David Pomeroy dfpomeroy at
Mon Jun 27 20:59:21 PDT 2011

Hello All,

I am trying to get a servlet to download and check a CRL.  The CRLDP is in
the client's certificate and the CRL is marked "indirect CRL" so that it can
be signed by a different key than the client cert issuer.  The following
block of code is invoked but the DistributionPointFetcher can't seem to
build a valid path and a CRLException is thrown.  My assumption was this
would work if I included the CRL signing certificate in my truststore.  What
I find odd while stepping through this in a debugger is that the
"certStores" object contains only the client certificate which is to be
validated, so it makes sense that X509CertSelector doesn't find the right
cert in there.

Has anyone got indirect CRLs validated before?  I'd be interested in the
details of a test setup that works.  I can provide more details of my test
setup if necessary.

Thanks, David

        // Obtain and validate the certification path for the complete
        // CRL issuer (if indirect CRL). If a key usage extension is present
        // in the CRL issuer's certificate, verify that the cRLSign bit is
        // set.
        if (indirectCRL) {
            // The target of the path build is the CRL issuer's certificate
            // (crl is the fetched X509CRL being verified).
            X509CertSelector certSel = new X509CertSelector();
            certSel.setSubject(crl.getIssuerX500Principal());
            // KeyUsage bit 6 is cRLSign; the selector requires it to be set.
            boolean[] crlSign = {false,false,false,false,false,false,true};
            certSel.setKeyUsage(crlSign);
            PKIXBuilderParameters params = null;
            try {
                params = new PKIXBuilderParameters
                    (Collections.singleton(anchor), certSel);
            } catch (InvalidAlgorithmParameterException iape) {
                throw new CRLException(iape);
            }
            // The builder can only locate the CRL issuer's certificate
            // through these stores, not through the trust anchors alone.
            params.setCertStores(certStores);
            try {
                CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
                PKIXCertPathBuilderResult result =
                    (PKIXCertPathBuilderResult) builder.build(params);
                prevKey = result.getPublicKey();
            } catch (Exception e) {
                throw new CRLException(e);
            }
        }
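Added example, not code from the original post or from the JDK itself: a PKIX validation of the client certificate with CRLDP fetching enabled, where the indirect CRL's signing certificate is handed to the validator through a Collection CertStore, which is the place the internal path builder for the CRL issuer searches. The PEM file names are constructed, the CRL signer is assumed to chain to the same trust anchor as the client certificate, and that the missing CertStore entry is the cause of the CRLException is an assumption.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.*;
import java.util.Collections;

public final class IndirectCrlCheck {

    private static X509Certificate readCert(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    // Validates clientCert against the anchor clientCa; throws
    // CertPathValidatorException if the path or the CRL check fails.
    public static PKIXCertPathValidatorResult validate(
            X509Certificate clientCert, X509Certificate clientCa,
            X509Certificate crlSigner) throws Exception {
        // Make the JDK follow the cRLDistributionPoints extension of the cert.
        System.setProperty("com.sun.security.enableCRLDP", "true");

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(Collections.singletonList(clientCert));

        PKIXParameters params = new PKIXParameters(
                Collections.singleton(new TrustAnchor(clientCa, null)));
        params.setRevocationEnabled(true);

        // The CRL signer is not part of the chain under validation, so the
        // builder that verifies the CRL issuer (see the fragment above) only
        // sees it if it is reachable through a CertStore on the parameters;
        // the truststore supplies anchors, not intermediate/signer certs.
        // (Assumption: this is what the original setup was missing.)
        CertStore signerStore = CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(
                        Collections.singletonList(crlSigner)));
        params.addCertStore(signerStore);

        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        return (PKIXCertPathValidatorResult) cpv.validate(path, params);
    }

    public static void main(String[] args) throws Exception {
        // Constructed file names; substitute the test setup's real PEM files.
        PKIXCertPathValidatorResult r = validate(readCert("client.pem"),
                readCert("client-ca.pem"), readCert("crl-signer.pem"));
        System.out.println("validated, key algorithm: "
                + r.getPublicKey().getAlgorithm());
    }
}
```

A revoked client certificate, or a CRL whose signer cannot be built to the anchor, surfaces as a CertPathValidatorException from validate, which is the point at which to log the reason before rejecting the connection.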