CRL verification problem

I figured out that using BC provider, the byte array from TBSCertList is
different from SUN provider. Does anyone know why?



--
Sent from: http://bouncy-castle.1462172.n4.nabble.com/Bouncy-Castle-Dev-f1462173.html

I can't actually decoded the CRL data, it appears to be truncated.

Usually this would mean the signature on the CRL is invalid - given that
it passes with 1.46 it's probably because the signature has not been
created on properly encoded DER data.

Regards,

David

On 4/12/19 5:27 am, Luiz Henrique wrote:

Sorry about that, it is really truncated. Here is the correct base64 for CRL:

MIISODCCECACAQEwDQYJKoZIhvcNAQENBQAwVDELMAkGA1UEBhMCQlIxEzARBgNVBAoTCklDUC1CcmFzaWwxFzAVBgNVBAsTDkFDIFByb2RlbWdlIEJSMRcwFQYDVQQDEw5BQyBQcm9kZW1nZSBNRxcNMTkxMjAzMTAyODA5WhcNMTkxMjAzMTYyODA5WjCCDuAwEgIBARcNMTgxMDA0MTM1MzM4WjASAgENFw0xODEwMTgxODI0MzJaMBICARUXDTE4MTAyNDE4NDcyNFowEgIBSRcNMTgxMTA3MTMyNTMxWjATAgIAshcNMTgxMTIxMTEwNTE1WjATAgIAxRcNMTgxMTIxMTIyNDA1WjATAgIA1hcNMTgxMTIyMTcyNzEwWjATAgIAphcNMTgxMTI3MTg1NTUxWjATAgIBJRcNMTgxMjAzMTIyNjU3WjATAgIBMhcNMTgxMjA0MjIwOTMyWjATAgIBmBcNMTgxMjE3MTU1OTE1WjATAgIBlxcNMTgxMjE3MTg0NjQ2WjATAgIBnhcNMTgxMjE4MTIwNzIzWjATAgIBkxcNMTgxMjE4MTUzODE0WjATAgIBnxcNMTgxMjE4MTU0OTMyWjATAgIBohcNMTgxMjE4MTY0MzM1WjATAgIBuhcNMTgxMjIwMTg0ODM1WjATAgIBuRcNMTgxMjIwMTg1NDA3WjATAgIByhcNMTgxMjI3MTEyNzAxWjATAgIBqRcNMTkwMTAyMTczNjA1WjATAgIB4xcNMTkwMTAzMTIzOTUxWjATAgIB6BcNMTkwMTAzMTcyMzE5WjATAgICLRcNMTkwMTE4MTcwNzEwWjATAgICMRcNMTkwMTIxMTA1OTA1WjATAgICORcNMTkwMTIxMTMyMjQxWjATAgICUBcNMTkwMTIyMTYzMjQyWjATAgICkBcNMTkwMTMwMTMwODE2WjATAgIClBcNMTkwMTMwMTMxMDQ4WjATAgICohcNMTkwMTMwMjE1MzAwWjATAgICoxcNMTkwMTMwMjIzNTIwWjATAgICpRcNMTkwMTMxMTEyMDA4WjATAgICvRcNMTkwMjAxMTEzMTMyWjATAgIC1xcNMTkwMjAxMjExMDA2WjATAgIC2BcNMTkwMjAxMjIyODMwWjATAgIC2RcNMTkwMjA0MTA0MTI3WjATAgIC7hcNMTkwMjA0MTQ1OTU5WjATAgIDMBcNMTkwMjA3MDk1MjI5WjATAgIDFxcNMTkwMjA3MTIzMzU1WjATAgIDNxcNMTkwMjA3MTY1NzU4WjATAgIDPxcNMTkwMjA4MTAyNDAzWjATAgIDVhcNMTkwMjA4MTcwOTAyWjATAgIDZBcNMTkwMjExMTExMjU4WjATAgIDaBcNMTkwMjExMTIxNjM4WjATAgIDchcNMTkwMjExMTcwMjE2WjATAgIBsRcNMTkwMjExMTczNjM5WjATAgIDdxcNMTkwMjEyMTAyODM3WjATAgICuhcNMTkwMjEyMTc0MTA5WjATAgIDkxcNMTkwMjEzMTAyMjEzWjATAgICrRcNMTkwMjEzMTIxMTE3WjATAgIDvRcNMTkwMjEzMjA0MTQ5WjATAgIDuxcNMTkwMjEzMjA0MjU5WjATAgIDvxcNMTkwMjE0MTA0MzI5WjATAgIDwBcNMTkwMjE0MTA0OTI4WjATAgIBOhcNMTkwMjE0MTMwNzQxWjASAgEvFw0xOTAyMTQxMzA5MDNaMBMCAgPFFw0xOTAyMTUxMzQ3MjhaMBMCAgO+Fw0xOTAyMTUxNDA1NDBaMBMCAgO8Fw0xOTAyMTUxNDI3MjVaMBMCAgQMFw0xOTAyMTkxMTMyNDlaMBMCAgQ9Fw0xOTAyMjAxMTMzNTlaMBMCAgPEFw0xOTAyMjAxNTQzMDlaMBMCAgK5Fw0xOTAyMjAxNjIzMDJaMBMCAgS+Fw0xOTAyMjUxMjE2MzNaMBMCAgS/Fw0xOTAyMjUxMjI4MjZaMBMCAgTAFw0xOTAyMjUxMzA1MTVaMBMCAgS5Fw0xOTAyMjUxNzU0MzVaMBMCAgTYFw0xOTAyMjYxMTEwMDFaMBMCAgMhFw0xOTAyMjYxODQ1MjZaMBMCAgUHFw0xOTAyMjYyMTEwMzdaMBMCAgUIFw0xOTAyMjcxMTQ0NTVaMBMCAgVGFw0xOTAyMjgxMTIyNTdaMBMCAgT7Fw0xOTAyMjgxMTUzMzVaMBMCAgVFFw0xOTAyMjgxMjQ5MDRaMBMCAgU+Fw0xOTAyMjgxMjUwMjNaMBMCAgTuFw0xOTAyMjgxNDQ4MDZaMBICAQsXDTE5MDIyODE4MzAxM1owEwICBZ8XDTE5MDMwNzEzMjYwNVowEwICBaQXDTE5MDMwNzEzNDcyM1owEwICBckXDTE5MDMwODEyMzIxM1owEwICBekXDTE5MDMwODE5NTMxNFowEwICBhUXDTE5MDMxMjE0MDMyMVowEwICBgYXDTE5MDMxMjE4MzAwMlowEwICBioXDTE5MDMxNDE1NTkwMFowEwICBmoXDTE5MDMxNTEyMDIyMFowEwICBpMXDTE5MDMxODE2NDkwOVowEwICBpoXDTE5MDMxODE3NTgyOVowEwICBqcXDTE5MDMxOTEzMjUxMVowEwICBuYXDTE5MDMyOTE2NTQyM1owEwICBx8XDTE5MDQwMjIyMDgxNlowEwICByEXDTE5MDQwMjIyMjE0N1owEwICByIXDTE5MDQwMjIyMjI1MFowEwICByMXDTE5MDQwMjIyMjUwN1owEwICBxwXDTE5MDQwMzEzMzMxMFowEgIBEBcNMTkwNDAzMTUwNzQ2WjATAgIHChcNMTkwNDAzMTcwODMxWjATAgIF6hcNMTkwNDA4MTYxOTQ2WjATAgIHKhcNMTkwNDA5MTMyOTE2WjATAgIGBRcNMTkwNDA5MTM1MzA1WjATAgIFfBcNMTkwNDA5MTM1NDMzWjATAgIBRRcNMTkwNDA5MTM1NjI1WjATAgID0xcNMTkwNDExMTczNDQ3WjATAgID2RcNMTkwNDExMTk0MjMzWjATAgIHRhcNMTkwNDExMjE1ODU3WjATAgIHRxcNMTkwNDExMjIxNTQxWjATAgIHSBcNMTkwNDEyMTE1MDIyWjATAgIHXxcNMTkwNDI2MTMzMzI1WjATAgIHehcNMTkwNDMwMTM0MjM3WjASAgErFw0xOTA0MzAxODI2NDVaMBMCAgeSFw0xOTA1MDcyMjMzMjVaMBMCAgeTFw0xOTA1MDcyMjUxMDZaMBMCAgeVFw0xOTA1MDgxMzE0NTFaMBMCAgaqFw0xOTA1MDgxNzIzMDBaMBMCAgb2Fw0xOTA1MDkxNzM4MDZaMBMCAgJJFw0xOTA1MTcxMTU4NTFaMBMCAgJMFw0xOTA1MTcxMzM4MjZaMBMCAgZvFw0xOTA1MTcxMzUwMDBaMBMCAgJLFw0xOTA1MTcxMzUwNTlaMBMCAgXKFw0xOTA1MjcxNzQxNDJaMBICASoXDTE5MDUyOTEyNDczOVowGQIIMC1rPqeyStMXDTE5MDYwMzExMzQzNlowGQIIM7DqZ5KdclcXDTE5MDYwNDEzMTk1OFowGQIILiOuz021A4gXDTE5MDYwNDE0NTY1OVowGQIIZYWCBGxu/rgXDTE5MDYwNDE1Mjk1MFowEwICAuUXDTE5MDYwNjE5MTk0NlowEwICBu8XDTE5MDYxMDE0MDA1MlowEwICBuUXDTE5MDYxMDE0MDE0MFowEwICBu0XDTE5MDYxMDE0MDIyNVowEwICBugXDTE5MDYxMDE0MDMwOVowEwICBusXDTE5MDYxMDE0MDM0OFowEwICBuwXDTE5MDYxMDE0MDQyM1owEwICBuoXDTE5MDYxMDE0MDUxNFowEwICBu4XDTE5MDYxMDE0MDYyNFowEwICBukXDTE5MDYxMDE0MDgwNVowEwICBucXDTE5MDYxMDE0MDg0OVowEwICAd8XDTE5MDYxMTEyMDgwN1owEwICAd4XDTE5MDYxMTEyMDkzMVowEwICBJ8XDTE5MDYxMTEzMzk0M1owEwICBAYXDTE5MDYxMTE3MDkzMFowGQIIeS7KE+JxjmMXDTE5MDYxMTE5MTMyNlowEwICA3sXDTE5MDYxMjE2NTIyOFowEwICA5EXDTE5MDYxNzE5MTYwNlowEwICBj4XDTE5MDYxODE2MTEyNlowEwICB38XDTE5MDYxOTE0MDEwOFowEwICBzEXDTE5MDYyNDEwNDY1MFowEwICBzIXDTE5MDYyNDEwNTE0MlowEwICA9sXDTE5MDYyNjEyMjk0NVowEwICAqAXDTE5MDYyNzEyMTQwMVowEwICBFoXDTE5MDYyNzEzMzI0NFowEwICBHkXDTE5MDYyNzEzMzMzMVowEwICAwEXDTE5MDYyNzE3MTQzMVowEwICBCgXDTE5MDYyNzE3NTYyMFowGQIID/fpjPybef0XDTE5MDYyNzIwNTczM1owGQIIJdh9qblNRagXDTE5MDYyNzIxNDg0NVowEwICAc4XDTE5MDYyODEzMjgyN1owEwICAuEXDTE5MDcwMjEyMDIwMFowEwICAqoXDTE5MDcwMjE4MDYzNlowEwICAqcXDTE5MDcwMjE4MzExOFowEwICBAkXDTE5MDcwNDE3MTY0NFowEgIBLhcNMTkwNzA2MDQyMTI5WjAZAghlTK8Z5ockoxcNMTkwNzA3MTQ1MzI3WjATAgIEmRcNMTkwNzA4MTMzMzAzWjAZAggRV8pKGEqFDhcNMTkwNzA5MTc0MjIxWjATAgIDrBcNMTkwNzE1MjAwOTIwWjAZAghvIyYosDmbwRcNMTkwNzE3MTQyOTMwWjATAgIExRcNMTkwNzE4MTI0ODM4WjATAgIB6xcNMTkwNzI5MTQwMDU1WjATAgIFAxcNMTkwODA3MTEzMzI1WjATAgIDqxcNMTkwODI3MTg0MzA5WjASAgESFw0xOTA5MDQxNDUzMTdaMBICAU4XDTE5MDkwOTE4MTUyNFowIQIQH4gnbFe6J7SgE8uXV2dCKBcNMTkwOTEwMTkxOTQ4WjATAgIGhxcNMTkwOTExMTIwMDQ5WjATAgIDYhcNMTkwOTI2MjA1ODQ3WjATAgIGjhcNMTkwOTI3MTY0MjEwWjAiAhEAgFf8Nzi1VHXX1K5hYFJXmRcNMTkxMTA1MTgzODIyWjAhAhBpAI3lWw/jgmMol97kG0XlFw0xOTExMDUxODUyNTFaMBMCAgMMFw0xOTExMjAxMjE3MzJaoIGzMIGwMAsGA1UdFAQEAgIWgTAiBgNVHSMBAQAEGDAWgBTt3CdtYXrn45x/fqKxU59wk3wCtjB9BggrBgEFBQcBAQEBAARuMGwwagYIKwYBBQUHMAKGXmh0dHA6Ly9pY3AtYnJhc2lsLmFjLnByb2RlbWdlLmdvdi5ici9yZXBvc2l0b3Jpby9jZXJ0aWZpY2Fkby9hY19wcm9kZW1nZV9tZy9hY19wcm9kZW1nZV9tZy5wN2MwDQYJKoZIhvcNAQENBQADggIBAIUXCbiOzY5CWd3wLH32Qg4P9ciZ8r5n4i3f9bXLnbQbdVhsFY2raCstOGOJUOci/WrzikKrjbNNJM3rW46CLFXvZ4Nalq1krzE7bk6mlyZ8O6vXtck4yu/owz+7+VALWSwWKcBFGFKzjgB2XkbQuRYqr/Hp4aqKGP76FZP5hLyIkI8nSxCdBWkhPYGnECaNCELcobYCdvo46850MGvXrbAgFZjJLvL/Ovj+/z0gtomYX/v8wZnvzUql2Rdi0NFQBkAsPdKw05TeB1/TzN8nB5UYZlfZH7Du8ukhJspJ7v7s8dpPJWzV1FIqUScfv2vZPzgyL5njJ6OD8s8fSS65BYOgbP9cJnVsSfyY/fbC8ZAmYRNDlFpjrAApNBMSONjNPoHQTYpIGYE+2shKaxoWQuq9YLvVzF/Z138+nDxh4CO2/EmXAzSkUNP+V0upi2el2DObKXxuSoVOdwA2w7BK/Q0anAGvO1u2XtXITqX4zTRmvAJJa0Ous57yMbICjPfS2fiaBxdmtKJMgM1RMwdUgWdF3bZAiYBnS3ZnF0jVJhltFZqeJ164Sz7NBVWx6IYpuwD8Xozpj+JycJNNh8YN/cg97wOzR6TD9Ba7HPwdgxKYmBzdG70jKoY/H+z03h3/UV2kBsqnnQxpXH6Y9JjpX22jFID6PA8e+7gk349lDyEa




