sun.security.provider.certpath.DistributionPointFetcher

David Pomeroy dfpomeroy at gmail.com
Tue Jun 28 13:51:58 PDT 2011


Hi Sean,

openjdk7 complained that my Crl Server certificate did not contain a Subject
Key Identifier.  Once I added this, validating the indirect CRL issuer
worked as expected.

When I switched back to openjdk6, the CRL validation still fails.  I have
attached the certpath debug from each jvm.  If you look at the line
"certpath: SunCertPathBuilder.engineBuild([", jdk6 only adds my Sub CA
certificate as a trusted source, where jdk7 adds all 3 certs from the
truststore, including the Crl Issuer's certificate.  Perhaps jdk6 is looking
for specific criteria in the trusted certificates for use in validating the
CRL?

When I switched back to sun jdk 6, I got a different error.  It's as if it
is not even trying to build a verification path at all.  I attached that
debug as well.

Thanks for jdk7 suggestion, I definitely learned something.  However, I'd
really like to get this working on a version 6 jvm.  Any workaround
suggestions from you or the group would be greatly appreciated.

Thanks, Dave


On Tue, Jun 28, 2011 at 11:14 AM, Sean Mullan <sean.mullan at oracle.com>wrote:

> On 6/28/11 1:01 PM, David Pomeroy wrote:
>
>> Hi Sean,
>>
>> I am using Open JDK 6.  Are the indirect CRL bugs in JDK 6 documented
>> anywhere?
>> Are there any workarounds?
>>
>
> See:
>
> http://bugs.sun.com/**bugdatabase/view_bug.do?bug_**id=6509162<http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6509162>
> http://bugs.sun.com/**bugdatabase/view_bug.do?bug_**id=6542169<http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6542169>
>
> No known workarounds. It would help if you tested with JDK 7 [1] so we
> could verify if the problem has fixed.
>
> If it still fails with JDK 7, please file a bug (and attach a test program)
> at http://bugs.sun.com
>
> Thanks,
> Sean
>
> [1] http://jdk7.java.net/download.**html<http://jdk7.java.net/download.html>
>
>
>> I am setting enableCRLDP.
>>
>> Thanks, Dave
>>
>> On Tue, Jun 28, 2011 at 5:46 AM, Sean Mullan <sean.mullan at oracle.com
>> <mailto:sean.mullan at oracle.com**>> wrote:
>>
>>    Are you using JDK 7? There were some bugs fixed with indirect CRLs in
>> JDK 7.
>>
>>    Also, make sure you set the system property
>> com.sun.security.enableCRLDP to the
>>    value true when running, ex: java -Dcom.sun.security.__**enableCRLDP=true
>> ...
>>
>>    --Sean
>>
>>
>>    On 6/28/11 1:05 AM, Xuelei.Fan at Oracle.Com wrote:
>>
>>        Can you provide the code to reproduce the exception? Or is it
>> possible
>>        attach
>>        the CertPath building debugger log?
>>
>>        Xuelei
>>
>>        On Jun 28, 2011, at 11:59 AM, David Pomeroy<dfpomeroy at gmail.com
>>        <mailto:dfpomeroy at gmail.com>>  wrote:
>>
>>
>>            Hello All,
>>
>>            I am trying to get a servlet to download and check a CRL.  The
>> CRLDP
>>            is in
>>            the client's certificate and the CRL is marked "indirect CRL"
>> so that it
>>            can be signed by a different key than the client cert issuer.
>>  The
>>            following block of code is invoked but the
>> DistributionPointFetcher
>>            can't
>>            seem to build a valid path and a CRLException is thrown.  My
>>            assumption was
>>            this would work if I included the CRL signing certificate in my
>>            truststore.
>>            What I find odd while stepping through this in a debugger is
>> that the
>>            "certStores" object contains only the client certificate which
>> is to be
>>            validated, so it makes sense that X509CertSelector doesn't find
>> the
>>            right
>>            cert in there.
>>
>>            Has anyone got indirect CRLs validated before?  I'd be
>> interested in the
>>            details of a test setup that works.  I can provide more details
>> of
>>            my test
>>            setup if necessary.
>>
>>            Thanks, David
>>
>>
>>            // Obtain and validate the certification path for the complete
>> // CRL
>>            issuer (if indirect CRL). If a key usage extension is present
>> // in
>>            the CRL
>>            issuer's certificate, verify that the cRLSign bit is set. if
>>            (indirectCRL)
>>            { X509CertSelector certSel = new X509CertSelector();
>>            certSel.setSubject(crlIssuer._**_asX500Principal()); boolean[]
>> crlSign =
>>            {false,false,false,false,__**false,false,true};
>>            certSel.setKeyUsage(crlSign);
>>            PKIXBuilderParameters params = null; try { params = new
>>            PKIXBuilderParameters (Collections.singleton(anchor)**__,
>> certSel); }
>>            catch
>>            (__**InvalidAlgorithmParameterExcep**__tion iape) { throw new
>>
>>            CRLException(iape);
>>            } params.setCertStores(__**certStores);
>>            params.setSigProvider(__**provider); try {
>>            CertPathBuilder builder = CertPathBuilder.getInstance("_**
>> _PKIX");
>>            PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult)
>>            builder.build(params); prevKey = result.getPublicKey(); } catch
>>            (Exception
>>            e) { throw new CRLException(e); } }
>>
>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.openjdk.java.net/pipermail/security-dev/attachments/20110628/e04100c1/attachment.html 
-------------- next part --------------
certpath: PKIXCertPathValidator.engineValidate()...
certpath: PKIXCertPathValidator.engineValidate() reversing certpath...
certpath: PKIXCertPathValidator.engineValidate() anchor.getTrustedCert() != null
certpath: PKIXCertPathValidator.isWorthTrying() checking if this trusted cert is worth trying ...
certpath: YES - try this trustedCert
certpath: anchor.getTrustedCert().getSubjectX500Principal() = CN=Dev Sub CA, OU=
certpath: --------------------------------------------------------------
certpath: Executing PKIX certification path validation algorithm.
certpath: Checking cert1 ...
certpath: Set of critical extensions:
certpath: 2.5.29.15
certpath: 2.5.29.37
certpath: 2.5.29.19
certpath: -Using checker1 ... [sun.security.provider.certpath.AlgorithmChecker]
certpath: -checker1 validation succeeded
certpath: -Using checker2 ... [sun.security.provider.certpath.KeyChecker]
certpath: -checker2 validation succeeded
certpath: -Using checker3 ... [sun.security.provider.certpath.ConstraintsChecker]
certpath: ---checking basic constraints...
certpath: i = 1
certpath: maxPathLength = 1
certpath: after processing, maxPathLength = 1
certpath: basic constraints verified.
certpath: ---checking name constraints...
certpath: prevNC = null
certpath: newNC = null
certpath: mergedNC = null
certpath: name constraints verified.
certpath: -checker3 validation succeeded
certpath: -Using checker4 ... [sun.security.provider.certpath.PolicyChecker]
certpath: PolicyChecker.checkPolicy() ---checking certificate policies...
certpath: PolicyChecker.checkPolicy() certIndex = 1
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: explicitPolicy = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyMapping = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: inhibitAnyPolicy = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyTree = anyPolicy  ROOT

