Hi Xuelei,

Attached is the certpath debug output.

Here is some more info about my test setup.

    Dev Root CA issued Dev Sub CA
    Dev Sub CA issued client cert
    Dev Root CA issued Dev Crl Server cert
    Crl is issued by Dev Crl Server, URL is http://localhost/crl.crl

Dev Root CA, Dev Sub CA, and Dev Crl Server have all been added to the server's truststore.

I have specified the issuer distribution point in the CRL, onlyContainsUserCerts=true, onlyContainsCACerts=false, indirectCRL=true, onlyContainsAttributeCerts=false

The client cert specifies crlIssuer=Dev Crl Server.

Thanks,
Dave

On Mon, Jun 27, 2011 at 10:05 PM, xuelei....@oracle.com <xuelei....@oracle.com> wrote:
> Can you provide the code to reproduce the exception? Or is it possible to
> attach the CertPath building debugger log?
>
> Xuelei
>
> On Jun 28, 2011, at 11:59 AM, David Pomeroy <dfpome...@gmail.com> wrote:
>
> > Hello All,
> >
> > I am trying to get a servlet to download and check a CRL. The CRLDP is
> > in the client's certificate and the CRL is marked "indirect CRL" so that it
> > can be signed by a different key than the client cert issuer. The following
> > block of code is invoked but the DistributionPointFetcher can't seem to
> > build a valid path and a CRLException is thrown. My assumption was this
> > would work if I included the CRL signing certificate in my truststore. What
> > I find odd while stepping through this in a debugger is that the
> > "certStores" object contains only the client certificate which is to be
> > validated, so it makes sense that X509CertSelector doesn't find the right
> > cert in there.
> >
> > Has anyone got indirect CRLs validated before? I'd be interested in the
> > details of a test setup that works. I can provide more details of my test
> > setup if necessary.
> >
> > Thanks, David
> >
> >
> >         // Obtain and validate the certification path for the complete
> >         // CRL issuer (if indirect CRL). If a key usage extension is present
> >         // in the CRL issuer's certificate, verify that the cRLSign bit is set.
> >         if (indirectCRL) {
> >             X509CertSelector certSel = new X509CertSelector();
> >             certSel.setSubject(crlIssuer.asX500Principal());
> >             boolean[] crlSign = {false,false,false,false,false,false,true};
> >             certSel.setKeyUsage(crlSign);
> >             PKIXBuilderParameters params = null;
> >             try {
> >                 params = new PKIXBuilderParameters
> >                     (Collections.singleton(anchor), certSel);
> >             } catch (InvalidAlgorithmParameterException iape) {
> >                 throw new CRLException(iape);
> >             }
> >             params.setCertStores(certStores);
> >             params.setSigProvider(provider);
> >             try {
> >                 CertPathBuilder builder =
> >                     CertPathBuilder.getInstance("PKIX");
> >                 PKIXCertPathBuilderResult result =
> >                     (PKIXCertPathBuilderResult) builder.build(params);
> >                 prevKey = result.getPublicKey();
> >             } catch (Exception e) {
> >                 throw new CRLException(e);
> >             }
> >         }
>
certpath: PKIXCertPathValidator.engineValidate()...
certpath: PKIXCertPathValidator.engineValidate() reversing certpath...
certpath: PKIXCertPathValidator.engineValidate() anchor.getTrustedCert() != null
certpath: PKIXCertPathValidator.isWorthTrying() checking if this trusted cert is worth trying ...
certpath: NO - don't try this trustedCert
certpath: PKIXCertPathValidator.engineValidate() anchor.getTrustedCert() != null
certpath: PKIXCertPathValidator.isWorthTrying() checking if this trusted cert is worth trying ...
certpath: NO - don't try this trustedCert
certpath: PKIXCertPathValidator.engineValidate() anchor.getTrustedCert() != null
certpath: PKIXCertPathValidator.isWorthTrying() checking if this trusted cert is worth trying ...
certpath: YES - try this trustedCert
certpath: anchor.getTrustedCert().getSubjectX500Principal() = CN=Dev Sub CA
certpath: --------------------------------------------------------------
certpath: Executing PKIX certification path validation algorithm.
certpath: Checking cert1 ...
certpath: Set of critical extensions:
certpath: 2.5.29.15
certpath: 2.5.29.37
certpath: 2.5.29.19
certpath: -Using checker1 ... [sun.security.provider.certpath.AlgorithmChecker]
certpath: -checker1 validation succeeded
certpath: -Using checker2 ... [sun.security.provider.certpath.KeyChecker]
certpath: -checker2 validation succeeded
certpath: -Using checker3 ... [sun.security.provider.certpath.ConstraintsChecker]
certpath: ---checking basic constraints...
certpath: i = 1
certpath: maxPathLength = 1
certpath: after processing, maxPathLength = 1
certpath: basic constraints verified.
certpath: ---checking name constraints...
certpath: prevNC = null
certpath: newNC = null
certpath: mergedNC = null
certpath: name constraints verified.
certpath: -checker3 validation succeeded
certpath: -Using checker4 ... [sun.security.provider.certpath.PolicyChecker]
certpath: PolicyChecker.checkPolicy() ---checking certificate policies...
certpath: PolicyChecker.checkPolicy() certIndex = 1
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: explicitPolicy = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyMapping = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: inhibitAnyPolicy = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyTree = anyPolicy ROOT
certpath: PolicyChecker.processPolicies() no policies present in cert
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: explicitPolicy = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyMapping = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: inhibitAnyPolicy = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyTree = null
certpath: PolicyChecker.checkPolicy() certificate policies verified
certpath: -checker4 validation succeeded
certpath: -Using checker5 ... [sun.security.provider.certpath.BasicChecker]
certpath: ---checking timestamp:Tue Jun 28 09:14:19 PDT 2011...
certpath: timestamp verified.
certpath: ---checking subject/issuer name chaining...
certpath: subject/issuer name chaining verified.
certpath: ---checking signature...
certpath: signature verified.
certpath: BasicChecker.updateState issuer: CN=Dev Sub CA; subject: CN=234159080345657; serial#: 1250
certpath: -checker5 validation succeeded
certpath: -Using checker6 ... [sun.security.provider.certpath.CrlRevocationChecker]
certpath: CrlRevocationChecker.verifyRevocationStatus() ---checking revocation status...
certpath: DistributionPointFetcher.getCRLs: Checking CRLDPs for CN=234159080345657
certpath: Trying to fetch CRL from DP http://localhost/crl.crl
certpath: CertStore URI:http://localhost/crl.crl
certpath: Downloading new CRL...
certpath: idpName: URIName: http://localhost/crl.crl
certpath: pointName: URIName: http://localhost/crl.crl
certpath: SunCertPathBuilder.engineBuild([
  [
  Trust Anchors: [[
  Trusted CA cert: [
[
  Version: V3
  Subject: CN=Dev Sub CA
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  modulus: 31696243932874256364335990637094427770482150137369453879629054046277594694178299662030613175940051336592870418113037419713357290194638536691606561721465520703526043819995453182453582996601875791731978172486235451952100860390268691062261564472533003331397217240833053175303404082306509973352439625645600600400408333148563265268164313890699450748266186324338577359913955542853478283626859231040995581139161097669581270909389409188385131437359048571882558660942248026022064839125345179031998211043815799677884832277271147572182551216847408958538553541983556420628304268943945349378863098906567967665152779703018233229929
  public exponent: 65537
  Validity: [From: Sat Jun 25 14:32:02 PDT 2011,
               To: Sat Aug 24 14:32:02 PDT 2030]
  Issuer: CN=Dev Root CA
  SerialNumber: [    01f4]

Certificate Extensions: 2
[1]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

[2]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 18 8C C1 CA 2D F8 C4 3B   AC F2 F4 29 87 70 E9 BE  ....-..;...).p..
0010: BF 55 69 BC 50 17 37 7A   94 10 05 64 D9 58 5E 8F  .Ui.P.7z...d.X^.
0020: 56 9C 38 F6 C8 E6 F9 08   DF 86 B0 E7 1A 4D 0A 8E  V.8..........M..
0030: 85 E6 BE F4 D4 90 CF B5   AD D4 49 77 DC FE 51 7C  ..........Iw..Q.
0040: A8 07 AB 07 30 52 1A 91   4C 9F 65 67 BF 74 73 C1  ....0R..L.eg.ts.
0050: 8A E6 E7 64 19 40 1B 01   66 A1 F0 9D 15 FE F4 E5  ...d.@..f.......
0060: C3 79 50 53 FF 6D BD A3   06 46 5B 87 79 E5 DE BB  .yPS.m...F[.y...
0070: 94 2B 1E 8B 4C DF A3 EA   CD C0 D4 F9 41 3B CA BE  .+..L.......A;..
0080: 18 AC 8F 50 03 94 9A EF   A1 6E 05 75 C4 E3 EC E8  ...P.....n.u....
0090: 85 79 CE 6C 31 70 27 93   9E 51 16 67 A1 81 1B C7  .y.l1p'..Q.g....
00A0: 3F DC FD E5 01 21 9C 21   44 71 7B A9 57 F8 57 79  ?....!.!Dq..W.Wy
00B0: 45 6F 37 5F F8 A4 DE CA   0A 06 7C C3 8B 94 22 67  Eo7_.........."g
00C0: 9A 93 8B D2 51 E6 3F 1F   09 24 A8 23 70 04 95 F7  ....Q.?..$.#p...
00D0: 48 42 F6 D2 D2 54 43 E9   0F C9 04 85 5E EA 46 31  HB...TC.....^.F1
00E0: 8A CF E8 F3 9C 76 D2 DE   9B ED F7 1C 15 C1 02 05  .....v..........
00F0: D7 ED 18 6B 74 CC 80 9D   2F 3D BF EC 24 20 00 E6  ...kt.../=..$ ..

]
]
  Initial Policy OIDs: any
  Validity Date: null
  Signature Provider: null
  Default Revocation Enabled: true
  Explicit Policy Required: false
  Policy Mapping Inhibited: false
  Any Policy Inhibited: false
  Policy Qualifiers Rejected: true
  Target Cert Constraints: X509CertSelector: [
  Subject: CN=Dev CRL Server
  matchAllSubjectAltNames flag: true
  Key Usage: KeyUsage [
  Crl_Sign
]
]
  Certification Path Checkers: [[]]
  CertStores: [[java.security.cert.CertStore@e4b3b8]]
]
  Maximum Path Length: 5
]
)
certpath: SunCertPathBuilder.buildForward()...
certpath: SunCertPathBuilder.depthFirstSearchForward(CN=Dev CRL Server, State [
  issuerDN of last cert: null
  traversedCACerts: 0
  init: true
  keyParamsNeeded: false
  subjectNamesTraversed: []]
)
certpath: ForwardBuilder.getMatchingCerts()...
certpath: ForwardBuilder.getMatchingEECerts()...
certpath: X509CertSelector.match(SN: 4e2 Issuer: CN=Dev Sub CA Subject: CN=234159080345657)
certpath: X509CertSelector.match: subject DNs don't match
certpath: ForwardBuilder.getMatchingCACerts()...
certpath: ForwardBuilder.getMatchingCACerts(): ca is target
certpath: X509CertSelector.match(SN: 1f4 Issuer: CN=Dev Root CA Subject: CN=Dev Sub CA)
certpath: X509CertSelector.match: subject DNs don't match
certpath: X509CertSelector.match(SN: 4e2 Issuer: CN=Dev Sub CA Subject: CN=234159080345657)
certpath: X509CertSelector.match: subject DNs don't match
certpath: ForwardBuilder.getMatchingCACerts: found 0 CA certs
certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=0
certpath: SunCertPathBuilder.engineBuild: 2nd pass
certpath: SunCertPathBuilder.buildForward()...
certpath: SunCertPathBuilder.depthFirstSearchForward(CN=Dev CRL Server State [
  issuerDN of last cert: null
  traversedCACerts: 0
  init: true
  keyParamsNeeded: false
  subjectNamesTraversed: []]
)
certpath: ForwardBuilder.getMatchingCerts()...
certpath: ForwardBuilder.getMatchingEECerts()...
certpath: X509CertSelector.match(SN: 4e2 Issuer: CN=Dev Sub CA Subject: CN=234159080345657)
certpath: X509CertSelector.match: subject DNs don't match
certpath: ForwardBuilder.getMatchingCACerts()...
certpath: ForwardBuilder.getMatchingCACerts(): ca is target
certpath: X509CertSelector.match(SN: 1f4 Issuer: CN=Dev Root CA Subject: CN=Dev Sub CA)
certpath: X509CertSelector.match: subject DNs don't match
certpath: X509CertSelector.match(SN: 4e2 Issuer: CN=Dev Sub CA Subject: CN=234159080345657)
certpath: X509CertSelector.match: subject DNs don't match
certpath: ForwardBuilder.getMatchingCACerts: found 0 CA certs
certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=0
certpath: Exception verifying CRL: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
java.security.cert.CRLException: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.DistributionPointFetcher.verifyCRL(DistributionPointFetcher.java:540)
        at sun.security.provider.certpath.DistributionPointFetcher.getCRLs(DistributionPointFetcher.java:195)
        at sun.security.provider.certpath.DistributionPointFetcher.getCRLs(DistributionPointFetcher.java:121)
        at sun.security.provider.certpath.CrlRevocationChecker.verifyRevocationStatus(CrlRevocationChecker.java:309)
        at sun.security.provider.certpath.CrlRevocationChecker.verifyRevocationStatus(CrlRevocationChecker.java:248)
        at sun.security.provider.certpath.CrlRevocationChecker.check(CrlRevocationChecker.java:189)
        at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:131)
        at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:325)
        at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:187)
        at java.security.cert.CertPathValidator.validate(CertPathValidator.java:267)
        at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:283)
        at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:271)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:191)
        at sun.security.validator.Validator.validate(Validator.java:235)
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:147)
        at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:188)
        at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:258)
        at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1414)
        at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:179)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:610)
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:550)
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:548)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:969)
        ************
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
        at java.lang.Thread.run(Thread.java:636)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:197)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:255)
        at sun.security.provider.certpath.DistributionPointFetcher.verifyCRL(DistributionPointFetcher.java:536)
        ... 43 more
certpath: Returning 0 CRLs
certpath: CrlRevocationChecker.verifyRevocationStatus() crls.size() = 0
certpath: CrlRevocationChecker.verifyRevocationStatus() approved crls.size() = 0
certpath: CrlRevocationChecker.verifyWithSeparateSigningKey() ---checking revocation status...
certpath: CrlRevocationChecker.buildToNewKey() starting work
certpath: CrlRevocationChecker.buildToNewKey() about to try build ...
certpath: SunCertPathBuilder.engineBuild([
  [
  Trust Anchors: [[
  Trusted CA cert: [
[
  Version: V3
  Subject: CN=Dev Sub CA
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  modulus: 31696243932874256364335990637094427770482150137369453879629054046277594694178299662030613175940051336592870418113037419713357290194638536691606561721465520703526043819995453182453582996601875791731978172486235451952100860390268691062261564472533003331397217240833053175303404082306509973352439625645600600400408333148563265268164313890699450748266186324338577359913955542853478283626859231040995581139161097669581270909389409188385131437359048571882558660942248026022064839125345179031998211043815799677884832277271147572182551216847408958538553541983556420628304268943945349378863098906567967665152779703018233229929
  public exponent: 65537
  Validity: [From: Sat Jun 25 14:32:02 PDT 2011,
               To: Sat Aug 24 14:32:02 PDT 2030]
  Issuer: CN=Dev Root CA
  SerialNumber: [    01f4]

Certificate Extensions: 2
[1]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

[2]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 18 8C C1 CA 2D F8 C4 3B   AC F2 F4 29 87 70 E9 BE  ....-..;...).p..
0010: BF 55 69 BC 50 17 37 7A   94 10 05 64 D9 58 5E 8F  .Ui.P.7z...d.X^.
0020: 56 9C 38 F6 C8 E6 F9 08   DF 86 B0 E7 1A 4D 0A 8E  V.8..........M..
0030: 85 E6 BE F4 D4 90 CF B5   AD D4 49 77 DC FE 51 7C  ..........Iw..Q.
0040: A8 07 AB 07 30 52 1A 91   4C 9F 65 67 BF 74 73 C1  ....0R..L.eg.ts.
0050: 8A E6 E7 64 19 40 1B 01   66 A1 F0 9D 15 FE F4 E5  ...d.@..f.......
0060: C3 79 50 53 FF 6D BD A3   06 46 5B 87 79 E5 DE BB  .yPS.m...F[.y...
0070: 94 2B 1E 8B 4C DF A3 EA   CD C0 D4 F9 41 3B CA BE  .+..L.......A;..
0080: 18 AC 8F 50 03 94 9A EF   A1 6E 05 75 C4 E3 EC E8  ...P.....n.u....
0090: 85 79 CE 6C 31 70 27 93   9E 51 16 67 A1 81 1B C7  .y.l1p'..Q.g....
00A0: 3F DC FD E5 01 21 9C 21   44 71 7B A9 57 F8 57 79  ?....!.!Dq..W.Wy
00B0: 45 6F 37 5F F8 A4 DE CA   0A 06 7C C3 8B 94 22 67  Eo7_.........."g
00C0: 9A 93 8B D2 51 E6 3F 1F   09 24 A8 23 70 04 95 F7  ....Q.?..$.#p...
00D0: 48 42 F6 D2 D2 54 43 E9   0F C9 04 85 5E EA 46 31  HB...TC.....^.F1
00E0: 8A CF E8 F3 9C 76 D2 DE   9B ED F7 1C 15 C1 02 05  .....v..........
00F0: D7 ED 18 6B 74 CC 80 9D   2F 3D BF EC 24 20 00 E6  ...kt.../=..$ ..

]
]
  Initial Policy OIDs: any
  Validity Date: null
  Signature Provider: null
  Default Revocation Enabled: false
  Explicit Policy Required: false
  Policy Mapping Inhibited: false
  Any Policy Inhibited: false
  Policy Qualifiers Rejected: true
  Target Cert Constraints: RejectCertSelector: [
X509CertSelector: [
  Subject: CN=Dev Sub CA
  matchAllSubjectAltNames flag: true
  Key Usage: KeyUsage [
  Crl_Sign
]
][Sun RSA public key, 2048 bits
  modulus: 31696243932874256364335990637094427770482150137369453879629054046277594694178299662030613175940051336592870418113037419713357290194638536691606561721465520703526043819995453182453582996601875791731978172486235451952100860390268691062261564472533003331397217240833053175303404082306509973352439625645600600400408333148563265268164313890699450748266186324338577359913955542853478283626859231040995581139161097669581270909389409188385131437359048571882558660942248026022064839125345179031998211043815799677884832277271147572182551216847408958538553541983556420628304268943945349378863098906567967665152779703018233229929
  public exponent: 65537]]
  Certification Path Checkers: [[]]
  CertStores: [[]]
]
  Maximum Path Length: 5
]
)
certpath: SunCertPathBuilder.buildForward()...
certpath: SunCertPathBuilder.depthFirstSearchForward(CN=Dev Sub CA State [
  issuerDN of last cert: null
  traversedCACerts: 0
  init: true
  keyParamsNeeded: false
  subjectNamesTraversed: []]
)
certpath: ForwardBuilder.getMatchingCerts()...
certpath: ForwardBuilder.getMatchingEECerts()...
certpath: ForwardBuilder.getMatchingCACerts()...
certpath: ForwardBuilder.getMatchingCACerts(): ca is target
certpath: X509CertSelector.match(SN: 1f4 Issuer: CN=Dev Root CA Subject: CN=Dev Sub CA)
certpath: X509CertSelector.match returning: true
certpath: RejectCertSelector.match: bad key
certpath: ForwardBuilder.getMatchingCACerts: found 0 CA certs
certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=0
certpath: SunCertPathBuilder.engineBuild: 2nd pass
certpath: SunCertPathBuilder.buildForward()...
certpath: SunCertPathBuilder.depthFirstSearchForward(CN=Dev Sub CA State [
  issuerDN of last cert: null
  traversedCACerts: 0
  init: true
  keyParamsNeeded: false
  subjectNamesTraversed: []]
)
certpath: ForwardBuilder.getMatchingCerts()...
certpath: ForwardBuilder.getMatchingEECerts()...
certpath: ForwardBuilder.getMatchingCACerts()...
certpath: ForwardBuilder.getMatchingCACerts(): ca is target
certpath: X509CertSelector.match(SN: 1f4 Issuer: CN=Dev Root CA Subject: CN=Dev Sub CA)
certpath: X509CertSelector.match returning: true
certpath: RejectCertSelector.match: bad key
certpath: ForwardBuilder.getMatchingCACerts: found 0 CA certs
certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=0
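The following is an added example, not Dave's servlet code and not JDK source: a validation set-up that hands the CRL signer certificate (and the indirect CRL) to the PKIX validator through a CollectionCertStore, because `params.setCertStores(certStores)` in the quoted DistributionPointFetcher code is where the builder looks for the CRL issuer, and the log above shows those stores holding only the presented chain. Since that code also builds from `Collections.singleton(anchor)`, the CRL issuer certificate must chain to the same trust anchor that anchored the client certificate (CN=Dev Sub CA in the log). The class name, method names and command-line file arguments are placeholders; following the CRLDP URI still depends on the com.sun.security.enableCRLDP property.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Arrays;
import java.util.Collections;

public class IndirectCrlValidation {
    // KeyUsage bit index for cRLSign; the quoted fetcher code sets the same index to true.
    static final int CRL_SIGN_BIT = 6;

    /** Offline pre-checks on the (CRL, CRL issuer cert) pair before PKIX sees them. */
    static void checkCrlIssuer(X509CRL crl, X509Certificate crlIssuer) throws Exception {
        boolean[] ku = crlIssuer.getKeyUsage();
        if (ku == null || ku.length <= CRL_SIGN_BIT || !ku[CRL_SIGN_BIT]) {
            throw new CertificateException("CRL issuer " + crlIssuer.getSubjectX500Principal()
                    + " does not assert the cRLSign key usage");
        }
        if (!crl.getIssuerX500Principal().equals(crlIssuer.getSubjectX500Principal())) {
            throw new CRLException("CRL issuer name " + crl.getIssuerX500Principal()
                    + " does not match " + crlIssuer.getSubjectX500Principal());
        }
        crl.verify(crlIssuer.getPublicKey()); // SignatureException if this key did not sign the CRL
    }

    /**
     * Validates clientCert against the truststore with CRL revocation checking on.
     * The CRL signer cert and the indirect CRL go in a CollectionCertStore, which is
     * where the builder in the quoted DistributionPointFetcher code searches.
     */
    static PKIXCertPathValidatorResult validate(KeyStore truststore, X509Certificate clientCert,
            X509Certificate crlIssuer, X509CRL crl) throws Exception {
        checkCrlIssuer(crl, crlIssuer);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        PKIXParameters params = new PKIXParameters(truststore); // each trusted cert becomes an anchor
        params.setRevocationEnabled(true);
        CertStore extra = CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(Arrays.asList(crlIssuer, crl)));
        params.addCertStore(extra);
        CertPath path = cf.generateCertPath(Collections.singletonList(clientCert));
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        return (PKIXCertPathValidatorResult) validator.validate(path, params); // throws on failure
    }

    public static void main(String[] args) throws Exception {
        // Placeholder arguments: truststore path, its password, client cert, CRL issuer cert, CRL file.
        System.setProperty("com.sun.security.enableCRLDP", "true"); // lets the JDK follow CRLDP URIs
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) { ts.load(in, args[1].toCharArray()); }
        X509Certificate client, signer;
        X509CRL crl;
        try (InputStream in = new FileInputStream(args[2])) { client = (X509Certificate) cf.generateCertificate(in); }
        try (InputStream in = new FileInputStream(args[3])) { signer = (X509Certificate) cf.generateCertificate(in); }
        try (InputStream in = new FileInputStream(args[4])) { crl = (X509CRL) cf.generateCRL(in); }
        PKIXCertPathValidatorResult r = validate(ts, client, signer, crl);
        System.out.println("path valid, anchored at " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
    }
}
```

Run it with `-Djava.security.debug=certpath` to get the same kind of trace as the attachment and confirm that the builder now finds the CRL issuer in the added CertStore.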