java.security.cert.X509CRLEntry Java Examples

/**
 * This static method is the default implementation of the
 * getRevocationReason method in X509CRLEntry.
 */
public static CRLReason getRevocationReason(X509CRLEntry crlEntry) {
    try {
        byte[] ext = crlEntry.getExtensionValue("2.5.29.21");
        if (ext == null) {
            return null;
        }
        DerValue val = new DerValue(ext);
        byte[] data = val.getOctetString();

        CRLReasonCodeExtension rcExt =
            new CRLReasonCodeExtension(Boolean.FALSE, data);
        return rcExt.getReasonCode();
    } catch (IOException ioe) {
        return null;
    }
}
 

@Test
public void derVsPemEncodedTest() throws Exception {
	try (InputStream isDer = AbstractTestCRLUtils.class.getResourceAsStream("/DSS-2039/crl.der");
			InputStream isPem = AbstractTestCRLUtils.class.getResourceAsStream("/DSS-2039/crl.pem");
			InputStream isCert = AbstractTestCRLUtils.class.getResourceAsStream("/DSS-2039/cert.pem");
			InputStream isCA = AbstractTestCRLUtils.class.getResourceAsStream("/DSS-2039/ca.pem") ) {

		CertificateToken cert = loadCert(isCert);
		CertificateToken ca = loadCert(isCA);
		
		CRLBinary crlBinaryDER = CRLUtils.buildCRLBinary(toByteArray(isDer));
		CRLValidity crlDER = CRLUtils.buildCRLValidity(crlBinaryDER, ca);
		
		CRLBinary crlBinaryPEM = CRLUtils.buildCRLBinary(toByteArray(isPem));
		CRLValidity crlPEM = CRLUtils.buildCRLValidity(crlBinaryPEM, ca);
		
		assertArrayEquals(crlDER.getDerEncoded(), crlPEM.getDerEncoded());
		
		X509CRLEntry revocationInfoDER = CRLUtils.getRevocationInfo(crlDER, cert.getSerialNumber());
		X509CRLEntry revocationInfoPEM = CRLUtils.getRevocationInfo(crlPEM, cert.getSerialNumber());
		assertEquals(revocationInfoDER, revocationInfoPEM);
	}
}
 

public X509CRLEntry getRevokedCertificate(BigInteger serialNumber)
{
	TBSCertList.CRLEntry[] certs = c.getRevokedCertificates();

	if ( certs != null )
	{
		for ( int i = 0; i < certs.length; i++ )
		{
			if ( certs[i].getUserCertificate().getValue().equals(serialNumber) ) {
				return new X509CRLEntryObject(certs[i]);
			}
		}
	}

	return null;
}
 

/**
 * This static method is the default implementation of the
 * getRevocationReason method in X509CRLEntry.
 */
public static CRLReason getRevocationReason(X509CRLEntry crlEntry) {
    try {
        byte[] ext = crlEntry.getExtensionValue("2.5.29.21");
        if (ext == null) {
            return null;
        }
        DerValue val = new DerValue(ext);
        byte[] data = val.getOctetString();

        CRLReasonCodeExtension rcExt =
            new CRLReasonCodeExtension(Boolean.FALSE, data);
        return rcExt.getReasonCode();
    } catch (IOException ioe) {
        return null;
    }
}
 

/**
 * This static method is the default implementation of the
 * getRevocationReason method in X509CRLEntry.
 */
public static CRLReason getRevocationReason(X509CRLEntry crlEntry) {
    try {
        byte[] ext = crlEntry.getExtensionValue("2.5.29.21");
        if (ext == null) {
            return null;
        }
        DerValue val = new DerValue(ext);
        byte[] data = val.getOctetString();

        CRLReasonCodeExtension rcExt =
            new CRLReasonCodeExtension(Boolean.FALSE, data);
        return rcExt.getReasonCode();
    } catch (IOException ioe) {
        return null;
    }
}
 

/**
 * This static method is the default implementation of the
 * getRevocationReason method in X509CRLEntry.
 */
public static CRLReason getRevocationReason(X509CRLEntry crlEntry) {
    try {
        byte[] ext = crlEntry.getExtensionValue("2.5.29.21");
        if (ext == null) {
            return null;
        }
        DerValue val = new DerValue(ext);
        byte[] data = val.getOctetString();