certpath: PolicyChecker.processPolicies() no policies present in cert
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: explicitPolicy = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyMapping = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: inhibitAnyPolicy = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyTree = null
certpath: PolicyChecker.checkPolicy() certificate policies verified
certpath: -checker4 validation succeeded
certpath: -Using checker5 ... [sun.security.provider.certpath.BasicChecker]
certpath: ---checking timestamp:Tue Jun 28 13:22:23 PDT 2011...
certpath: timestamp verified.
certpath: ---checking subject/issuer name chaining...
certpath: subject/issuer name chaining verified.
certpath: ---checking signature...
certpath: signature verified.
certpath: BasicChecker.updateState issuer: CN=Dev Sub CA, OU=; subject: CN=234159080345657; serial#: 1250
certpath: -checker5 validation succeeded
certpath: -Using checker6 ... [sun.security.provider.certpath.CrlRevocationChecker]
certpath: CrlRevocationChecker.verifyRevocationStatus() ---checking revocation status...
certpath: DistributionPointFetcher.getCRLs: Checking CRLDPs for CN=234159080345657
certpath: Trying to fetch CRL from DP http://localhost/crl.crl
certpath: CertStore URI:http://localhost/crl.crl
certpath: Downloading new CRL...
certpath: idpName: URIName: http://localhost/crl.crl
certpath: pointName: URIName: http://localhost/crl.crl
certpath: SunCertPathBuilder.engineBuild([
[
  Trust Anchors: [[
  Trusted CA cert: [
[
  Version: V3
  Subject: CN=Dev Sub CA, OU=
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  modulus: 31696243932874256364335990637094427770482150137369453879629054046277594694178299662030613175940051336592870418113037419713357290194638536691606561721465520703526043819995453182453582996601875791731978172486235451952100860390268691062261564472533003331397217240833053175303404082306509973352439625645600600400408333148563265268164313890699450748266186324338577359913955542853478283626859231040995581139161097669581270909389409188385131437359048571882558660942248026022064839125345179031998211043815799677884832277271147572182551216847408958538553541983556420628304268943945349378863098906567967665152779703018233229929
  public exponent: 65537
  Validity: [From: Sat Jun 25 14:32:02 PDT 2011,
               To: Sat Aug 24 14:32:02 PDT 2030]
  Issuer: CN=Dev Root CA, OU=
  SerialNumber: [    01f4]

Certificate Extensions: 2
[1]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

[2]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 18 8C C1 CA 2D F8 C4 3B   AC F2 F4 29 87 70 E9 BE  ....-..;...).p..
0010: BF 55 69 BC 50 17 37 7A   94 10 05 64 D9 58 5E 8F  .Ui.P.7z...d.X^.
0020: 56 9C 38 F6 C8 E6 F9 08   DF 86 B0 E7 1A 4D 0A 8E  V.8..........M..
0030: 85 E6 BE F4 D4 90 CF B5   AD D4 49 77 DC FE 51 7C  ..........Iw..Q.
0040: A8 07 AB 07 30 52 1A 91   4C 9F 65 67 BF 74 73 C1  ....0R..L.eg.ts.
0050: 8A E6 E7 64 19 40 1B 01   66 A1 F0 9D 15 FE F4 E5  ...d. at ..f.......
0060: C3 79 50 53 FF 6D BD A3   06 46 5B 87 79 E5 DE BB  .yPS.m...F[.y...
0070: 94 2B 1E 8B 4C DF A3 EA   CD C0 D4 F9 41 3B CA BE  .+..L.......A;..
0080: 18 AC 8F 50 03 94 9A EF   A1 6E 05 75 C4 E3 EC E8  ...P.....n.u....
0090: 85 79 CE 6C 31 70 27 93   9E 51 16 67 A1 81 1B C7  .y.l1p'..Q.g....
00A0: 3F DC FD E5 01 21 9C 21   44 71 7B A9 57 F8 57 79  ?....!.!Dq..W.Wy
00B0: 45 6F 37 5F F8 A4 DE CA   0A 06 7C C3 8B 94 22 67  Eo7_.........."g
00C0: 9A 93 8B D2 51 E6 3F 1F   09 24 A8 23 70 04 95 F7  ....Q.?..$.#p...
00D0: 48 42 F6 D2 D2 54 43 E9   0F C9 04 85 5E EA 46 31  HB...TC.....^.F1
00E0: 8A CF E8 F3 9C 76 D2 DE   9B ED F7 1C 15 C1 02 05  .....v..........
00F0: D7 ED 18 6B 74 CC 80 9D   2F 3D BF EC 24 20 00 E6  ...kt.../=..$ ..

]
]
  Initial Policy OIDs: any
  Validity Date: null
  Signature Provider: null
  Default Revocation Enabled: true
  Explicit Policy Required: false
  Policy Mapping Inhibited: false
  Any Policy Inhibited: false
  Policy Qualifiers Rejected: true
  Target Cert Constraints: X509CertSelector: [
  Subject: CN=Dev CRL Server,OU=
  matchAllSubjectAltNames flag: true
  Key Usage: KeyUsage [
  Crl_Sign
]

