[security-dev 00783]: Re: CRL Distribution Points and Issuing DistributionPoint Extension

Sean Mullan Sean.Mullan at Sun.COM
Tue Apr 21 10:54:49 PDT 2009


Xuelei Fan wrote:

> In line 318, if "idpExt == null" is true, "false" will return. I don't 
> find any spec support such logic, it might be a bug here. I think the 
> codes should looks like:
>      318             if (idpExt != null &&
>      319                 ((Boolean) idpExt.get
>      320                     
> (IssuingDistributionPointExtension.INDIRECT_CRL)).equals
>      321                         (Boolean.FALSE)) {
>      322                 return false;
> 
> Any comments?

RFC 5280 (Section 6.3.3 (b) (1)) says:

If the DP includes cRLIssuer, then verify that the issuer
field in the complete CRL matches cRLIssuer in the DP and
that the complete CRL contains an issuing distribution
point extension with the indirectCRL boolean asserted.
Otherwise, verify that the CRL issuer matches the
certificate issuer.

I think the original code is correct. In this case, the DP includes cRLIssuer, 
but the complete CRL doesn't contain an issuing distribution extension, thus it 
should fail, right?

--Sean




More information about the security-dev mailing list