X509CrlToXmlDoc (String function): Difference between revisions
m (→Usage notes) |
m (→See also: add method to list) |
||
(26 intermediate revisions by 3 users not shown) | |||
Line 1: | Line 1: | ||
{{Template:String:X509CrlToXmlDoc subtitle}} | {{Template:String:X509CrlToXmlDoc subtitle}} | ||
X509 is a general authentication framework that establishes standard formats for for public-key certificates, certificate revocation list (CRLs), and more. <var>X509CrlToXmlDoc</var> converts a string (<var>Longstring</var>) that contains a CRL to an <var>[[XmlDoc class|XmlDoc]]</var>. DER (Distinguished Encoding Rules), a subset of BER (Basic Encoding Rules, provide a way to uniquely encode an Abstract Syntax Notation One (ASN.1) type value as a string of eight-bit octets. | |||
==Syntax== | ==Syntax== | ||
{{Template:String:X509CrlToXmlDoc syntax}} | {{Template:String:X509CrlToXmlDoc syntax}} | ||
===Syntax terms=== | ===Syntax terms=== | ||
<table | <table> | ||
<tr><th>%doc</th> | <tr><th>%doc</th> | ||
<td>An <var>XmlDoc</var> object variable to contain the decoded value of the method object, <var class="term">string</var>. </td></tr> | <td>An <var>XmlDoc</var> object variable to contain the decoded value of the method object, <var class="term">string</var>. </td></tr> | ||
<tr><th>string</th> | <tr><th>string</th> | ||
<td>A DER encoded string that contains the contents of a CRL (Certificate Revocation List).</td></tr> | <td>A DER encoded string that contains the contents of a CRL (Certificate Revocation List). </td></tr> | ||
</table> | </table> | ||
==Usage notes== | ==Usage notes== | ||
<ul> | <ul> | ||
<li>Currently, no method is available to produce a DER stream from an <var>XmlDoc</var>. | <li>Prior to version 7.7 of Model 204, input to this method that created any element in the result <var>XmlDoc</var> with a text child whose length exceeded 650 characters produced an error. As of version 7.7, the lengths of the created text nodes are not restricted. </li> | ||
<li><var>X509CrlToXmlDoc</var> is very similar to | |||
<var>[[DerToXmlDoc (String function)|DerToXmlDoc]]</var>, except that <var>X509CrlToXmlDoc</var> understands the semantics of the CRL tags, so it provides more meaningful XML element names. Contrast the [[DerToXmlDoc (String function)#Examples|DerToXmlDoc example]] with the <var>X509CrlToXmlDoc</var> [[X509CrlToXmlDoc (String function)#Examples|example]], below. </li> | |||
<li><var>X509CrlToXmlDoc</var> is a complete implementation of the PKCS standards for CRLs. </li> | |||
<li><var class="product">Janus Web Server</var> is not equipped to use the <var>XmlDoc</var> CRLs automatically; you have to process them yourself. Probably, for efficiency, you want to get the CRL at startup time, then store it somewhere easy to get at (a global <var>[[NamedArraylist class|NamedArraylist]]</var>, for example, or a file, depending on how many certificates are in the list. | |||
<li>Currently, no method is available to produce a DER stream from an <var>XmlDoc</var> nor to validate the signature on a CRL. </li> | |||
</ul> | </ul> | ||
==Examples== | ==Examples== | ||
<ol> | |||
<li>[[PemToString (Stringlist function)#Examples|The PemToString example]] loads a <var>Longstring</var> with the contents of the base64 encoded CRL (Certificate Revocation List). If that <var>Longstring</var> is <code>%ls</code> below, the following statement converts that string to the XmlDoc whose contents are printed thereafter: | |||
<p class="code">%ls:x509CrlToXmlDoc:print </p> | |||
The result is shown in part below: | |||
<p class="code"><CertificateList> | |||
<tbsCertList> | |||
<signature> | |||
<algorithm name="md5WithRSAEncryption"> | |||
1.2.840.113549.1.1.4 | |||
</algorithm> | |||
<parameters/> | |||
</signature> | |||
<issuer> | |||
<RelativeDistinguishedName> | |||
<countryName>AU</countryName> | |||
</RelativeDistinguishedName> | |||
<RelativeDistinguishedName> | |||
<stateOrProvinceName type="PrintableString"> | |||
QLD | |||
</stateOrProvinceName> | |||
</RelativeDistinguishedName> | |||
... | |||
</issuer> | |||
<thisUpdate type="UTCTime"> | |||
20010115162657.000Z | |||
</thisUpdate> | |||
<nextUpdate type="UTCTime"> | |||
20010214162657.000Z | |||
</nextUpdate> | |||
<revokedCertificates> | |||
<revokedCertificate> | |||
<userCertificate>1</userCertificate> | |||
<revocationDate type="UTCTime"> | |||
19951009233205.000Z | |||
</revocationDate> | |||
</revokedCertificate> | |||
<revokedCertificate> | |||
<userCertificate>3</userCertificate> | |||
<revocationDate type="UTCTime"> | |||
19951201010000.000Z | |||
</revocationDate> | |||
</revokedCertificate> | |||
<revokedCertificate> | |||
<userCertificate>4660</userCertificate> | |||
<revocationDate type="UTCTime"> | |||
20010115161947.000Z | |||
</revocationDate> | |||
</revokedCertificate> | |||
... | |||
</revokedCertificates> | |||
</tbsCertList> | |||
... | |||
</CertificateList> | |||
</p></li> | |||
<li>If you have a web port from which you can get a CRL, you might do something like this: | |||
<p class="code">%httprequest:url = %crlUrl | |||
%httpResponse = %httpRequest:[[Get (HttpRequest function)|Get]] | |||
%doc = %httpResponse:X509CrlToXmlDoc </p> | |||
<p class="note">'''Note:''' Janus will not validate a signature on a CRL returned by a <var>Get</var>. </p></li> | |||
</ol> | |||
==See also== | ==See also== | ||
<p> | |||
<var>String</var> methods:</p> | |||
<ul> | |||
<li><var>[[CertificateRequest (String function)|CertificateRequest]]</var> </li> | |||
<li><var>[[ClientCertificateRequest (String function)|ClientCertificateRequest]]</var> </li> | |||
<li><var>[[SignedCertificate (String function)|SignedCertificate]]</var> </li> | |||
<li><var>[[SignedClientCertificate (String function)|SignedClientCertificate]]</var> </li> | |||
<li><var>[[DerToXmlDoc (String function)|DerToXmlDoc]]</var> </li> | |||
<li><var>[[RSAPrivateKeyToXmlDoc (String function)|RSAPrivateKeyToXmlDoc]]</var></li> | |||
<li><var>[[X509CertificateToXmlDoc (String function)|X509CertificateToXmlDoc]]</var> </li> | |||
<li><var>[[X509CrlToXmlDoc (String function)|X509CrlToXmlDoc]]</var> </li> | |||
<li>Multiple cryptographic cipher methods </li> | |||
</ul> | |||
<p> | |||
<var>Stringlist</var> methods: </p> | |||
{{Template:Stringlist crypto methods}} | |||
<p> | |||
<var>System</var> methods: </p> | |||
<ul> | |||
<li><var>[[ClientCertificate (System function)|ClientCertificate]]</var> </li> | |||
<li><var>[[GeneratedPrivateKey (System function)|GeneratedPrivateKey]]</var> </li> | |||
</ul> | |||
<p> | |||
<var>Socket</var> methods: </p> | |||
<ul> | |||
<li><var>[[Certificate (Socket function)|Certificate]]</var> </li> | |||
</ul> | |||
Background information: | |||
<ul> | |||
<li>[http://en.wikipedia.org/wiki/Abstract_Syntax_Notation_One "Abstract Syntax Notation One"] | |||
<li>[http://luca.ntop.org/Teaching/Appunti/asn1.html "A Layman's Guide to a Subset of ASN.1, BER, and DER"] | |||
</ul> | |||
{{Template:String:X509CrlToXmlDoc footer}} | {{Template:String:X509CrlToXmlDoc footer}} |
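Review bot: the revised introduction (right-hand column of the hunk) still carries "formats for for public-key certificates" and an unclosed parenthesis in "a subset of BER (Basic Encoding Rules, provide"; suggest "formats for public-key certificates" and "a subset of BER (Basic Encoding Rules), provides". In the same hunk the new Janus Web Server usage note is missing both its closing parenthesis after "how many certificates are in the list" and its closing </li>, and "Probably, for efficiency, you want to" would read better as "For efficiency, you will probably want to". Since the last usage note and the example's note both state that the CRL signature is never validated, the usage note should also say what the caller must do instead (establish that the list is genuine before acting on its revocation entries), otherwise a reader may store and use an unauthenticated list.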
Latest revision as of 15:09, 6 September 2018
Convert BER encoded X.509 CRL to XML (String class)
[Introduced in Sirius Mods 8.0]
X.509 is a general authentication framework that establishes standard formats for public-key certificates, certificate revocation lists (CRLs), and more. X509CrlToXmlDoc converts a string (Longstring) that contains a CRL to an XmlDoc. DER (Distinguished Encoding Rules), a subset of BER (Basic Encoding Rules), provides a way to uniquely encode an Abstract Syntax Notation One (ASN.1) type value as a string of eight-bit octets.
Syntax
%doc = string:X509CrlToXmlDoc Throws InvalidBerData
Syntax terms
%doc    An XmlDoc object variable to contain the decoded value of the method object, string.
string  A DER encoded string that contains the contents of a CRL (Certificate Revocation List).
Usage notes
- Prior to version 7.7 of Model 204, input to this method that created any element in the result XmlDoc with a text child whose length exceeded 650 characters produced an error. As of version 7.7, the lengths of the created text nodes are not restricted.
- X509CrlToXmlDoc is very similar to DerToXmlDoc, except that X509CrlToXmlDoc understands the semantics of the CRL tags, so it provides more meaningful XML element names. Contrast the DerToXmlDoc example with the X509CrlToXmlDoc example, below.
- X509CrlToXmlDoc is a complete implementation of the PKCS standards for CRLs.
- Janus Web Server is not equipped to use the XmlDoc CRLs automatically; you have to process them yourself. For efficiency, you will probably want to get the CRL at startup time and then store it somewhere easy to get at (a global NamedArraylist, for example, or a file, depending on how many certificates are in the list).
- Currently, no method is available to produce a DER stream from an XmlDoc, nor to validate the signature on a CRL. Until the authenticity of a CRL has been established by other means, its revocation entries should not be relied on.
Examples
- The PemToString example loads a Longstring with the contents of the base64 encoded CRL (Certificate Revocation List). If that Longstring is %ls below, the following statement converts that string to the XmlDoc whose contents are printed thereafter:
    %ls:x509CrlToXmlDoc:print
  The result is shown in part below:
    <CertificateList>
      <tbsCertList>
        <signature>
          <algorithm name="md5WithRSAEncryption">
            1.2.840.113549.1.1.4
          </algorithm>
          <parameters/>
        </signature>
        <issuer>
          <RelativeDistinguishedName>
            <countryName>AU</countryName>
          </RelativeDistinguishedName>
          <RelativeDistinguishedName>
            <stateOrProvinceName type="PrintableString">
              QLD
            </stateOrProvinceName>
          </RelativeDistinguishedName>
          ...
        </issuer>
        <thisUpdate type="UTCTime">
          20010115162657.000Z
        </thisUpdate>
        <nextUpdate type="UTCTime">
          20010214162657.000Z
        </nextUpdate>
        <revokedCertificates>
          <revokedCertificate>
            <userCertificate>1</userCertificate>
            <revocationDate type="UTCTime">
              19951009233205.000Z
            </revocationDate>
          </revokedCertificate>
          <revokedCertificate>
            <userCertificate>3</userCertificate>
            <revocationDate type="UTCTime">
              19951201010000.000Z
            </revocationDate>
          </revokedCertificate>
          <revokedCertificate>
            <userCertificate>4660</userCertificate>
            <revocationDate type="UTCTime">
              20010115161947.000Z
            </revocationDate>
          </revokedCertificate>
          ...
        </revokedCertificates>
      </tbsCertList>
      ...
    </CertificateList>
- If you have a web port from which you can get a CRL, you might do something like this:
    %httprequest:url = %crlUrl
    %httpResponse = %httpRequest:Get
    %doc = %httpResponse:X509CrlToXmlDoc
Note: Janus will not validate a signature on a CRL returned by a Get.
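The usage notes above (DerToXmlDoc yields generic tag names while X509CrlToXmlDoc knows the CRL structure; the application fetches the CRL once, keeps it in a lookup structure and checks certificate serials against it; the signature is never validated) and the example output, as an added Python example that is not code from this page or from the Sirius Mods product. It builds a small CRL in DER inline (constructed sample: the issuer, dates, serials and the all-zero signature bits are placeholders, not from any real CA), decodes it first through a generic TLV layer and then through a CRL-aware layer that produces the same kind of named fields the XmlDoc output shows, and exposes is_current() for the thisUpdate/nextUpdate window. All function and dictionary names are this example's own.

```python
# Added example, not code from the page: a stdlib-only DER codec and CRL interpreter.
# The sample CRL is constructed here; its fields and signature bits are placeholders.
from datetime import datetime, timezone

ATTR_NAMES = {"2.5.4.6": "countryName", "2.5.4.8": "stateOrProvinceName", "2.5.4.3": "commonName"}
ALG_NAMES = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption", "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}

def der(tag, body):
    """One DER TLV with the shortest definite-length form (long form above 127 bytes)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_int(v):  # non-negative INTEGER; a leading 0x00 is added when the top bit is set
    return der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def der_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs fold into 40*a+b, each arc is base-128 with continuation bits."""
    def arc(n):
        out = [n & 0x7F]
        while n >> 7:
            n >>= 7
            out.append(0x80 | (n & 0x7F))
        return bytes(reversed(out))
    a = [int(x) for x in dotted.split(".")]
    return der(0x06, arc(40 * a[0] + a[1]) + b"".join(arc(x) for x in a[2:]))

def parse_tlv(buf, pos=0):
    """Decode the TLV at pos; returns (tag, body, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nb = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, buf[pos:pos + length], pos + length

def children(body):  # (tag, body) pairs directly inside a constructed value
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = parse_tlv(body, pos)
        out.append((tag, inner))
    return out

def oid_str(body):
    arcs, n = [], 0
    for b in body:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, n = arcs + [n], 0
    return ".".join(str(x) for x in [arcs[0] // 40, arcs[0] % 40] + arcs[1:])

def parse_utctime(body):
    """UTCTime YYMMDDHHMMSSZ; RFC 5280 reads YY >= 50 as 19YY and YY < 50 as 20YY."""
    s, yy = body.decode("ascii"), int(body[:2])
    return datetime((1900 if yy >= 50 else 2000) + yy, int(s[2:4]), int(s[4:6]),
                    int(s[6:8]), int(s[8:10]), int(s[10:12]), tzinfo=timezone.utc)

def parse_name(body):
    """Name = SEQUENCE OF RDN, RDN = SET OF (SEQUENCE { type OID, value }); values read as PrintableString."""
    attrs = []
    for _, rdn in children(body):
        for _, atv in children(rdn):
            (_, oid), (_, val) = children(atv)
            attrs.append((ATTR_NAMES.get(oid_str(oid), oid_str(oid)), val.decode("ascii")))
    return attrs

def parse_crl(buf):
    """CertificateList (RFC 5280) to named fields: the step that gives CRL-aware element names."""
    _, cert_list, _ = parse_tlv(buf)
    (_, tbs), (_, _outer_alg), (_, sig_val) = children(cert_list)
    fields, i, version = children(tbs), 0, None
    if fields[0][0] == 0x02:  # optional version INTEGER (1 means v2)
        version, i = int.from_bytes(fields[0][1], "big"), 1
    alg_oid = oid_str(children(fields[i][1])[0][1])
    issuer, this_update, i = parse_name(fields[i + 1][1]), parse_utctime(fields[i + 2][1]), i + 3
    next_update = None
    if i < len(fields) and fields[i][0] == 0x17:
        next_update, i = parse_utctime(fields[i][1]), i + 1
    revoked = {}
    if i < len(fields) and fields[i][0] == 0x30:  # revokedCertificates; crlExtensions would be [0]
        for _, entry in children(fields[i][1]):
            (_, serial), (_, date) = children(entry)[:2]
            revoked[int.from_bytes(serial, "big")] = parse_utctime(date)
    return {"version": version, "signature": ALG_NAMES.get(alg_oid, alg_oid), "issuer": issuer,
            "thisUpdate": this_update, "nextUpdate": next_update, "revoked": revoked,
            "signatureValue": sig_val}  # passed through untouched: nothing here verifies it

def is_current(crl, now):
    """The list is usable only inside [thisUpdate, nextUpdate); freshness says nothing about its signature."""
    return crl["thisUpdate"] <= now and (crl["nextUpdate"] is None or now < crl["nextUpdate"])

def build_sample_crl():
    """Constructed v2 CRL with three revoked serials and an all-zero placeholder signature."""
    alg = der(0x30, der_oid("1.2.840.113549.1.1.11") + der(0x05, b""))
    atv = lambda oid, text: der(0x31, der(0x30, der_oid(oid) + der(0x13, text)))
    issuer = der(0x30, atv("2.5.4.6", b"AU") + atv("2.5.4.8", b"QLD") + atv("2.5.4.3", b"Example CA"))
    entry = lambda serial, when: der(0x30, der_int(serial) + der(0x17, when))
    revoked = der(0x30, entry(1, b"951009233205Z") + entry(3, b"951201010000Z") + entry(4660, b"010115161947Z"))
    tbs = der(0x30, der_int(1) + alg + issuer + der(0x17, b"010115162657Z") + der(0x17, b"010214162657Z") + revoked)
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 9))  # BIT STRING: unused-bits byte then 8 zero bytes
```

The `revoked` dictionary returned by parse_crl plays the role of the NamedArraylist the usage note suggests: one lookup per certificate serial. Like the page's method, parse_crl hands back the signatureValue bytes untouched, so a serial lookup plus is_current() only tells you what the list says, not whether the list is genuine; that check has to happen before the list is stored.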
See also
String methods:
- CertificateRequest
- ClientCertificateRequest
- SignedCertificate
- SignedClientCertificate
- DerToXmlDoc
- RSAPrivateKeyToXmlDoc
- X509CertificateToXmlDoc
- X509CrlToXmlDoc
- Multiple cryptographic cipher methods
Stringlist methods:
- AppendCertificateInfo
- AppendCertificateRequest
- AppendCertificateRequestInfo
- AppendClientCertificateRequest
- AppendEncryptedSecurityData
- AppendGeneratedPrivateKey
- AppendPemData
- AppendPrivateKeyInfo
- AppendSignedCertificate
- AppendSignedClientCertificate
- CheckCertificate
- CheckCertificateRequest
- PemToString
System methods:
- ClientCertificate
- GeneratedPrivateKey
Socket methods:
- Certificate
Background information:
- "Abstract Syntax Notation One" (http://en.wikipedia.org/wiki/Abstract_Syntax_Notation_One)
- "A Layman's Guide to a Subset of ASN.1, BER, and DER" (http://luca.ntop.org/Teaching/Appunti/asn1.html)