]
  Certification Path Checkers: [[]]
  CertStores: [[java.security.cert.CertStore at 101f935]]
]  Maximum Path Length: 5
]
)
certpath: SunCertPathBuilder.buildForward()...
certpath: SunCertPathBuilder.depthFirstSearchForward(CN=Dev CRL Server, OU=, State [
  issuerDN of last cert: null
  traversedCACerts: 0
  init: true
  keyParamsNeeded: false
  subjectNamesTraversed: 
[]]
)
certpath: ForwardBuilder.getMatchingCerts()...
certpath: ForwardBuilder.getMatchingEECerts()...
certpath: X509CertSelector.match(SN: 4e2
  Issuer: CN=Dev Sub CA, OU=
  Subject: CN=234159080345657)
certpath: X509CertSelector.match: subject DNs don't match
certpath: ForwardBuilder.getMatchingCACerts()...
certpath: ForwardBuilder.getMatchingCACerts(): ca is target
certpath: X509CertSelector.match(SN: 1f4
  Issuer: CN=Dev Root CA, OU=
  Subject: CN=Dev Sub CA, OU=)
certpath: X509CertSelector.match: subject DNs don't match
certpath: X509CertSelector.match(SN: 4e2
  Issuer: CN=Dev Sub CA, OU=
  Subject: CN=234159080345657)
certpath: X509CertSelector.match: subject DNs don't match
certpath: ForwardBuilder.getMatchingCACerts: found 0 CA certs
certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=0
certpath: SunCertPathBuilder.engineBuild: 2nd pass
certpath: SunCertPathBuilder.buildForward()...
certpath: SunCertPathBuilder.depthFirstSearchForward(CN=Dev CRL Server, OU=, State [
  issuerDN of last cert: null
  traversedCACerts: 0
  init: true
  keyParamsNeeded: false
  subjectNamesTraversed: 
[]]
)
certpath: ForwardBuilder.getMatchingCerts()...
certpath: ForwardBuilder.getMatchingEECerts()...
certpath: X509CertSelector.match(SN: 4e2
  Issuer: CN=Dev Sub CA, OU=
  Subject: CN=234159080345657)
certpath: X509CertSelector.match: subject DNs don't match
certpath: ForwardBuilder.getMatchingCACerts()...
certpath: ForwardBuilder.getMatchingCACerts(): ca is target
certpath: X509CertSelector.match(SN: 1f4
  Issuer: CN=Dev Root CA, OU=
  Subject: CN=Dev Sub CA, OU=)
certpath: X509CertSelector.match: subject DNs don't match
certpath: X509CertSelector.match(SN: 4e2
  Issuer: CN=Dev Sub CA, OU=
  Subject: CN=234159080345657)
certpath: X509CertSelector.match: subject DNs don't match
certpath: ForwardBuilder.getMatchingCACerts: found 0 CA certs
certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=0
certpath: Exception verifying CRL: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
java.security.cert.CRLException: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.DistributionPointFetcher.verifyCRL(DistributionPointFetcher.java:540)
	at sun.security.provider.certpath.DistributionPointFetcher.getCRLs(DistributionPointFetcher.java:195)
	at sun.security.provider.certpath.DistributionPointFetcher.getCRLs(DistributionPointFetcher.java:121)
	at sun.security.provider.certpath.CrlRevocationChecker.verifyRevocationStatus(CrlRevocationChecker.java:309)
	at sun.security.provider.certpath.CrlRevocationChecker.verifyRevocationStatus(CrlRevocationChecker.java:248)
	at sun.security.provider.certpath.CrlRevocationChecker.check(CrlRevocationChecker.java:189)
	at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:131)
	at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:325)
	at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:187)
	at java.security.cert.CertPathValidator.validate(CertPathValidator.java:267)
	at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:283)
	at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:271)
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:191)
	at sun.security.validator.Validator.validate(Validator.java:235)
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:147)
	at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:188)
	at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:258)
	at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1414)
	at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:179)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:610)
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:550)
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:548)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:969)
*******************
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
	at java.lang.Thread.run(Thread.java:636)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:197)
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:255)
	at sun.security.provider.certpath.DistributionPointFetcher.verifyCRL(DistributionPointFetcher.java:536)
	... 43 more
certpath: Returning 0 CRLs
certpath: CrlRevocationChecker.verifyRevocationStatus() crls.size() = 0
certpath: CrlRevocationChecker.verifyRevocationStatus() approved crls.size() = 0
certpath: CrlRevocationChecker.verifyWithSeparateSigningKey() ---checking revocation status...
certpath: CrlRevocationChecker.buildToNewKey() starting work
certpath: CrlRevocationChecker.buildToNewKey() about to try build ...
certpath: SunCertPathBuilder.engineBuild([
[
  Trust Anchors: [[
  Trusted CA cert: [
[
  Version: V3
  Subject: CN=Dev Sub CA, OU=
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  modulus: 31696243932874256364335990637094427770482150137369453879629054046277594694178299662030613175940051336592870418113037419713357290194638536691606561721465520703526043819995453182453582996601875791731978172486235451952100860390268691062261564472533003331397217240833053175303404082306509973352439625645600600400408333148563265268164313890699450748266186324338577359913955542853478283626859231040995581139161097669581270909389409188385131437359048571882558660942248026022064839125345179031998211043815799677884832277271147572182551216847408958538553541983556420628304268943945349378863098906567967665152779703018233229929
  public exponent: 65537
  Validity: [From: Sat Jun 25 14:32:02 PDT 2011,
               To: Sat Aug 24 14:32:02 PDT 2030]
  Issuer: CN=Dev Root CA, OU=
  SerialNumber: [    01f4]

Certificate Extensions: 2
[1]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

[2]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 18 8C C1 CA 2D F8 C4 3B   AC F2 F4 29 87 70 E9 BE  ....-..;...).p..
0010: BF 55 69 BC 50 17 37 7A   94 10 05 64 D9 58 5E 8F  .Ui.P.7z...d.X^.
0020: 56 9C 38 F6 C8 E6 F9 08   DF 86 B0 E7 1A 4D 0A 8E  V.8..........M..
0030: 85 E6 BE F4 D4 90 CF B5   AD D4 49 77 DC FE 51 7C  ..........Iw..Q.
0040: A8 07 AB 07 30 52 1A 91   4C 9F 65 67 BF 74 73 C1  ....0R..L.eg.ts.
0050: 8A E6 E7 64 19 40 1B 01   66 A1 F0 9D 15 FE F4 E5  ...d. at ..f.......
0060: C3 79 50 53 FF 6D BD A3   06 46 5B 87 79 E5 DE BB  .yPS.m...F[.y...
0070: 94 2B 1E 8B 4C DF A3 EA   CD C0 D4 F9 41 3B CA BE  .+..L.......A;..
0080: 18 AC 8F 50 03 94 9A EF   A1 6E 05 75 C4 E3 EC E8  ...P.....n.u....
0090: 85 79 CE 6C 31 70 27 93   9E 51 16 67 A1 81 1B C7  .y.l1p'..Q.g....
00A0: 3F DC FD E5 01 21 9C 21   44 71 7B A9 57 F8 57 79  ?....!.!Dq..W.Wy
00B0: 45 6F 37 5F F8 A4 DE CA   0A 06 7C C3 8B 94 22 67  Eo7_.........."g
00C0: 9A 93 8B D2 51 E6 3F 1F   09 24 A8 23 70 04 95 F7  ....Q.?..$.#p...
00D0: 48 42 F6 D2 D2 54 43 E9   0F C9 04 85 5E EA 46 31  HB...TC.....^.F1
00E0: 8A CF E8 F3 9C 76 D2 DE   9B ED F7 1C 15 C1 02 05  .....v..........
00F0: D7 ED 18 6B 74 CC 80 9D   2F 3D BF EC 24 20 00 E6  ...kt.../=..$ ..

