sun.security.provider.certpath.DistributionPointFetcher
David Pomeroy
dfpomeroy at gmail.com
Tue Jun 28 20:51:58 UTC 2011
Hi Sean,
openjdk7 complained that my Crl Server certificate did not contain a Subject
Key Identifier. Once I added this, validating the indirect CRL issuer
worked as expected.
When I switched back to openjdk6, the CRL validation still fails. I have
attached the certpath debug from each jvm. If you look at the line
"certpath: SunCertPathBuilder.engineBuild([", jdk6 only adds my Sub CA
certificate as a trusted source, where jdk7 adds all 3 certs from the
truststore, including the Crl Issuer's certificate. Perhaps jdk6 is looking
for specific criteria in the trusted certificates for use in validating the
CRL?
When I switched back to sun jdk 6, I got a different error. It's as if it
is not even trying to build a verification path at all. I attached that
debug as well.
Thanks for the jdk7 suggestion, I definitely learned something. However, I'd
really like to get this working on a version 6 jvm. Any workaround
suggestions from you or the group would be greatly appreciated.
Thanks, Dave
On Tue, Jun 28, 2011 at 11:14 AM, Sean Mullan <sean.mullan at oracle.com> wrote:
> On 6/28/11 1:01 PM, David Pomeroy wrote:
>
>> Hi Sean,
>>
>> I am using Open JDK 6. Are the indirect CRL bugs in JDK 6 documented
>> anywhere?
>> Are there any workarounds?
>>
>
> See:
>
> http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6509162
> http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6542169
>
> No known workarounds. It would help if you tested with JDK 7 [1] so we
> could verify if the problem has been fixed.
>
> If it still fails with JDK 7, please file a bug (and attach a test program)
> at http://bugs.sun.com
>
> Thanks,
> Sean
>
> [1] http://jdk7.java.net/download.html
>
>
>> I am setting enableCRLDP.
>>
>> Thanks, Dave
>>
>> On Tue, Jun 28, 2011 at 5:46 AM, Sean Mullan <sean.mullan at oracle.com> wrote:
>>
>> Are you using JDK 7? There were some bugs fixed with indirect CRLs in
>> JDK 7.
>>
>> Also, make sure you set the system property com.sun.security.enableCRLDP to the
>> value true when running, ex: java -Dcom.sun.security.enableCRLDP=true ...
>>
>> --Sean
>>
>>
>> On 6/28/11 1:05 AM, Xuelei.Fan at Oracle.Com wrote:
>>
>> Can you provide the code to reproduce the exception? Or is it possible to
>> attach the CertPath building debugger log?
>>
>> Xuelei
>>
>> On Jun 28, 2011, at 11:59 AM, David Pomeroy <dfpomeroy at gmail.com> wrote:
>>
>>
>> Hello All,
>>
>> I am trying to get a servlet to download and check a CRL. The CRLDP is in
>> the client's certificate and the CRL is marked "indirect CRL" so that it
>> can be signed by a different key than the client cert issuer. The
>> following block of code is invoked but the DistributionPointFetcher can't
>> seem to build a valid path and a CRLException is thrown. My assumption was
>> this would work if I included the CRL signing certificate in my truststore.
>> What I find odd while stepping through this in a debugger is that the
>> "certStores" object contains only the client certificate which is to be
>> validated, so it makes sense that X509CertSelector doesn't find the right
>> cert in there.
>>
>> Has anyone got indirect CRLs validated before? I'd be interested in the
>> details of a test setup that works. I can provide more details of my test
>> setup if necessary.
>>
>> Thanks, David
>>
>>
>> // Obtain and validate the certification path for the complete
>> // CRL issuer (if indirect CRL). If a key usage extension is present
>> // in the CRL issuer's certificate, verify that the cRLSign bit is set.
>> if (indirectCRL) {
>>     X509CertSelector certSel = new X509CertSelector();
>>     certSel.setSubject(crlIssuer.asX500Principal());
>>     boolean[] crlSign = {false,false,false,false,false,false,true};
>>     certSel.setKeyUsage(crlSign);
>>     PKIXBuilderParameters params = null;
>>     try {
>>         params = new PKIXBuilderParameters
>>             (Collections.singleton(anchor), certSel);
>>     } catch (InvalidAlgorithmParameterException iape) {
>>         throw new CRLException(iape);
>>     }
>>     params.setCertStores(certStores);
>>     params.setSigProvider(provider);
>>     try {
>>         CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
>>         PKIXCertPathBuilderResult result =
>>             (PKIXCertPathBuilderResult) builder.build(params);
>>         prevKey = result.getPublicKey();
>>     } catch (Exception e) {
>>         throw new CRLException(e);
>>     }
>> }
>>
>>
>>
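The comparison made by eye in the message above (which trust anchors and which target selector each `SunCertPathBuilder.engineBuild([` call received in the attached certpath debug output) can be scripted. This is an added example, not part of the original message or of the JDK; `norm_dn`, `parse_builds` and `diagnose` are hypothetical helper names, and the two sample logs are constructed and abbreviated from the layout of the attachments.

```python
import re

BUILD_START = "SunCertPathBuilder.engineBuild(["
FOUND_RE = re.compile(r"getMatchingCACerts: found (\d+) CA certs")


def norm_dn(dn):
    """Make 'CN=A, OU=' and 'CN=A,OU=' compare equal.
    Simplification: escaped commas inside RDN values are not handled."""
    return ",".join(part.strip() for part in dn.split(",")).casefold()


def parse_builds(log_text):
    """Return one dict per engineBuild call: anchors, target, ca_certs_found."""
    builds, current, section = [], None, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if BUILD_START in line:
            current = {"anchors": [], "target": None, "ca_certs_found": []}
            builds.append(current)
            section = "anchors"             # the dump lists trust anchors first
        elif current is None:
            continue                        # output before the first build
        elif section is None:
            # Past the dump: record how many candidates each search pass found.
            m = FOUND_RE.search(line)
            if m:
                current["ca_certs_found"].append(int(m.group(1)))
        elif line == ")":
            section = None                  # closing line of the parameter dump
        elif line.startswith("Target Cert Constraints:"):
            section = "target"
        elif line.startswith("Certification Path Checkers:"):
            section = "rest"                # selector is over, ignore the remainder
        elif line.startswith("Subject:"):
            dn = line[len("Subject:"):].strip()
            if section == "anchors":
                current["anchors"].append(dn)
            elif section == "target" and current["target"] is None:
                current["target"] = dn
    return builds


def diagnose(log_text):
    """Mark whether each build's target subject is itself among the trust anchors.
    That matters in this thread because the CRL issuer certificate was only in
    the truststore, not in the CertStores handed to the builder."""
    report = parse_builds(log_text)
    for b in report:
        anchors = {norm_dn(a) for a in b["anchors"]}
        b["target_is_anchor"] = b["target"] is not None and norm_dn(b["target"]) in anchors
    return report


# Constructed samples, abbreviated from the layout of the attached logs.
SAMPLE_JDK6 = """\
certpath: SunCertPathBuilder.engineBuild([
Trust Anchors: [[
Trusted CA cert: [
Subject: CN=Dev Sub CA, OU=
Issuer: CN=Dev Root CA, OU=
]
Target Cert Constraints: X509CertSelector: [
Subject: CN=Dev CRL Server,OU=
]
Certification Path Checkers: [[]]
)
certpath: ForwardBuilder.getMatchingCACerts: found 0 CA certs
certpath: SunCertPathBuilder.engineBuild: 2nd pass
certpath: ForwardBuilder.getMatchingCACerts: found 0 CA certs
"""

SAMPLE_JDK7 = """\
certpath: SunCertPathBuilder.engineBuild([
Trust Anchors: [[
Trusted CA cert: [
Subject: CN=Dev CRL Server, OU=
, [
Trusted CA cert: [
Subject: CN=Dev Root CA, OU=
, [
Trusted CA cert: [
Subject: CN=Dev Sub CA, OU=
]
Target Cert Constraints: X509CertSelector: [
Subject: CN=Dev CRL Server,OU=
]
Certification Path Checkers: [[]]
)
"""

if __name__ == "__main__":
    for name, log in (("jdk6", SAMPLE_JDK6), ("jdk7", SAMPLE_JDK7)):
        for b in diagnose(log):
            print(name, "target:", b["target"], "anchors:", b["anchors"],
                  "target_is_anchor:", b["target_is_anchor"],
                  "found:", b["ca_certs_found"])
```

To use it on a real capture, pass the full text of a `-Djava.security.debug=certpath` log to `diagnose`.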
-------------- next part --------------
certpath: PKIXCertPathValidator.engineValidate()...
certpath: PKIXCertPathValidator.engineValidate() reversing certpath...
certpath: PKIXCertPathValidator.engineValidate() anchor.getTrustedCert() != null
certpath: PKIXCertPathValidator.isWorthTrying() checking if this trusted cert is worth trying ...
certpath: YES - try this trustedCert
certpath: anchor.getTrustedCert().getSubjectX500Principal() = CN=Dev Sub CA, OU=
certpath: --------------------------------------------------------------
certpath: Executing PKIX certification path validation algorithm.
certpath: Checking cert1 ...
certpath: Set of critical extensions:
certpath: 2.5.29.15
certpath: 2.5.29.37
certpath: 2.5.29.19
certpath: -Using checker1 ... [sun.security.provider.certpath.AlgorithmChecker]
certpath: -checker1 validation succeeded
certpath: -Using checker2 ... [sun.security.provider.certpath.KeyChecker]
certpath: -checker2 validation succeeded
certpath: -Using checker3 ... [sun.security.provider.certpath.ConstraintsChecker]
certpath: ---checking basic constraints...
certpath: i = 1
certpath: maxPathLength = 1
certpath: after processing, maxPathLength = 1
certpath: basic constraints verified.
certpath: ---checking name constraints...
certpath: prevNC = null
certpath: newNC = null
certpath: mergedNC = null
certpath: name constraints verified.
certpath: -checker3 validation succeeded
certpath: -Using checker4 ... [sun.security.provider.certpath.PolicyChecker]
certpath: PolicyChecker.checkPolicy() ---checking certificate policies...
certpath: PolicyChecker.checkPolicy() certIndex = 1
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: explicitPolicy = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyMapping = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: inhibitAnyPolicy = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyTree = anyPolicy ROOT
certpath: PolicyChecker.processPolicies() no policies present in cert
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: explicitPolicy = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyMapping = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: inhibitAnyPolicy = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyTree = null
certpath: PolicyChecker.checkPolicy() certificate policies verified
certpath: -checker4 validation succeeded
certpath: -Using checker5 ... [sun.security.provider.certpath.BasicChecker]
certpath: ---checking timestamp:Tue Jun 28 13:22:23 PDT 2011...
certpath: timestamp verified.
certpath: ---checking subject/issuer name chaining...
certpath: subject/issuer name chaining verified.
certpath: ---checking signature...
certpath: signature verified.
certpath: BasicChecker.updateState issuer: CN=Dev Sub CA, OU=; subject: CN=234159080345657; serial#: 1250
certpath: -checker5 validation succeeded
certpath: -Using checker6 ... [sun.security.provider.certpath.CrlRevocationChecker]
certpath: CrlRevocationChecker.verifyRevocationStatus() ---checking revocation status...
certpath: DistributionPointFetcher.getCRLs: Checking CRLDPs for CN=234159080345657
certpath: Trying to fetch CRL from DP http://localhost/crl.crl
certpath: CertStore URI:http://localhost/crl.crl
certpath: Downloading new CRL...
certpath: idpName: URIName: http://localhost/crl.crl
certpath: pointName: URIName: http://localhost/crl.crl
certpath: SunCertPathBuilder.engineBuild([
[
Trust Anchors: [[
Trusted CA cert: [
[
Version: V3
Subject: CN=Dev Sub CA, OU=
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: 31696243932874256364335990637094427770482150137369453879629054046277594694178299662030613175940051336592870418113037419713357290194638536691606561721465520703526043819995453182453582996601875791731978172486235451952100860390268691062261564472533003331397217240833053175303404082306509973352439625645600600400408333148563265268164313890699450748266186324338577359913955542853478283626859231040995581139161097669581270909389409188385131437359048571882558660942248026022064839125345179031998211043815799677884832277271147572182551216847408958538553541983556420628304268943945349378863098906567967665152779703018233229929
public exponent: 65537
Validity: [From: Sat Jun 25 14:32:02 PDT 2011,
To: Sat Aug 24 14:32:02 PDT 2030]
Issuer: CN=Dev Root CA, OU=
SerialNumber: [ 01f4]
Certificate Extensions: 2
[1]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
[2]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:0
]
]
Algorithm: [SHA1withRSA]
Signature:
]
]
Initial Policy OIDs: any
Validity Date: null
Signature Provider: null
Default Revocation Enabled: true
Explicit Policy Required: false
Policy Mapping Inhibited: false
Any Policy Inhibited: false
Policy Qualifiers Rejected: true
Target Cert Constraints: X509CertSelector: [
Subject: CN=Dev CRL Server,OU=
matchAllSubjectAltNames flag: true
Key Usage: KeyUsage [
Crl_Sign
]
]
Certification Path Checkers: [[]]
CertStores: [[java.security.cert.CertStore@101f935]]
] Maximum Path Length: 5
]
)
certpath: SunCertPathBuilder.buildForward()...
certpath: SunCertPathBuilder.depthFirstSearchForward(CN=Dev CRL Server, OU=, State [
issuerDN of last cert: null
traversedCACerts: 0
init: true
keyParamsNeeded: false
subjectNamesTraversed:
[]]
)
certpath: ForwardBuilder.getMatchingCerts()...
certpath: ForwardBuilder.getMatchingEECerts()...
certpath: X509CertSelector.match(SN: 4e2
Issuer: CN=Dev Sub CA, OU=
Subject: CN=234159080345657)
certpath: X509CertSelector.match: subject DNs don't match
certpath: ForwardBuilder.getMatchingCACerts()...
certpath: ForwardBuilder.getMatchingCACerts(): ca is target
certpath: X509CertSelector.match(SN: 1f4
Issuer: CN=Dev Root CA, OU=
Subject: CN=Dev Sub CA, OU=)
certpath: X509CertSelector.match: subject DNs don't match
certpath: X509CertSelector.match(SN: 4e2
Issuer: CN=Dev Sub CA, OU=
Subject: CN=234159080345657)
certpath: X509CertSelector.match: subject DNs don't match
certpath: ForwardBuilder.getMatchingCACerts: found 0 CA certs
certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=0
certpath: SunCertPathBuilder.engineBuild: 2nd pass
certpath: SunCertPathBuilder.buildForward()...
certpath: SunCertPathBuilder.depthFirstSearchForward(CN=Dev CRL Server, OU=, State [
issuerDN of last cert: null
traversedCACerts: 0
init: true
keyParamsNeeded: false
subjectNamesTraversed:
[]]
)
certpath: ForwardBuilder.getMatchingCerts()...
certpath: ForwardBuilder.getMatchingEECerts()...
certpath: X509CertSelector.match(SN: 4e2
Issuer: CN=Dev Sub CA, OU=
Subject: CN=234159080345657)
certpath: X509CertSelector.match: subject DNs don't match
certpath: ForwardBuilder.getMatchingCACerts()...
certpath: ForwardBuilder.getMatchingCACerts(): ca is target
certpath: X509CertSelector.match(SN: 1f4
Issuer: CN=Dev Root CA, OU=
Subject: CN=Dev Sub CA, OU=)
certpath: X509CertSelector.match: subject DNs don't match
certpath: X509CertSelector.match(SN: 4e2
Issuer: CN=Dev Sub CA, OU=
Subject: CN=234159080345657)
certpath: X509CertSelector.match: subject DNs don't match
certpath: ForwardBuilder.getMatchingCACerts: found 0 CA certs
certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=0
certpath: Exception verifying CRL: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
java.security.cert.CRLException: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.DistributionPointFetcher.verifyCRL(DistributionPointFetcher.java:540)
at sun.security.provider.certpath.DistributionPointFetcher.getCRLs(DistributionPointFetcher.java:195)
at sun.security.provider.certpath.DistributionPointFetcher.getCRLs(DistributionPointFetcher.java:121)
at sun.security.provider.certpath.CrlRevocationChecker.verifyRevocationStatus(CrlRevocationChecker.java:309)
at sun.security.provider.certpath.CrlRevocationChecker.verifyRevocationStatus(CrlRevocationChecker.java:248)
at sun.security.provider.certpath.CrlRevocationChecker.check(CrlRevocationChecker.java:189)
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:131)
at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:325)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:187)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:267)
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:283)
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:271)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:191)
at sun.security.validator.Validator.validate(Validator.java:235)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:147)
at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:188)
at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:258)
at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1414)
at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:179)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:610)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:550)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:548)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:969)
*******************
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
at java.lang.Thread.run(Thread.java:636)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:197)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:255)
at sun.security.provider.certpath.DistributionPointFetcher.verifyCRL(DistributionPointFetcher.java:536)
... 43 more
certpath: Returning 0 CRLs
certpath: CrlRevocationChecker.verifyRevocationStatus() crls.size() = 0
certpath: CrlRevocationChecker.verifyRevocationStatus() approved crls.size() = 0
certpath: CrlRevocationChecker.verifyWithSeparateSigningKey() ---checking revocation status...
certpath: CrlRevocationChecker.buildToNewKey() starting work
certpath: CrlRevocationChecker.buildToNewKey() about to try build ...
certpath: SunCertPathBuilder.engineBuild([
[
Trust Anchors: [[
Trusted CA cert: [
[
Version: V3
Subject: CN=Dev Sub CA, OU=
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: 31696243932874256364335990637094427770482150137369453879629054046277594694178299662030613175940051336592870418113037419713357290194638536691606561721465520703526043819995453182453582996601875791731978172486235451952100860390268691062261564472533003331397217240833053175303404082306509973352439625645600600400408333148563265268164313890699450748266186324338577359913955542853478283626859231040995581139161097669581270909389409188385131437359048571882558660942248026022064839125345179031998211043815799677884832277271147572182551216847408958538553541983556420628304268943945349378863098906567967665152779703018233229929
public exponent: 65537
Validity: [From: Sat Jun 25 14:32:02 PDT 2011,
To: Sat Aug 24 14:32:02 PDT 2030]
Issuer: CN=Dev Root CA, OU=
SerialNumber: [ 01f4]
Certificate Extensions: 2
[1]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
[2]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:0
]
]
Algorithm: [SHA1withRSA]
Signature:
]
]
Initial Policy OIDs: any
Validity Date: null
Signature Provider: null
Default Revocation Enabled: false
Explicit Policy Required: false
Policy Mapping Inhibited: false
Any Policy Inhibited: false
Policy Qualifiers Rejected: true
Target Cert Constraints: RejectCertSelector: [
X509CertSelector: [
Subject: CN=Dev Sub CA,OU=
matchAllSubjectAltNames flag: true
Key Usage: KeyUsage [
Crl_Sign
]
][Sun RSA public key, 2048 bits
modulus: 31696243932874256364335990637094427770482150137369453879629054046277594694178299662030613175940051336592870418113037419713357290194638536691606561721465520703526043819995453182453582996601875791731978172486235451952100860390268691062261564472533003331397217240833053175303404082306509973352439625645600600400408333148563265268164313890699450748266186324338577359913955542853478283626859231040995581139161097669581270909389409188385131437359048571882558660942248026022064839125345179031998211043815799677884832277271147572182551216847408958538553541983556420628304268943945349378863098906567967665152779703018233229929
public exponent: 65537]]
Certification Path Checkers: [[]]
CertStores: [[]]
] Maximum Path Length: 5
]
)
certpath: SunCertPathBuilder.buildForward()...
certpath: SunCertPathBuilder.depthFirstSearchForward(CN=Dev Sub CA, OU=, State [
issuerDN of last cert: null
traversedCACerts: 0
init: true
keyParamsNeeded: false
subjectNamesTraversed:
[]]
)
certpath: ForwardBuilder.getMatchingCerts()...
certpath: ForwardBuilder.getMatchingEECerts()...
certpath: ForwardBuilder.getMatchingCACerts()...
certpath: ForwardBuilder.getMatchingCACerts(): ca is target
certpath: X509CertSelector.match(SN: 1f4
Issuer: CN=Dev Root CA, OU=
Subject: CN=Dev Sub CA, OU=)
certpath: X509CertSelector.match returning: true
certpath: RejectCertSelector.match: bad key
certpath: ForwardBuilder.getMatchingCACerts: found 0 CA certs
certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=0
certpath: SunCertPathBuilder.engineBuild: 2nd pass
certpath: SunCertPathBuilder.buildForward()...
certpath: SunCertPathBuilder.depthFirstSearchForward(CN=Dev Sub CA, OU=, State [
issuerDN of last cert: null
traversedCACerts: 0
init: true
keyParamsNeeded: false
subjectNamesTraversed:
[]]
)
certpath: ForwardBuilder.getMatchingCerts()...
certpath: ForwardBuilder.getMatchingEECerts()...
certpath: ForwardBuilder.getMatchingCACerts()...
certpath: ForwardBuilder.getMatchingCACerts(): ca is target
certpath: X509CertSelector.match(SN: 1f4
Issuer: CN=Dev Root CA, OU=
Subject: CN=Dev Sub CA, OU=)
certpath: X509CertSelector.match returning: true
certpath: RejectCertSelector.match: bad key
certpath: ForwardBuilder.getMatchingCACerts: found 0 CA certs
certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=0
certpath: PKIXCertPathValidator.engineValidate() anchor.getTrustedCert() != null
certpath: PKIXCertPathValidator.isWorthTrying() checking if this trusted cert is worth trying ...
certpath: NO - don't try this trustedCert
certpath: PKIXCertPathValidator.engineValidate() anchor.getTrustedCert() != null
certpath: PKIXCertPathValidator.isWorthTrying() checking if this trusted cert is worth trying ...
certpath: NO - don't try this trustedCert
-------------- next part --------------
certpath: PKIXCertPathValidator.engineValidate()...
certpath: PKIXCertPathValidator.engineValidate() reversing certpath...
certpath: PKIXCertPathValidator.engineValidate() anchor.getTrustedCert() != null
certpath: PKIXCertPathValidator.isWorthTrying() checking if this trusted cert is worth trying ...
certpath: X509CertSelector.match(SN: 1f5
Issuer: CN=Dev Root CA, OU=
Subject: CN=Dev CRL Server, OU=)
certpath: X509CertSelector.match: subject DNs don't match
certpath: NO - don't try this trustedCert
certpath: PKIXCertPathValidator.engineValidate() anchor.getTrustedCert() != null
certpath: PKIXCertPathValidator.isWorthTrying() checking if this trusted cert is worth trying ...
certpath: X509CertSelector.match(SN: b3ea5693a7cf4afa
Issuer: CN=Dev Root CA, OU=
Subject: CN=Dev Root CA, OU=)
certpath: X509CertSelector.match: subject DNs don't match
certpath: NO - don't try this trustedCert
certpath: PKIXCertPathValidator.engineValidate() anchor.getTrustedCert() != null
certpath: PKIXCertPathValidator.isWorthTrying() checking if this trusted cert is worth trying ...
certpath: X509CertSelector.match(SN: 1f4
Issuer: CN=Dev Root CA, OU=
Subject: CN=Dev Sub CA, OU=)
certpath: X509CertSelector.match returning: true
certpath: YES - try this trustedCert
certpath: anchor.getTrustedCert().getSubjectX500Principal() = CN=Dev Sub CA, OU=
certpath: --------------------------------------------------------------
certpath: Executing PKIX certification path validation algorithm.
certpath: Checking cert1 ...
certpath: Set of critical extensions:
certpath: 2.5.29.15
certpath: 2.5.29.37
certpath: 2.5.29.19
certpath: -Using checker1 ... [sun.security.provider.certpath.AlgorithmChecker]
certpath: -checker1 validation succeeded
certpath: -Using checker2 ... [sun.security.provider.certpath.KeyChecker]
certpath: -checker2 validation succeeded
certpath: -Using checker3 ... [sun.security.provider.certpath.ConstraintsChecker]
certpath: ---checking basic constraints...
certpath: i = 1
certpath: maxPathLength = 1
certpath: after processing, maxPathLength = 1
certpath: basic constraints verified.
certpath: ---checking name constraints...
certpath: prevNC = null
certpath: newNC = null
certpath: mergedNC = null
certpath: name constraints verified.
certpath: -checker3 validation succeeded
certpath: -Using checker4 ... [sun.security.provider.certpath.PolicyChecker]
certpath: PolicyChecker.checkPolicy() ---checking certificate policies...
certpath: PolicyChecker.checkPolicy() certIndex = 1
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: explicitPolicy = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyMapping = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: inhibitAnyPolicy = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyTree = anyPolicy ROOT
certpath: PolicyChecker.processPolicies() no policies present in cert
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: explicitPolicy = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyMapping = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: inhibitAnyPolicy = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyTree = null
certpath: PolicyChecker.checkPolicy() certificate policies verified
certpath: -checker4 validation succeeded
certpath: -Using checker5 ... [sun.security.provider.certpath.BasicChecker]
certpath: ---checking timestamp:Tue Jun 28 13:30:06 PDT 2011...
certpath: timestamp verified.
certpath: ---checking subject/issuer name chaining...
certpath: subject/issuer name chaining verified.
certpath: ---checking signature...
certpath: signature verified.
certpath: BasicChecker.updateState issuer: CN=Dev Sub CA, OU=; subject: CN=234159080345657; serial#: 1250
certpath: -checker5 validation succeeded
certpath: -Using checker6 ... [sun.security.provider.certpath.CrlRevocationChecker]
certpath: CrlRevocationChecker.verifyRevocationStatus() ---checking revocation status...
certpath: DistributionPointFetcher.getCRLs: Checking CRLDPs for CN=234159080345657
certpath: Trying to fetch CRL from DP http://localhost/crl.crl
certpath: CertStore URI:http://localhost/crl.crl
certpath: Downloading new CRL...
certpath: X509CertSelector.match(SN: 4e2
Issuer: CN=Dev Sub CA, OU=
Subject: CN=234159080345657)
certpath: X509CertSelector.match: serial numbers don't match
certpath: idpName: URIName: http://localhost/crl.crl
certpath: pointName: URIName: http://localhost/crl.crl
certpath: SunCertPathBuilder.engineBuild([
[
Trust Anchors: [[
Trusted CA cert: [
[
Version: V3
Subject: CN=Dev CRL Server, OU=
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: 24980366566383945128638357643794029657029045285943186164830889713742551362834167749389432614152878205152916895906818990222151469157749651975682716226521532551743772795359453663649043513571251909768572269499685840508696152707071851577848778512215737819165921470035012545204842514052321365290071098904759989627164571514184109529328628823584694433836465743357765488634438929322668458043955741015078693955669985576547644836720749936335018182113335320658128424355652830916053592288791634131577649438646298447356797700915904869154681646356170626662519966969445719045002066347129088251919800891736186127801862898591100517741
public exponent: 65537
Validity: [From: Tue Jun 28 13:12:40 PDT 2011,
To: Tue Aug 27 13:12:40 PDT 2030]
Issuer: CN=Dev Root CA, OU=
SerialNumber: [ 01f5]
Certificate Extensions: 3
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: B6 61 7F D0 F4 35 07 D6 8A 94 23 9F F3 43 7F 3D .a...5....#..C.=
0010: B9 47 B8 2A .G.*
]
]
[2]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Crl_Sign
]
[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]
]
Algorithm: [SHA1withRSA]
Signature:
]
, [
Trusted CA cert: [
[
Version: V3
Subject: CN=Dev Root CA, OU=
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: 24637538804312205538510193595756724743325964269149416473394433546273135490969532105800215896570721673979864000715385570349798964196021422587598377112256888670572719359535872155212046138681275316524517840249828650662576857366275328692936166990172596647562891910011544929645642031355229648076882498870763322728297961825305636336880972539564887325894581099371420734033338545900589971532305701911274609225936502298743355013219541966106004726727418768005124171502080427307695896502316295331353703554687316602668770219332060142717112374169447603885749795034258281027062466095065057099231648298625670334329042316857245052951
public exponent: 65537
Validity: [From: Tue Jun 28 12:37:41 PDT 2011,
To: Tue Aug 27 12:37:41 PDT 2030]
Issuer: CN=Dev Root CA, OU=
SerialNumber: [ b3ea5693 a7cf4afa]
Certificate Extensions: 2
[1]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
[2]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:1
]
]
Algorithm: [SHA1withRSA]
Signature:
]
, [
Trusted CA cert: [
[
Version: V3
Subject: CN=Dev Sub CA, OU=
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: 31696243932874256364335990637094427770482150137369453879629054046277594694178299662030613175940051336592870418113037419713357290194638536691606561721465520703526043819995453182453582996601875791731978172486235451952100860390268691062261564472533003331397217240833053175303404082306509973352439625645600600400408333148563265268164313890699450748266186324338577359913955542853478283626859231040995581139161097669581270909389409188385131437359048571882558660942248026022064839125345179031998211043815799677884832277271147572182551216847408958538553541983556420628304268943945349378863098906567967665152779703018233229929
public exponent: 65537
Validity: [From: Sat Jun 25 14:32:02 PDT 2011,
To: Sat Aug 24 14:32:02 PDT 2030]
Issuer: CN=Dev Root CA, OU=
SerialNumber: [ 01f4]
Certificate Extensions: 2
[1]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
[2]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:0
]
]
Algorithm: [SHA1withRSA]
Signature:
]
, [
Trusted CA Public Key: Sun RSA public key, 2048 bits
modulus: 31696243932874256364335990637094427770482150137369453879629054046277594694178299662030613175940051336592870418113037419713357290194638536691606561721465520703526043819995453182453582996601875791731978172486235451952100860390268691062261564472533003331397217240833053175303404082306509973352439625645600600400408333148563265268164313890699450748266186324338577359913955542853478283626859231040995581139161097669581270909389409188385131437359048571882558660942248026022064839125345179031998211043815799677884832277271147572182551216847408958538553541983556420628304268943945349378863098906567967665152779703018233229929
public exponent: 65537
Trusted CA Issuer Name: CN=Dev Sub CA,OU=
]
Initial Policy OIDs: any
Validity Date: null
Signature Provider: null
Default Revocation Enabled: true
Explicit Policy Required: false
Policy Mapping Inhibited: false
Any Policy Inhibited: false
Policy Qualifiers Rejected: true
Target Cert Constraints: X509CertSelector: [
Serial Number: 501
Subject: CN=Dev CRL Server,OU=
matchAllSubjectAltNames flag: true
Subject Key Identifier: 0000: 04 14 B6 61 7F D0 F4 35 07 D6 8A 94 23 9F F3 43 ...a...5....#..C
0010: 7F 3D B9 47 B8 2A .=.G.*
Key Usage: KeyUsage [
Crl_Sign
]
]
Certification Path Checkers: [[]]
CertStores: [[java.security.cert.CertStore@d9922f]]
] Maximum Path Length: 5
]
)
certpath: SunCertPathBuilder.buildForward()...
certpath: SunCertPathBuilder.depthFirstSearchForward(CN=Dev CRL Server, OU=, State [
issuerDN of last cert: null
traversedCACerts: 0
init: true
keyParamsNeeded: false
subjectNamesTraversed:
[]]
)
certpath: ForwardBuilder.getMatchingCerts()...
certpath: ForwardBuilder.getMatchingEECerts()...
certpath: X509CertSelector.match(SN: 4e2
Issuer: CN=Dev Sub CA, OU=
Subject: CN=234159080345657)
certpath: X509CertSelector.match: serial numbers don't match
certpath: ForwardBuilder.getMatchingCACerts()...
certpath: ForwardBuilder.getMatchingCACerts(): ca is target
certpath: X509CertSelector.match(SN: 1f4
Issuer: CN=Dev Root CA, OU=
Subject: CN=Dev Sub CA, OU=)
certpath: X509CertSelector.match: serial numbers don't match
certpath: X509CertSelector.match(SN: b3ea5693a7cf4afa
Issuer: CN=Dev Root CA, OU=
Subject: CN=Dev Root CA, OU=)
certpath: X509CertSelector.match: serial numbers don't match
certpath: X509CertSelector.match(SN: 1f5
Issuer: CN=Dev Root CA, OU=
Subject: CN=Dev CRL Server, OU=)
certpath: X509CertSelector.match returning: true
certpath: ForwardBuilder.getMatchingCACerts: found matching trust anchor
certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=1
certpath: ForwardBuilder.verifyCert(SN: 01f5
Issuer: CN=Dev Root CA, OU=)
Subject: CN=Dev CRL Server, OU=)
certpath: SunCertPathBuilder.depthFirstSearchForward(): commencing final verification
certpath: SunCertPathBuilder.depthFirstSearchForward(): final verification succeeded - path completed!
certpath: SunCertPathBuilder.engineBuild() pathCompleted
certpath: Returning 1 CRLs
certpath: CrlRevocationChecker.verifyRevocationStatus() crls.size() = 0
certpath: CrlRevocationChecker.verifyRevocationStatus() approved crls.size() = 1
certpath: CrlRevocationChecker.verifyRevocationStatus() starting the final sweep...
certpath: CrlRevocationChecker.verifyRevocationStatus cert SN: 1250
certpath: -checker6 validation succeeded
certpath: -Using checker7 ... [sun.security.provider.certpath.AlgorithmChecker]
certpath: -checker7 validation succeeded
certpath: checking for unresolvedCritExts
certpath:
cert1 validation succeeded.
certpath: Cert path validation succeeded. (PKIX validation algorithm)
certpath: --------------------------------------------------------------
-------------- next part --------------
certpath: PKIXCertPathValidator.engineValidate()...
certpath: PKIXCertPathValidator.engineValidate() reversing certpath...
certpath: PKIXCertPathValidator.engineValidate() anchor.getTrustedCert() != null
certpath: PKIXCertPathValidator.isWorthTrying() checking if this trusted cert is worth trying ...
certpath: YES - try this trustedCert
certpath: anchor.getTrustedCert().getSubjectX500Principal() = CN=Dev Sub CA, OU=
certpath: --------------------------------------------------------------
certpath: Executing PKIX certification path validation algorithm.
certpath: Checking cert1 ...
certpath: Set of critical extensions:
certpath: 2.5.29.15
certpath: 2.5.29.37
certpath: 2.5.29.19
certpath: -Using checker1 ... [sun.security.provider.certpath.AlgorithmChecker]
certpath: -checker1 validation succeeded
certpath: -Using checker2 ... [sun.security.provider.certpath.KeyChecker]
certpath: -checker2 validation succeeded
certpath: -Using checker3 ... [sun.security.provider.certpath.ConstraintsChecker]
certpath: ---checking basic constraints...
certpath: i = 1
certpath: maxPathLength = 1
certpath: after processing, maxPathLength = 1
certpath: basic constraints verified.
certpath: ---checking name constraints...
certpath: prevNC = null
certpath: newNC = null
certpath: mergedNC = null
certpath: name constraints verified.
certpath: -checker3 validation succeeded
certpath: -Using checker4 ... [sun.security.provider.certpath.PolicyChecker]
certpath: PolicyChecker.checkPolicy() ---checking certificate policies...
certpath: PolicyChecker.checkPolicy() certIndex = 1
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: explicitPolicy = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyMapping = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: inhibitAnyPolicy = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyTree = anyPolicy ROOT
certpath: PolicyChecker.processPolicies() no policies present in cert
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: explicitPolicy = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyMapping = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: inhibitAnyPolicy = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyTree = null
certpath: PolicyChecker.checkPolicy() certificate policies verified
certpath: -checker4 validation succeeded
certpath: -Using checker5 ... [sun.security.provider.certpath.BasicChecker]
certpath: ---checking timestamp:Tue Jun 28 13:42:02 PDT 2011...
certpath: timestamp verified.
certpath: ---checking subject/issuer name chaining...
certpath: subject/issuer name chaining verified.
certpath: ---checking signature...
certpath: signature verified.
certpath: BasicChecker.updateState issuer: CN=Dev Sub CA, OU=; subject: CN=234159080345657; serial#: 1250
certpath: -checker5 validation succeeded
certpath: -Using checker6 ... [sun.security.provider.certpath.CrlRevocationChecker]
certpath: CrlRevocationChecker.verifyRevocationStatus() ---checking revocation status...
certpath: DistributionPointFetcher.getCRLs: Checking CRLDPs for CN=234159080345657
certpath: Trying to fetch CRL from DP http://localhost/crl.crl
certpath: Downloading new CRL...
certpath: idpName: URIName: http://localhost/crl.crl
certpath: pointName: URIName: http://localhost/crl.crl
certpath: CRL signature failed to verify
certpath: Returning 0 CRLs
certpath: CrlRevocationChecker.verifyWithSeparateSigningKey() ---checking revocation status...
certpath: CrlRevocationChecker.buildToNewKey() starting work
certpath: CrlRevocationChecker.buildToNewKey() about to try build ...
certpath: SunCertPathBuilder.engineBuild([
[
Trust Anchors: [[
Trusted CA cert: [
[
Version: V3
Subject: CN=Dev Sub CA, OU=
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: 31696243932874256364335990637094427770482150137369453879629054046277594694178299662030613175940051336592870418113037419713357290194638536691606561721465520703526043819995453182453582996601875791731978172486235451952100860390268691062261564472533003331397217240833053175303404082306509973352439625645600600400408333148563265268164313890699450748266186324338577359913955542853478283626859231040995581139161097669581270909389409188385131437359048571882558660942248026022064839125345179031998211043815799677884832277271147572182551216847408958538553541983556420628304268943945349378863098906567967665152779703018233229929
public exponent: 65537
Validity: [From: Sat Jun 25 14:32:02 PDT 2011,
To: Sat Aug 24 14:32:02 PDT 2030]
Issuer: CN=Dev Root CA, OU=
SerialNumber: [ 01f4]
Certificate Extensions: 2
[1]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
[2]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:0
]
]
Algorithm: [SHA1withRSA]
Signature:
]
]
Initial Policy OIDs: any
Validity Date: null
Signature Provider: null
Default Revocation Enabled: false
Explicit Policy Required: false
Policy Mapping Inhibited: false
Any Policy Inhibited: false
Policy Qualifiers Rejected: true
Target Cert Constraints: RejectCertSelector: [
X509CertSelector: [
Subject: CN=Dev Sub CA,OU=
matchAllSubjectAltNames flag: true
Key Usage: KeyUsage [
Crl_Sign
]
][Sun RSA public key, 2048 bits
modulus: 31696243932874256364335990637094427770482150137369453879629054046277594694178299662030613175940051336592870418113037419713357290194638536691606561721465520703526043819995453182453582996601875791731978172486235451952100860390268691062261564472533003331397217240833053175303404082306509973352439625645600600400408333148563265268164313890699450748266186324338577359913955542853478283626859231040995581139161097669581270909389409188385131437359048571882558660942248026022064839125345179031998211043815799677884832277271147572182551216847408958538553541983556420628304268943945349378863098906567967665152779703018233229929
public exponent: 65537]]
Certification Path Checkers: [[]]
CertStores: [[java.security.cert.CertStore@73e835]]
] Maximum Path Length: 5
]
)
certpath: SunCertPathBuilder.buildForward()...
certpath: SunCertPathBuilder.depthFirstSearchForward(CN=Dev Sub CA, OU=, State [
issuerDN of last cert: null
traversedCACerts: 0
init: true
keyParamsNeeded: false
subjectNamesTraversed:
[]]
)
certpath: ForwardBuilder.getMatchingCerts()...
certpath: ForwardBuilder.getMatchingEECerts()...
certpath: X509CertSelector.match(SN: 4e2
Issuer: CN=Dev Sub CA, OU=
Subject: CN=234159080345657)
certpath: X509CertSelector.match: subject DNs don't match
certpath: ForwardBuilder.getMatchingCACerts()...
certpath: ForwardBuilder.getMatchingCACerts(): ca is target
certpath: X509CertSelector.match(SN: 1f4
Issuer: CN=Dev Root CA, OU=
Subject: CN=Dev Sub CA, OU=)
certpath: X509CertSelector.match returning: true
certpath: RejectCertSelector.match: bad key
certpath: X509CertSelector.match(SN: 4e2
Issuer: CN=Dev Sub CA, OU=
Subject: CN=234159080345657)
certpath: X509CertSelector.match: subject DNs don't match
certpath: ForwardBuilder.getMatchingCACerts: found 0 forward certs
certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=0
certpath: SunCertPathBuilder.engineBuild: 2nd pass
certpath: SunCertPathBuilder.buildForward()...
certpath: SunCertPathBuilder.depthFirstSearchForward(CN=Dev Sub CA, OU=, State [
issuerDN of last cert: null
traversedCACerts: 0
init: true
keyParamsNeeded: false
subjectNamesTraversed:
[]]
)
certpath: ForwardBuilder.getMatchingCerts()...
certpath: ForwardBuilder.getMatchingEECerts()...
certpath: X509CertSelector.match(SN: 4e2
Issuer: CN=Dev Sub CA, OU=
Subject: CN=234159080345657)
certpath: X509CertSelector.match: subject DNs don't match
certpath: ForwardBuilder.getMatchingCACerts()...
certpath: ForwardBuilder.getMatchingCACerts(): ca is target
certpath: X509CertSelector.match(SN: 1f4
Issuer: CN=Dev Root CA, OU=
Subject: CN=Dev Sub CA, OU=)
certpath: X509CertSelector.match returning: true
certpath: RejectCertSelector.match: bad key
certpath: X509CertSelector.match(SN: 4e2
Issuer: CN=Dev Sub CA, OU=
Subject: CN=234159080345657)
certpath: X509CertSelector.match: subject DNs don't match
certpath: ForwardBuilder.getMatchingCACerts: found 0 forward certs
certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=0
certpath: CrlRevocationChecker.verifyWithSeparateSigningKey() got exception sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
certpath: PKIXCertPathValidator.engineValidate() anchor.getTrustedCert() != null
certpath: PKIXCertPathValidator.isWorthTrying() checking if this trusted cert is worth trying ...
certpath: NO - don't try this trustedCert
certpath: PKIXCertPathValidator.engineValidate() anchor.getTrustedCert() != null
certpath: PKIXCertPathValidator.isWorthTrying() checking if this trusted cert is worth trying ...
certpath: NO - don't try this trustedCert