Webrev updated so that a CRL issuer can now delegate itself as CRL issuer
in the DistributionPoint extension.
------------
DistributionPointFetcher.java:
if (pointCrlIssuers != null) {
......
if (match == false) {
return false;
}
+
+ // we accept the case that a CRL issuer provide status
+ // information for itself.
+ if (ForwardBuilder.issues(certImpl, crlImpl, provider)) {
+ // reset the public key used to verify the CRL's signature
+ prevKey = certImpl.getPublicKey();
+ } else {
indirectCRL = true;
+ }
} else if (crlIssuer.equals(certIssuer) == false) {
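Review bot: in the new branch, when ForwardBuilder.issues(certImpl, crlImpl, provider) succeeds, prevKey is reset to certImpl.getPublicKey(), so the CRL's signature is verified with the key of the very certificate whose status is being checked; please confirm that the later revocation lookup still treats certImpl as revoked if it is listed in that CRL, and say so in the comment, which currently only states that the case is accepted. The comment also reads "a CRL issuer provide status" and should be "provides".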
----------
Thanks,
Xuelei
Xuelei Fan wrote:
Hi,
bug description:
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6852744
webrev: http://cr.openjdk.java.net/~xuelei/6852744/webrev/
Evaluation of the bug:
1. There is a loop in the forward builder for self-issued intermediate
certificates.
The ForwardBuilder looks for the next certificate based on
IssuerDN/SubjectDN. However, a self-issued certificate has the same
IssuerDN and SubjectDN, so the lookup will loop on the self-issued
certificate until the loop is detected.
2. Circular dependencies
In the PIT tests, the validity of the intermediate CA certificate
(oldCA) depends on the CRL; the validity of the CRL depends on its issuer,
the self-issued intermediate CA certificate (newWithOldCA); the validity
of newWithOldCA depends on its issuer, the oldCA; here comes a dead loop.
Thanks,
Xuelei
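A model of the two loops from the evaluation above, added here as an example and not part of the thread or of the JDK code: certificates are reduced to the DN and key fields that the forward builder and the DistributionPoint check consult, the DNs and key ids (Root, CA, K0..K2) are constructed, and forward_build / crl_signer_key are assumed stand-ins for ForwardBuilder and the patched DistributionPointFetcher branch rather than the real APIs.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str         # SubjectDN
    issuer: str          # IssuerDN
    key_id: str          # identifies the public key the cert carries
    signer_key_id: str   # key that signed the cert (stand-in for signature verification)

@dataclass(frozen=True)
class Crl:
    issuer: str          # CRL issuer DN
    signer_key_id: str   # key that signed the CRL

def verifies(signer_key_id, cert):
    """Stand-in for signature verification: the signing key is the cert's key."""
    return signer_key_id == cert.key_id

def forward_build(leaf, store):
    """Walk leaf -> issuer -> ... -> self-signed root, returning the key ids on the path.
    Candidates are chosen by IssuerDN == SubjectDN, as the ForwardBuilder does, so a
    self-issued cert matches itself; already-visited certs are skipped and a candidate
    must actually verify the current cert's signature, which breaks the DN-only loop."""
    path, visited, cur = [leaf], {leaf}, leaf
    while not (cur.subject == cur.issuer and verifies(cur.signer_key_id, cur)):
        nxt = [c for c in store if c.subject == cur.issuer
               and c not in visited and verifies(cur.signer_key_id, c)]
        if not nxt:
            raise ValueError("no issuer for %s: loop or incomplete store" % cur.key_id)
        cur = nxt[0]
        visited.add(cur)
        path.append(cur)
    return [c.key_id for c in path]

def crl_signer_key(cert, crl):
    """Mirror of the patched branch: if the cert being checked issued the CRL itself,
    the CRL is verified with the cert's own key and is not indirect; otherwise it is an
    indirect CRL whose issuer cert must be located and validated separately.
    Returns (key_id used to verify the CRL or None, indirect)."""
    if crl.issuer == cert.subject and verifies(crl.signer_key_id, cert):
        return cert.key_id, False
    return None, True

# Constructed certificates matching the PIT scenario in the report.
ROOT = Cert("CN=Root", "CN=Root", "K0", "K0")
OLD_CA = Cert("CN=CA", "CN=Root", "K1", "K0")
NEW_WITH_OLD_CA = Cert("CN=CA", "CN=CA", "K2", "K1")   # self-issued: same DNs, new key
STORE = [ROOT, OLD_CA, NEW_WITH_OLD_CA]
CRL_FROM_NEW = Crl("CN=CA", "K2")                     # CRL issued by newWithOldCA
```

With the self-issued CRL accepted for newWithOldCA itself, its status no longer requires building a path through oldCA, which is what closes the circular dependency.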