]
]
  Initial Policy OIDs: any
  Validity Date: null
  Signature Provider: null
  Default Revocation Enabled: false
  Explicit Policy Required: false
  Policy Mapping Inhibited: false
  Any Policy Inhibited: false
  Policy Qualifiers Rejected: true
  Target Cert Constraints: RejectCertSelector: [
X509CertSelector: [
  Subject: CN=Dev Sub CA,OU=
  matchAllSubjectAltNames flag: true
  Key Usage: KeyUsage [
  Crl_Sign
]

][Sun RSA public key, 2048 bits
  modulus: 31696243932874256364335990637094427770482150137369453879629054046277594694178299662030613175940051336592870418113037419713357290194638536691606561721465520703526043819995453182453582996601875791731978172486235451952100860390268691062261564472533003331397217240833053175303404082306509973352439625645600600400408333148563265268164313890699450748266186324338577359913955542853478283626859231040995581139161097669581270909389409188385131437359048571882558660942248026022064839125345179031998211043815799677884832277271147572182551216847408958538553541983556420628304268943945349378863098906567967665152779703018233229929
  public exponent: 65537]]
  Certification Path Checkers: [[]]
  CertStores: [[]]
]  Maximum Path Length: 5
]
)
certpath: SunCertPathBuilder.buildForward()...
certpath: SunCertPathBuilder.depthFirstSearchForward(CN=Dev Sub CA, OU=, State [
  issuerDN of last cert: null
  traversedCACerts: 0
  init: true
  keyParamsNeeded: false
  subjectNamesTraversed: 
[]]
)
certpath: ForwardBuilder.getMatchingCerts()...
certpath: ForwardBuilder.getMatchingEECerts()...
certpath: ForwardBuilder.getMatchingCACerts()...
certpath: ForwardBuilder.getMatchingCACerts(): ca is target
certpath: X509CertSelector.match(SN: 1f4
  Issuer: CN=Dev Root CA, OU=
  Subject: CN=Dev Sub CA, OU=)
certpath: X509CertSelector.match returning: true
certpath: RejectCertSelector.match: bad key
certpath: ForwardBuilder.getMatchingCACerts: found 0 CA certs
certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=0
certpath: SunCertPathBuilder.engineBuild: 2nd pass
certpath: SunCertPathBuilder.buildForward()...
certpath: SunCertPathBuilder.depthFirstSearchForward(CN=Dev Sub CA, OU=, State [
  issuerDN of last cert: null
  traversedCACerts: 0
  init: true
  keyParamsNeeded: false
  subjectNamesTraversed: 
[]]
)
certpath: ForwardBuilder.getMatchingCerts()...
certpath: ForwardBuilder.getMatchingEECerts()...
certpath: ForwardBuilder.getMatchingCACerts()...
certpath: ForwardBuilder.getMatchingCACerts(): ca is target
certpath: X509CertSelector.match(SN: 1f4
  Issuer: CN=Dev Root CA, OU=
  Subject: CN=Dev Sub CA, OU=)
certpath: X509CertSelector.match returning: true
certpath: RejectCertSelector.match: bad key
certpath: ForwardBuilder.getMatchingCACerts: found 0 CA certs
certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=0
certpath: PKIXCertPathValidator.engineValidate() anchor.getTrustedCert() != null
certpath: PKIXCertPathValidator.isWorthTrying() checking if this trusted cert is worth trying ...
certpath: NO - don't try this trustedCert
certpath: PKIXCertPathValidator.engineValidate() anchor.getTrustedCert() != null
certpath: PKIXCertPathValidator.isWorthTrying() checking if this trusted cert is worth trying ...
certpath: NO - don't try this trustedCert
-------------- next part --------------
certpath: PKIXCertPathValidator.engineValidate()...
certpath: PKIXCertPathValidator.engineValidate() reversing certpath...
certpath: PKIXCertPathValidator.engineValidate() anchor.getTrustedCert() != null
certpath: PKIXCertPathValidator.isWorthTrying() checking if this trusted cert is worth trying ...
certpath: X509CertSelector.match(SN: 1f5
  Issuer: CN=Dev Root CA, OU=
  Subject: CN=Dev CRL Server, OU=)
certpath: X509CertSelector.match: subject DNs don't match
certpath: NO - don't try this trustedCert
certpath: PKIXCertPathValidator.engineValidate() anchor.getTrustedCert() != null
certpath: PKIXCertPathValidator.isWorthTrying() checking if this trusted cert is worth trying ...
certpath: X509CertSelector.match(SN: b3ea5693a7cf4afa
  Issuer: CN=Dev Root CA, OU=
  Subject: CN=Dev Root CA, OU=)
certpath: X509CertSelector.match: subject DNs don't match
certpath: NO - don't try this trustedCert
certpath: PKIXCertPathValidator.engineValidate() anchor.getTrustedCert() != null
certpath: PKIXCertPathValidator.isWorthTrying() checking if this trusted cert is worth trying ...
certpath: X509CertSelector.match(SN: 1f4
  Issuer: CN=Dev Root CA, OU=
  Subject: CN=Dev Sub CA, OU=)
certpath: X509CertSelector.match returning: true
certpath: YES - try this trustedCert
certpath: anchor.getTrustedCert().getSubjectX500Principal() = CN=Dev Sub CA, OU=
certpath: --------------------------------------------------------------
certpath: Executing PKIX certification path validation algorithm.
certpath: Checking cert1 ...
certpath: Set of critical extensions:
certpath: 2.5.29.15
certpath: 2.5.29.37
certpath: 2.5.29.19
certpath: -Using checker1 ... [sun.security.provider.certpath.AlgorithmChecker]
certpath: -checker1 validation succeeded
certpath: -Using checker2 ... [sun.security.provider.certpath.KeyChecker]
certpath: -checker2 validation succeeded
certpath: -Using checker3 ... [sun.security.provider.certpath.ConstraintsChecker]
certpath: ---checking basic constraints...
certpath: i = 1
certpath: maxPathLength = 1
certpath: after processing, maxPathLength = 1
certpath: basic constraints verified.
certpath: ---checking name constraints...
certpath: prevNC = null
certpath: newNC = null
certpath: mergedNC = null
certpath: name constraints verified.
certpath: -checker3 validation succeeded
certpath: -Using checker4 ... [sun.security.provider.certpath.PolicyChecker]
certpath: PolicyChecker.checkPolicy() ---checking certificate policies...
certpath: PolicyChecker.checkPolicy() certIndex = 1
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: explicitPolicy = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyMapping = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: inhibitAnyPolicy = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyTree = anyPolicy  ROOT

