sun.security.provider.certpath.DistributionPointFetcher

David Pomeroy dfpomeroy at gmail.com
Tue Jun 28 09:57:22 PDT 2011


Hi Xuelei,

Attached is the certpath debug output.

Here is some more info about my test setup.

Dev Root CA issued Dev Sub CA
Dev Sub CA issued client cert
Dev Root CA issued Dev Crl Server cert
Crl is issued by Dev Crl Server, URL is http://localhost/crl.crl
Dev Root CA, Dev Sub CA, and Dev Crl Server have all been added to the
server's truststore.

I have specified the issuer distribution point in the CRL,
onlyContainsUserCerts=true, onlyContainsCACerts=false, indirectCRL=true,
onlyContainsAttributeCerts=false

The client cert specifies crlIssuer=Dev Crl Server.

Thanks, Dave


On Mon, Jun 27, 2011 at 10:05 PM, Xuelei.Fan at Oracle.Com <
Xuelei.Fan at oracle.com> wrote:

> Can you provide the code to reproduce the exception? Or is it possible
> attach the CertPath building debugger log?
>
> Xuelei
>
> On Jun 28, 2011, at 11:59 AM, David Pomeroy <dfpomeroy at gmail.com> wrote:
>
> > Hello All,
> >
> > I am trying to get a servlet to download and check a CRL.  The CRLDP is
> in the client's certificate and the CRL is marked "indirect CRL" so that it
> can be signed by a different key than the client cert issuer.  The following
> block of code is invoked but the DistributionPointFetcher can't seem to
> build a valid path and a CRLException is thrown.  My assumption was this
> would work if I included the CRL signing certificate in my truststore.  What
> I find odd while stepping through this in a debugger is that the
> "certStores" object contains only the client certificate which is to be
> validated, so it makes sense that X509CertSelector doesn't find the right
> cert in there.
> >
> > Has anyone got indirect CRLs validated before?  I'd be interested in the
> details of a test setup that works.  I can provide more details of my test
> setup if necessary.
> >
> > Thanks, David
> >
> >
> >         // Obtain and validate the certification path for the complete
> >         // CRL issuer (if indirect CRL). If a key usage extension is
> present
> >         // in the CRL issuer's certificate, verify that the cRLSign bit
> is set.
> >         if (indirectCRL) {
> >             X509CertSelector certSel = new X509CertSelector();
> >             certSel.setSubject(crlIssuer.asX500Principal());
> >             boolean[] crlSign =
> {false,false,false,false,false,false,true};
> >             certSel.setKeyUsage(crlSign);
> >             PKIXBuilderParameters params = null;
> >             try {
> >                 params = new PKIXBuilderParameters
> >                     (Collections.singleton(anchor), certSel);
> >             } catch (InvalidAlgorithmParameterException iape) {
> >                 throw new CRLException(iape);
> >             }
> >             params.setCertStores(certStores);
> >             params.setSigProvider(provider);
> >             try {
> >                 CertPathBuilder builder =
> CertPathBuilder.getInstance("PKIX");
> >                 PKIXCertPathBuilderResult result =
> >                     (PKIXCertPathBuilderResult) builder.build(params);
> >                 prevKey = result.getPublicKey();
> >             } catch (Exception e) {
> >                 throw new CRLException(e);
> >             }
> >         }
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.openjdk.java.net/pipermail/security-dev/attachments/20110628/5c5f9762/attachment.html 
-------------- next part --------------
certpath: PKIXCertPathValidator.engineValidate()...
certpath: PKIXCertPathValidator.engineValidate() reversing certpath...
certpath: PKIXCertPathValidator.engineValidate() anchor.getTrustedCert() != null
certpath: PKIXCertPathValidator.isWorthTrying() checking if this trusted cert is worth trying ...
certpath: NO - don't try this trustedCert
certpath: PKIXCertPathValidator.engineValidate() anchor.getTrustedCert() != null
certpath: PKIXCertPathValidator.isWorthTrying() checking if this trusted cert is worth trying ...
certpath: NO - don't try this trustedCert
certpath: PKIXCertPathValidator.engineValidate() anchor.getTrustedCert() != null
certpath: PKIXCertPathValidator.isWorthTrying() checking if this trusted cert is worth trying ...
certpath: YES - try this trustedCert
certpath: anchor.getTrustedCert().getSubjectX500Principal() = CN=Dev Sub CA
certpath: --------------------------------------------------------------
certpath: Executing PKIX certification path validation algorithm.
certpath: Checking cert1 ...
certpath: Set of critical extensions:
certpath: 2.5.29.15
certpath: 2.5.29.37
certpath: 2.5.29.19
certpath: -Using checker1 ... [sun.security.provider.certpath.AlgorithmChecker]
certpath: -checker1 validation succeeded
certpath: -Using checker2 ... [sun.security.provider.certpath.KeyChecker]
certpath: -checker2 validation succeeded
certpath: -Using checker3 ... [sun.security.provider.certpath.ConstraintsChecker]
certpath: ---checking basic constraints...
certpath: i = 1
certpath: maxPathLength = 1
certpath: after processing, maxPathLength = 1
certpath: basic constraints verified.
certpath: ---checking name constraints...
certpath: prevNC = null
certpath: newNC = null
certpath: mergedNC = null
certpath: name constraints verified.
certpath: -checker3 validation succeeded
certpath: -Using checker4 ... [sun.security.provider.certpath.PolicyChecker]
certpath: PolicyChecker.checkPolicy() ---checking certificate policies...
certpath: PolicyChecker.checkPolicy() certIndex = 1
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: explicitPolicy = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyMapping = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: inhibitAnyPolicy = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyTree = anyPolicy  ROOT

