Sean Mullan sean.mullan at
Tue Jun 28 05:46:01 PDT 2011

Are you using JDK 7? There were some bugs fixed with indirect CRLs in JDK 7.

Also, make sure you set the system property to the
value true when running, ex: java ...


On 6/28/11 1:05 AM, Xuelei.Fan at Oracle.Com wrote:
> Can you provide the code to reproduce the exception? Or is it possible to attach
> the CertPath building debugger log?
> Xuelei
> On Jun 28, 2011, at 11:59 AM, David Pomeroy<dfpomeroy at>  wrote:
>> Hello All,
>> I am trying to get a servlet to download and check a CRL.  The CRLDP is in
>> the client's certificate and the CRL is marked "indirect CRL" so that it
>> can be signed by a different key than the client cert issuer.  The
>> following block of code is invoked but the DistributionPointFetcher can't
>> seem to build a valid path and a CRLException is thrown.  My assumption was
>> this would work if I included the CRL signing certificate in my truststore.
>> What I find odd while stepping through this in a debugger is that the
>> "certStores" object contains only the client certificate which is to be
>> validated, so it makes sense that X509CertSelector doesn't find the right
>> cert in there.
>> Has anyone got indirect CRLs validated before?  I'd be interested in the
>> details of a test setup that works.  I can provide more details of my test
>> setup if necessary.
>> Thanks, David
>>
>> // Obtain and validate the certification path for the complete
>> // CRL issuer (if indirect CRL). If a key usage extension is present
>> // in the CRL issuer's certificate, verify that the cRLSign bit is set.
>> if (indirectCRL) {
>>     X509CertSelector certSel = new X509CertSelector();
>>     certSel.setSubject(crlIssuer.asX500Principal());
>>     boolean[] crlSign = {false,false,false,false,false,false,true};
>>     certSel.setKeyUsage(crlSign);
>>     PKIXBuilderParameters params = null;
>>     try {
>>         params = new PKIXBuilderParameters
>>             (Collections.singleton(anchor), certSel);
>>     } catch (InvalidAlgorithmParameterException iape) {
>>         throw new CRLException(iape);
>>     }
>>     params.setCertStores(certStores);
>>     params.setSigProvider(provider);
>>     try {
>>         CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
>>         PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult)
>>             ;
>>         prevKey = result.getPublicKey();
>>     } catch (Exception e) {
>>         throw new CRLException(e);
>>     }
>> }