certpath: PolicyChecker.processPolicies() no policies present in cert
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: explicitPolicy = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyMapping = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: inhibitAnyPolicy = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyTree = null
certpath: PolicyChecker.checkPolicy() certificate policies verified
certpath: -checker4 validation succeeded
certpath: -Using checker5 ... [sun.security.provider.certpath.BasicChecker]
certpath: ---checking timestamp:Tue Jun 28 13:30:06 PDT 2011...
certpath: timestamp verified.
certpath: ---checking subject/issuer name chaining...
certpath: subject/issuer name chaining verified.
certpath: ---checking signature...
certpath: signature verified.
certpath: BasicChecker.updateState issuer: CN=Dev Sub CA, OU=; subject: CN=234159080345657; serial#: 1250
certpath: -checker5 validation succeeded
certpath: -Using checker6 ... [sun.security.provider.certpath.CrlRevocationChecker]
certpath: CrlRevocationChecker.verifyRevocationStatus() ---checking revocation status...
certpath: DistributionPointFetcher.getCRLs: Checking CRLDPs for CN=234159080345657
certpath: Trying to fetch CRL from DP http://localhost/crl.crl
certpath: CertStore URI:http://localhost/crl.crl
certpath: Downloading new CRL...
certpath: X509CertSelector.match(SN: 4e2
  Issuer: CN=Dev Sub CA, OU=
  Subject: CN=234159080345657)
certpath: X509CertSelector.match: serial numbers don't match
certpath: idpName: URIName: http://localhost/crl.crl
certpath: pointName: URIName: http://localhost/crl.crl
certpath: SunCertPathBuilder.engineBuild([
[
  Trust Anchors: [[
  Trusted CA cert: [
[
  Version: V3
  Subject: CN=Dev CRL Server, OU=
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  modulus: 24980366566383945128638357643794029657029045285943186164830889713742551362834167749389432614152878205152916895906818990222151469157749651975682716226521532551743772795359453663649043513571251909768572269499685840508696152707071851577848778512215737819165921470035012545204842514052321365290071098904759989627164571514184109529328628823584694433836465743357765488634438929322668458043955741015078693955669985576547644836720749936335018182113335320658128424355652830916053592288791634131577649438646298447356797700915904869154681646356170626662519966969445719045002066347129088251919800891736186127801862898591100517741
  public exponent: 65537
  Validity: [From: Tue Jun 28 13:12:40 PDT 2011,
               To: Tue Aug 27 13:12:40 PDT 2030]
  Issuer: CN=Dev Root CA, OU=
  SerialNumber: [    01f5]

Certificate Extensions: 3
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: B6 61 7F D0 F4 35 07 D6   8A 94 23 9F F3 43 7F 3D  .a...5....#..C.=
0010: B9 47 B8 2A                                        .G.*
]
]

[2]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Crl_Sign
]

[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 32 FF C1 5C 86 D5 8B 18   76 32 0E D7 D7 CF 80 79  2..\....v2.....y
0010: 63 1E 4C CA 13 8C 12 D6   3D A4 35 8C B2 3E 73 D7  c.L.....=.5..>s.
0020: 62 73 B9 1A 1B CC E4 CB   DB 65 BB 06 55 02 1B B0  bs.......e..U...
0030: 3B 18 02 0D E0 CB 11 51   E2 09 8F 1A 02 E4 89 E5  ;......Q........
0040: F5 E8 A6 80 FF 46 29 1A   26 7C 34 1E 27 22 CC 3A  .....F).&.4.'".:
0050: 55 49 74 79 C8 81 3F 4B   09 48 DF 55 FB 5E AC 5E  UIty..?K.H.U.^.^
0060: 0C FC 7C 82 F3 4A 78 9E   C1 8D 54 70 01 F5 DC 40  .....Jx...Tp...@
0070: 2A EB 0B 2C 28 78 28 EA   0A CB 16 05 0F 34 A3 77  *..,(x(......4.w
0080: A1 38 73 C6 60 A4 BB 80   C6 DC B4 2D 87 DB 08 B5  .8s.`......-....
0090: 36 B5 A9 61 8E AA D3 6B   A1 8A 75 84 D0 F9 9F 20  6..a...k..u.... 
00A0: 69 85 48 2C E6 77 7C 51   A9 94 64 57 20 74 2A 55  i.H,.w.Q..dW t*U
00B0: 2D 84 50 DA 88 18 12 87   53 85 BD 30 F2 9B ED 25  -.P.....S..0...%
00C0: 22 E3 83 C3 85 B2 C6 ED   29 E4 2C D0 0A DE F4 9F  ".......).,.....
00D0: 23 F2 61 1A AD 06 F0 69   96 F7 55 F4 A5 EB 62 6C  #.a....i..U...bl
00E0: 69 25 9A E1 24 3D DE 5C   B7 2C 8B 8F 57 89 87 73  i%..$=.\.,..W..s
00F0: CC A9 FA AB BE 98 C7 18   83 58 A5 4C 48 3A B5 48  .........X.LH:.H

]
, [
  Trusted CA cert: [
[
  Version: V3
  Subject: CN=Dev Root CA, OU=
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  modulus: 24637538804312205538510193595756724743325964269149416473394433546273135490969532105800215896570721673979864000715385570349798964196021422587598377112256888670572719359535872155212046138681275316524517840249828650662576857366275328692936166990172596647562891910011544929645642031355229648076882498870763322728297961825305636336880972539564887325894581099371420734033338545900589971532305701911274609225936502298743355013219541966106004726727418768005124171502080427307695896502316295331353703554687316602668770219332060142717112374169447603885749795034258281027062466095065057099231648298625670334329042316857245052951
  public exponent: 65537
  Validity: [From: Tue Jun 28 12:37:41 PDT 2011,
               To: Tue Aug 27 12:37:41 PDT 2030]
  Issuer: CN=Dev Root CA, OU=
  SerialNumber: [    b3ea5693 a7cf4afa]

Certificate Extensions: 2
[1]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
]