certpath: PolicyChecker.processPolicies() no policies present in cert
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: explicitPolicy = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyMapping = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: inhibitAnyPolicy = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyTree = null
certpath: PolicyChecker.checkPolicy() certificate policies verified
certpath: -checker4 validation succeeded
certpath: -Using checker5 ... [sun.security.provider.certpath.BasicChecker]
certpath: ---checking timestamp:Tue Jun 28 09:14:19 PDT 2011...
certpath: timestamp verified.
certpath: ---checking subject/issuer name chaining...
certpath: subject/issuer name chaining verified.
certpath: ---checking signature...
certpath: signature verified.
certpath: BasicChecker.updateState issuer: CN=Dev Sub CA; subject: CN=234159080345657; serial#: 1250
certpath: -checker5 validation succeeded
certpath: -Using checker6 ... [sun.security.provider.certpath.CrlRevocationChecker]
certpath: CrlRevocationChecker.verifyRevocationStatus() ---checking revocation status...
certpath: DistributionPointFetcher.getCRLs: Checking CRLDPs for CN=234159080345657
certpath: Trying to fetch CRL from DP http://localhost/crl.crl
certpath: CertStore URI:http://localhost/crl.crl
certpath: Downloading new CRL...
certpath: idpName: URIName: http://localhost/crl.crl
certpath: pointName: URIName: http://localhost/crl.crl
certpath: SunCertPathBuilder.engineBuild([
[
  Trust Anchors: [[
  Trusted CA cert: [
[
  Version: V3
  Subject: CN=Dev Sub CA
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  modulus: 31696243932874256364335990637094427770482150137369453879629054046277594694178299662030613175940051336592870418113037419713357290194638536691606561721465520703526043819995453182453582996601875791731978172486235451952100860390268691062261564472533003331397217240833053175303404082306509973352439625645600600400408333148563265268164313890699450748266186324338577359913955542853478283626859231040995581139161097669581270909389409188385131437359048571882558660942248026022064839125345179031998211043815799677884832277271147572182551216847408958538553541983556420628304268943945349378863098906567967665152779703018233229929
  public exponent: 65537
  Validity: [From: Sat Jun 25 14:32:02 PDT 2011,
               To: Sat Aug 24 14:32:02 PDT 2030]
  Issuer: CN=Dev Root CA
  SerialNumber: [    01f4]

Certificate Extensions: 2
[1]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

