[security-dev 00778]: CRL Distribution Points and Issuing DistributionPoint Extension

Xuelei Fan Xuelei.Fan at Sun.COM
Mon Apr 20 19:54:31 PDT 2009


Hi,

In the DistributionPointFetcher.verifyCRL() [1], if CRL issuer in a 
certificate CRLDP is set, the CRL must set IssuingDistributionPoint 
extension, otherwise, the verification will failed. The codes:
      300     boolean verifyCRL(X509CertImpl certImpl, DistributionPoint 
point,
      301         X509CRL crl, boolean[] reasonsMask, boolean signFlag,
      302         PublicKey prevKey, String provider, TrustAnchor anchor,
      303         List<CertStore> certStores) throws CRLException, 
IOException {
      304         boolean indirectCRL = false;
      305         X509CRLImpl crlImpl = X509CRLImpl.toImpl(crl);
      306         IssuingDistributionPointExtension idpExt =
      307             crlImpl.getIssuingDistributionPointExtension();
      308         X500Name certIssuer = (X500Name) certImpl.getIssuerDN();
      309         X500Name crlIssuer = (X500Name) crlImpl.getIssuerDN();
      310
      311         // if crlIssuer is set, verify that it matches the 
issuer of the
      312         // CRL and the CRL contains an IDP extension with the 
indirectCRL
      313         // boolean asserted. Otherwise, verify that the CRL 
issuer matches the
      314         // certificate issuer.
      315         GeneralNames pointCrlIssuers = point.getCRLIssuer();
      316         X500Name pointCrlIssuer = null;
      317         if (pointCrlIssuers != null) {
      318             if (idpExt == null ||
      319                 ((Boolean) idpExt.get
      320                     
(IssuingDistributionPointExtension.INDIRECT_CRL)).equals
      321                         (Boolean.FALSE)) {
      322                 return false;
      323             }

In line 318, if "idpExt == null" is true, "false" will return. I don't 
find any spec support such logic, it might be a bug here. I think the 
codes should looks like:
      318             if (idpExt != null &&
      319                 ((Boolean) idpExt.get
      320                     
(IssuingDistributionPointExtension.INDIRECT_CRL)).equals
      321                         (Boolean.FALSE)) {
      322                 return false;

Any comments?

Thanks,
Xuelei

[1]: 
http://hg.openjdk.java.net/jdk7/tl/jdk/file/e281812be4ce/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java 




More information about the security-dev mailing list