        CRLReasonCodeExtension rcExt =
            new CRLReasonCodeExtension(Boolean.FALSE, data);
        return rcExt.getReasonCode();
    } catch (IOException ioe) {
        return null;
    }
}
 

/**
 * This static method is the default implementation of the
 * getRevocationReason method in X509CRLEntry.
 */
public static CRLReason getRevocationReason(X509CRLEntry crlEntry) {
    try {
        byte[] ext = crlEntry.getExtensionValue("2.5.29.21");
        if (ext == null) {
            return null;
        }
        DerValue val = new DerValue(ext);
        byte[] data = val.getOctetString();

        CRLReasonCodeExtension rcExt =
            new CRLReasonCodeExtension(Boolean.FALSE, data);
        return rcExt.getReasonCode();
    } catch (IOException ioe) {
        return null;
    }
}
 

/**
 * Add the CRLEntry objects contained in a previous CRL.
 * 
 * @param other the X509CRL to source the other entries from. 
 */
public void addCRL(X509CRL other)
    throws CRLException
{
    Set revocations = other.getRevokedCertificates();

    if (revocations != null)
    {
        Iterator it = revocations.iterator();
        while (it.hasNext())
        {
            X509CRLEntry entry = (X509CRLEntry)it.next();

            ASN1InputStream aIn = new ASN1InputStream(entry.getEncoded());

            try
            {
                tbsGen.addCRLEntry(ASN1Sequence.getInstance(aIn.readObject()));
            }
            catch (IOException e)
            {
                throw new CRLException("exception processing encoding of CRL: " + e.toString());
            }
        }
    }
}
 

private void displayCrlEntryExtensions() {
	int row = jtRevokedCerts.getSelectedRow();

	if (row != -1) {
		BigInteger serialNumber = (BigInteger) jtRevokedCerts.getValueAt(row, 0);

		Set<?> revokedCertsSet = crl.getRevokedCertificates();

		X509CRLEntry x509CrlEntry = null;

		for (Iterator<?> itr = revokedCertsSet.iterator(); itr.hasNext();) {
			X509CRLEntry entry = (X509CRLEntry) itr.next();
			if (serialNumber.equals(entry.getSerialNumber())) {
				x509CrlEntry = entry;
				break;
			}
		}

		if (x509CrlEntry.hasExtensions()) {
			DViewExtensions dViewExtensions = new DViewExtensions(this,
					res.getString("DViewCrl.EntryExtensions.Title"), x509CrlEntry);
			dViewExtensions.setLocationRelativeTo(this);
			dViewExtensions.setVisible(true);
		}
	}
}
 

/**
 * Gets the CRL entry with the given serial number from this CRL.
 *
 * @return the entry with the given serial number, or <code>null</code> if
 * no such entry exists in the CRL.
 * @see X509CRLEntry
 */
public X509CRLEntry getRevokedCertificate(BigInteger serialNumber) {
    if (revokedMap.isEmpty()) {
        return null;
    }
    // assume this is a direct CRL entry (cert and CRL issuer are the same)
    X509IssuerSerial issuerSerial = new X509IssuerSerial
        (getIssuerX500Principal(), serialNumber);
    return revokedMap.get(issuerSerial);
}
 

public static void main(String[] args) throws Exception {

        // Generate 20 serial numbers with dup and a special order
        int count = 20;
        BigInteger[] serials = new BigInteger[count];
        for (int i=0; i<count; i++) {
            serials[i] = BigInteger.valueOf(i*7%10);
        }

        // Generates a CRL
        X509CRLEntry[] badCerts = new X509CRLEntry[count];
        for (int i=0; i<count; i++) {
            badCerts[i] = new X509CRLEntryImpl(serials[i],
                    new Date(System.currentTimeMillis()+i*1000));
        }
        X500Name owner = new X500Name("CN=CA");
        X509CRLImpl crl = new X509CRLImpl(owner, new Date(), new Date(), badCerts);
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        crl.sign(kpg.genKeyPair().getPrivate(), "SHA1withRSA");
        byte[] data = crl.getEncodedInternal();

        // Check the encoding
        checkData(crl, data, serials);

