Xuelei.Fan at Oracle.Com
Mon Jun 27 22:05:05 PDT 2011

Can you provide the code to reproduce the exception? Or is it possible attach the CertPath building debugger log?


On Jun 28, 2011, at 11:59 AM, David Pomeroy <dfpomeroy at> wrote:

> Hello All,
> I am trying to get a servlet to download and check a CRL.  The CRLDP is in the client's certificate and the CRL is marked "indirect CRL" so that it can be signed by a different key than the client cert issuer.  The following block of code is invoked but the DistributionPointFetcher can't seem to build a valid path and a CRLException is thrown.  My assumption was this would work if I included the CRL signing certificate in my truststore.  What I find odd while stepping through this in a debugger is that the "certStores" object contains only the client certificate which is to be validated, so it makes sense that X509CertSelector doesn't find the right cert in there.  
> Has anyone got indirect CRLs validated before?  I'd be interested in the details of a test setup that works.  I can provide more details of my test setup if necessary.
> Thanks, David
>         // Obtain and validate the certification path for the complete
>         // CRL issuer (if indirect CRL). If a key usage extension is present
>         // in the CRL issuer's certificate, verify that the cRLSign bit is set.
>         if (indirectCRL) {
>             X509CertSelector certSel = new X509CertSelector();
>             certSel.setSubject(crlIssuer.asX500Principal());
>             boolean[] crlSign = {false,false,false,false,false,false,true};
>             certSel.setKeyUsage(crlSign);
>             PKIXBuilderParameters params = null;
>             try {
>                 params = new PKIXBuilderParameters
>                     (Collections.singleton(anchor), certSel);
>             } catch (InvalidAlgorithmParameterException iape) {
>                 throw new CRLException(iape);
>             }
>             params.setCertStores(certStores);
>             params.setSigProvider(provider);
>             try {
>                 CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
>                 PKIXCertPathBuilderResult result =
>                     (PKIXCertPathBuilderResult) builder.build(params);
>                 prevKey = result.getPublicKey();
>             } catch (Exception e) {
>                 throw new CRLException(e);
>             }
>         }
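The test setup David asks about, written out as an added example that is not part of this thread and not OpenJDK's own code: it reproduces the indirect-CRL path-building step outside a servlet container, so one can see whether the CRL signer's certificate is actually reachable from the cert stores the PKIX provider is given. The PEM/DER file names (client.pem, issuer-ca.pem, crl-signer.pem, indirect.crl) and the class name are assumptions; the point it shows is that the CRL signer certificate has to be supplied through a CertStore (and carry the cRLSign key-usage bit), not merely sit in the truststore, because the builder quoted above chains the CRL issuer to the trust anchor using only `certStores`.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.*;
import java.util.*;

/**
 * Added example (not from the thread or from OpenJDK): validate a client
 * certificate against an indirect CRL with the JDK's PKIX provider.
 *
 * Assumed inputs (hypothetical file names):
 *   client.pem      - end-entity certificate to validate (carries the CRLDP)
 *   issuer-ca.pem   - CA that issued client.pem; used as the trust anchor
 *   crl-signer.pem  - certificate of the key that signs the indirect CRL,
 *                     itself issued by issuer-ca.pem, with cRLSign key usage
 *   indirect.crl    - the indirect CRL (DER or PEM), nextUpdate in the future
 */
public class IndirectCrlCheck {

    static final int CRL_SIGN_BIT = 6; // KeyUsage bit index for cRLSign

    static X509Certificate readCert(CertificateFactory cf, String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate client = readCert(cf, "client.pem");
        X509Certificate issuerCa = readCert(cf, "issuer-ca.pem");
        X509Certificate crlSigner = readCert(cf, "crl-signer.pem");
        X509CRL crl;
        try (InputStream in = new FileInputStream("indirect.crl")) {
            crl = (X509CRL) cf.generateCRL(in);
        }

        // Mirror the selector in DistributionPointFetcher: if a KeyUsage
        // extension is present on the CRL signer, cRLSign must be set, or the
        // builder will never select this certificate as the CRL issuer.
        boolean[] ku = crlSigner.getKeyUsage();
        if (ku != null && (ku.length <= CRL_SIGN_BIT || !ku[CRL_SIGN_BIT])) {
            throw new IllegalStateException("CRL signer certificate lacks cRLSign key usage");
        }

        // Trust anchor: the issuing CA. The CRL signer is NOT an anchor; PKIX
        // must be able to build a path from it to the anchor using a CertStore.
        Set<TrustAnchor> anchors = Collections.singleton(new TrustAnchor(issuerCa, null));
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(true);

        // Everything the revocation checker must be able to find: the CRL
        // signer's certificate (for the path to the CRL issuer) and the CRL.
        List<Object> collection = new ArrayList<Object>();
        collection.add(crlSigner);
        collection.add(crl);
        CertStore store = CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(collection));
        params.addCertStore(store);

        CertPath path = cf.generateCertPath(Collections.singletonList(client));
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        try {
            PKIXCertPathValidatorResult result =
                    (PKIXCertPathValidatorResult) validator.validate(path, params);
            System.out.println("valid; anchor = "
                    + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // Java 7+: getReason() separates REVOKED from path-building or
            // CRL-fetching failures such as the CRLException in the thread.
            System.out.println("rejected: " + e.getMessage() + " (" + e.getReason() + ")");
        }
    }
}
```

Running this with a serial number that is listed in indirect.crl should produce a rejection whose reason is REVOKED; running it without the `collection.add(crlSigner)` line reproduces the situation described in the thread, where the only certificate the builder can see is the client's own and the CRL issuer path cannot be built. Inside a servlet container the cert stores are assembled by the JSSE trust manager rather than by application code, so the same CRL signer certificate must be made available there by whatever mechanism the container offers.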
