sun.security.provider.certpath.DistributionPointFetcher
Xuelei Fan
xuelei.fan at oracle.com
Tue Jun 28 17:01:24 UTC 2011
Thanks for the feedback, I will look into the log if I can get some time
tomorrow.
Thanks,
Xuelei
On 6/29/2011 12:57 AM, David Pomeroy wrote:
> Hi Xuelei,
>
> Attached is the certpath debug output.
>
> Here is some more info about my test setup.
>
> Dev Root CA issued Dev Sub CA
> Dev Sub CA issued client cert
> Dev Root CA issued Dev Crl Server cert
> Crl is issued by Dev Crl Server, URL is http://localhost/crl.crl
> Dev Root CA, Dev Sub CA, and Dev Crl Server have all been added to the
> server's truststore.
>
> I have specified the issuer distribution point in the CRL,
> onlyContainsUserCerts=true, onlyContainsCACerts=false, indirectCRL=true,
> onlyContainsAttributeCerts=false
>
> The client cert specifies crlIssuer=Dev Crl Server.
>
> Thanks, Dave
>
>
> On Mon, Jun 27, 2011 at 10:05 PM, Xuelei.Fan at Oracle.Com
> <Xuelei.Fan at oracle.com> wrote:
>
> Can you provide the code to reproduce the exception? Or is it
> possible to attach the CertPath building debugger log?
>
> Xuelei
>
> On Jun 28, 2011, at 11:59 AM, David Pomeroy <dfpomeroy at gmail.com> wrote:
>
> > Hello All,
> >
> > I am trying to get a servlet to download and check a CRL. The
> > CRLDP is in the client's certificate and the CRL is marked "indirect
> > CRL" so that it can be signed by a different key than the client
> > cert issuer. The following block of code is invoked but the
> > DistributionPointFetcher can't seem to build a valid path and a
> > CRLException is thrown. My assumption was this would work if I
> > included the CRL signing certificate in my truststore. What I find
> > odd while stepping through this in a debugger is that the
> > "certStores" object contains only the client certificate which is to
> > be validated, so it makes sense that X509CertSelector doesn't find
> > the right cert in there.
> >
> > Has anyone got indirect CRLs validated before? I'd be interested
> > in the details of a test setup that works. I can provide more
> > details of my test setup if necessary.
> >
> > Thanks, David
> >
> >
> > // Obtain and validate the certification path for the complete
> > // CRL issuer (if indirect CRL). If a key usage extension is present
> > // in the CRL issuer's certificate, verify that the cRLSign bit is set.
> > if (indirectCRL) {
> >     X509CertSelector certSel = new X509CertSelector();
> >     certSel.setSubject(crlIssuer.asX500Principal());
> >     // key usage bit 6 is cRLSign
> >     boolean[] crlSign = {false,false,false,false,false,false,true};
> >     certSel.setKeyUsage(crlSign);
> >     PKIXBuilderParameters params = null;
> >     try {
> >         params = new PKIXBuilderParameters
> >             (Collections.singleton(anchor), certSel);
> >     } catch (InvalidAlgorithmParameterException iape) {
> >         throw new CRLException(iape);
> >     }
> >     // the builder looks for the CRL issuer's certificate only in these stores
> >     params.setCertStores(certStores);
> >     params.setSigProvider(provider);
> >     try {
> >         CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
> >         PKIXCertPathBuilderResult result =
> >             (PKIXCertPathBuilderResult) builder.build(params);
> >         prevKey = result.getPublicKey();
> >     } catch (Exception e) {
> >         throw new CRLException(e);
> >     }
> > }
>
>
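The snippet quoted above builds the CRL issuer's path from the CertStores held in the PKIX parameters, not from the truststore. As an added example (not code from the thread or from the JDK), here is a validation set-up for the topology David describes, with the "Dev Crl Server" certificate, the "Dev Sub CA" certificate and the indirect CRL all supplied through a CollectionCertStore; the class name, method signatures and file paths are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.*;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

// Added example (not JDK or thread code). Validates a client certificate whose
// revocation data is an indirect CRL signed by "Dev Crl Server" rather than by
// the client's issuer "Dev Sub CA".
public class IndirectCrlCheck {

    // Returns the validator result; throws CertPathValidatorException if the
    // certificate is revoked or the CRL cannot be verified.
    public static PKIXCertPathValidatorResult validate(
            X509Certificate clientCert,
            X509Certificate subCa,      // "Dev Sub CA"
            X509Certificate crlSigner,  // "Dev Crl Server"
            X509Certificate rootCa,     // "Dev Root CA", the trust anchor
            X509CRL indirectCrl) throws Exception {

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // Target first, then the intermediate; the anchor is not part of the path.
        CertPath path = cf.generateCertPath(Arrays.asList(clientCert, subCa));

        // The PKIX code resolves the CRL issuer by building a path to a cert whose
        // subject matches the CRL issuer and whose key usage has cRLSign set. It
        // searches only the CertStores below, so the CRL signer must be in one.
        List<Object> entries = Arrays.asList(subCa, crlSigner, indirectCrl);
        CertStore certStore = CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(entries));

        PKIXParameters params = new PKIXParameters(
                Collections.singleton(new TrustAnchor(rootCa, null)));
        params.addCertStore(certStore);
        params.setRevocationEnabled(true);
        // To have the CRL fetched from the CRLDP instead of supplying it here, set
        // the system property com.sun.security.enableCRLDP=true before validating.

        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        return (PKIXCertPathValidatorResult) validator.validate(path, params);
    }

    // Helper for DER/PEM certificate files; the path is a placeholder.
    static X509Certificate loadCert(String file) throws Exception {
        try (InputStream in = new FileInputStream(file)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(in);
        }
    }
}
```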