Thanks for the feedback, I will look into the log if I can get some time tomorrow.
Thanks,
Xuelei

On 6/29/2011 12:57 AM, David Pomeroy wrote:
> Hi Xuelei,
>
> Attached is the certpath debug output.
>
> Here is some more info about my test setup.
>
> Dev Root CA issued Dev Sub CA
> Dev Sub CA issued client cert
> Dev Root CA issued Dev Crl Server cert
> Crl is issued by Dev Crl Server, URL is http://localhost/crl.crl
> Dev Root CA, Dev Sub CA, and Dev Crl Server have all been added to the
> server's truststore.
>
> I have specified the issuer distribution point in the CRL,
> onlyContainsUserCerts=true, onlyContainsCACerts=false, indirectCRL=true,
> onlyContainsAttributeCerts=false
>
> The client cert specifies crlIssuer=Dev Crl Server.
>
> Thanks,
> Dave
>
>
> On Mon, Jun 27, 2011 at 10:05 PM, xuelei....@oracle.com
> <xuelei....@oracle.com <mailto:xuelei....@oracle.com>> wrote:
>
> > Can you provide the code to reproduce the exception? Or is it
> > possible to attach the CertPath building debugger log?
> >
> > Xuelei
> >
> > On Jun 28, 2011, at 11:59 AM, David Pomeroy <dfpome...@gmail.com
> > <mailto:dfpome...@gmail.com>> wrote:
> >
> > > Hello All,
> > >
> > > I am trying to get a servlet to download and check a CRL. The
> > > CRLDP is in the client's certificate and the CRL is marked "indirect
> > > CRL" so that it can be signed by a different key than the client
> > > cert issuer. The following block of code is invoked but the
> > > DistributionPointFetcher can't seem to build a valid path and a
> > > CRLException is thrown. My assumption was this would work if I
> > > included the CRL signing certificate in my truststore. What I find
> > > odd while stepping through this in a debugger is that the
> > > "certStores" object contains only the client certificate which is to
> > > be validated, so it makes sense that X509CertSelector doesn't find
> > > the right cert in there.
> > >
> > > Has anyone got indirect CRLs validated before? I'd be interested
> > > in the details of a test setup that works. I can provide more
> > > details of my test setup if necessary.
> > >
> > > Thanks, David
> > >
> > > // Obtain and validate the certification path for the complete
> > > // CRL issuer (if indirect CRL). If a key usage extension is present
> > > // in the CRL issuer's certificate, verify that the cRLSign bit is set.
> > > if (indirectCRL) {
> > >     X509CertSelector certSel = new X509CertSelector();
> > >     certSel.setSubject(crlIssuer.asX500Principal());
> > >     // KeyUsage bit 6 is cRLSign
> > >     boolean[] crlSign = {false,false,false,false,false,false,true};
> > >     certSel.setKeyUsage(crlSign);
> > >     PKIXBuilderParameters params = null;
> > >     try {
> > >         params = new PKIXBuilderParameters
> > >             (Collections.singleton(anchor), certSel);
> > >     } catch (InvalidAlgorithmParameterException iape) {
> > >         throw new CRLException(iape);
> > >     }
> > >     params.setCertStores(certStores);
> > >     params.setSigProvider(provider);
> > >     try {
> > >         CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
> > >         PKIXCertPathBuilderResult result =
> > >             (PKIXCertPathBuilderResult) builder.build(params);
> > >         prevKey = result.getPublicKey();
> > >     } catch (Exception e) {
> > >         throw new CRLException(e);
> > >     }
> > > }
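The thread above does not record how the setup was resolved. As an added example, not code from the thread and not the JDK's own DistributionPointFetcher, the following standalone Java program shows one way to validate a client certificate with PKIX revocation checking when the CRL is indirect: the CRL issuer certificate and the CRL are handed to the validator through a CollectionCertStore (the place the PKIX builder searches for non-anchor certificates), the CRL signature is verified against the CRL issuer's key, and the cRLSign key-usage bit that the quoted snippet selects on (KeyUsage bit 6) is checked explicitly. The file names mirror the test setup described in the thread but are placeholders; `com.sun.security.enableCRLDP` is the JDK system property that enables fetching CRLs from a certificate's distribution point and is assumed to be set before the first validation.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.*;
import java.util.Arrays;
import java.util.Collections;

public class IndirectCrlCheck {
    // Placeholder file names modelled on the thread's test setup; substitute your own.
    static final String ROOT_CA    = "dev-root-ca.pem";
    static final String SUB_CA     = "dev-sub-ca.pem";
    static final String CRL_ISSUER = "dev-crl-server.pem";
    static final String CLIENT     = "client.pem";
    static final String CRL_FILE   = "crl.crl";

    static X509Certificate loadCert(CertificateFactory cf, String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    static X509CRL loadCrl(CertificateFactory cf, String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509CRL) cf.generateCRL(in);
        }
    }

    // KeyUsage bit 6 is cRLSign (RFC 5280, section 4.2.1.3), the same bit the
    // DistributionPointFetcher snippet quoted above selects on. A certificate with no
    // KeyUsage extension at all is permitted to sign CRLs, so null is accepted.
    static boolean canSignCrls(X509Certificate c) {
        boolean[] ku = c.getKeyUsage();
        return ku == null || (ku.length > 6 && ku[6]);
    }

    public static void main(String[] args) throws Exception {
        // Must be set before the PKIX validator is first used.
        System.setProperty("com.sun.security.enableCRLDP", "true");

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate root      = loadCert(cf, ROOT_CA);
        X509Certificate sub       = loadCert(cf, SUB_CA);
        X509Certificate crlIssuer = loadCert(cf, CRL_ISSUER);
        X509Certificate client    = loadCert(cf, CLIENT);
        X509CRL crl               = loadCrl(cf, CRL_FILE);

        // Sanity checks on the indirect CRL before handing everything to PKIX.
        if (!canSignCrls(crlIssuer)) {
            throw new CertificateException("CRL issuer certificate lacks the cRLSign key usage");
        }
        crl.verify(crlIssuer.getPublicKey()); // throws if the CRL was not signed by this key

        // Only the root is a trust anchor. The sub CA, the CRL issuer and the CRL itself
        // go into a CertStore so the builder can construct a path to the CRL issuer.
        PKIXParameters params =
            new PKIXParameters(Collections.singleton(new TrustAnchor(root, null)));
        params.setRevocationEnabled(true);
        params.addCertStore(CertStore.getInstance("Collection",
            new CollectionCertStoreParameters(Arrays.asList(sub, crlIssuer, crl))));

        CertPath path = cf.generateCertPath(Arrays.asList(client, sub));
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        try {
            PKIXCertPathValidatorResult result =
                (PKIXCertPathValidatorResult) validator.validate(path, params);
            System.out.println("valid; anchored at "
                + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // Revocation failures (revoked certificate, undetermined status, bad CRL
            // path) surface here; log the message rather than silently accepting.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Running it with `-Djava.security.debug=certpath` prints the same kind of CertPath building trace that the thread refers to, which is the quickest way to see whether the builder is finding the CRL issuer certificate in the CertStore or is left with only the client certificate.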