[security-dev 00783]: Re: CRL Distribution Points and Issuing DistributionPoint Extension
Sean Mullan
Sean.Mullan at Sun.COM
Tue Apr 21 17:54:49 UTC 2009
Xuelei Fan wrote:
> In line 318, if "idpExt == null" is true, "false" will be returned. I don't
> find any spec that supports such logic; it might be a bug here. I think the
> code should look like:
> 318 if (idpExt != null &&
> 319     ((Boolean) idpExt.get
> 320         (IssuingDistributionPointExtension.INDIRECT_CRL)).equals
> 321         (Boolean.FALSE)) {
> 322     return false;
>
> Any comments?
RFC 5280 (Section 6.3.3 (b) (1)) says:
If the DP includes cRLIssuer, then verify that the issuer
field in the complete CRL matches cRLIssuer in the DP and
that the complete CRL contains an issuing distribution
point extension with the indirectCRL boolean asserted.
Otherwise, verify that the CRL issuer matches the
certificate issuer.
I think the original code is correct. In this case, the DP includes cRLIssuer,
but the complete CRL doesn't contain an issuing distribution extension, thus it
should fail, right?
--Sean
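The RFC 5280 6.3.3 (b)(1) rule discussed above, written out as an added example; this is not OpenJDK's DistributionPointFetcher code and the class and method names (CrlIssuerScopeCheck, issuerAndScopeOk, indirectCrlAsserted) are made up for illustration. It only uses the public JDK API: the issuing distribution point extension (OID 2.5.29.28) is pulled with X509CRL.getExtensionValue, which returns the DER of the wrapping OCTET STRING, and a minimal DER walker then looks for the [4] IMPLICIT BOOLEAN indirectCRL element. The sample extension bytes in main are constructed by hand, not taken from any real CRL.

```java
import java.security.cert.X509CRL;
import java.util.Arrays;
import javax.security.auth.x500.X500Principal;

/** Added example of the RFC 5280 6.3.3 (b)(1) issuer/scope check (not OpenJDK code). */
public class CrlIssuerScopeCheck {

    static final String IDP_OID = "2.5.29.28"; // id-ce-issuingDistributionPoint

    /**
     * Core rule, on raw inputs so it can be exercised without building a CRL.
     *
     * @param crlIssuer         issuer field of the complete CRL
     * @param idpExtensionValue X509CRL.getExtensionValue(IDP_OID), or null if the CRL has no IDP
     * @param certIssuer        issuer of the certificate being checked
     * @param dpCrlIssuer       cRLIssuer from the DP, or null if the DP has no cRLIssuer
     */
    static boolean issuerAndScopeOk(X500Principal crlIssuer, byte[] idpExtensionValue,
                                    X500Principal certIssuer, X500Principal dpCrlIssuer) {
        if (dpCrlIssuer != null) {
            // DP names a cRLIssuer: the CRL must come from it AND carry an IDP with indirectCRL TRUE.
            // A missing IDP extension therefore fails, which is the behaviour defended above.
            return crlIssuer.equals(dpCrlIssuer)
                    && idpExtensionValue != null
                    && indirectCrlAsserted(idpExtensionValue);
        }
        // No cRLIssuer in the DP: the CRL issuer must simply match the certificate issuer.
        return crlIssuer.equals(certIssuer);
    }

    /** Convenience overload for a real CRL object. */
    static boolean issuerAndScopeOk(X509CRL crl, X500Principal certIssuer, X500Principal dpCrlIssuer) {
        return issuerAndScopeOk(crl.getIssuerX500Principal(), crl.getExtensionValue(IDP_OID),
                                certIssuer, dpCrlIssuer);
    }

    /** True if the IDP extension (as returned by getExtensionValue) has indirectCRL asserted. */
    static boolean indirectCrlAsserted(byte[] extensionValue) {
        byte[] idp = unwrap(extensionValue, 0x04);  // OCTET STRING -> DER of IssuingDistributionPoint
        byte[] body = unwrap(idp, 0x30);            // SEQUENCE -> its elements
        int pos = 0;
        while (pos < body.length) {
            int tag = body[pos] & 0xFF;
            int[] lenAndHdr = readLength(body, pos + 1);
            int len = lenAndHdr[0];
            int valStart = pos + 1 + lenAndHdr[1];
            if (tag == 0x84) {  // [4] IMPLICIT BOOLEAN: indirectCRL
                return len == 1 && body[valStart] != 0;
            }
            pos = valStart + len;
        }
        return false;  // element absent -> DEFAULT FALSE
    }

    /** Returns the contents of a single DER TLV after checking its tag. */
    static byte[] unwrap(byte[] der, int expectedTag) {
        if (der.length == 0 || (der[0] & 0xFF) != expectedTag) {
            throw new IllegalArgumentException("expected DER tag 0x" + Integer.toHexString(expectedTag));
        }
        int[] lenAndHdr = readLength(der, 1);
        int start = 1 + lenAndHdr[1];
        return Arrays.copyOfRange(der, start, start + lenAndHdr[0]);
    }

    /** Reads a DER length at off; returns {length, number of length bytes} (long form up to 3 bytes). */
    static int[] readLength(byte[] der, int off) {
        int first = der[off] & 0xFF;
        if (first < 0x80) {
            return new int[] {first, 1};
        }
        int n = first & 0x7F;
        if (n == 0 || n > 3) {
            throw new IllegalArgumentException("unsupported DER length encoding");
        }
        int len = 0;
        for (int i = 1; i <= n; i++) {
            len = (len << 8) | (der[off + i] & 0xFF);
        }
        return new int[] {len, 1 + n};
    }

    public static void main(String[] args) {
        X500Principal ca = new X500Principal("CN=Example CA");           // constructed names
        X500Principal indirectIssuer = new X500Principal("CN=Example CRL Issuer");

        // Constructed extension values, as getExtensionValue would return them:
        byte[] idpIndirect = {0x04, 0x05, 0x30, 0x03, (byte) 0x84, 0x01, (byte) 0xFF}; // indirectCRL TRUE
        byte[] idpUserCerts = {0x04, 0x05, 0x30, 0x03, (byte) 0x81, 0x01, (byte) 0xFF}; // onlyContainsUserCerts
        byte[] idpEmpty = {0x04, 0x02, 0x30, 0x00};

        // The case from the thread: DP has cRLIssuer, CRL matches it, but no IDP extension -> fail.
        System.out.println(issuerAndScopeOk(indirectIssuer, null, ca, indirectIssuer));          // false
        System.out.println(issuerAndScopeOk(indirectIssuer, idpIndirect, ca, indirectIssuer));   // true
        System.out.println(issuerAndScopeOk(indirectIssuer, idpUserCerts, ca, indirectIssuer));  // false
        System.out.println(issuerAndScopeOk(indirectIssuer, idpEmpty, ca, indirectIssuer));      // false
        System.out.println(issuerAndScopeOk(ca, null, ca, null));                                // true
        System.out.println(issuerAndScopeOk(indirectIssuer, idpIndirect, ca, null));             // false
    }
}
```

The DER walker is deliberately minimal (no constructed-length or indefinite-length handling, which DER forbids anyway) and is only meant to locate the [4] element; a real validator would use a full ASN.1 decoder. Note that under DER a DEFAULT FALSE boolean must be omitted rather than encoded as FALSE, so an encoder that emits `84 01 00` is non-conforming, but the check above still treats it as not asserted.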