Hi Xuelei,<br><br>Attached is the certpath debug output. <br><br>Here is some more info about my test setup.<br><br>Dev Root CA issued Dev Sub CA<br>Dev Sub CA issued client cert<br>Dev Root CA issued Dev Crl Server cert<br>
The CRL is issued by Dev Crl Server; the URL is <a href="http://localhost/crl.crl">http://localhost/crl.crl</a><br>Dev Root CA, Dev Sub CA, and Dev Crl Server have all been added to the server's truststore.<br><br>I have specified the issuing distribution point in the CRL: onlyContainsUserCerts=true, onlyContainsCACerts=false, indirectCRL=true, onlyContainsAttributeCerts=false<br>
<br>The client cert specifies crlIssuer=Dev Crl Server.<br><br>Thanks, Dave<br><br><br><div class="gmail_quote">On Mon, Jun 27, 2011 at 10:05 PM, Xuelei.Fan@Oracle.Com <span dir="ltr"><<a href="mailto:Xuelei.Fan@oracle.com">Xuelei.Fan@oracle.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">Can you provide the code to reproduce the exception? Or is it possible to attach the CertPath building debugger log?<br>
<font color="#888888"><br>
Xuelei<br>
</font><div><div></div><div class="h5"><br>
On Jun 28, 2011, at 11:59 AM, David Pomeroy <<a href="mailto:dfpomeroy@gmail.com">dfpomeroy@gmail.com</a>> wrote:<br>
<br>
> Hello All,<br>
><br>
> I am trying to get a servlet to download and check a CRL. The CRLDP is in the client's certificate and the CRL is marked "indirect CRL" so that it can be signed by a different key than the client cert issuer. The following block of code is invoked but the DistributionPointFetcher can't seem to build a valid path and a CRLException is thrown. My assumption was this would work if I included the CRL signing certificate in my truststore. What I find odd while stepping through this in a debugger is that the "certStores" object contains only the client certificate which is to be validated, so it makes sense that X509CertSelector doesn't find the right cert in there.<br>
><br>
> Has anyone got indirect CRLs validated before? I'd be interested in the details of a test setup that works. I can provide more details of my test setup if necessary.<br>
><br>
> Thanks, David<br>
><br>
><br>
> // Obtain and validate the certification path for the complete<br>
> // CRL issuer (if indirect CRL). If a key usage extension is present<br>
> // in the CRL issuer's certificate, verify that the cRLSign bit is set.<br>
> if (indirectCRL) {<br>
> X509CertSelector certSel = new X509CertSelector();<br>
> certSel.setSubject(crlIssuer.asX500Principal());<br>
> boolean[] crlSign = {false,false,false,false,false,false,true};<br>
> certSel.setKeyUsage(crlSign);<br>
> PKIXBuilderParameters params = null;<br>
> try {<br>
> params = new PKIXBuilderParameters<br>
> (Collections.singleton(anchor), certSel);<br>
> } catch (InvalidAlgorithmParameterException iape) {<br>
> throw new CRLException(iape);<br>
> }<br>
> params.setCertStores(certStores);<br>
> params.setSigProvider(provider);<br>
> try {<br>
> CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");<br>
> PKIXCertPathBuilderResult result =<br>
> (PKIXCertPathBuilderResult) builder.build(params);<br>
> prevKey = result.getPublicKey();<br>
> } catch (Exception e) {<br>
> throw new CRLException(e);<br>
> }<br>
> }<br>
</div></div></blockquote></div><br>
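The quoted JDK snippet builds the indirect CRL issuer's path starting from the same trust anchor as the client certificate and searching only the CertStores passed in through the PKIX parameters, which is why a CertStore that holds just the client certificate cannot satisfy the X509CertSelector. The following added example (not code from this thread, from the JDK or from the servlet under discussion) shows the setup a practitioner would use: only Dev Root CA is a trust anchor, while Dev Sub CA, the Dev Crl Server certificate and the CRL are supplied through a CollectionCertStore so that both the client path and the CRL issuer path can be built. The file names are assumptions for the example.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

/*
 * Added example: validate a client certificate whose CRL is an indirect CRL
 * signed by a separate "Dev Crl Server" certificate. The CRL issuer
 * certificate is placed in a CertStore, because the PKIX builder that the
 * JDK runs for the CRL issuer starts from the trust anchor and searches the
 * CertStores, not the truststore. File names below are assumptions.
 */
public class IndirectCrlValidation {

    static X509Certificate loadCert(CertificateFactory cf, String path)
            throws IOException, GeneralSecurityException {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    static X509CRL loadCrl(CertificateFactory cf, String path)
            throws IOException, GeneralSecurityException {
        try (InputStream in = new FileInputStream(path)) {
            return (X509CRL) cf.generateCRL(in);
        }
    }

    /* KeyUsage bit 6 is cRLSign; the JDK selector quoted above requires it. */
    static boolean hasCrlSign(X509Certificate cert) {
        boolean[] ku = cert.getKeyUsage();
        return ku != null && ku.length > 6 && ku[6];
    }

    static PKIXCertPathValidatorResult validate(CertificateFactory cf,
            X509Certificate rootCa, X509Certificate subCa,
            X509Certificate crlIssuer, X509CRL crl, X509Certificate client)
            throws GeneralSecurityException {
        if (!hasCrlSign(crlIssuer)) {
            throw new CertPathValidatorException(
                    "CRL issuer certificate lacks the cRLSign key usage bit");
        }
        // Only the root is a trust anchor; every other certificate must be
        // reachable from it through the CertStores.
        TrustAnchor anchor = new TrustAnchor(rootCa, null);
        PKIXParameters params = new PKIXParameters(Collections.singleton(anchor));
        params.setRevocationEnabled(true);

        // Sub CA (client path), CRL issuer (indirect CRL issuer path) and the
        // CRL itself (so no network fetch from the CRLDP URL is required).
        List<Object> entries = new ArrayList<>();
        entries.add(subCa);
        entries.add(crlIssuer);
        entries.add(crl);
        CertStore store = CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(entries));
        params.setCertStores(Collections.singletonList(store));

        // CertPathValidator expects the chain from the target up to, but not
        // including, the trust anchor.
        CertPath path = cf.generateCertPath(Arrays.asList(client, subCa));
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        return (PKIXCertPathValidatorResult) validator.validate(path, params);
    }

    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate rootCa = loadCert(cf, "dev-root-ca.pem");      // assumed file
        X509Certificate subCa = loadCert(cf, "dev-sub-ca.pem");        // assumed file
        X509Certificate crlIssuer = loadCert(cf, "dev-crl-server.pem"); // assumed file
        X509Certificate client = loadCert(cf, "client.pem");           // assumed file
        X509CRL crl = loadCrl(cf, "crl.crl");                          // assumed file
        try {
            PKIXCertPathValidatorResult r =
                    validate(cf, rootCa, subCa, crlIssuer, crl, client);
            System.out.println("Client certificate valid; anchor: "
                    + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            System.out.println("Validation failed: " + e.getMessage());
        }
    }
}
```

Two caveats for this setup. First, if the CRL is to be fetched from the URL in the certificate's CRLDP instead of being loaded from the CertStore, the JVM must be started with -Dcom.sun.security.enableCRLDP=true; the CRL issuer certificate still has to be in the CertStore either way, since that is where the builder for the indirect CRL issuer looks. Second, with revocation enabled the PKIX checker needs revocation information for every certificate in the path, including Dev Sub CA, so a CRL for the sub CA (issued under Dev Root CA) must also be reachable or validation fails with an undetermined revocation status even when the client certificate's indirect CRL is found.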