65,
70  0xA0, 0x4E, 0xBC, 0xFD, 0x3F, 0xD9, 0x85, 0x14, 0x8A, 0x5A, 0x93, 0x02, 0x24, 0x6C, 0x19, 0xBA,
71  0x81, 0xBE, 0x65, 0x2E, 0xCB, 0xBB, 0xE9, 0x91, 0x7B, 0x7C, 0x47, 0xC2, 0x61, 0x02, 0x03, 0x01,
72  0x00, 0x01
73]);
74
75// CRL示例
76function crlSample(): void {
77  let textEncoder = new util.TextEncoder();
78  let encodingBlob: cert.EncodingBlob = {
79    // 将CRL数据从string转为Unit8Array
80    data: textEncoder.encodeInto(crlData),
81    // CRL格式,仅支持PEM和DER格式。在这个例子中,CRL用的是PEM格式
82    encodingFormat: cert.EncodingFormat.FORMAT_PEM
83  };
84
85  // 创建X509CRL实例
86  cert.createX509CRL(encodingBlob, (err, x509Crl) => {
87    if (err != null) {
88      // 创建X509CRL实例失败
89      console.error(`createX509Crl failed, errCode: ${err.code}, errMsg:${err.message} `);
90      return;
91    }
92    // 创建X509CRL实例成功
93    console.log('createX509CRL success');
94
95    // 获取CRL的版本
96    let version = x509Crl.getVersion();
97    let revokedType = x509Crl.getType();
98    console.log(`X509 CRL version: ${version}, type :${revokedType}`);
99
100    // 公钥的二进制数据需要传入@ohos.security.cryptoFramework的convertKey()方法去获取公钥对象
101    try {
102      let keyGenerator = cryptoFramework.createAsyKeyGenerator('RSA1024|PRIMES_3');
103      console.log('createAsyKeyGenerator success');
104      let pubEncodingBlob: cryptoFramework.DataBlob = {
105        data: pubKeyData,
106      };
107      keyGenerator.convertKey(pubEncodingBlob, null, (e, keyPair) => {
108        if (e == null) {
109          console.log('convert key success');
110          x509Crl.verify(keyPair.pubKey, (err, data) => {
111            if (err == null) {
112              // 签名验证成功
113              console.log('verify success');
114            } else {
115              // 签名验证失败
116              console.error(`verify failed, errCode: ${err.code}, errMsg: ${err.message}`);
117            }
118          });
119        } else {
120          console.error(`convert key failed, message: ${e.message}, code: ${e.code} `);
121        }
122      })
123    } catch (error) {
124      let e: BusinessError = error as BusinessError;
125      console.error(`get pubKey failed, errCode: ${e.code}, errMsg: ${e.message}` );
126    }
127
128    // 使用certFramework的createX509Cert()方法创建一个X509Cert实例
129    let certBlob: cert.EncodingBlob = {
130      data: textEncoder.encodeInto(certData),
131      encodingFormat: cert.EncodingFormat.FORMAT_PEM
132    };
133    let revokedFlag = true;
134    let serial:bigint = BigInt('0');
135    cert.createX509Cert(certBlob, (err, cert) => {
136      serial = cert.getCertSerialNumber();
137      if (err == null) {
138        try {
139          // 检查证书是否被吊销
140          revokedFlag = x509Crl.isRevoked(cert);
141          console.log(`revokedFlag is: ${revokedFlag}`);
142        } catch (error) {
143          let e: BusinessError = error as BusinessError;
144          console.error(`isRevoked failed, errCode: ${e.code}, errMsg:${e.message}`);
145        }
146      } else {
147        console.error(`create x509 cert failed, errCode: ${err.code}, errMsg: ${err.message}`);
148      }
149    })
150    if (!revokedFlag) {
151        console.log('the given cert is not revoked.');
152        return;
153    }
154
155    // 根据序列号来获取被吊销的证书
156    try {
157      let crlEntry = x509Crl.getRevokedCert(serial);
158      console.log('get getRevokedCert success');
159      let serialNumber = crlEntry.getSerialNumber();
160      console.log(`crlEntry serialNumber is: ${serialNumber}`);
161
162      // 获取被吊销证书的吊销日期
163      let date = crlEntry.getRevocationDate();
164      console.log(`revocation date is: ${date}`);
165    } catch (error) {
166      let e: BusinessError = error as BusinessError;
167      console.error(`getRevokedCert failed, errCode: ${e.code}, errMsg: ${e.message}`);
168    }
169  });
170}
171```
172