Milan Tomic wrote:
Sean,

    Thank you very much. It works fine now. :)

    However, I'm attaching two certificates. ValidateCertPath.java
prints trusted anchor in this case. I don't know why.

    I've tried to use Cert Path API for downloading CRLs and it seems it
only supports LDAP, but not HTTP protocol. Is it true? Do you maybe have
one code example? Do I have to manually parse the CRL distribution points
field from the certificate, or does the Cert Path API do it itself?

We provide limited support for CRL distribution points and downloading CRLs via HTTP as of J2SE 1.4.2. You need to set the system property com.sun.security.enableCRLDP to true. See the end of http://java.sun.com/j2se/1.4.2/docs/guide/security/certpath/CertPathProgGuide.html#AppB for more information.


What is validated during chain validation? I couldn't find a list. Possible options are: cert time validity, cert chain signature, CRL...

The Sun CertPathValidator implementation is compliant with PKIX, RFC 3280, so all of the above are checked and more. See section 6 of http://www.ietf.org/rfc/rfc3280.txt

Is every cert in the chain validated? How about trust anchor?

Trust anchors are not validated, per PKIX. All other certs in the chain are.

--Sean
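The setup Sean describes (enableCRLDP plus a PKIX validation where the trust anchor is supplied separately rather than as part of the path), as an added example that is not the original ValidateCertPath.java. It assumes a current JDK and DER or PEM certificate files given on the command line, leaf first and trust anchor last; the property name is the one quoted above.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.*;
import java.util.*;

public class ValidateWithCrlDp {
    // Validates the path leaf -> intermediates against the given anchor. With
    // com.sun.security.enableCRLDP=true the PKIX validator fetches CRLs from
    // each certificate's CRL Distribution Points extension (HTTP or LDAP).
    public static PKIXCertPathValidatorResult validate(X509Certificate anchor,
            List<X509Certificate> chain) throws Exception {
        // Must be set before the PKIX implementation is first used.
        System.setProperty("com.sun.security.enableCRLDP", "true");

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // The anchor is deliberately NOT in the path: PKIX does not validate
        // trust anchors, so it is passed through PKIXParameters instead.
        CertPath path = cf.generateCertPath(chain);

        PKIXParameters params = new PKIXParameters(
                Collections.singleton(new TrustAnchor(anchor, null)));
        params.setRevocationEnabled(true); // default, made explicit

        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        return (PKIXCertPathValidatorResult) cpv.validate(path, params);
    }

    static X509Certificate load(CertificateFactory cf, String file) throws Exception {
        try (InputStream in = new FileInputStream(file)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: ValidateWithCrlDp leaf.cer [intermediate.cer ...] anchor.cer");
            return;
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate anchor = load(cf, args[args.length - 1]);
        List<X509Certificate> chain = new ArrayList<>();
        for (int i = 0; i < args.length - 1; i++) chain.add(load(cf, args[i]));
        try {
            PKIXCertPathValidatorResult r = validate(anchor, chain);
            System.out.println("valid; anchor = "
                    + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // getIndex() is the position in the path of the failing cert (-1 if n/a).
            System.out.println("INVALID at index " + e.getIndex() + ": " + e.getMessage());
        }
    }
}
```

A failure caused by an unreachable CRL distribution point surfaces here as a CertPathValidatorException rather than a silent pass, which is the behaviour to expect when revocation checking is enabled.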