[2]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 18 8C C1 CA 2D F8 C4 3B   AC F2 F4 29 87 70 E9 BE  ....-..;...).p..
0010: BF 55 69 BC 50 17 37 7A   94 10 05 64 D9 58 5E 8F  .Ui.P.7z...d.X^.
0020: 56 9C 38 F6 C8 E6 F9 08   DF 86 B0 E7 1A 4D 0A 8E  V.8..........M..
0030: 85 E6 BE F4 D4 90 CF B5   AD D4 49 77 DC FE 51 7C  ..........Iw..Q.
0040: A8 07 AB 07 30 52 1A 91   4C 9F 65 67 BF 74 73 C1  ....0R..L.eg.ts.
0050: 8A E6 E7 64 19 40 1B 01   66 A1 F0 9D 15 FE F4 E5  ...d. at ..f.......
0060: C3 79 50 53 FF 6D BD A3   06 46 5B 87 79 E5 DE BB  .yPS.m...F[.y...
0070: 94 2B 1E 8B 4C DF A3 EA   CD C0 D4 F9 41 3B CA BE  .+..L.......A;..
0080: 18 AC 8F 50 03 94 9A EF   A1 6E 05 75 C4 E3 EC E8  ...P.....n.u....
0090: 85 79 CE 6C 31 70 27 93   9E 51 16 67 A1 81 1B C7  .y.l1p'..Q.g....
00A0: 3F DC FD E5 01 21 9C 21   44 71 7B A9 57 F8 57 79  ?....!.!Dq..W.Wy
00B0: 45 6F 37 5F F8 A4 DE CA   0A 06 7C C3 8B 94 22 67  Eo7_.........."g
00C0: 9A 93 8B D2 51 E6 3F 1F   09 24 A8 23 70 04 95 F7  ....Q.?..$.#p...
00D0: 48 42 F6 D2 D2 54 43 E9   0F C9 04 85 5E EA 46 31  HB...TC.....^.F1
00E0: 8A CF E8 F3 9C 76 D2 DE   9B ED F7 1C 15 C1 02 05  .....v..........
00F0: D7 ED 18 6B 74 CC 80 9D   2F 3D BF EC 24 20 00 E6  ...kt.../=..$ ..

]
]
  Initial Policy OIDs: any
  Validity Date: null
  Signature Provider: null
  Default Revocation Enabled: true
  Explicit Policy Required: false
  Policy Mapping Inhibited: false
  Any Policy Inhibited: false
  Policy Qualifiers Rejected: true
  Target Cert Constraints: X509CertSelector: [
  Subject: CN=Dev CRL Server,
  matchAllSubjectAltNames flag: true
  Key Usage: KeyUsage [
  Crl_Sign
]

