sun.security.provider.certpath.DistributionPointFetcher

Tue Jun 28 17:01:24 UTC 2011

Thanks for the feedback, I will look into the log If I can get some time
tomorrow.

Thanks,
Xuelei

On 6/29/2011 12:57 AM, David Pomeroy wrote:
> Hi Xuelei,
> 
> Attached is the certpath debug output. 
> 
> Here is some more info about my test setup.
> 
> Dev Root CA issued Dev Sub CA
> Dev Sub CA issued client cert
> Dev Root CA issued Dev Crl Server cert
> Crl is issued by Dev Crl Server, URL is http://localhost/crl.crl
> Dev Root CA, Dev Sub CA, and Dev Crl Server have all been added to the
> server's truststore.
> 
> I have specified the issuer distribution point in the CRL,
> onlyContainsUserCerts=true, onlyContainsCACerts=false, indirectCRL=true,
> onlyContainsAttributeCerts=false
> 
> The client cert specifies crlIssuer=Dev Crl Server.
> 
> Thanks, Dave
> 
> 
> On Mon, Jun 27, 2011 at 10:05 PM, Xuelei.Fan at Oracle.Com
> <Xuelei.Fan at oracle.com <mailto:Xuelei.Fan at oracle.com>> wrote:
> 
>     Can you provide the code to reproduce the exception? Or is it
>     possible attach the CertPath building debugger log?
> 
>     Xuelei
> 
>     On Jun 28, 2011, at 11:59 AM, David Pomeroy <dfpomeroy at gmail.com
>     <mailto:dfpomeroy at gmail.com>> wrote:
> 
>     > Hello All,
>     >
>     > I am trying to get a servlet to download and check a CRL.  The
>     CRLDP is in the client's certificate and the CRL is marked "indirect
>     CRL" so that it can be signed by a different key than the client
>     cert issuer.  The following block of code is invoked but the
>     DistributionPointFetcher can't seem to build a valid path and a
>     CRLException is thrown.  My assumption was this would work if I
>     included the CRL signing certificate in my truststore.  What I find
>     odd while stepping through this in a debugger is that the
>     "certStores" object contains only the client certificate which is to
>     be validated, so it makes sense that X509CertSelector doesn't find
>     the right cert in there.
>     >
>     > Has anyone got indirect CRLs validated before?  I'd be interested
>     in the details of a test setup that works.  I can provide more
>     details of my test setup if necessary.
>     >
>     > Thanks, David
>     >
>     >
>     >         // Obtain and validate the certification path for the complete
>     >         // CRL issuer (if indirect CRL). If a key usage extension
>     is present
>     >         // in the CRL issuer's certificate, verify that the
>     cRLSign bit is set.
>     >         if (indirectCRL) {
>     >             X509CertSelector certSel = new X509CertSelector();
>     >             certSel.setSubject(crlIssuer.asX500Principal());
>     >             boolean[] crlSign =
>     {false,false,false,false,false,false,true};
>     >             certSel.setKeyUsage(crlSign);
>     >             PKIXBuilderParameters params = null;
>     >             try {
>     >                 params = new PKIXBuilderParameters
>     >                     (Collections.singleton(anchor), certSel);
>     >             } catch (InvalidAlgorithmParameterException iape) {
>     >                 throw new CRLException(iape);
>     >             }
>     >             params.setCertStores(certStores);
>     >             params.setSigProvider(provider);
>     >             try {
>     >                 CertPathBuilder builder =
>     CertPathBuilder.getInstance("PKIX");
>     >                 PKIXCertPathBuilderResult result =
>     >                     (PKIXCertPathBuilderResult) builder.build(params);
>     >                 prevKey = result.getPublicKey();
>     >             } catch (Exception e) {
>     >                 throw new CRLException(e);
>     >             }
>     >         }
> 
> 