Can you test parser using BC provider and SUN provider? Because the
TBSCertList is different between these providers. The SUN provider looks
more complete.



--
Sent from: http://bouncy-castle.1462172.n4.nabble.com/Bouncy-Castle-Dev-f1462173.html

I realized that CRL Extensions is different between theses providers.

<http://bouncy-castle.1462172.n4.nabble.com/file/t375760/differences_tbs.jpg>

AIA and AuthorityKeyIdentifier has a boolean value when SUN provider is
used. In the original CRL, theses booleans are encoded in both extensions.
But, this boolean value is correct/valid? Because in the RFC 5280 i dont
find anything related to boolean in these extensions.



--
Sent from: http://bouncy-castle.1462172.n4.nabble.com/Bouncy-Castle-Dev-f1462173.html

Hi!

In RFC 5280, the syntax of Extension is defined as:
Extension  ::=  SEQUENCE  {
     extnID      OBJECT IDENTIFIER,
     critical    BOOLEAN DEFAULT FALSE,
     extnValue   OCTET STRING
                 -- contains the DER encoding of an ASN.1 value
                 -- corresponding to the extension type identified
                 -- by extnID
     }

That is, the boolean value encoded in SUN provider is the critical value. It
seems that BouncyCastle is ignoring this attribute of Extension (probably
because the value is the default value). But, doing that, the signature
verification fails cause the hash calculated does not inclued theses
booleans.