        // Load a CRL from raw data
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509CRLImpl crl2 = (X509CRLImpl)cf.generateCRL(new ByteArrayInputStream(data));

        // Check the encoding again
        data = crl2.getEncodedInternal();
        checkData(crl2, data, serials);
    }
 

/**
 * Utility method to convert an arbitrary instance of X509CRLEntry
 * to a X509CRLEntryImpl. Does a cast if possible, otherwise reparses
 * the encoding.
 */
public static X509CRLEntryImpl toImpl(X509CRLEntry entry)
        throws CRLException {
    if (entry instanceof X509CRLEntryImpl) {
        return (X509CRLEntryImpl)entry;
    } else {
        return new X509CRLEntryImpl(entry.getEncoded());
    }
}
 

/**
 * CRL constructor, revoked certs, no extensions.
 *
 * @param issuer the name of the CA issuing this CRL.
 * @param thisUpdate the Date of this issue.
 * @param nextUpdate the Date of the next CRL.
 * @param badCerts the array of CRL entries.
 *
 * @exception CRLException on parsing/construction errors.
 */
public X509CRLImpl(X500Name issuer, Date thisDate, Date nextDate,
                   X509CRLEntry[] badCerts)
    throws CRLException
{
    this.issuer = issuer;
    this.thisUpdate = thisDate;
    this.nextUpdate = nextDate;
    if (badCerts != null) {
        X500Principal crlIssuer = getIssuerX500Principal();
        X500Principal badCertIssuer = crlIssuer;
        for (int i = 0; i < badCerts.length; i++) {
            X509CRLEntryImpl badCert = (X509CRLEntryImpl)badCerts[i];
            try {
                badCertIssuer = getCertIssuer(badCert, badCertIssuer);
            } catch (IOException ioe) {
                throw new CRLException(ioe);
            }
            badCert.setCertificateIssuer(crlIssuer, badCertIssuer);
            X509IssuerSerial issuerSerial = new X509IssuerSerial
                (badCertIssuer, badCert.getSerialNumber());
            this.revokedMap.put(issuerSerial, badCert);
            this.revokedList.add(badCert);
            if (badCert.hasExtensions()) {
                this.version = 1;
            }
        }
    }
}
 

/**
 * Utility method to convert an arbitrary instance of X509CRLEntry
 * to a X509CRLEntryImpl. Does a cast if possible, otherwise reparses
 * the encoding.
 */
public static X509CRLEntryImpl toImpl(X509CRLEntry entry)
        throws CRLException {
    if (entry instanceof X509CRLEntryImpl) {
        return (X509CRLEntryImpl)entry;
    } else {
        return new X509CRLEntryImpl(entry.getEncoded());
    }
}
 

/**
 * CRL entry selected or deselected. Enable/disable the "CRL Extensions" button accordingly (i.e. enable it if only
 * one extension is selected and it has extensions.
 */
private void crlEntrySelection()
{
	ListSelectionModel listSelectionModel = m_jtRevokedCerts.getSelectionModel();

	if (!listSelectionModel.isSelectionEmpty()) // Entry must be selected
	{
		// Only one entry though
		// TODO: probably no longer necessary?
		if (listSelectionModel.getMinSelectionIndex() == listSelectionModel.getMaxSelectionIndex())
		{
			// Get serial number of entry
			int iRow = listSelectionModel.getMinSelectionIndex();
			BigInteger serialNumber = (BigInteger) m_jtRevokedCerts.getValueAt(iRow, 0);

			// Find CRL entry using serial number
			Set<? extends X509CRLEntry> revokedCertsSet = m_crl.getRevokedCertificates();
			X509CRLEntry x509CrlEntry = null;
			for (X509CRLEntry entry : revokedCertsSet)
			{
				if (serialNumber.equals(entry.getSerialNumber()))
				{
					x509CrlEntry = entry;
					break;
				}
			}

			if (x509CrlEntry != null && x509CrlEntry.hasExtensions())
			{
				m_jbCrlEntryExtensions.setEnabled(true);
				return;
			}
		}
	}

	// Disable "CRL Extensions" button
	m_jbCrlEntryExtensions.setEnabled(false);
}
 

/**
 * Gets the CRL entry for the given certificate.
 */
public X509CRLEntry getRevokedCertificate(X509Certificate cert) {
    if (revokedMap.isEmpty()) {
        return null;
    }
    X509IssuerSerial issuerSerial = new X509IssuerSerial(cert);
    return revokedMap.get(issuerSerial);
}
 

