# CRL Development

This topic walks you through how to create a certificate revocation list (CRL) object, obtain CRL information, verify the CRL signature, check whether a certificate has been revoked, and print the revocation date if the certificate has been revoked.

## How to Develop

1. Import the [certFramework](../../reference/apis-device-certificate-kit/js-apis-cert.md) and [cryptoFramework](../../reference/apis-crypto-architecture-kit/js-apis-cryptoFramework.md) modules.
   ```ts
   import { cert } from '@kit.DeviceCertificateKit';
   import { cryptoFramework } from '@kit.CryptoArchitectureKit';
   ```

2. Use [cert.createX509CRL](../../reference/apis-device-certificate-kit/js-apis-cert.md#certcreatex509crl11) to create an X.509 CRL object.

3. Obtain CRL information.

   The following example shows how to obtain the CRL version and type. For more information, see [X509CRL](../../reference/apis-device-certificate-kit/js-apis-cert.md#x509crl11).

4. Create a **PublicKey** object.

   For details, see [convertKey](../../reference/apis-crypto-architecture-kit/js-apis-cryptoFramework.md#convertkey-3).
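
5. Use [X509CRL.verify](../../reference/apis-device-certificate-kit/js-apis-cert.md#verify11) to verify the CRL signature with the **PublicKey** object created in the previous step. Rely on the CRL for revocation checks only if verification succeeds, because an unverified CRL may have been forged or modified.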

6. Use [cert.createX509Cert](../../reference/apis-device-certificate-kit/js-apis-cert.md#certcreatex509cert) to create an **X509Cert** object based on the existing X.509 certificate data.

7. Use [X509CRL.isRevoked](../../reference/apis-device-certificate-kit/js-apis-cert.md#isrevoked11) to check whether the X.509 certificate has been revoked.

8. Use [X509CRL.getRevokedCert](../../reference/apis-device-certificate-kit/js-apis-cert.md#getrevokedcert11) to obtain the revoked certificate.

9. Use [X509CRLEntry.getRevocationDate](../../reference/apis-device-certificate-kit/js-apis-cert.md#getrevocationdate11) to obtain the date when the certificate was revoked.

```ts
import { cert } from '@kit.DeviceCertificateKit';
import { cryptoFramework } from '@kit.CryptoArchitectureKit';
import { BusinessError } from '@kit.BasicServicesKit';
import { util } from '@kit.ArkTS';

// Sample CRL in PEM format. Demonstration data only: its signature algorithm is
// md5WithRSAEncryption, which should not be accepted for CRLs in production.
const crlData = [
  '-----BEGIN X509 CRL-----',
  'MIHzMF4CAQMwDQYJKoZIhvcNAQEEBQAwFTETMBEGA1UEAxMKQ1JMIGlzc3VlchcN',
  'MTcwODA3MTExOTU1WhcNMzIxMjE0MDA1MzIwWjAVMBMCAgPoFw0zMjEyMTQwMDUz',
  'MjBaMA0GCSqGSIb3DQEBBAUAA4GBACEPHhlaCTWA42ykeaOyR0SGQIHIOUR3gcDH',
  'J1LaNwiL+gDxI9rMQmlhsUGJmPIPdRs9uYyI+f854lsWYisD2PUEpn3DbEvzwYeQ',
  '5SqQoPDoM+YfZZa23hoTLsu52toXobP74sf/9K501p/+8hm4ROMLBoRT86GQKY6g',
  'eavsH0Q3',
  '-----END X509 CRL-----',
  '' // The empty last element keeps the newline after the END line.
].join('\n');

// Sample X.509 certificate in PEM format; this is the certificate whose revocation
// status is looked up in the CRL.
const certData = [
  '-----BEGIN CERTIFICATE-----',
  'MIIBLzCB1QIUO/QDVJwZLIpeJyPjyTvE43xvE5cwCgYIKoZIzj0EAwIwGjEYMBYG',
  'A1UEAwwPRXhhbXBsZSBSb290IENBMB4XDTIzMDkwNDExMjAxOVoXDTI2MDUzMDEx',
  'MjAxOVowGjEYMBYGA1UEAwwPRXhhbXBsZSBSb290IENBMFkwEwYHKoZIzj0CAQYI',
  'KoZIzj0DAQcDQgAEHjG74yMIueO7z3T+dyuEIrhxTg2fqgeNB3SGfsIXlsiUfLTa',
  'tUsU0i/sePnrKglj2H8Abbx9PK0tsW/VgqwDIDAKBggqhkjOPQQDAgNJADBGAiEA',
  '0ce/fvA4tckNZeB865aOApKXKlBjiRlaiuq5mEEqvNACIQDPD9WyC21MXqPBuRUf',
  'BetUokslUfjT6+s/X4ByaxycAA==',
  '-----END CERTIFICATE-----',
  '' // The empty last element keeps the newline after the END line.
].join('\n');

// DER-encoded public key (SubjectPublicKeyInfo) used to verify the CRL signature.
// It is a 1024-bit RSA sample key. In a real application, take the key from a
// trusted source, such as the validated certificate of the CRL issuer.
const pubKeyData = new Uint8Array([
  0x30, 0x81, 0x9F, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01,
  0x05, 0x00, 0x03, 0x81, 0x8D, 0x00, 0x30, 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xDC, 0x4C, 0x2D,
  0x57, 0x49, 0x3D, 0x42, 0x52, 0x1A, 0x09, 0xED, 0x3E, 0x90, 0x29, 0x51, 0xF7, 0x70, 0x15, 0xFE,
  0x76, 0xB0, 0xDB, 0xDF, 0xA1, 0x2C, 0x6C, 0x67, 0x95, 0xDA, 0x63, 0x3D, 0x4F, 0x71, 0x48, 0x8C,
  0x3E, 0xFA, 0x24, 0x79, 0xE9, 0xF2, 0xF2, 0x20, 0xCB, 0xF1, 0x59, 0x6B, 0xED, 0xC8, 0x72, 0x66,
  0x6E, 0x31, 0xD4, 0xF3, 0xCE, 0x0B, 0x12, 0xC4, 0x17, 0x39, 0xB4, 0x52, 0x16, 0xD3, 0xE3, 0xC0,
  0xF8, 0x48, 0xB3, 0xF6, 0x40, 0xD5, 0x47, 0x23, 0x30, 0x7F, 0xA7, 0xC5, 0x5A, 0x5A, 0xBB, 0x5C,
  0x7B, 0xEF, 0x69, 0xE2, 0x74, 0x35, 0x24, 0x22, 0x25, 0x45, 0x7E, 0xFC, 0xE8, 0xC4, 0x52, 0x65,
  0xA0, 0x4E, 0xBC, 0xFD, 0x3F, 0xD9, 0x85, 0x14, 0x8A, 0x5A, 0x93, 0x02, 0x24, 0x6C, 0x19, 0xBA,
  0x81, 0xBE, 0x65, 0x2E, 0xCB, 0xBB, 0xE9, 0x91, 0x7B, 0x7C, 0x47, 0xC2, 0x61, 0x02, 0x03, 0x01,
  0x00, 0x01
]);
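// CRL example: parse the CRL, verify its signature, and only after successful
// verification use it to check whether the sample certificate has been revoked.
function crlSample(): void {
  let textEncoder = new util.TextEncoder();
  let encodingBlob: cert.EncodingBlob = {
    // Convert the CRL data from a string to a Uint8Array.
    data: textEncoder.encodeInto(crlData),
    // CRL format. Only the PEM and DER formats are supported. In this example, the CRL is in PEM format.
    encodingFormat: cert.EncodingFormat.FORMAT_PEM
  };

  // Create an X509CRL object.
  cert.createX509CRL(encodingBlob, (err, x509Crl) => {
    if (err != null) {
      // The X509CRL object fails to be created.
      console.error(`createX509Crl failed, errCode: ${err.code}, errMsg:${err.message} `);
      return;
    }
    // The X509CRL object is successfully created.
    console.log('createX509CRL success');

    // Obtain the CRL version and type.
    let version = x509Crl.getVersion();
    let revokedType = x509Crl.getType();
    console.log(`X509 CRL version: ${version}, type :${revokedType}`);

    // Pass in the public key binary data to convertKey() of @ohos.security.cryptoFramework to obtain a public key object.
    // The key is hard-coded sample data here; a real application must obtain the
    // CRL issuer's public key from a trusted source.
    try {
      let keyGenerator = cryptoFramework.createAsyKeyGenerator('RSA1024|PRIMES_3');
      console.log('createAsyKeyGenerator success');
      let pubEncodingBlob: cryptoFramework.DataBlob = {
        data: pubKeyData,
      };
      keyGenerator.convertKey(pubEncodingBlob, null, (e, keyPair) => {
        if (e != null) {
          console.error(`convert key failed, message: ${e.message}, code: ${e.code} `);
          return;
        }
        console.log('convert key success');
        x509Crl.verify(keyPair.pubKey, (verifyErr) => {
          if (verifyErr != null) {
            // Signature verification fails. Stop here: a CRL whose signature cannot be
            // verified must not be used to decide whether a certificate is revoked.
            console.error(`verify failed, errCode: ${verifyErr.code}, errMsg: ${verifyErr.message}`);
            return;
          }
          // Signature verification is successful.
          console.log('verify success');
          checkRevocation(x509Crl);
        });
      })
    } catch (error) {
      let e: BusinessError = error as BusinessError;
      console.error(`get pubKey failed, errCode: ${e.code}, errMsg: ${e.message}` );
    }
  });
}

// Check whether the sample certificate is listed in the given CRL and, if it is,
// print the serial number and revocation date of the matching CRL entry.
// All work runs inside the createX509Cert() callback, so the certificate object is
// used only after it has been created successfully.
function checkRevocation(x509Crl: cert.X509CRL): void {
  // Use createX509Cert() of certFramework to create an X509Cert object.
  let certBlob: cert.EncodingBlob = {
    data: new util.TextEncoder().encodeInto(certData),
    encodingFormat: cert.EncodingFormat.FORMAT_PEM
  };
  cert.createX509Cert(certBlob, (err, x509Cert) => {
    // Check the error before touching x509Cert; it is not usable if creation failed.
    if (err != null) {
      console.error(`create x509 cert failed, errCode: ${err.code}, errMsg: ${err.message}`);
      return;
    }

    // Default to "revoked" so that a failed check is never reported as "not revoked".
    let revokedFlag = true;
    try {
      // Check whether the certificate has been revoked.
      revokedFlag = x509Crl.isRevoked(x509Cert);
      console.log(`revokedFlag is: ${revokedFlag}`);
    } catch (error) {
      let e: BusinessError = error as BusinessError;
      // The revocation status is unknown here; do not treat the certificate as valid.
      console.error(`isRevoked failed, errCode: ${e.code}, errMsg:${e.message}`);
      return;
    }
    if (!revokedFlag) {
      console.log('the given cert is not revoked.');
      return;
    }

    // Obtain the revoked certificate based on the serial number.
    try {
      let serial: bigint = x509Cert.getCertSerialNumber();
      let crlEntry = x509Crl.getRevokedCert(serial);
      console.log('get getRevokedCert success');
      let serialNumber = crlEntry.getSerialNumber();
      console.log(`crlEntry serialNumber is: ${serialNumber}`);

      // Obtain the revocation date of the certificate.
      let date = crlEntry.getRevocationDate();
      console.log(`revocation date is: ${date}`);
    } catch (error) {
      let e: BusinessError = error as BusinessError;
      console.error(`getRevokedCert failed, errCode: ${e.code}, errMsg: ${e.message}`);
    }
  });
}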
```