[security-dev 00778]: CRL Distribution Points and Issuing DistributionPoint Extension
Xuelei Fan
Xuelei.Fan at Sun.COM
Tue Apr 21 02:54:31 UTC 2009
Hi,
In the DistributionPointFetcher.verifyCRL() [1], if the CRL issuer in a
certificate CRLDP is set, the CRL must set the IssuingDistributionPoint
extension; otherwise, the verification will fail. The code:
300    boolean verifyCRL(X509CertImpl certImpl, DistributionPoint point,
301            X509CRL crl, boolean[] reasonsMask, boolean signFlag,
302            PublicKey prevKey, String provider, TrustAnchor anchor,
303            List<CertStore> certStores) throws CRLException, IOException {
304        boolean indirectCRL = false;
305        X509CRLImpl crlImpl = X509CRLImpl.toImpl(crl);
306        IssuingDistributionPointExtension idpExt =
307            crlImpl.getIssuingDistributionPointExtension();
308        X500Name certIssuer = (X500Name) certImpl.getIssuerDN();
309        X500Name crlIssuer = (X500Name) crlImpl.getIssuerDN();
310
311        // if crlIssuer is set, verify that it matches the issuer of the
312        // CRL and the CRL contains an IDP extension with the indirectCRL
313        // boolean asserted. Otherwise, verify that the CRL issuer matches the
314        // certificate issuer.
315        GeneralNames pointCrlIssuers = point.getCRLIssuer();
316        X500Name pointCrlIssuer = null;
317        if (pointCrlIssuers != null) {
318            if (idpExt == null ||
319                ((Boolean) idpExt.get
320                    (IssuingDistributionPointExtension.INDIRECT_CRL)).equals
321                    (Boolean.FALSE)) {
322                return false;
323            }
In line 318, if "idpExt == null" is true, "false" will be returned. I don't
find any spec supporting such logic; it might be a bug here. I think the
code should look like:
318            if (idpExt != null &&
319                ((Boolean) idpExt.get
320                    (IssuingDistributionPointExtension.INDIRECT_CRL)).equals
321                    (Boolean.FALSE)) {
322                return false;
Any comments?
Thanks,
Xuelei
[1]:
http://hg.openjdk.java.net/jdk7/tl/jdk/file/e281812be4ce/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java
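Added example, not code from OpenJDK or from the post above: a small Java program that reads the indirectCRL flag out of an issuingDistributionPoint extension value (OID 2.5.29.28, in the OCTET STRING form that X509CRL.getExtensionValue() returns) and runs a distribution point that names a cRLIssuer through both forms of the line 318 test, the existing one and the proposed one, so the difference for a CRL with no IDP extension is visible. The class name, method names and the three constructed extension values are assumptions; only short-form DER lengths are handled.

```java
import java.util.Arrays;

/** Added example (not OpenJDK code): IDP indirectCRL parsing plus the two variants of the check. */
public class IdpIndirectCrlCheck {
    // OID of issuingDistributionPoint, the argument one would pass to X509CRL.getExtensionValue()
    static final String IDP_OID = "2.5.29.28";

    /** Returns the value of indirectCRL ([4] BOOLEAN DEFAULT FALSE) inside the extension value. */
    static boolean indirectCrlAsserted(byte[] octetString) {
        byte[] seq = unwrap(octetString, 0x04);   // OCTET STRING wrapper from getExtensionValue()
        byte[] body = unwrap(seq, 0x30);          // IssuingDistributionPoint ::= SEQUENCE { ... }
        int pos = 0;
        while (pos + 1 < body.length) {
            int tag = body[pos] & 0xff;
            int len = body[pos + 1] & 0xff;
            if (len > 127) throw new IllegalArgumentException("long-form length not handled here");
            if (tag == 0x84 && len == 1) {        // [4] IMPLICIT BOOLEAN: indirectCRL
                return body[pos + 2] != 0;
            }
            pos += 2 + len;                       // skip the other optional fields
        }
        return false;                             // field absent: DEFAULT FALSE applies
    }

    private static byte[] unwrap(byte[] tlv, int expectedTag) {
        if (tlv == null || tlv.length < 2 || (tlv[0] & 0xff) != expectedTag)
            throw new IllegalArgumentException("expected DER tag 0x" + Integer.toHexString(expectedTag));
        int len = tlv[1] & 0xff;
        if (len > 127 || 2 + len > tlv.length) throw new IllegalArgumentException("bad DER length");
        return Arrays.copyOfRange(tlv, 2, 2 + len);
    }

    /** The test as it stands at line 318: with a cRLIssuer in the DP, a missing IDP rejects the CRL. */
    static boolean passesExistingCheck(boolean dpHasCrlIssuer, byte[] idpExtValue) {
        if (!dpHasCrlIssuer) return true;
        return idpExtValue != null && indirectCrlAsserted(idpExtValue);
    }

    /** The change proposed in the post: a CRL with no IDP extension at all is not rejected. */
    static boolean passesProposedCheck(boolean dpHasCrlIssuer, byte[] idpExtValue) {
        if (!dpHasCrlIssuer) return true;
        return idpExtValue == null || indirectCrlAsserted(idpExtValue);
    }

    public static void main(String[] args) {
        // Constructed values: OCTET STRING { SEQUENCE { [4] BOOLEAN TRUE } }, the same with FALSE, and no IDP.
        byte[] indirect = {0x04, 0x05, 0x30, 0x03, (byte) 0x84, 0x01, (byte) 0xff};
        byte[] direct = {0x04, 0x05, 0x30, 0x03, (byte) 0x84, 0x01, 0x00};
        byte[][] cases = {indirect, direct, null};
        for (byte[] v : cases) {
            System.out.printf("idp=%-32s existing=%-5b proposed=%b%n", v == null ? "absent" : Arrays.toString(v),
                    passesExistingCheck(true, v), passesProposedCheck(true, v));
        }
    }
}
```

The only row where the two variants disagree is the CRL with no IDP extension; a CRL that carries an IDP with indirectCRL FALSE is rejected by both.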