/**
 * Gets the CRL entry for the given certificate.
 */
public X509CRLEntry getRevokedCertificate(X509Certificate cert) {
    if (revokedMap.isEmpty()) {
        return null;
    }
    X509IssuerSerial issuerSerial = new X509IssuerSerial(cert);
    return revokedMap.get(issuerSerial);
}
 

public static void main(String[] args) throws Exception {

        // Generate 20 serial numbers with dup and a special order
        int count = 20;
        BigInteger[] serials = new BigInteger[count];
        for (int i=0; i<count; i++) {
            serials[i] = BigInteger.valueOf(i*7%10);
        }

        // Generates a CRL
        X509CRLEntry[] badCerts = new X509CRLEntry[count];
        for (int i=0; i<count; i++) {
            badCerts[i] = new X509CRLEntryImpl(serials[i],
                    new Date(System.currentTimeMillis()+i*1000));
        }
        X500Name owner = new X500Name("CN=CA");
        X509CRLImpl crl = new X509CRLImpl(owner, new Date(), new Date(), badCerts);
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        crl.sign(kpg.genKeyPair().getPrivate(), "SHA1withRSA");
        byte[] data = crl.getEncodedInternal();

        // Check the encoding
        checkData(crl, data, serials);

        // Load a CRL from raw data
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509CRLImpl crl2 = (X509CRLImpl)cf.generateCRL(new ByteArrayInputStream(data));

        // Check the encoding again
        data = crl2.getEncodedInternal();
        checkData(crl2, data, serials);
    }
 

@Test
public void retrieveRevocationInfo() throws IOException {
	try (InputStream fis = CRLParserTest.class.getResourceAsStream("/LTGRCA.crl"); BufferedInputStream is = new BufferedInputStream(fis)) {
		BigInteger serialNumber = new BigInteger("5203");
		X509CRLEntry entry = parser.retrieveRevocationInfo(fis, serialNumber);
		assertNotNull(entry);
		assertNotNull(entry.getRevocationDate());
		assertNotNull(entry.getRevocationReason());
		assertNotNull(entry.getSerialNumber());
		assertEquals(serialNumber, entry.getSerialNumber());
	}
}
 

/**
 * @see java.security.cert.CRL#isRevoked(java.security.cert.Certificate)
 */
@Override
public boolean isRevoked(final Certificate cert) {
    if (cert instanceof X509Certificate) {
        final X509Certificate xcert = (X509Certificate) cert;
        for (final X509CRLEntry entry : getRevokedCertificates()) {
            if (entry.getSerialNumber().equals(xcert.getSerialNumber())) {
                return true;
            }
        }
    }
    return false;
}
 

/**
 * @see java.security.cert.CRL#isRevoked(java.security.cert.Certificate)
 */
@Override
public boolean isRevoked(final Certificate cert) {
    if (cert instanceof X509Certificate) {
        final X509Certificate xcert = (X509Certificate) cert;
        for (X509CRLEntry entry : getRevokedCertificates()) {
            if (entry.getSerialNumber().equals(xcert.getSerialNumber())) {
                return true;
            }
        }
    }
    return false;
}
 

/**
 * CRL constructor, revoked certs, no extensions.
 *
 * @param issuer the name of the CA issuing this CRL.
 * @param thisUpdate the Date of this issue.
 * @param nextUpdate the Date of the next CRL.
 * @param badCerts the array of CRL entries.
 *
 * @exception CRLException on parsing/construction errors.
 */
public X509CRLImpl(X500Name issuer, Date thisDate, Date nextDate,
                   X509CRLEntry[] badCerts)
    throws CRLException
{
    this.issuer = issuer;
    this.thisUpdate = thisDate;
    this.nextUpdate = nextDate;
    if (badCerts != null) {
        X500Principal crlIssuer = getIssuerX500Principal();
        X500Principal badCertIssuer = crlIssuer;
        for (int i = 0; i < badCerts.length; i++) {
            X509CRLEntryImpl badCert = (X509CRLEntryImpl)badCerts[i];
            try {
                badCertIssuer = getCertIssuer(badCert, badCertIssuer);
            } catch (IOException ioe) {
                throw new CRLException(ioe);
            }
            badCert.setCertificateIssuer(crlIssuer, badCertIssuer);
            X509IssuerSerial issuerSerial = new X509IssuerSerial
                (badCertIssuer, badCert.getSerialNumber());
            this.revokedMap.put(issuerSerial, badCert);
            this.revokedList.add(badCert);
            if (badCert.hasExtensions()) {
                this.version = 1;
            }
        }
    }
}
 