[2]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:1
]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 7B ED 50 86 50 BD 5A 19   DA EB A1 53 A1 D8 4C 40  ..P.P.Z....S..L@
0010: ED 67 1E C8 4C E6 6D 1E   95 E6 B6 31 F2 FC 63 0C  .g..L.m....1..c.
0020: EE 51 82 FD 33 BC 0D 7F   FF F6 7D 98 4C 6C DA 94  .Q..3.......Ll..
0030: 8E 6F 4C 7B B8 AF 77 63   93 71 AB 2D 06 75 64 D0  .oL...wc.q.-.ud.
0040: 3F 41 71 E3 0D 13 9E BE   27 57 81 C1 78 4C DE FF  ?Aq.....'W..xL..
0050: 83 36 41 D3 15 12 E3 86   B7 9D 17 90 46 4D 5C 4C  .6A.........FM\L
0060: 55 B1 0D F1 42 B1 69 C7   ED CC 40 DC 73 70 60 44  U...B.i... at .sp`D
0070: 92 8F 30 EF 33 22 FB EC   0A 23 A6 1C 06 25 89 65  ..0.3"...#...%.e
0080: 61 39 53 EA AB E2 7E 4C   A9 7D 2A D6 A1 E6 25 9F  a9S....L..*...%.
0090: E4 1B A6 30 9A 25 C0 13   0D CF EC F3 2E 6D D5 E5  ...0.%.......m..
00A0: 87 69 FC FA 7A 55 1C 67   9D 50 F2 AE 77 6C C8 E5  .i..zU.g.P..wl..
00B0: CD 24 D9 26 51 BA 83 E4   9A 1F 60 8E A0 83 AF CA  .$.&Q.....`.....
00C0: E8 EC BE 62 46 44 6C 81   E1 2C 85 EA 87 F9 F3 90  ...bFDl..,......
00D0: EB 90 75 5D 28 8B 29 7F   1A F0 3A 80 84 E0 99 4F  ..u](.)...:....O
00E0: 68 61 90 B7 89 A5 94 68   4D 61 99 29 A3 69 D4 6E  ha.....hMa.).i.n
00F0: 25 17 91 F7 E1 1E FD CA   18 3C 57 97 80 5F 34 4E  %........<W.._4N

]
, [
  Trusted CA cert: [
[
  Version: V3
  Subject: CN=Dev Sub CA, OU=
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  modulus: 31696243932874256364335990637094427770482150137369453879629054046277594694178299662030613175940051336592870418113037419713357290194638536691606561721465520703526043819995453182453582996601875791731978172486235451952100860390268691062261564472533003331397217240833053175303404082306509973352439625645600600400408333148563265268164313890699450748266186324338577359913955542853478283626859231040995581139161097669581270909389409188385131437359048571882558660942248026022064839125345179031998211043815799677884832277271147572182551216847408958538553541983556420628304268943945349378863098906567967665152779703018233229929
  public exponent: 65537
  Validity: [From: Sat Jun 25 14:32:02 PDT 2011,
               To: Sat Aug 24 14:32:02 PDT 2030]
  Issuer: CN=Dev Root CA, OU=
  SerialNumber: [    01f4]

Certificate Extensions: 2
[1]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

[2]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 18 8C C1 CA 2D F8 C4 3B   AC F2 F4 29 87 70 E9 BE  ....-..;...).p..
0010: BF 55 69 BC 50 17 37 7A   94 10 05 64 D9 58 5E 8F  .Ui.P.7z...d.X^.
0020: 56 9C 38 F6 C8 E6 F9 08   DF 86 B0 E7 1A 4D 0A 8E  V.8..........M..
0030: 85 E6 BE F4 D4 90 CF B5   AD D4 49 77 DC FE 51 7C  ..........Iw..Q.
0040: A8 07 AB 07 30 52 1A 91   4C 9F 65 67 BF 74 73 C1  ....0R..L.eg.ts.
0050: 8A E6 E7 64 19 40 1B 01   66 A1 F0 9D 15 FE F4 E5  ...d. at ..f.......
0060: C3 79 50 53 FF 6D BD A3   06 46 5B 87 79 E5 DE BB  .yPS.m...F[.y...
0070: 94 2B 1E 8B 4C DF A3 EA   CD C0 D4 F9 41 3B CA BE  .+..L.......A;..
0080: 18 AC 8F 50 03 94 9A EF   A1 6E 05 75 C4 E3 EC E8  ...P.....n.u....
0090: 85 79 CE 6C 31 70 27 93   9E 51 16 67 A1 81 1B C7  .y.l1p'..Q.g....
00A0: 3F DC FD E5 01 21 9C 21   44 71 7B A9 57 F8 57 79  ?....!.!Dq..W.Wy
00B0: 45 6F 37 5F F8 A4 DE CA   0A 06 7C C3 8B 94 22 67  Eo7_.........."g
00C0: 9A 93 8B D2 51 E6 3F 1F   09 24 A8 23 70 04 95 F7  ....Q.?..$.#p...
00D0: 48 42 F6 D2 D2 54 43 E9   0F C9 04 85 5E EA 46 31  HB...TC.....^.F1
00E0: 8A CF E8 F3 9C 76 D2 DE   9B ED F7 1C 15 C1 02 05  .....v..........
00F0: D7 ED 18 6B 74 CC 80 9D   2F 3D BF EC 24 20 00 E6  ...kt.../=..$ ..

]
, [
  Trusted CA Public Key: Sun RSA public key, 2048 bits
  modulus: 31696243932874256364335990637094427770482150137369453879629054046277594694178299662030613175940051336592870418113037419713357290194638536691606561721465520703526043819995453182453582996601875791731978172486235451952100860390268691062261564472533003331397217240833053175303404082306509973352439625645600600400408333148563265268164313890699450748266186324338577359913955542853478283626859231040995581139161097669581270909389409188385131437359048571882558660942248026022064839125345179031998211043815799677884832277271147572182551216847408958538553541983556420628304268943945349378863098906567967665152779703018233229929
  public exponent: 65537
  Trusted CA Issuer Name: CN=Dev Sub CA,OU=
]
  Initial Policy OIDs: any
  Validity Date: null
  Signature Provider: null
  Default Revocation Enabled: true
  Explicit Policy Required: false
  Policy Mapping Inhibited: false
  Any Policy Inhibited: false
  Policy Qualifiers Rejected: true
  Target Cert Constraints: X509CertSelector: [
  Serial Number: 501
  Subject: CN=Dev CRL Server,OU=
  matchAllSubjectAltNames flag: true
  Subject Key Identifier: 0000: 04 14 B6 61 7F D0 F4 35   07 D6 8A 94 23 9F F3 43  ...a...5....#..C
0010: 7F 3D B9 47 B8 2A                                  .=.G.*

  Key Usage: KeyUsage [
  Crl_Sign
]