I think it is a critical problem, any CRL that contains the critical value
encoded in Extension will fail the cryptographic verification.




--
Sent from: http://bouncy-castle.1462172.n4.nabble.com/Bouncy-Castle-Dev-f1462173.html

I'd agree, it's a problem, the CRL has an invalid signature. To quote
section 5.1.1.3 of RFC 5280

"The signatureValue field contains a digital signature computed upon the
ASN.1 DER encoded tbsCertList."

This means that if the field value is the default value it is left out
of the encoding used to calculate the signature, so any extension with a
value of FALSE should not have that value encoded in it when the
signature is calculated.

Please ask whoever is generating these CRLs to do it properly. There are
real security implications if this is not done correctly.

Thanks,

David

On 6/12/19 1:29 am, luizurias wrote:

Hello, thanks for reply! Sorry for the delay to answer.

I understand what you mean, but consider this scenario:

This CRL contains DEFAULT values encoded in its structure. In the RFC,

"Implementers should note that the DER encoding of SET or SEQUENCE
components whose value is the DEFAULT omit the component from the
encoded certificate or CRL. For example, a BasicConstraints
extension whose cA value is FALSE would omit the cA boolean from the
encoded certificate."

This quote indicates to omit default values when encoding. But it doesn't
forbid the encode, right?

I mean, if a CRL encodes a DEFAULT value in tbsCertificate, shouldn't this
value be present in the hash calculation?

"The signatureValue field contains a digital signature computed upon the
ASN.1 DER encoded tbsCertList."

We understand this quote indicates to calculate signatureValue upon
tbsCertList, independent if the tbsCertList contains DEFAULT values or not.



--
Sent from: http://bouncy-castle.1462172.n4.nabble.com/Bouncy-Castle-Dev-f1462173.html

Yes, the CRL is allowed to contain the encoding of default values, but
no, if there are included they are not to be included in the hash
calculation.

Regards,

David

On 12/12/19 6:43 am, luizurias wrote:

Ok, i understand.

But i have found out that this behavior does not apply in certificates..

This certificate (below) encodes critical value (false) in
authorityKeyIdentifier, for example.
When i verify if CA issued this certificate, the verification returns true.
And, the tbsCertificate parsed by BC includes the critical value of false.

We think that both certificate and CRL should have the same behavior, since
the Extension structure is the same for both cases, no?