/**
 * Gets the CRL entry for the given certificate.
 */
public X509CRLEntry getRevokedCertificate(X509Certificate cert) {
    if (revokedMap.isEmpty()) {
        return null;
    }
    X509IssuerSerial issuerSerial = new X509IssuerSerial(cert);
    return revokedMap.get(issuerSerial);
}
 

/**
 * CRL constructor, revoked certs, no extensions.
 *
 * @param issuer the name of the CA issuing this CRL.
 * @param thisUpdate the Date of this issue.
 * @param nextUpdate the Date of the next CRL.
 * @param badCerts the array of CRL entries.
 *
 * @exception CRLException on parsing/construction errors.
 */
public X509CRLImpl(X500Name issuer, Date thisDate, Date nextDate,
                   X509CRLEntry[] badCerts)
    throws CRLException
{
    this.issuer = issuer;
    this.thisUpdate = thisDate;
    this.nextUpdate = nextDate;
    if (badCerts != null) {
        X500Principal crlIssuer = getIssuerX500Principal();
        X500Principal badCertIssuer = crlIssuer;
        for (int i = 0; i < badCerts.length; i++) {
            X509CRLEntryImpl badCert = (X509CRLEntryImpl)badCerts[i];
            try {
                badCertIssuer = getCertIssuer(badCert, badCertIssuer);
            } catch (IOException ioe) {
                throw new CRLException(ioe);
            }
            badCert.setCertificateIssuer(crlIssuer, badCertIssuer);
            X509IssuerSerial issuerSerial = new X509IssuerSerial
                (badCertIssuer, badCert.getSerialNumber());
            this.revokedMap.put(issuerSerial, badCert);
            this.revokedList.add(badCert);
            if (badCert.hasExtensions()) {
                this.version = 1;
            }
        }
    }
}
 

/**
 * Gets the CRL entry with the given serial number from this CRL.
 *
 * @return the entry with the given serial number, or <code>null</code> if
 * no such entry exists in the CRL.
 * @see X509CRLEntry
 */
public X509CRLEntry getRevokedCertificate(BigInteger serialNumber) {
    if (revokedMap.isEmpty()) {
        return null;
    }
    // assume this is a direct CRL entry (cert and CRL issuer are the same)
    X509IssuerSerial issuerSerial = new X509IssuerSerial
        (getIssuerX500Principal(), serialNumber);
    return revokedMap.get(issuerSerial);
}
 

public static void main(String[] args) throws Exception {

        // Generate 20 serial numbers with dup and a special order
        int count = 20;
        BigInteger[] serials = new BigInteger[count];
        for (int i=0; i<count; i++) {
            serials[i] = BigInteger.valueOf(i*7%10);
        }

        // Generates a CRL
        X509CRLEntry[] badCerts = new X509CRLEntry[count];
        for (int i=0; i<count; i++) {
            badCerts[i] = new X509CRLEntryImpl(serials[i],
                    new Date(System.currentTimeMillis()+i*1000));
        }
        X500Name owner = new X500Name("CN=CA");
        X509CRLImpl crl = new X509CRLImpl(owner, new Date(), new Date(), badCerts);
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        crl.sign(kpg.genKeyPair().getPrivate(), "SHA1withRSA");
        byte[] data = crl.getEncodedInternal();

        // Check the encoding
        checkData(crl, data, serials);

        // Load a CRL from raw data
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509CRLImpl crl2 = (X509CRLImpl)cf.generateCRL(new ByteArrayInputStream(data));

        // Check the encoding again
        data = crl2.getEncodedInternal();
        checkData(crl2, data, serials);
    }
 