]
  Certification Path Checkers: [[]]
  CertStores: [[java.security.cert.CertStore at e4b3b8]]
]  Maximum Path Length: 5
]
)
certpath: SunCertPathBuilder.buildForward()...
certpath: SunCertPathBuilder.depthFirstSearchForward(CN=Dev CRL Server, State [
  issuerDN of last cert: null
  traversedCACerts: 0
  init: true
  keyParamsNeeded: false
  subjectNamesTraversed: 
[]]
)
certpath: ForwardBuilder.getMatchingCerts()...
certpath: ForwardBuilder.getMatchingEECerts()...
certpath: X509CertSelector.match(SN: 4e2
  Issuer: CN=Dev Sub CA
  Subject: CN=234159080345657)
certpath: X509CertSelector.match: subject DNs don't match
certpath: ForwardBuilder.getMatchingCACerts()...
certpath: ForwardBuilder.getMatchingCACerts(): ca is target
certpath: X509CertSelector.match(SN: 1f4
  Issuer: CN=Dev Root CA
  Subject: CN=Dev Sub CA)
certpath: X509CertSelector.match: subject DNs don't match
certpath: X509CertSelector.match(SN: 4e2
  Issuer: CN=Dev Sub CA
  Subject: CN=234159080345657)
certpath: X509CertSelector.match: subject DNs don't match
certpath: ForwardBuilder.getMatchingCACerts: found 0 CA certs
certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=0
certpath: SunCertPathBuilder.engineBuild: 2nd pass
certpath: SunCertPathBuilder.buildForward()...
certpath: SunCertPathBuilder.depthFirstSearchForward(CN=Dev CRL Server State [
  issuerDN of last cert: null
  traversedCACerts: 0
  init: true
  keyParamsNeeded: false
  subjectNamesTraversed: 
[]]
)
certpath: ForwardBuilder.getMatchingCerts()...
certpath: ForwardBuilder.getMatchingEECerts()...
certpath: X509CertSelector.match(SN: 4e2
  Issuer: CN=Dev Sub CA
  Subject: CN=234159080345657)
certpath: X509CertSelector.match: subject DNs don't match
certpath: ForwardBuilder.getMatchingCACerts()...
certpath: ForwardBuilder.getMatchingCACerts(): ca is target
certpath: X509CertSelector.match(SN: 1f4
  Issuer: CN=Dev Root CA
  Subject: CN=Dev Sub CA)
certpath: X509CertSelector.match: subject DNs don't match
certpath: X509CertSelector.match(SN: 4e2
  Issuer: CN=Dev Sub CA
  Subject: CN=234159080345657)
certpath: X509CertSelector.match: subject DNs don't match
certpath: ForwardBuilder.getMatchingCACerts: found 0 CA certs
certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=0
certpath: Exception verifying CRL: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
java.security.cert.CRLException: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.DistributionPointFetcher.verifyCRL(DistributionPointFetcher.java:540)
	at sun.security.provider.certpath.DistributionPointFetcher.getCRLs(DistributionPointFetcher.java:195)
	at sun.security.provider.certpath.DistributionPointFetcher.getCRLs(DistributionPointFetcher.java:121)
	at sun.security.provider.certpath.CrlRevocationChecker.verifyRevocationStatus(CrlRevocationChecker.java:309)
	at sun.security.provider.certpath.CrlRevocationChecker.verifyRevocationStatus(CrlRevocationChecker.java:248)
	at sun.security.provider.certpath.CrlRevocationChecker.check(CrlRevocationChecker.java:189)
	at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:131)
	at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:325)
	at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:187)
	at java.security.cert.CertPathValidator.validate(CertPathValidator.java:267)
	at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:283)
	at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:271)
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:191)
	at sun.security.validator.Validator.validate(Validator.java:235)
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:147)
	at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:188)
	at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:258)
	at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1414)
	at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:179)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:610)
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:550)
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:548)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:969)
************
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
	at java.lang.Thread.run(Thread.java:636)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:197)
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:255)
	at sun.security.provider.certpath.DistributionPointFetcher.verifyCRL(DistributionPointFetcher.java:536)
	... 43 more
certpath: Returning 0 CRLs
certpath: CrlRevocationChecker.verifyRevocationStatus() crls.size() = 0
certpath: CrlRevocationChecker.verifyRevocationStatus() approved crls.size() = 0
certpath: CrlRevocationChecker.verifyWithSeparateSigningKey() ---checking revocation status...
certpath: CrlRevocationChecker.buildToNewKey() starting work
certpath: CrlRevocationChecker.buildToNewKey() about to try build ...
certpath: SunCertPathBuilder.engineBuild([
[
  Trust Anchors: [[
  Trusted CA cert: [
[
  Version: V3
  Subject: CN=Dev Sub CA
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  modulus: 31696243932874256364335990637094427770482150137369453879629054046277594694178299662030613175940051336592870418113037419713357290194638536691606561721465520703526043819995453182453582996601875791731978172486235451952100860390268691062261564472533003331397217240833053175303404082306509973352439625645600600400408333148563265268164313890699450748266186324338577359913955542853478283626859231040995581139161097669581270909389409188385131437359048571882558660942248026022064839125345179031998211043815799677884832277271147572182551216847408958538553541983556420628304268943945349378863098906567967665152779703018233229929
  public exponent: 65537
  Validity: [From: Sat Jun 25 14:32:02 PDT 2011,
               To: Sat Aug 24 14:32:02 PDT 2030]
  Issuer: CN=Dev Root CA
  SerialNumber: [    01f4]

Certificate Extensions: 2
[1]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

