[security-dev 00508]: Re: SSLContextFactory
Sean Mullan
Sean.Mullan at Sun.COM
Thu Jan 22 19:21:45 UTC 2009
Hi Bruno,
Bruno Harbulot wrote:
> Hi Xuelei,
>
> Thanks for looking into this.
> I agree with you, everything that's required is already in the JavaSE
> API. I find, however, that using these classes requires a careful
> reading of the JSSE ref. guide and the Certification path ref. guide,
> both of which are rather long and non-trivial (at least to me). I
> suspect many developers don't have time to get into such a depth of
> details.
>
> One of the use-cases that was the motivation for PKIXSSLContextFactory
> in jSSLutils was to be able to add CRLs quite easily. Thus, you get
> something like this:
>
> PKIXSSLContextFactory sslContextFactory =
> new PKIXSSLContextFactory(keyStore, "keypassword", trustStore);
> sslContextFactory.addCrl("http://ca.example.org/root-crl");
> sslContextFactory.addCrl("http://ca.example.org/intermediate-crl");
> SSLContext sslContext = sslContextFactory.buildSSLContext();
>
> It's true that it's not possible to cover all cases, but I would guess
> that there is a small set of cases that are more frequent (such as adding
> CRLs explicitly).
Do you find that there are still many use cases that require you to manually add
CRLs? Most CAs that I know of now include the information to obtain CRLs in the
certificate itself, in the CRL Distribution Point Extension.
We support this extension in our PKIX CertPath implementation. The
implementation will automatically download these CRLs and cache them in memory
for a short time. However, you must set the system property
com.sun.security.enableCRLDP to true. We should probably change it to
be enabled by default because I don't think many users know about this property
and it is somewhat buried in the CertPath docs in one of the appendices.
--Sean
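Both halves of the exchange above, the explicit-CRL case Bruno wants to make easy and the CRL Distribution Point fetching Sean describes, can be done with the Java SE APIs alone. The following is an added example, not code from jSSLutils or from the JDK, showing the plain-JSSE equivalent of Bruno's snippet: CRLs loaded from files are handed to the PKIX validator through a CollectionCertStoreParameters CertStore, revocation checking is switched on with PKIXBuilderParameters.setRevocationEnabled(true), and the parameters are passed to the "PKIX" TrustManagerFactory via CertPathTrustManagerParameters (a TrustManagerFactory initialised with just a KeyStore does not check revocation at all). The file names, passwords and the RevocationCheckedSslContext class name are placeholders chosen for the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CRL;
import java.security.cert.X509CertSelector;
import java.util.ArrayList;
import java.util.List;

import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class RevocationCheckedSslContext {

    /** Loads a keystore from disk. Path and password are placeholders (assumptions). */
    static KeyStore loadKeyStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Parses one or more CRL files (DER or PEM) into X509CRL objects. */
    static List<X509CRL> loadCrls(String... paths) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509CRL> crls = new ArrayList<>();
        for (String p : paths) {
            try (InputStream in = new FileInputStream(p)) {
                crls.add((X509CRL) cf.generateCRL(in));
            }
        }
        return crls;
    }

    /**
     * Builds an SSLContext whose trust manager performs full PKIX path
     * validation with revocation checking enabled.
     *
     * @param useCrlDistributionPoints if true, additionally let the provider
     *        fetch CRLs named in each certificate's CRL Distribution Points
     *        extension (needs com.sun.security.enableCRLDP=true).
     */
    static SSLContext build(KeyStore keyStore, char[] keyPassword, KeyStore trustStore,
                            List<X509CRL> explicitCrls, boolean useCrlDistributionPoints)
            throws Exception {
        // Trust anchors come from the trust store; an empty selector accepts any target.
        PKIXBuilderParameters pkix =
                new PKIXBuilderParameters(trustStore, new X509CertSelector());
        pkix.setRevocationEnabled(true);   // off by default; this is the important switch

        // Explicitly supplied CRLs: expose them through a Collection CertStore so the
        // PKIX validator consults them (the Java SE equivalent of jSSLutils addCrl()).
        if (!explicitCrls.isEmpty()) {
            CertStore store = CertStore.getInstance("Collection",
                    new CollectionCertStoreParameters(explicitCrls));
            pkix.addCertStore(store);
        }

        // CRL Distribution Point fetching is disabled by default in Sun's provider and
        // is controlled by a system property that must be set before first use.
        if (useCrlDistributionPoints) {
            System.setProperty("com.sun.security.enableCRLDP", "true");
        }

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pkix));

        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder file names and passwords: assumptions for illustration only.
        KeyStore keyStore = loadKeyStore("client.jks", "keypassword".toCharArray());
        KeyStore trustStore = loadKeyStore("truststore.jks", "changeit".toCharArray());
        List<X509CRL> crls = loadCrls("root-crl.pem", "intermediate-crl.pem");

        SSLContext ctx = build(keyStore, "keypassword".toCharArray(), trustStore, crls, true);
        System.out.println("SSLContext protocol: " + ctx.getProtocol());
    }
}
```

Two caveats worth knowing. First, the provider reads com.sun.security.enableCRLDP once, the first time its CRL fetching code is loaded, so setting it from inside the application only works if nothing has triggered PKIX validation earlier; passing -Dcom.sun.security.enableCRLDP=true on the JVM command line is the dependable way. Second, with setRevocationEnabled(true) and no reachable CRL for some certificate in the chain, validation fails closed rather than silently skipping the check, which is the behaviour you want but also the reason explicitly supplied CRLs must be kept fresh.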