/**
 * @param certificateToken
 *            the {@code CertificateToken} which is managed by this CRL.
 */
private void setRevocationStatus(final CertificateToken certificateToken) {
	final X500Principal issuerToken = certificateToken.getIssuerX500Principal();
	CertificateToken crlSigner = crlValidity.getIssuerToken();
	X500Principal crlSignerSubject = null;
	if (crlSigner != null) {
		crlSignerSubject = crlSigner.getSubject().getPrincipal();
	}

	if (!DSSASN1Utils.x500PrincipalAreEquals(issuerToken, crlSignerSubject)) {
		if (!crlValidity.isSignatureIntact()) {
			throw new DSSException(crlValidity.getSignatureInvalidityReason());
		}
		throw new DSSException("The CRLToken is not signed by the same issuer as the CertificateToken to be verified!");
	}

	final BigInteger serialNumber = certificateToken.getSerialNumber();
	X509CRLEntry crlEntry = CRLUtils.getRevocationInfo(crlValidity, serialNumber);

	if (crlEntry != null) {
		status = CertificateStatus.REVOKED;
		revocationDate = crlEntry.getRevocationDate();
		CRLReason revocationReason = crlEntry.getRevocationReason();
		if (revocationReason != null) {
			reason = RevocationReason.fromInt(revocationReason.ordinal());
		}
	} else {
		status = CertificateStatus.GOOD;
	}
}
 

/**
 * CRL constructor, revoked certs, no extensions.
 *
 * @param issuer the name of the CA issuing this CRL.
 * @param thisUpdate the Date of this issue.
 * @param nextUpdate the Date of the next CRL.
 * @param badCerts the array of CRL entries.
 *
 * @exception CRLException on parsing/construction errors.
 */
public X509CRLImpl(X500Name issuer, Date thisDate, Date nextDate,
                   X509CRLEntry[] badCerts)
    throws CRLException
{
    this.issuer = issuer;
    this.thisUpdate = thisDate;
    this.nextUpdate = nextDate;
    if (badCerts != null) {
        X500Principal crlIssuer = getIssuerX500Principal();
        X500Principal badCertIssuer = crlIssuer;
        for (int i = 0; i < badCerts.length; i++) {
            X509CRLEntryImpl badCert = (X509CRLEntryImpl)badCerts[i];
            try {
                badCertIssuer = getCertIssuer(badCert, badCertIssuer);
            } catch (IOException ioe) {
                throw new CRLException(ioe);
            }
            badCert.setCertificateIssuer(crlIssuer, badCertIssuer);
            X509IssuerSerial issuerSerial = new X509IssuerSerial
                (badCertIssuer, badCert.getSerialNumber());
            this.revokedMap.put(issuerSerial, badCert);
            this.revokedList.add(badCert);
            if (badCert.hasExtensions()) {
                this.version = 1;
            }
        }
    }
}
 

/**
 * Gets the CRL entry for the given certificate.
 */
public X509CRLEntry getRevokedCertificate(X509Certificate cert) {
    if (revokedMap.isEmpty()) {
        return null;
    }
    X509IssuerSerial issuerSerial = new X509IssuerSerial(cert);
    return revokedMap.get(issuerSerial);
}
 

public static void main(String[] args) throws Exception {

        // Generate 20 serial numbers with dup and a special order
        int count = 20;
        BigInteger[] serials = new BigInteger[count];
        for (int i=0; i<count; i++) {
            serials[i] = BigInteger.valueOf(i*7%10);
        }

        // Generates a CRL
        X509CRLEntry[] badCerts = new X509CRLEntry[count];
        for (int i=0; i<count; i++) {
            badCerts[i] = new X509CRLEntryImpl(serials[i],
                    new Date(System.currentTimeMillis()+i*1000));
        }
        X500Name owner = new X500Name("CN=CA");
        X509CRLImpl crl = new X509CRLImpl(owner, new Date(), new Date(), badCerts);
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        crl.sign(kpg.genKeyPair().getPrivate(), "SHA1withRSA");
        byte[] data = crl.getEncodedInternal();

        // Check the encoding
        checkData(crl, data, serials);

        // Load a CRL from raw data
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509CRLImpl crl2 = (X509CRLImpl)cf.generateCRL(new ByteArrayInputStream(data));

        // Check the encoding again
        data = crl2.getEncodedInternal();
        checkData(crl2, data, serials);
    }