CA certificate:
MIIGkjCCBHqgAwIBAgIBATANBgkqhkiG9w0BAQ0FADBxMQswCQYDVQQGEwJCUjET
MBEGA1UECgwKSUNQLUJyYXNpbDE0MDIGA1UECwwrQXV0b3JpZGFkZSBDZXJ0aWZp
Y2Fkb3JhIFJhaXogQnJhc2lsZWlyYSB2NTEXMBUGA1UEAwwOQUMgUHJvZGVtZ2Ug
QlIwHhcNMTgwODMxMTUyMDMzWhcNMjkwMzAxMTUyMDMzWjBUMQswCQYDVQQGEwJC
UjETMBEGA1UEChMKSUNQLUJyYXNpbDEXMBUGA1UECxMOQUMgUHJvZGVtZ2UgQlIx
FzAVBgNVBAMTDkFDIFByb2RlbWdlIE1HMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A
MIICCgKCAgEApWGLOCwpZr3PpyxVMR6x+os6/i3v2FOgEh8/8/bfUkv7qrIAfuy0
Bqre/F+ZVVAnySqXObEMpQAtovqgLBEzzv1dcPyd6FLjHCqyuPNzRQLACAtEZJ/U
A7pyKDiDspGwS0FyEYfMbxC7U0nuQnliJmANPJuc6SrAnnWBT7aimDI1ztxoJfCc
lLVPZI/gft5uKK06p3wnsJvTZDYivvr45Vmf9715e0lvaad70qdE9YJZjQS0QWES
I5iMwlTc+nx/Tpn7JmEwkNxS1K2n8EA6NxahnYQAjmNMrlnKkCd8nWi9WxE66ZSs
spVyf+lNJlSnLX9hgRpiA5VsRafHSP3/vWNQaDpyaax88PIBfHilBMfSErFIEywR
EcZnrv5egdGD8AO+EDLjW0m8pBrK2Qxak6NAM6ezMdpAwY2Uwp4z9fpuS3iIlFJS
OCgS2MMBD8J2kplc71kM8EH8Mz4N2ji1SCLoG3NcqPD+GMIxE4F70pnHeOmW24qc
sFVJCwDPaSZsoAA4fFH3m8PBpzLigvz9U0xURyr8n3jvI38KxS5Q+cH+SjGa5fQ6
6xn7BAhClheWeugbv/ljjciHzH5Qu4MbFdcGygBdiqRiMJOIWId8c/h5YZ0lmnAN
vBmkcI3/+NlvsXiubE8z6yiDo3PwR95SfqNQzkgrcykicL9OfVNqUgsCAwEAAaOC
AVAwggFMMB0GA1UdDgQWBBTt3CdtYXrn45x/fqKxU59wk3wCtjAPBgNVHRMBAf8E
BTADAQH/MA4GA1UdDwEB/wQEAwIBBjB8BgNVHSAEdTBzMHEGBWBMAQF+MGgwZgYI
KwYBBQUHAgEWWmh0dHA6Ly9pY3AtYnJhc2lsLmFjLnByb2RlbWdlLmdvdi5ici9y
ZXBvc2l0b3Jpby9kcGMvYWNfcHJvZGVtZ2VfbWcvZHBjX2FjX3Byb2RlbWdlX21n
LnBkZjBrBgNVHR8EZDBiMGCgXqBchlpodHRwOi8vaWNwLWJyYXNpbC5hYy5wcm9k
ZW1nZS5nb3YuYnIvcmVwb3NpdG9yaW8vbGNyL2FjX3Byb2RlbWdlX2JyL2xjcl9h
Y19wcm9kZW1nZV9ici5jcmwwHwYDVR0jBBgwFoAUyMgWTsRchBF6HLmDfFMdz27A
I8kwDQYJKoZIhvcNAQENBQADggIBAI7GDU0ySaT9DG+ovEd7xp4Qxw9RgypvP9qW
0dLn2KPXtrSYJLFIOB+dIVp6wcAdotMXFqmdcVc0i4zkQu3S0MzkFCMdXmGTGjf4
TbeUdUB9HGRZfyOP3FgfcX3foP3MFkI+acNAEqE7ntlngT6lowWA9B9CbGim1Ftg
Kwo8AmcI7089mFUOaYAxhqyfuWHZtLHqYW+R0vuhkObSMHjQU2EIBCC69QlmGHgL
Qa3PmNuQJWDvm8h+5XD3qqjnyg8h7PlBxPtOrpVip8a2zdz3fsBMV/cq8ssbwRvw
cEcfu6vpyp8kpSHhUgVLCk7f5xfD35qlFeN9YAP8/n0vS85sqYKxUPKmm/HQQ8AL
JRc32A5emksUw2snpJLeGvY/A8fC61YLq6KonLhVBt+nqHPPykD4BRa0qJw6Dq9t
HLefim22LQzRzbOFnRpFDYYJfkwNQen5f3xwUzzx4UJsruQLR53BE8ocpeiB9+iY
gmn4e+DcQKYM/HI0ha0zseX6xnDJeANg1JYbO4Jprb4cw26XkM+NDGkIC3FM4yJ/
EtufNwOykEiG9ELCpou+ay8nnNXM0MKzMLiKmPjllY8rN84k309jHACy0RAbrCMf
RXW3FZlBCKEfqpwOloJzBtDA10S6tplStVYjApy785Dr1B463CC1f+aow15/FirH
hUh4GtCy

