Can you provide the code to reproduce the exception? Or is it possible to attach the CertPath building debugger log?
Xuelei

On Jun 28, 2011, at 11:59 AM, David Pomeroy <dfpome...@gmail.com> wrote:

> Hello All,
>
> I am trying to get a servlet to download and check a CRL. The CRLDP is in
> the client's certificate and the CRL is marked "indirect CRL" so that it can
> be signed by a different key than the client cert issuer. The following
> block of code is invoked but the DistributionPointFetcher can't seem to build
> a valid path and a CRLException is thrown. My assumption was this would work
> if I included the CRL signing certificate in my truststore. What I find odd
> while stepping through this in a debugger is that the "certStores" object
> contains only the client certificate which is to be validated, so it makes
> sense that X509CertSelector doesn't find the right cert in there.
>
> Has anyone got indirect CRLs validated before? I'd be interested in the
> details of a test setup that works. I can provide more details of my test
> setup if necessary.
>
> Thanks, David
>
>
>     // Obtain and validate the certification path for the complete
>     // CRL issuer (if indirect CRL). If a key usage extension is present
>     // in the CRL issuer's certificate, verify that the cRLSign bit is
>     // set.
>     if (indirectCRL) {
>         X509CertSelector certSel = new X509CertSelector();
>         certSel.setSubject(crlIssuer.asX500Principal());
>         boolean[] crlSign = {false,false,false,false,false,false,true};
>         certSel.setKeyUsage(crlSign);
>         PKIXBuilderParameters params = null;
>         try {
>             params = new PKIXBuilderParameters
>                 (Collections.singleton(anchor), certSel);
>         } catch (InvalidAlgorithmParameterException iape) {
>             throw new CRLException(iape);
>         }
>         params.setCertStores(certStores);
>         params.setSigProvider(provider);
>         try {
>             CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
>             PKIXCertPathBuilderResult result =
>                 (PKIXCertPathBuilderResult) builder.build(params);
>             prevKey = result.getPublicKey();
>         } catch (Exception e) {
>             throw new CRLException(e);
>         }
>     }
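The quoted JDK code looks for the indirect CRL issuer's certificate in the PKIX parameters' CertStores (with the trust anchor as the only anchor), not in the truststore, so the usual way to let that path build succeed is to hand the CRL-signing certificate in through a CollectionCertStore. The following is an added example, not code from the thread or from the JDK; the file names are hypothetical placeholders, and it assumes the CRL signer chains to the same root as the client certificate.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.*;
import java.util.Arrays;
import java.util.Collections;

/** Validates a client certificate with CRLDP fetching of an indirect CRL. */
public class IndirectCrlCheck {

    // Hypothetical helper: load one DER/PEM certificate from a file path.
    static X509Certificate loadCert(CertificateFactory cf, String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    public static PKIXCertPathValidatorResult validate(X509Certificate clientCert,
            X509Certificate rootCa, X509Certificate crlSigner) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");

        // Single trust anchor: the root that issued the client certificate.
        PKIXParameters params = new PKIXParameters(
                Collections.singleton(new TrustAnchor(rootCa, null)));

        // Make the CRL issuer's certificate discoverable by the path builder.
        // The builder only searches these stores; the truststore is not consulted.
        // Any intermediate CA certificates belong in this collection as well.
        CertStore store = CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(Arrays.asList(crlSigner)));
        params.addCertStore(store);

        // Revocation checking on, and allow the CRL to be pulled from the CRLDP.
        params.setRevocationEnabled(true);
        System.setProperty("com.sun.security.enableCRLDP", "true");

        CertPath path = cf.generateCertPath(Collections.singletonList(clientCert));
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        // Throws CertPathValidatorException if the certificate is revoked or the
        // indirect CRL cannot be verified, so the caller fails closed.
        return (PKIXCertPathValidatorResult) validator.validate(path, params);
    }

    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        PKIXCertPathValidatorResult r = validate(loadCert(cf, "client.pem"),
                loadCert(cf, "root-ca.pem"), loadCert(cf, "crl-signer.pem"));
        System.out.println("valid; anchor = "
                + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
    }
}
```

Set the `com.sun.security.enableCRLDP` property before the first validation runs, since the provider reads it once at start-up.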