<html><body bgcolor="#FFFFFF"><div><br><br>On Jun 29, 2011, at 4:51 AM, David Pomeroy <<a href="mailto:dfpomeroy@gmail.com">dfpomeroy@gmail.com</a>> wrote:<br><br></div><div></div><blockquote type="cite"><div>Hi Sean,<br><br>openjdk7 complained that my Crl Server certificate did not contain a Subject Key Identifier. </div></blockquote>It's a must-have field to comply with RFC 5280.<div><br><blockquote type="cite"><div>Once I added this, validating the indirect CRL issuer worked as expected.<br><br></div></blockquote><div>Glad to know it works in JDK 7.</div><br><blockquote type="cite"><div>When I switched back to openjdk6, the CRL validation still fails. I have attached the certpath debug from each jvm. If you look at the line "certpath: SunCertPathBuilder.engineBuild([", jdk6 only adds my Sub CA certificate as a trusted source, where jdk7 adds all 3 certs from the truststore, including the Crl Issuer's certificate. Perhaps jdk6 is looking for specific criteria in the trusted certificates for use in validating the CRL? <br>
<br>When I switched back to sun jdk 6, I got a different error. It's as if it is not even trying to build a verification path at all. I attached that debug as well.<br><br>Thanks for the jdk7 suggestion, I definitely learned something. However, I'd really like to get this working on a version 6 jvm. Any workaround suggestions from you or the group would be greatly appreciated. <br></div></blockquote>No known workaround. You may be able to disable certificate status checking in the default provider, and check the certificate status by a customized PKIXCertPathChecker.</div><div><br></div><div>Xuelei</div><div><br><blockquote type="cite"><div>
<br>Thanks, Dave<br><br><br><div class="gmail_quote">On Tue, Jun 28, 2011 at 11:14 AM, Sean Mullan <span dir="ltr"><<a href="mailto:sean.mullan@oracle.com" target="_blank">sean.mullan@oracle.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div>On 6/28/11 1:01 PM, David Pomeroy wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
Hi Sean,<br>
<br>
I am using Open JDK 6. Are the indirect CRL bugs in JDK 6 documented anywhere?<br>
Are there any workarounds?<br>
</blockquote>
<br></div>
See:<br>
<br>
<a href="http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6509162" target="_blank">http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6509162</a><br>
<a href="http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6542169" target="_blank">http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6542169</a><br>
<br>
No known workarounds. It would help if you tested with JDK 7 [1] so we could verify if the problem has been fixed.<br>
<br>
If it still fails with JDK 7, please file a bug (and attach a test program) at <a href="http://bugs.sun.com" target="_blank">http://bugs.sun.com</a><br>
<br>
Thanks,<br>
Sean<br>
<br>
[1] <a href="http://jdk7.java.net/download.html" target="_blank">http://jdk7.java.net/download.html</a><br>
<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><div>
<br>
I am setting enableCRLDP.<br>
<br>
Thanks, Dave<br>
<br>
On Tue, Jun 28, 2011 at 5:46 AM, Sean Mullan <<a href="mailto:sean.mullan@oracle.com" target="_blank">sean.mullan@oracle.com</a><br></div><div>
<mailto:<a href="mailto:sean.mullan@oracle.com" target="_blank">sean.mullan@oracle.com</a>>> wrote:<br>
<br>
Are you using JDK 7? There were some bugs fixed with indirect CRLs in JDK 7.<br>
<br>
Also, make sure you set the system property com.sun.security.enableCRLDP to the<br>
value true when running, ex: java -Dcom.sun.security.enableCRLDP=true ...<br>
<br>
--Sean<br>
<br>
<br>
On 6/28/11 1:05 AM, <a href="mailto:Xuelei.Fan@Oracle.Com">Xuelei.Fan@Oracle.Com</a> wrote:<br>
<br>
Can you provide the code to reproduce the exception? Or is it possible to<br>
attach the CertPath building debugger log?<br>
<br>
Xuelei<br>
<br>
On Jun 28, 2011, at 11:59 AM, David Pomeroy<<a href="mailto:dfpomeroy@gmail.com" target="_blank">dfpomeroy@gmail.com</a><br></div>
<mailto:<a href="mailto:dfpomeroy@gmail.com" target="_blank">dfpomeroy@gmail.com</a>>> wrote:<div><div></div><div><br>
<br>
Hello All,<br>
<br>
I am trying to get a servlet to download and check a CRL. The CRLDP<br>
is in<br>
the client's certificate and the CRL is marked "indirect CRL" so that it<br>
can be signed by a different key than the client cert issuer. The<br>
following block of code is invoked but the DistributionPointFetcher<br>
can't<br>
seem to build a valid path and a CRLException is thrown. My<br>
assumption was<br>
this would work if I included the CRL signing certificate in my<br>
truststore.<br>
What I find odd while stepping through this in a debugger is that the<br>
"certStores" object contains only the client certificate which is to be<br>
validated, so it makes sense that X509CertSelector doesn't find the<br>
right<br>
cert in there.<br>
<br>
Has anyone got indirect CRLs validated before? I'd be interested in the<br>
details of a test setup that works. I can provide more details of<br>
my test<br>
setup if necessary.<br>
<br>
Thanks, David<br>
<br>
<br>
<pre>
// Obtain and validate the certification path for the complete
// CRL issuer (if indirect CRL). If a key usage extension is present
// in the CRL issuer's certificate, verify that the cRLSign bit is set.
if (indirectCRL) {
    X509CertSelector certSel = new X509CertSelector();
    certSel.setSubject(crlIssuer.asX500Principal());
    // KeyUsage bit 6 is cRLSign: only certificates with that bit set qualify
    boolean[] crlSign = {false, false, false, false, false, false, true};
    certSel.setKeyUsage(crlSign);
    PKIXBuilderParameters params = null;
    try {
        params = new PKIXBuilderParameters(Collections.singleton(anchor), certSel);
    } catch (InvalidAlgorithmParameterException iape) {
        throw new CRLException(iape);
    }
    // certStores is what the path builder searches for intermediate certificates
    params.setCertStores(certStores);
    params.setSigProvider(provider);
    try {
        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
        PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult) builder.build(params);
        prevKey = result.getPublicKey();
    } catch (Exception e) {
        throw new CRLException(e);
    }
}
</pre></div></div><div>
<br>
<br>
</div></blockquote>
</blockquote></div><br>
</div></blockquote><blockquote type="cite"><div><openjdk6-fails.txt></div></blockquote><blockquote type="cite"><div><openjdk7-succeeds.txt></div></blockquote><blockquote type="cite"><div><sunjdk6-fails.txt></div></blockquote></div></body></html>
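One way to implement the workaround Xuelei describes above (default revocation checking disabled, the CRL checked by a custom PKIXCertPathChecker), as an added example that is not code from the thread or from the JDK. It assumes the indirect CRL and the CRL issuer's certificate have already been fetched, that the caller has chained the issuer certificate to a trust anchor, and the class and method names are hypothetical.

```java
import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.util.*;
import javax.security.auth.x500.X500Principal;

// Revocation check against one indirect CRL, run as a custom PKIXCertPathChecker
// with the provider's own CRL/CRLDP processing switched off (hypothetical class).
public final class IndirectCrlChecker extends PKIXCertPathChecker {
    private final X509CRL crl;            // indirect CRL, obtained out of band (assumed)
    private final X500Principal covered;  // issuer whose certificates this CRL lists
    // crlIssuerCert is the CRL signer's certificate; the caller is assumed to have
    // already chained it to a trust anchor (e.g. with CertPathValidator).
    public IndirectCrlChecker(X509CRL crl, X509Certificate crlIssuerCert,
                              X500Principal covered) throws GeneralSecurityException {
        boolean[] ku = crlIssuerCert.getKeyUsage();
        if (ku != null && (ku.length < 7 || !ku[6]))         // KeyUsage bit 6 = cRLSign
            throw new CRLException("CRL issuer certificate lacks the cRLSign key usage");
        crl.verify(crlIssuerCert.getPublicKey());             // throws if the signature is bad
        Date next = crl.getNextUpdate();
        if (next != null && next.before(new Date()))
            throw new CRLException("CRL is stale, nextUpdate=" + next);
        this.crl = crl;
        this.covered = covered;
    }
    @Override public void init(boolean forward) throws CertPathValidatorException {
        if (forward) throw new CertPathValidatorException("forward checking unsupported");
    }
    @Override public boolean isForwardCheckingSupported() { return false; }
    @Override public Set<String> getSupportedExtensions() { return null; }
    @Override public void check(Certificate cert, Collection<String> unresolvedCritExts)
            throws CertPathValidatorException {
        X509Certificate x = (X509Certificate) cert;
        if (!x.getIssuerX500Principal().equals(covered)) return;   // not covered by this CRL
        // getRevokedCertificate(X509Certificate) matches serial AND issuer, so it honours
        // the certificateIssuer entry extension that indirect CRLs rely on.
        X509CRLEntry entry = crl.getRevokedCertificate(x);
        if (entry != null)
            throw new CertPathValidatorException("certificate " + x.getSerialNumber()
                    + " revoked on " + entry.getRevocationDate());
    }
    // Parameters with default revocation checking off and this checker in its place.
    public static PKIXParameters paramsFor(Set<TrustAnchor> anchors, PKIXCertPathChecker checker)
            throws GeneralSecurityException {
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false);   // skips the built-in CRL/CRLDP lookups
        params.addCertPathChecker(checker);
        return params;
    }
}
```

Pass the returned PKIXParameters to CertPathValidator.getInstance("PKIX").validate(...) instead of the parameters the servlet uses today; a stale CRL or a missing cRLSign bit is rejected before any path is validated rather than silently treated as "not revoked".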