sun.security.provider.certpath.DistributionPointFetcher
David Pomeroy
dfpomeroy at gmail.com
Tue Jun 28 16:57:22 UTC 2011
Hi Xuelei,
Attached is the certpath debug output.
Here is some more info about my test setup.
Dev Root CA issued Dev Sub CA
Dev Sub CA issued client cert
Dev Root CA issued Dev Crl Server cert
Crl is issued by Dev Crl Server, URL is http://localhost/crl.crl
Dev Root CA, Dev Sub CA, and Dev Crl Server have all been added to the
server's truststore.
I have specified the issuer distribution point in the CRL,
onlyContainsUserCerts=true, onlyContainsCACerts=false, indirectCRL=true,
onlyContainsAttributeCerts=false
The client cert specifies crlIssuer=Dev Crl Server.
Thanks, Dave
On Mon, Jun 27, 2011 at 10:05 PM, Xuelei.Fan at Oracle.Com <Xuelei.Fan at oracle.com> wrote:
> Can you provide the code to reproduce the exception? Or is it possible
> attach the CertPath building debugger log?
>
> Xuelei
>
> On Jun 28, 2011, at 11:59 AM, David Pomeroy <dfpomeroy at gmail.com> wrote:
>
> > Hello All,
> >
> > I am trying to get a servlet to download and check a CRL. The CRLDP is
> > in the client's certificate and the CRL is marked "indirect CRL" so that it
> > can be signed by a different key than the client cert issuer. The following
> > block of code is invoked but the DistributionPointFetcher can't seem to
> > build a valid path and a CRLException is thrown. My assumption was this
> > would work if I included the CRL signing certificate in my truststore. What
> > I find odd while stepping through this in a debugger is that the
> > "certStores" object contains only the client certificate which is to be
> > validated, so it makes sense that X509CertSelector doesn't find the right
> > cert in there.
> >
> > Has anyone got indirect CRLs validated before? I'd be interested in the
> > details of a test setup that works. I can provide more details of my test
> > setup if necessary.
> >
> > Thanks, David
> >
> >
> > // Obtain and validate the certification path for the complete
> > // CRL issuer (if indirect CRL). If a key usage extension is present
> > // in the CRL issuer's certificate, verify that the cRLSign bit is set.
> > if (indirectCRL) {
> >     X509CertSelector certSel = new X509CertSelector();
> >     certSel.setSubject(crlIssuer.asX500Principal());
> >     boolean[] crlSign = {false,false,false,false,false,false,true};
> >     certSel.setKeyUsage(crlSign);
> >     PKIXBuilderParameters params = null;
> >     try {
> >         params = new PKIXBuilderParameters
> >             (Collections.singleton(anchor), certSel);
> >     } catch (InvalidAlgorithmParameterException iape) {
> >         throw new CRLException(iape);
> >     }
> >     params.setCertStores(certStores);
> >     params.setSigProvider(provider);
> >     try {
> >         CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
> >         PKIXCertPathBuilderResult result =
> >             (PKIXCertPathBuilderResult) builder.build(params);
> >         prevKey = result.getPublicKey();
> >     } catch (Exception e) {
> >         throw new CRLException(e);
> >     }
> > }
>
-------------- next part --------------
certpath: PKIXCertPathValidator.engineValidate()...
certpath: PKIXCertPathValidator.engineValidate() reversing certpath...
certpath: PKIXCertPathValidator.engineValidate() anchor.getTrustedCert() != null
certpath: PKIXCertPathValidator.isWorthTrying() checking if this trusted cert is worth trying ...
certpath: NO - don't try this trustedCert
certpath: PKIXCertPathValidator.engineValidate() anchor.getTrustedCert() != null
certpath: PKIXCertPathValidator.isWorthTrying() checking if this trusted cert is worth trying ...
certpath: NO - don't try this trustedCert
certpath: PKIXCertPathValidator.engineValidate() anchor.getTrustedCert() != null
certpath: PKIXCertPathValidator.isWorthTrying() checking if this trusted cert is worth trying ...
certpath: YES - try this trustedCert
certpath: anchor.getTrustedCert().getSubjectX500Principal() = CN=Dev Sub CA
certpath: --------------------------------------------------------------
certpath: Executing PKIX certification path validation algorithm.
certpath: Checking cert1 ...
certpath: Set of critical extensions:
certpath: 2.5.29.15
certpath: 2.5.29.37
certpath: 2.5.29.19
certpath: -Using checker1 ... [sun.security.provider.certpath.AlgorithmChecker]
certpath: -checker1 validation succeeded
certpath: -Using checker2 ... [sun.security.provider.certpath.KeyChecker]
certpath: -checker2 validation succeeded
certpath: -Using checker3 ... [sun.security.provider.certpath.ConstraintsChecker]
certpath: ---checking basic constraints...
certpath: i = 1
certpath: maxPathLength = 1
certpath: after processing, maxPathLength = 1
certpath: basic constraints verified.
certpath: ---checking name constraints...
certpath: prevNC = null
certpath: newNC = null
certpath: mergedNC = null
certpath: name constraints verified.
certpath: -checker3 validation succeeded
certpath: -Using checker4 ... [sun.security.provider.certpath.PolicyChecker]
certpath: PolicyChecker.checkPolicy() ---checking certificate policies...
certpath: PolicyChecker.checkPolicy() certIndex = 1
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: explicitPolicy = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyMapping = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: inhibitAnyPolicy = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyTree = anyPolicy ROOT
certpath: PolicyChecker.processPolicies() no policies present in cert
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: explicitPolicy = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyMapping = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: inhibitAnyPolicy = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyTree = null
certpath: PolicyChecker.checkPolicy() certificate policies verified
certpath: -checker4 validation succeeded
certpath: -Using checker5 ... [sun.security.provider.certpath.BasicChecker]
certpath: ---checking timestamp:Tue Jun 28 09:14:19 PDT 2011...
certpath: timestamp verified.
certpath: ---checking subject/issuer name chaining...
certpath: subject/issuer name chaining verified.
certpath: ---checking signature...
certpath: signature verified.
certpath: BasicChecker.updateState issuer: CN=Dev Sub CA; subject: CN=234159080345657; serial#: 1250
certpath: -checker5 validation succeeded
certpath: -Using checker6 ... [sun.security.provider.certpath.CrlRevocationChecker]
certpath: CrlRevocationChecker.verifyRevocationStatus() ---checking revocation status...
certpath: DistributionPointFetcher.getCRLs: Checking CRLDPs for CN=234159080345657
certpath: Trying to fetch CRL from DP http://localhost/crl.crl
certpath: CertStore URI:http://localhost/crl.crl
certpath: Downloading new CRL...
certpath: idpName: URIName: http://localhost/crl.crl
certpath: pointName: URIName: http://localhost/crl.crl
certpath: SunCertPathBuilder.engineBuild([
[
Trust Anchors: [[
Trusted CA cert: [
[
Version: V3
Subject: CN=Dev Sub CA
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: 31696243932874256364335990637094427770482150137369453879629054046277594694178299662030613175940051336592870418113037419713357290194638536691606561721465520703526043819995453182453582996601875791731978172486235451952100860390268691062261564472533003331397217240833053175303404082306509973352439625645600600400408333148563265268164313890699450748266186324338577359913955542853478283626859231040995581139161097669581270909389409188385131437359048571882558660942248026022064839125345179031998211043815799677884832277271147572182551216847408958538553541983556420628304268943945349378863098906567967665152779703018233229929
public exponent: 65537
Validity: [From: Sat Jun 25 14:32:02 PDT 2011,
To: Sat Aug 24 14:32:02 PDT 2030]
Issuer: CN=Dev Root CA
SerialNumber: [ 01f4]
Certificate Extensions: 2
[1]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
[2]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:0
]
]
Algorithm: [SHA1withRSA]
Signature:
0000: 18 8C C1 CA 2D F8 C4 3B AC F2 F4 29 87 70 E9 BE ....-..;...).p..
0010: BF 55 69 BC 50 17 37 7A 94 10 05 64 D9 58 5E 8F .Ui.P.7z...d.X^.
0020: 56 9C 38 F6 C8 E6 F9 08 DF 86 B0 E7 1A 4D 0A 8E V.8..........M..
0030: 85 E6 BE F4 D4 90 CF B5 AD D4 49 77 DC FE 51 7C ..........Iw..Q.
0040: A8 07 AB 07 30 52 1A 91 4C 9F 65 67 BF 74 73 C1 ....0R..L.eg.ts.
0050: 8A E6 E7 64 19 40 1B 01 66 A1 F0 9D 15 FE F4 E5 ...d.@..f.......
0060: C3 79 50 53 FF 6D BD A3 06 46 5B 87 79 E5 DE BB .yPS.m...F[.y...
0070: 94 2B 1E 8B 4C DF A3 EA CD C0 D4 F9 41 3B CA BE .+..L.......A;..
0080: 18 AC 8F 50 03 94 9A EF A1 6E 05 75 C4 E3 EC E8 ...P.....n.u....
0090: 85 79 CE 6C 31 70 27 93 9E 51 16 67 A1 81 1B C7 .y.l1p'..Q.g....
00A0: 3F DC FD E5 01 21 9C 21 44 71 7B A9 57 F8 57 79 ?....!.!Dq..W.Wy
00B0: 45 6F 37 5F F8 A4 DE CA 0A 06 7C C3 8B 94 22 67 Eo7_.........."g
00C0: 9A 93 8B D2 51 E6 3F 1F 09 24 A8 23 70 04 95 F7 ....Q.?..$.#p...
00D0: 48 42 F6 D2 D2 54 43 E9 0F C9 04 85 5E EA 46 31 HB...TC.....^.F1
00E0: 8A CF E8 F3 9C 76 D2 DE 9B ED F7 1C 15 C1 02 05 .....v..........
00F0: D7 ED 18 6B 74 CC 80 9D 2F 3D BF EC 24 20 00 E6 ...kt.../=..$ ..
]
]
Initial Policy OIDs: any
Validity Date: null
Signature Provider: null
Default Revocation Enabled: true
Explicit Policy Required: false
Policy Mapping Inhibited: false
Any Policy Inhibited: false
Policy Qualifiers Rejected: true
Target Cert Constraints: X509CertSelector: [
Subject: CN=Dev CRL Server,
matchAllSubjectAltNames flag: true
Key Usage: KeyUsage [
Crl_Sign
]
]
Certification Path Checkers: [[]]
CertStores: [[java.security.cert.CertStore@e4b3b8]]
] Maximum Path Length: 5
]
)
certpath: SunCertPathBuilder.buildForward()...
certpath: SunCertPathBuilder.depthFirstSearchForward(CN=Dev CRL Server, State [
issuerDN of last cert: null
traversedCACerts: 0
init: true
keyParamsNeeded: false
subjectNamesTraversed:
[]]
)
certpath: ForwardBuilder.getMatchingCerts()...
certpath: ForwardBuilder.getMatchingEECerts()...
certpath: X509CertSelector.match(SN: 4e2
Issuer: CN=Dev Sub CA
Subject: CN=234159080345657)
certpath: X509CertSelector.match: subject DNs don't match
certpath: ForwardBuilder.getMatchingCACerts()...
certpath: ForwardBuilder.getMatchingCACerts(): ca is target
certpath: X509CertSelector.match(SN: 1f4
Issuer: CN=Dev Root CA
Subject: CN=Dev Sub CA)
certpath: X509CertSelector.match: subject DNs don't match
certpath: X509CertSelector.match(SN: 4e2
Issuer: CN=Dev Sub CA
Subject: CN=234159080345657)
certpath: X509CertSelector.match: subject DNs don't match
certpath: ForwardBuilder.getMatchingCACerts: found 0 CA certs
certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=0
certpath: SunCertPathBuilder.engineBuild: 2nd pass
certpath: SunCertPathBuilder.buildForward()...
certpath: SunCertPathBuilder.depthFirstSearchForward(CN=Dev CRL Server State [
issuerDN of last cert: null
traversedCACerts: 0
init: true
keyParamsNeeded: false
subjectNamesTraversed:
[]]
)
certpath: ForwardBuilder.getMatchingCerts()...
certpath: ForwardBuilder.getMatchingEECerts()...
certpath: X509CertSelector.match(SN: 4e2
Issuer: CN=Dev Sub CA
Subject: CN=234159080345657)
certpath: X509CertSelector.match: subject DNs don't match
certpath: ForwardBuilder.getMatchingCACerts()...
certpath: ForwardBuilder.getMatchingCACerts(): ca is target
certpath: X509CertSelector.match(SN: 1f4
Issuer: CN=Dev Root CA
Subject: CN=Dev Sub CA)
certpath: X509CertSelector.match: subject DNs don't match
certpath: X509CertSelector.match(SN: 4e2
Issuer: CN=Dev Sub CA
Subject: CN=234159080345657)
certpath: X509CertSelector.match: subject DNs don't match
certpath: ForwardBuilder.getMatchingCACerts: found 0 CA certs
certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=0
certpath: Exception verifying CRL: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
java.security.cert.CRLException: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.DistributionPointFetcher.verifyCRL(DistributionPointFetcher.java:540)
at sun.security.provider.certpath.DistributionPointFetcher.getCRLs(DistributionPointFetcher.java:195)
at sun.security.provider.certpath.DistributionPointFetcher.getCRLs(DistributionPointFetcher.java:121)
at sun.security.provider.certpath.CrlRevocationChecker.verifyRevocationStatus(CrlRevocationChecker.java:309)
at sun.security.provider.certpath.CrlRevocationChecker.verifyRevocationStatus(CrlRevocationChecker.java:248)
at sun.security.provider.certpath.CrlRevocationChecker.check(CrlRevocationChecker.java:189)
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:131)
at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:325)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:187)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:267)
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:283)
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:271)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:191)
at sun.security.validator.Validator.validate(Validator.java:235)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:147)
at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:188)
at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:258)
at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1414)
at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:179)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:610)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:550)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:548)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:969)
************
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
at java.lang.Thread.run(Thread.java:636)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:197)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:255)
at sun.security.provider.certpath.DistributionPointFetcher.verifyCRL(DistributionPointFetcher.java:536)
... 43 more
certpath: Returning 0 CRLs
certpath: CrlRevocationChecker.verifyRevocationStatus() crls.size() = 0
certpath: CrlRevocationChecker.verifyRevocationStatus() approved crls.size() = 0
certpath: CrlRevocationChecker.verifyWithSeparateSigningKey() ---checking revocation status...
certpath: CrlRevocationChecker.buildToNewKey() starting work
certpath: CrlRevocationChecker.buildToNewKey() about to try build ...
certpath: SunCertPathBuilder.engineBuild([
[
Trust Anchors: [[
Trusted CA cert: [
[
Version: V3
Subject: CN=Dev Sub CA
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: 31696243932874256364335990637094427770482150137369453879629054046277594694178299662030613175940051336592870418113037419713357290194638536691606561721465520703526043819995453182453582996601875791731978172486235451952100860390268691062261564472533003331397217240833053175303404082306509973352439625645600600400408333148563265268164313890699450748266186324338577359913955542853478283626859231040995581139161097669581270909389409188385131437359048571882558660942248026022064839125345179031998211043815799677884832277271147572182551216847408958538553541983556420628304268943945349378863098906567967665152779703018233229929
public exponent: 65537
Validity: [From: Sat Jun 25 14:32:02 PDT 2011,
To: Sat Aug 24 14:32:02 PDT 2030]
Issuer: CN=Dev Root CA
SerialNumber: [ 01f4]
Certificate Extensions: 2
[1]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
[2]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:0
]
]
Algorithm: [SHA1withRSA]
Signature:
0000: 18 8C C1 CA 2D F8 C4 3B AC F2 F4 29 87 70 E9 BE ....-..;...).p..
0010: BF 55 69 BC 50 17 37 7A 94 10 05 64 D9 58 5E 8F .Ui.P.7z...d.X^.
0020: 56 9C 38 F6 C8 E6 F9 08 DF 86 B0 E7 1A 4D 0A 8E V.8..........M..
0030: 85 E6 BE F4 D4 90 CF B5 AD D4 49 77 DC FE 51 7C ..........Iw..Q.
0040: A8 07 AB 07 30 52 1A 91 4C 9F 65 67 BF 74 73 C1 ....0R..L.eg.ts.
0050: 8A E6 E7 64 19 40 1B 01 66 A1 F0 9D 15 FE F4 E5 ...d.@..f.......
0060: C3 79 50 53 FF 6D BD A3 06 46 5B 87 79 E5 DE BB .yPS.m...F[.y...
0070: 94 2B 1E 8B 4C DF A3 EA CD C0 D4 F9 41 3B CA BE .+..L.......A;..
0080: 18 AC 8F 50 03 94 9A EF A1 6E 05 75 C4 E3 EC E8 ...P.....n.u....
0090: 85 79 CE 6C 31 70 27 93 9E 51 16 67 A1 81 1B C7 .y.l1p'..Q.g....
00A0: 3F DC FD E5 01 21 9C 21 44 71 7B A9 57 F8 57 79 ?....!.!Dq..W.Wy
00B0: 45 6F 37 5F F8 A4 DE CA 0A 06 7C C3 8B 94 22 67 Eo7_.........."g
00C0: 9A 93 8B D2 51 E6 3F 1F 09 24 A8 23 70 04 95 F7 ....Q.?..$.#p...
00D0: 48 42 F6 D2 D2 54 43 E9 0F C9 04 85 5E EA 46 31 HB...TC.....^.F1
00E0: 8A CF E8 F3 9C 76 D2 DE 9B ED F7 1C 15 C1 02 05 .....v..........
00F0: D7 ED 18 6B 74 CC 80 9D 2F 3D BF EC 24 20 00 E6 ...kt.../=..$ ..
]
]
Initial Policy OIDs: any
Validity Date: null
Signature Provider: null
Default Revocation Enabled: false
Explicit Policy Required: false
Policy Mapping Inhibited: false
Any Policy Inhibited: false
Policy Qualifiers Rejected: true
Target Cert Constraints: RejectCertSelector: [
X509CertSelector: [
Subject: CN=Dev Sub CA,
matchAllSubjectAltNames flag: true
Key Usage: KeyUsage [
Crl_Sign
]
][Sun RSA public key, 2048 bits
modulus: 31696243932874256364335990637094427770482150137369453879629054046277594694178299662030613175940051336592870418113037419713357290194638536691606561721465520703526043819995453182453582996601875791731978172486235451952100860390268691062261564472533003331397217240833053175303404082306509973352439625645600600400408333148563265268164313890699450748266186324338577359913955542853478283626859231040995581139161097669581270909389409188385131437359048571882558660942248026022064839125345179031998211043815799677884832277271147572182551216847408958538553541983556420628304268943945349378863098906567967665152779703018233229929
public exponent: 65537]]
Certification Path Checkers: [[]]
CertStores: [[]]
] Maximum Path Length: 5
]
)
certpath: SunCertPathBuilder.buildForward()...
certpath: SunCertPathBuilder.depthFirstSearchForward(CN=Dev Sub CA State [
issuerDN of last cert: null
traversedCACerts: 0
init: true
keyParamsNeeded: false
subjectNamesTraversed:
[]]
)
certpath: ForwardBuilder.getMatchingCerts()...
certpath: ForwardBuilder.getMatchingEECerts()...
certpath: ForwardBuilder.getMatchingCACerts()...
certpath: ForwardBuilder.getMatchingCACerts(): ca is target
certpath: X509CertSelector.match(SN: 1f4
Issuer: CN=Dev Root CA
Subject: CN=Dev Sub CA)
certpath: X509CertSelector.match returning: true
certpath: RejectCertSelector.match: bad key
certpath: ForwardBuilder.getMatchingCACerts: found 0 CA certs
certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=0
certpath: SunCertPathBuilder.engineBuild: 2nd pass
certpath: SunCertPathBuilder.buildForward()...
certpath: SunCertPathBuilder.depthFirstSearchForward(CN=Dev Sub CA State [
issuerDN of last cert: null
traversedCACerts: 0
init: true
keyParamsNeeded: false
subjectNamesTraversed:
[]]
)
certpath: ForwardBuilder.getMatchingCerts()...
certpath: ForwardBuilder.getMatchingEECerts()...
certpath: ForwardBuilder.getMatchingCACerts()...
certpath: ForwardBuilder.getMatchingCACerts(): ca is target
certpath: X509CertSelector.match(SN: 1f4
Issuer: CN=Dev Root CA
Subject: CN=Dev Sub CA)
certpath: X509CertSelector.match returning: true
certpath: RejectCertSelector.match: bad key
certpath: ForwardBuilder.getMatchingCACerts: found 0 CA certs
certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=0
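The quoted DistributionPointFetcher snippet builds the path to an indirect CRL's issuer from exactly two inputs: the single trust anchor it is handed and the validator's CertStores. The attached log shows what that meant here: the builder's only anchor was CN=Dev Sub CA, and the CertStore it searched held only the client certificate (SN 4e2) and Dev Sub CA (SN 1f4), so CN=Dev CRL Server, issued by Dev Root CA, was never a candidate. The following is an added example, not JDK code and not something posted in the thread, showing how a caller makes the CRL signer certificate and the CRL visible to the PKIX validator through a CollectionCertStore, and how to separate "bad CRL signature" from "no path to the CRL issuer" before reading the certpath debug output. The file names, the class name IndirectCrlCheck and the helper methods are assumptions about a test PKI laid out like the one described above.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Added example (not the JDK's code). Validates a client certificate with PKIX
 * revocation checking while making the indirect CRL and its signer's certificate
 * visible to the path builder through a CertStore. File names are assumptions.
 */
public class IndirectCrlCheck {

    // cRLSign is bit 6 of the KeyUsage BIT STRING, the same index the quoted
    // DistributionPointFetcher code sets to true in its boolean[] selector.
    private static final int KU_CRL_SIGN = 6;

    static X509Certificate load(CertificateFactory cf, String file) throws Exception {
        try (InputStream in = new FileInputStream(file)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /** Checks on the CRL itself that do not involve the path builder at all. */
    static void checkCrlSigner(X509CRL crl, X509Certificate signer) throws Exception {
        boolean[] ku = signer.getKeyUsage();
        if (ku != null && (ku.length <= KU_CRL_SIGN || !ku[KU_CRL_SIGN])) {
            throw new IllegalStateException("CRL signer certificate lacks the cRLSign key usage");
        }
        if (!crl.getIssuerX500Principal().equals(signer.getSubjectX500Principal())) {
            throw new IllegalStateException("CRL issuer DN does not match the signer's subject DN");
        }
        crl.verify(signer.getPublicKey());   // throws if the CRL signature is bad
    }

    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate rootCa    = load(cf, "dev-root-ca.cer");     // assumed file
        X509Certificate subCa     = load(cf, "dev-sub-ca.cer");      // assumed file
        X509Certificate crlSigner = load(cf, "dev-crl-server.cer");  // assumed file
        X509Certificate client    = load(cf, "client.cer");          // assumed file
        X509CRL crl;
        try (InputStream in = new FileInputStream("crl.crl")) {      // assumed file
            crl = (X509CRL) cf.generateCRL(in);
        }

        // Step 1: rule out a bad or mis-issued CRL before blaming path building.
        checkCrlSigner(crl, crlSigner);

        // Step 2: trust anchors. The CRL signer chains to the root, so the root
        // must be an anchor for the signer's path to terminate anywhere.
        Set<TrustAnchor> anchors = new HashSet<>();
        anchors.add(new TrustAnchor(rootCa, null));

        // Step 3: a CertStore holding the intermediate, the CRL signer's certificate
        // and the CRL. The builder searches only the configured CertStores and the
        // anchors, so a signer certificate absent from both cannot be found.
        List<Object> contents = Arrays.asList(subCa, crlSigner, crl);
        CertStore store = CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(contents));

        PKIXParameters params = new PKIXParameters(anchors);
        params.addCertStore(store);
        params.setRevocationEnabled(true);
        // Fetching the CRL over its CRLDP URL instead of from the store additionally
        // needs -Dcom.sun.security.enableCRLDP=true on the JVM command line.

        CertPath path = cf.generateCertPath(Arrays.asList(client, subCa));
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        try {
            PKIXCertPathValidatorResult result =
                    (PKIXCertPathValidatorResult) validator.validate(path, params);
            System.out.println("Valid, anchored at "
                    + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // getIndex() is the position of the failing certificate in the path, -1 if none.
            System.out.println("Rejected at index " + e.getIndex() + ": " + e.getMessage());
            throw e;
        }
    }
}
```

Run it with -Djava.security.debug=certpath to get the same kind of trace as the attachment above; if checkCrlSigner passes but validation still fails with "unable to find valid certification path to requested target", the trace's "Trust Anchors" and "CertStores" lines show which anchor and store contents the CRL-issuer build actually received.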