]
  Certification Path Checkers: [[]]
  CertStores: [[java.security.cert.CertStore at d9922f]]
]  Maximum Path Length: 5
]
)
certpath: SunCertPathBuilder.buildForward()...
certpath: SunCertPathBuilder.depthFirstSearchForward(CN=Dev CRL Server, OU=, State [
  issuerDN of last cert: null
  traversedCACerts: 0
  init: true
  keyParamsNeeded: false
  subjectNamesTraversed: 
[]]
)
certpath: ForwardBuilder.getMatchingCerts()...
certpath: ForwardBuilder.getMatchingEECerts()...
certpath: X509CertSelector.match(SN: 4e2
  Issuer: CN=Dev Sub CA, OU=
  Subject: CN=234159080345657)
certpath: X509CertSelector.match: serial numbers don't match
certpath: ForwardBuilder.getMatchingCACerts()...
certpath: ForwardBuilder.getMatchingCACerts(): ca is target
certpath: X509CertSelector.match(SN: 1f4
  Issuer: CN=Dev Root CA, OU=
  Subject: CN=Dev Sub CA, OU=)
certpath: X509CertSelector.match: serial numbers don't match
certpath: X509CertSelector.match(SN: b3ea5693a7cf4afa
  Issuer: CN=Dev Root CA, OU=
  Subject: CN=Dev Root CA, OU=)
certpath: X509CertSelector.match: serial numbers don't match
certpath: X509CertSelector.match(SN: 1f5
  Issuer: CN=Dev Root CA, OU=
  Subject: CN=Dev CRL Server, OU=)
certpath: X509CertSelector.match returning: true
certpath: ForwardBuilder.getMatchingCACerts: found matching trust anchor
certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=1
certpath: ForwardBuilder.verifyCert(SN:     01f5
  Issuer: CN=Dev Root CA, OU=)
  Subject: CN=Dev CRL Server, OU=)
certpath: SunCertPathBuilder.depthFirstSearchForward(): commencing final verification
certpath: SunCertPathBuilder.depthFirstSearchForward(): final verification succeeded - path completed!
certpath: SunCertPathBuilder.engineBuild() pathCompleted
certpath: Returning 1 CRLs
certpath: CrlRevocationChecker.verifyRevocationStatus() crls.size() = 0
certpath: CrlRevocationChecker.verifyRevocationStatus() approved crls.size() = 1
certpath: CrlRevocationChecker.verifyRevocationStatus() starting the final sweep...
certpath: CrlRevocationChecker.verifyRevocationStatus cert SN: 1250
certpath: -checker6 validation succeeded
certpath: -Using checker7 ... [sun.security.provider.certpath.AlgorithmChecker]
certpath: -checker7 validation succeeded
certpath: checking for unresolvedCritExts
certpath: 
cert1 validation succeeded.

certpath: Cert path validation succeeded. (PKIX validation algorithm)
certpath: --------------------------------------------------------------
-------------- next part --------------
certpath: PKIXCertPathValidator.engineValidate()...
certpath: PKIXCertPathValidator.engineValidate() reversing certpath...
certpath: PKIXCertPathValidator.engineValidate() anchor.getTrustedCert() != null
certpath: PKIXCertPathValidator.isWorthTrying() checking if this trusted cert is worth trying ...
certpath: YES - try this trustedCert
certpath: anchor.getTrustedCert().getSubjectX500Principal() = CN=Dev Sub CA, OU=
certpath: --------------------------------------------------------------
certpath: Executing PKIX certification path validation algorithm.
certpath: Checking cert1 ...
certpath: Set of critical extensions:
certpath: 2.5.29.15
certpath: 2.5.29.37
certpath: 2.5.29.19
certpath: -Using checker1 ... [sun.security.provider.certpath.AlgorithmChecker]
certpath: -checker1 validation succeeded
certpath: -Using checker2 ... [sun.security.provider.certpath.KeyChecker]
certpath: -checker2 validation succeeded
certpath: -Using checker3 ... [sun.security.provider.certpath.ConstraintsChecker]
certpath: ---checking basic constraints...
certpath: i = 1
certpath: maxPathLength = 1
certpath: after processing, maxPathLength = 1
certpath: basic constraints verified.
certpath: ---checking name constraints...
certpath: prevNC = null
certpath: newNC = null
certpath: mergedNC = null
certpath: name constraints verified.
certpath: -checker3 validation succeeded
certpath: -Using checker4 ... [sun.security.provider.certpath.PolicyChecker]
certpath: PolicyChecker.checkPolicy() ---checking certificate policies...
certpath: PolicyChecker.checkPolicy() certIndex = 1
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: explicitPolicy = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyMapping = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: inhibitAnyPolicy = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyTree = anyPolicy  ROOT

certpath: PolicyChecker.processPolicies() no policies present in cert
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: explicitPolicy = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyMapping = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: inhibitAnyPolicy = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyTree = null
certpath: PolicyChecker.checkPolicy() certificate policies verified
certpath: -checker4 validation succeeded
certpath: -Using checker5 ... [sun.security.provider.certpath.BasicChecker]
certpath: ---checking timestamp:Tue Jun 28 13:42:02 PDT 2011...
certpath: timestamp verified.
certpath: ---checking subject/issuer name chaining...
certpath: subject/issuer name chaining verified.
certpath: ---checking signature...
certpath: signature verified.
certpath: BasicChecker.updateState issuer: CN=Dev Sub CA, OU=; subject: CN=234159080345657; serial#: 1250
certpath: -checker5 validation succeeded
certpath: -Using checker6 ... [sun.security.provider.certpath.CrlRevocationChecker]
certpath: CrlRevocationChecker.verifyRevocationStatus() ---checking revocation status...
certpath: DistributionPointFetcher.getCRLs: Checking CRLDPs for CN=234159080345657
certpath: Trying to fetch CRL from DP http://localhost/crl.crl
certpath: Downloading new CRL...
certpath: idpName: URIName: http://localhost/crl.crl
certpath: pointName: URIName: http://localhost/crl.crl
certpath: CRL signature failed to verify
certpath: Returning 0 CRLs
certpath: CrlRevocationChecker.verifyWithSeparateSigningKey() ---checking revocation status...
certpath: CrlRevocationChecker.buildToNewKey() starting work
certpath: CrlRevocationChecker.buildToNewKey() about to try build ...
certpath: SunCertPathBuilder.engineBuild([
[
  Trust Anchors: [[
  Trusted CA cert: [
[
  Version: V3
  Subject: CN=Dev Sub CA, OU=
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  modulus: 31696243932874256364335990637094427770482150137369453879629054046277594694178299662030613175940051336592870418113037419713357290194638536691606561721465520703526043819995453182453582996601875791731978172486235451952100860390268691062261564472533003331397217240833053175303404082306509973352439625645600600400408333148563265268164313890699450748266186324338577359913955542853478283626859231040995581139161097669581270909389409188385131437359048571882558660942248026022064839125345179031998211043815799677884832277271147572182551216847408958538553541983556420628304268943945349378863098906567967665152779703018233229929
  public exponent: 65537
  Validity: [From: Sat Jun 25 14:32:02 PDT 2011,
               To: Sat Aug 24 14:32:02 PDT 2030]
  Issuer: CN=Dev Root CA, OU=
  SerialNumber: [    01f4]

Certificate Extensions: 2
[1]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

