/**
 * Reads a CRL from {@code crlStream}, copies its metadata into a fresh {@link CRLValidity}
 * and checks the CRL against the candidate issuer certificate.
 *
 * <p>Two separate issuer checks are made: a comparison of the CRL issuer name with the
 * subject name of {@code issuerToken}, and a signature check delegated to
 * {@code checkSignatureValue}. A name mismatch does not abort processing here; the result
 * object is returned either way. Callers should therefore inspect both the issuer-match flag
 * and the signature outcome before relying on the CRL for revocation decisions.
 * NOTE(review): how {@code checkSignatureValue} reports a failed verification (flag on the
 * result vs. exception) is not visible in this method; confirm against the helper.
 *
 * <p>The complete stream content is held in memory and then copied once more by
 * {@code toByteArray()}, so very large CRLs cost roughly twice their size in heap.
 *
 * @param crlStream   stream holding the CRL to examine
 * @param issuerToken certificate expected to have issued the CRL; dereferenced without a null check
 * @return the populated {@link CRLValidity}
 * @throws IOException declared by this method; presumably raised while reading or parsing the stream
 */
@Override
public CRLValidity isValidCRL(InputStream crlStream, CertificateToken issuerToken) throws IOException {
    final CRLValidity validity = new CRLValidity();

    try (ByteArrayOutputStream derContent = getDERContent(crlStream)) {
        CRLInfo info = getCrlInfos(derContent);

        // The digest algorithm is taken from the signature algorithm OID found in the CRL itself.
        // NOTE(review): behaviour of forOID for an unknown OID is not visible here; confirm it
        // cannot return null before getDigestAlgorithm() is called.
        SignatureAlgorithm algorithm = SignatureAlgorithm.forOID(info.getCertificateListSignatureAlgorithmOid());
        byte[] recomputedDigest = recomputeDigest(derContent,
                getMessageDigest(algorithm.getDigestAlgorithm()));

        // Copy the raw encoding and the basic fields into the result.
        validity.setCrlEncoded(derContent.toByteArray());
        validity.setSignatureAlgorithm(algorithm);
        validity.setThisUpdate(info.getThisUpdate());
        validity.setNextUpdate(info.getNextUpdate());

        // Critical extensions are evaluated together with the issuingDistributionPoint value.
        checkCriticalExtensions(validity, info.getCriticalExtensions().keySet(),
                info.getCriticalExtension(Extension.issuingDistributionPoint.getId()));
        extractExpiredCertsOnCRL(validity,
                info.getNonCriticalExtension(Extension.expiredCertsOnCRL.getId()));

        // Name check only: the flag is set on a match and left untouched otherwise.
        if (info.getIssuer().equals(issuerToken.getSubjectX500Principal())) {
            validity.setIssuerX509PrincipalMatches(true);
        }

        // The signature check runs whether or not the names matched.
        checkSignatureValue(validity, info.getSignatureValue(), recomputedDigest, issuerToken);
    }

    return validity;
}