Building and Validating a CertPath without a CRL

Building and Validating a CertPath without a CRL

Erik Tews
Hi

I would like to build a CertPath without having a CRL from the CA.

There is a little problem in PKIXCertPathValidatorSpi line 781:

boolean tmpTest;

A boolean is false in Java, unless assigned true.

The only line (872) where this could be set to true is never reached if
revocation is not enabled.

So, the test in line 999 is always true:

if (!tmpTest)
{
    throw new CertPathValidatorException("no valid CRL found", null,
            certPath, index);
}

And I always get such an exception.

Is it possible/legal to do a PathValidation without having an up-to-date
CRL?

What is the best/fastest way to run a modified bc-provider, which is not
signed by Sun?



Re: Building and Validating a CertPath without a CRL

David Hook-4

Call PKIXParameters.setRevocationEnabled(false) before trying to
validate the CertPath. In this case line 999 will never be tested.

If PKIXParameters.isRevocationEnabled() returns true then you must have
a valid CRL to validate the CertPath - this is what both the setting and
testing of the tmpTest value is about.

Regards,

David

PS. Sun don't sign the provider. We do.

On Sun, 2005-08-21 at 06:32 +0200, Erik Tews wrote:

> Hi
>
> I would like to build a CertPath without having a CRL from the CA.
>
> There is a little problem in PKIXCertPathValidatorSpi line 781:
>
> boolean tmpTest;
>
> A boolean is false in Java, unless assigned true.
>
> The only line (872) where this could be set to true is never reached if
> revocation is not enabled.
>
> So, the test in line 999 is always true:
>
> if (!tmpTest)
> {
>     throw new CertPathValidatorException("no valid CRL found", null,
> certPath, index );
> }
>
> And I always get such an exception.
>
> Is it possible/legal to do a PathValidation without having an up-to-date
> CRL?
>
> What is the best/fastest way to run a modified bc-provider, which is not
> signed by Sun?
>
>



Re: Building and Validating a CertPath without a CRL

Erik Tews
On Sunday, 21.08.2005 at 21:44 +1000, David Hook wrote:
> Call PKIXParameters.setRevocationEnabled(false) before trying to
> validate the CertPath. In this case line 999 will never be tested.
>
> If PKIXParameters.isRevocationEnabled() returns true then you must have
> a valid CRL to validate the CertPath - this is what both the setting and
> testing of the tmpTest value is about.

Thanks.

Is there a way to make CRL validation optional? I am looking for
something like:

If there is a valid CRL in the certstore, which revokes a cert in the
path, validation should fail, otherwise it should succeed, even if there
is no CRL in the certstore for the CA.

Or are there strong reasons not to do this?



Re: Building and Validating a CertPath without a CRL

David Hook-4

You'd need to set this up outside the path validator.

The PKIX profile doesn't allow for this. This may seem a bit annoying,
but if you think about it further it makes sense: the idea is that at
the end of the path validation process you should be able to make a
value judgement that is free of ambiguity about the status of the
CertPath and how it was validated. A CA which will revoke certificates
should make an empty list available if they haven't revoked any - this
isn't an area to be vague about - if there is a chance the cert may have
been revoked there should be a valid CRL; if there isn't one and the
cert might be revoked it means there is a problem.

Regards,

David.

On Sun, 2005-08-21 at 14:19 +0200, Erik Tews wrote:

> On Sunday, 21.08.2005 at 21:44 +1000, David Hook wrote:
> > Call PKIXParameters.setRevocationEnabled(false) before trying to
> > validate the CertPath. In this case line 999 will never be tested.
> >
> > If PKIXParameters.isRevocationEnabled() returns true then you must have
> > a valid CRL to validate the CertPath - this is what both the setting and
> > testing of the tmpTest value is about.
>
> Thanks.
>
> Is there a way to make CRL validation optional? I am looking for
> something like:
>
> If there is a valid CRL in the certstore, which revokes a cert in the
> path, validation should fail, otherwise it should succeed, even if there
> is no CRL in the certstore for the CA.
>
> Or are there strong reasons not to do this?
>
>
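
The arrangement discussed in this thread, done outside the path validator: PKIX validation with revocation disabled, followed by a separate pass over whatever CRLs the CertStore holds. This is an added example, not code from the thread or from Bouncy Castle; the names OptionalCrlValidator, validate and anchorKey are hypothetical, and it assumes X.509 certificates whose CRLs are signed directly by the certificate's issuer.

```java
import java.security.GeneralSecurityException;
import java.security.PublicKey;
import java.security.cert.*;
import java.util.Date;
import java.util.List;
import java.util.Set;

// Hypothetical helper (names are assumptions, not Bouncy Castle API).
public final class OptionalCrlValidator {

    // Runs PKIX validation with revocation off, then rejects the path only if a
    // current, correctly signed CRL in the store lists one of its certificates.
    public static PKIXCertPathValidatorResult validate(
            CertPath path, Set<TrustAnchor> anchors, CertStore store)
            throws GeneralSecurityException {
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false);   // otherwise a missing CRL fails the path
        params.addCertStore(store);
        PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult)
                CertPathValidator.getInstance("PKIX").validate(path, params);

        List<? extends Certificate> certs = path.getCertificates();
        Date now = new Date();
        for (int i = 0; i < certs.size(); i++) {
            X509Certificate cert = (X509Certificate) certs.get(i);
            // Issuer key: next certificate in the path, or the trust anchor at the end.
            PublicKey issuerKey = (i + 1 < certs.size())
                    ? certs.get(i + 1).getPublicKey()
                    : anchorKey(result.getTrustAnchor());
            X509CRLSelector sel = new X509CRLSelector();
            sel.addIssuer(cert.getIssuerX500Principal());
            for (CRL c : store.getCRLs(sel)) {
                X509CRL crl = (X509CRL) c;
                if (crl.getNextUpdate() != null && crl.getNextUpdate().before(now)) {
                    continue;                 // stale CRL: treated as absent
                }
                crl.verify(issuerKey);        // throws if not signed by the issuer
                if (crl.isRevoked(cert)) {
                    throw new CertPathValidatorException(
                            "certificate revoked by CRL", null, path, i);
                }
            }
        }
        return result;
    }

    private static PublicKey anchorKey(TrustAnchor anchor) {
        X509Certificate ca = anchor.getTrustedCert();
        return ca != null ? ca.getPublicKey() : anchor.getCAPublicKey();
    }
}
```

A returned result here means only that no CRL in the store revoked the path; callers that need the unambiguous status David describes should record whether any CRL was actually found for each issuer.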