[security-dev 00784]: Re: CRL Distribution Points and Issuing DistributionPoint Extension
Xuelei Fan
Xuelei.Fan at Sun.COM
Wed Apr 22 01:52:25 UTC 2009
Sean Mullan wrote:
> Xuelei Fan wrote:
>
>> In line 318, if "idpExt == null" is true, "false" will be returned. I
>> don't find any spec supporting such logic; it might be a bug here. I
>> think the code should look like:
>> 318 if (idpExt != null &&
>> 319 ((Boolean) idpExt.get
>> 320 (IssuingDistributionPointExtension.INDIRECT_CRL)).equals
>> 321 (Boolean.FALSE)) {
>> 322 return false;
>>
>> Any comments?
>
> RFC 5280 (Section 6.3.3 (b) (1)) says:
>
> If the DP includes cRLIssuer, then verify that the issuer
> field in the complete CRL matches cRLIssuer in the DP and
> that the complete CRL contains an issuing distribution
> point extension with the indirectCRL boolean asserted.
> Otherwise, verify that the CRL issuer matches the
> certificate issuer.
>
> I think the original code is correct. In this case, the DP includes
> cRLIssuer, but the complete CRL doesn't contain an issuing
> distribution extension, thus it should fail, right?
>
Yes, the spec does require that the complete CRL *contains* an issuing DP; I
agree that the original code is correct. That means that if the DP
includes cRLIssuer, the conforming implementation must support issuing
distribution point and every CRL must contain an issuing distribution
point, which seems to conflict with the description of the issuing
distribution point:
The issuing distribution point is a critical CRL extension that
identifies the CRL distribution point and scope for a particular CRL,
and it indicates whether the CRL covers revocation for end entity
certificates only, CA certificates only, attribute certificates only,
or a limited set of reason codes. Although the extension is
critical, conforming implementations are not required to support this
extension. However, implementations that do not support this <<<
extension MUST either treat the status of any certificate not listed <<<
on this CRL as unknown or locate another CRL that does not contain <<<
any unrecognized critical extensions.
So could I understand the section 6.3.3 above as: If the DP includes
cRLIssuer, then verify that the issuer field in the complete CRL matches
cRLIssuer in the DP and if the complete CRL contains an issuing
distribution point extension, it should be with the indirectCRL boolean
asserted? Is there any potential security issue?
Thanks,
Xuelei
> --Sean
>
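The RFC 5280 6.3.3 (b)(1) check debated in this thread, written out as an added Python model rather than the JDK's own code: a minimal DER walk reads the indirectCRL flag out of an IssuingDistributionPoint extnValue, and a CRL that carries no IDP at all fails the check when the DP names a cRLIssuer, which is the behaviour of the original code. The Crl and DistributionPoint classes and all sample extnValue bytes are constructed assumptions for this example.

```python
from dataclasses import dataclass

IDP_OID = "2.5.29.28"  # id-ce-issuingDistributionPoint

def _tlv(data, pos):
    """Parse one DER TLV (single-byte tag, short or long length) at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def idp_indirect_crl(ext_value):
    """indirectCRL from a DER extnValue (OCTET STRING wrapping the IDP SEQUENCE).
    It is [4] IMPLICIT BOOLEAN DEFAULT FALSE, so absence means False."""
    tag, seq, _ = _tlv(ext_value, 0)
    assert tag == 0x04, "extnValue must be an OCTET STRING"
    tag, body, _ = _tlv(seq, 0)
    assert tag == 0x30, "IssuingDistributionPoint must be a SEQUENCE"
    pos = 0
    while pos < len(body):
        tag, content, pos = _tlv(body, pos)
        if tag == 0x84:                     # context-specific [4], primitive
            return any(content)             # DER TRUE is 0xFF
    return False

@dataclass
class Crl:                                  # constructed model, not java.security.cert.X509CRL
    issuer: str
    extensions: dict                        # extension OID -> raw extnValue bytes

@dataclass
class DistributionPoint:                    # constructed model of one DP
    crl_issuer: "str | None"                # cRLIssuer, None when absent

def crl_issuer_acceptable(dp, crl, cert_issuer):
    """RFC 5280 6.3.3 (b)(1): with cRLIssuer in the DP, the CRL issuer must
    match it AND the CRL must carry an IDP with indirectCRL asserted, so a
    CRL without any IDP fails. Otherwise the CRL issuer must match the
    certificate issuer."""
    if dp.crl_issuer is None:
        return crl.issuer == cert_issuer
    if crl.issuer != dp.crl_issuer:
        return False
    idp = crl.extensions.get(IDP_OID)
    return idp is not None and idp_indirect_crl(idp)

# Constructed sample extnValues, not taken from any real CRL
IDP_INDIRECT_TRUE = bytes.fromhex("040530038401ff")  # SEQUENCE { [4] TRUE }
IDP_NO_FLAGS = bytes.fromhex("04023000")             # empty SEQUENCE: all defaults
```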