[2]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 18 8C C1 CA 2D F8 C4 3B   AC F2 F4 29 87 70 E9 BE  ....-..;...).p..
0010: BF 55 69 BC 50 17 37 7A   94 10 05 64 D9 58 5E 8F  .Ui.P.7z...d.X^.
0020: 56 9C 38 F6 C8 E6 F9 08   DF 86 B0 E7 1A 4D 0A 8E  V.8..........M..
0030: 85 E6 BE F4 D4 90 CF B5   AD D4 49 77 DC FE 51 7C  ..........Iw..Q.
0040: A8 07 AB 07 30 52 1A 91   4C 9F 65 67 BF 74 73 C1  ....0R..L.eg.ts.
0050: 8A E6 E7 64 19 40 1B 01   66 A1 F0 9D 15 FE F4 E5  ...d. at ..f.......
0060: C3 79 50 53 FF 6D BD A3   06 46 5B 87 79 E5 DE BB  .yPS.m...F[.y...
0070: 94 2B 1E 8B 4C DF A3 EA   CD C0 D4 F9 41 3B CA BE  .+..L.......A;..
0080: 18 AC 8F 50 03 94 9A EF   A1 6E 05 75 C4 E3 EC E8  ...P.....n.u....
0090: 85 79 CE 6C 31 70 27 93   9E 51 16 67 A1 81 1B C7  .y.l1p'..Q.g....
00A0: 3F DC FD E5 01 21 9C 21   44 71 7B A9 57 F8 57 79  ?....!.!Dq..W.Wy
00B0: 45 6F 37 5F F8 A4 DE CA   0A 06 7C C3 8B 94 22 67  Eo7_.........."g
00C0: 9A 93 8B D2 51 E6 3F 1F   09 24 A8 23 70 04 95 F7  ....Q.?..$.#p...
00D0: 48 42 F6 D2 D2 54 43 E9   0F C9 04 85 5E EA 46 31  HB...TC.....^.F1
00E0: 8A CF E8 F3 9C 76 D2 DE   9B ED F7 1C 15 C1 02 05  .....v..........
00F0: D7 ED 18 6B 74 CC 80 9D   2F 3D BF EC 24 20 00 E6  ...kt.../=..$ ..

]
]
  Initial Policy OIDs: any
  Validity Date: null
  Signature Provider: null
  Default Revocation Enabled: false
  Explicit Policy Required: false
  Policy Mapping Inhibited: false
  Any Policy Inhibited: false
  Policy Qualifiers Rejected: true
  Target Cert Constraints: RejectCertSelector: [
X509CertSelector: [
  Subject: CN=Dev Sub CA,OU=
  matchAllSubjectAltNames flag: true
  Key Usage: KeyUsage [
  Crl_Sign
]

][Sun RSA public key, 2048 bits
  modulus: 31696243932874256364335990637094427770482150137369453879629054046277594694178299662030613175940051336592870418113037419713357290194638536691606561721465520703526043819995453182453582996601875791731978172486235451952100860390268691062261564472533003331397217240833053175303404082306509973352439625645600600400408333148563265268164313890699450748266186324338577359913955542853478283626859231040995581139161097669581270909389409188385131437359048571882558660942248026022064839125345179031998211043815799677884832277271147572182551216847408958538553541983556420628304268943945349378863098906567967665152779703018233229929
  public exponent: 65537]]
  Certification Path Checkers: [[]]
  CertStores: [[java.security.cert.CertStore at 73e835]]
]  Maximum Path Length: 5
]
)
certpath: SunCertPathBuilder.buildForward()...
certpath: SunCertPathBuilder.depthFirstSearchForward(CN=Dev Sub CA, OU=, State [
  issuerDN of last cert: null
  traversedCACerts: 0
  init: true
  keyParamsNeeded: false
  subjectNamesTraversed: 
[]]
)
certpath: ForwardBuilder.getMatchingCerts()...
certpath: ForwardBuilder.getMatchingEECerts()...
certpath: X509CertSelector.match(SN: 4e2
  Issuer: CN=Dev Sub CA, OU=
  Subject: CN=234159080345657)
certpath: X509CertSelector.match: subject DNs don't match
certpath: ForwardBuilder.getMatchingCACerts()...
certpath: ForwardBuilder.getMatchingCACerts(): ca is target
certpath: X509CertSelector.match(SN: 1f4
  Issuer: CN=Dev Root CA, OU=
  Subject: CN=Dev Sub CA, OU=)
certpath: X509CertSelector.match returning: true
certpath: RejectCertSelector.match: bad key
certpath: X509CertSelector.match(SN: 4e2
  Issuer: CN=Dev Sub CA, OU=
  Subject: CN=234159080345657)
certpath: X509CertSelector.match: subject DNs don't match
certpath: ForwardBuilder.getMatchingCACerts: found 0 forward certs
certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=0
certpath: SunCertPathBuilder.engineBuild: 2nd pass
certpath: SunCertPathBuilder.buildForward()...
certpath: SunCertPathBuilder.depthFirstSearchForward(CN=Dev Sub CA, OU=, State [
  issuerDN of last cert: null
  traversedCACerts: 0
  init: true
  keyParamsNeeded: false
  subjectNamesTraversed: 
[]]
)
certpath: ForwardBuilder.getMatchingCerts()...
certpath: ForwardBuilder.getMatchingEECerts()...
certpath: X509CertSelector.match(SN: 4e2
  Issuer: CN=Dev Sub CA, OU=
  Subject: CN=234159080345657)
certpath: X509CertSelector.match: subject DNs don't match
certpath: ForwardBuilder.getMatchingCACerts()...
certpath: ForwardBuilder.getMatchingCACerts(): ca is target
certpath: X509CertSelector.match(SN: 1f4
  Issuer: CN=Dev Root CA, OU=
  Subject: CN=Dev Sub CA, OU=)
certpath: X509CertSelector.match returning: true
certpath: RejectCertSelector.match: bad key
certpath: X509CertSelector.match(SN: 4e2
  Issuer: CN=Dev Sub CA, OU=
  Subject: CN=234159080345657)
certpath: X509CertSelector.match: subject DNs don't match
certpath: ForwardBuilder.getMatchingCACerts: found 0 forward certs
certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=0
certpath: CrlRevocationChecker.verifyWithSeparateSigningKey() got exception sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
certpath: PKIXCertPathValidator.engineValidate() anchor.getTrustedCert() != null
certpath: PKIXCertPathValidator.isWorthTrying() checking if this trusted cert is worth trying ...
certpath: NO - don't try this trustedCert
certpath: PKIXCertPathValidator.engineValidate() anchor.getTrustedCert() != null
certpath: PKIXCertPathValidator.isWorthTrying() checking if this trusted cert is worth trying ...
certpath: NO - don't try this trustedCert


More information about the security-dev mailing list