[2]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 18 8C C1 CA 2D F8 C4 3B   AC F2 F4 29 87 70 E9 BE  ....-..;...).p..
0010: BF 55 69 BC 50 17 37 7A   94 10 05 64 D9 58 5E 8F  .Ui.P.7z...d.X^.
0020: 56 9C 38 F6 C8 E6 F9 08   DF 86 B0 E7 1A 4D 0A 8E  V.8..........M..
0030: 85 E6 BE F4 D4 90 CF B5   AD D4 49 77 DC FE 51 7C  ..........Iw..Q.
0040: A8 07 AB 07 30 52 1A 91   4C 9F 65 67 BF 74 73 C1  ....0R..L.eg.ts.
0050: 8A E6 E7 64 19 40 1B 01   66 A1 F0 9D 15 FE F4 E5  ...d. at ..f.......
0060: C3 79 50 53 FF 6D BD A3   06 46 5B 87 79 E5 DE BB  .yPS.m...F[.y...
0070: 94 2B 1E 8B 4C DF A3 EA   CD C0 D4 F9 41 3B CA BE  .+..L.......A;..
0080: 18 AC 8F 50 03 94 9A EF   A1 6E 05 75 C4 E3 EC E8  ...P.....n.u....
0090: 85 79 CE 6C 31 70 27 93   9E 51 16 67 A1 81 1B C7  .y.l1p'..Q.g....
00A0: 3F DC FD E5 01 21 9C 21   44 71 7B A9 57 F8 57 79  ?....!.!Dq..W.Wy
00B0: 45 6F 37 5F F8 A4 DE CA   0A 06 7C C3 8B 94 22 67  Eo7_.........."g
00C0: 9A 93 8B D2 51 E6 3F 1F   09 24 A8 23 70 04 95 F7  ....Q.?..$.#p...
00D0: 48 42 F6 D2 D2 54 43 E9   0F C9 04 85 5E EA 46 31  HB...TC.....^.F1
00E0: 8A CF E8 F3 9C 76 D2 DE   9B ED F7 1C 15 C1 02 05  .....v..........
00F0: D7 ED 18 6B 74 CC 80 9D   2F 3D BF EC 24 20 00 E6  ...kt.../=..$ ..

]
]
  Initial Policy OIDs: any
  Validity Date: null
  Signature Provider: null
  Default Revocation Enabled: false
  Explicit Policy Required: false
  Policy Mapping Inhibited: false
  Any Policy Inhibited: false
  Policy Qualifiers Rejected: true
  Target Cert Constraints: RejectCertSelector: [
X509CertSelector: [
  Subject: CN=Dev Sub CA,
  matchAllSubjectAltNames flag: true
  Key Usage: KeyUsage [
  Crl_Sign
]

][Sun RSA public key, 2048 bits
  modulus: 31696243932874256364335990637094427770482150137369453879629054046277594694178299662030613175940051336592870418113037419713357290194638536691606561721465520703526043819995453182453582996601875791731978172486235451952100860390268691062261564472533003331397217240833053175303404082306509973352439625645600600400408333148563265268164313890699450748266186324338577359913955542853478283626859231040995581139161097669581270909389409188385131437359048571882558660942248026022064839125345179031998211043815799677884832277271147572182551216847408958538553541983556420628304268943945349378863098906567967665152779703018233229929
  public exponent: 65537]]
  Certification Path Checkers: [[]]
  CertStores: [[]]
]  Maximum Path Length: 5
]
)
certpath: SunCertPathBuilder.buildForward()...
certpath: SunCertPathBuilder.depthFirstSearchForward(CN=Dev Sub CA State [
  issuerDN of last cert: null
  traversedCACerts: 0
  init: true
  keyParamsNeeded: false
  subjectNamesTraversed: 
[]]
)
certpath: ForwardBuilder.getMatchingCerts()...
certpath: ForwardBuilder.getMatchingEECerts()...
certpath: ForwardBuilder.getMatchingCACerts()...
certpath: ForwardBuilder.getMatchingCACerts(): ca is target
certpath: X509CertSelector.match(SN: 1f4
  Issuer: CN=Dev Root CA
  Subject: CN=Dev Sub CA)
certpath: X509CertSelector.match returning: true
certpath: RejectCertSelector.match: bad key
certpath: ForwardBuilder.getMatchingCACerts: found 0 CA certs
certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=0
certpath: SunCertPathBuilder.engineBuild: 2nd pass
certpath: SunCertPathBuilder.buildForward()...
certpath: SunCertPathBuilder.depthFirstSearchForward(CN=Dev Sub CA State [
  issuerDN of last cert: null
  traversedCACerts: 0
  init: true
  keyParamsNeeded: false
  subjectNamesTraversed: 
[]]
)
certpath: ForwardBuilder.getMatchingCerts()...
certpath: ForwardBuilder.getMatchingEECerts()...
certpath: ForwardBuilder.getMatchingCACerts()...
certpath: ForwardBuilder.getMatchingCACerts(): ca is target
certpath: X509CertSelector.match(SN: 1f4
  Issuer: CN=Dev Root CA
  Subject: CN=Dev Sub CA)
certpath: X509CertSelector.match returning: true
certpath: RejectCertSelector.match: bad key
certpath: ForwardBuilder.getMatchingCACerts: found 0 CA certs
certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=0


More information about the security-dev mailing list