User certificate:
MIIHdDCCBVygAwIBAgICBaowDQYJKoZIhvcNAQELBQAwVDELMAkGA1UEBhMCQlIx
EzARBgNVBAoTCklDUC1CcmFzaWwxFzAVBgNVBAsTDkFDIFByb2RlbWdlIEJSMRcw
FQYDVQQDEw5BQyBQcm9kZW1nZSBNRzAeFw0xOTAzMDcxNDIxNTVaFw0yMjAzMDYx
NDIxNTVaMIGNMQswCQYDVQQGEwJCUjETMBEGA1UEChMKSUNQLUJyYXNpbDEjMCEG
A1UECxMaQXV0ZW50aWNhZG8gcG9yIEFSIENFTEVQQVIxGzAZBgNVBAsTEkFzc2lu
YXR1cmEgVGlwbyBBMzEnMCUGA1UEAxMeRkVMSVBFIEpPU0UgVklESUdBTCBET1Mg
U0FOVE9TMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqnvgAEdySlCw
N3OQkrRKn5AdfkjY9Jce8RJncQRv88w1oDyLC50dhNuxipLI39prpPRyl53O2SSx
lWa6RhEsPcCxxTIjUomxjActrb9N9jlDFNJkH2fGzkW2XkHroCFyX0sw01rtehbP
5LrV9q3CZAwWNA5qLDhsChiKcy6eVvRN7zDBRNUUs8L2iq7FCmnvFHV874HPCIZk
c+0/e9Bv5YfE/2XAHgga21we2BDT4P3YU3bfB/gWL6d1LO5wA5qwcXybV2n+ZPj8
RVUDiAvieYUrnkjWhc7rAtHC3K24Aki7A//rB+JUxqmeNatCmgxZ4ms/wgj4QVbe
pT2oh+gm5QIDAQABo4IDFDCCAxAwgbAGA1UdEQSBqDCBpaA+BgVgTAEDAaA1BDMw
NzA5MTk1MTI3MTcwNzY0NzY4MDAwMDAwMDAwMDAwMDAwMDAwMTg0MDI4MzFTRVNQ
UFKgFwYFYEwBAwagDgQMMDAwMDAwMDAwMDAwoB4GBWBMAQMFoBUEEzAwMDAwMDAw
MDAwMDAwMDAwMDCBKmZlbGlwZS52aWRpZ2FsQHBhcmFuYXByZXZpZGVuY2lhLnBy
Lmdvdi5icjAOBgNVHQ8BAf8EBAMCBeAwgYAGA1UdIAEBAAR2MHQwcgYGYEwBAgNa
MGgwZgYIKwYBBQUHAgEWWmh0dHA6Ly9pY3AtYnJhc2lsLmFjLnByb2RlbWdlLmdv
di5ici9yZXBvc2l0b3Jpby9kcGMvYWNfcHJvZGVtZ2VfbWcvZHBjX2FjX3Byb2Rl
bWdlX21nLnBkZjAiBgNVHSMBAQAEGDAWgBTt3CdtYXrn45x/fqKxU59wk3wCtjCB
0gYDVR0fAQEABIHHMIHEMGCgXqBchlpodHRwOi8vaWNwLWJyYXNpbC5hYy5wcm9k
ZW1nZS5nb3YuYnIvcmVwb3NpdG9yaW8vbGNyL2FjX3Byb2RlbWdlX21nL2xjcl9h
Y19wcm9kZW1nZV9tZy5jcmwwYKBeoFyGWmh0dHA6Ly9pY3AtYnJhc2lsMi5hY3By
b2RlbWdlLmNvbS5ici9yZXBvc2l0b3Jpby9sY3IvYWNfcHJvZGVtZ2VfbWcvbGNy
X2FjX3Byb2RlbWdlX21nLmNybDAgBgNVHSUBAQAEFjAUBggrBgEFBQcDAgYIKwYB
BQUHAwQwIAYDVR0OAQEABBYEFPjoyfFyW+obqvKFB/MhAj6Hq0efMH0GCCsGAQUF
BwEBAQEABG4wbDBqBggrBgEFBQcwAoZeaHR0cDovL2ljcC1icmFzaWwuYWMucHJv
ZGVtZ2UuZ292LmJyL3JlcG9zaXRvcmlvL2NlcnRpZmljYWRvL2FjX3Byb2RlbWdl
X21nL2FjX3Byb2RlbWdlX21nLnA3YzAMBgNVHRMBAQAEAjAAMA0GCSqGSIb3DQEB
CwUAA4ICAQAepVXrOthti6StNxgS8nK73bpdlSrt7cmF/YbPek6kNzxKsmVk5jnR
F9unE33LQBTeG1yk+4wZKcsdig1c5ACvt4x26Luj8xxX1qnMYE6qolvaXfUNm41t
A88FzxqyO0OjOtXVbYuP40AW/yTCKhEATvqW70cC9FiTsX1On/sdN86K9YdUOWph
9HE9aPFK2OnvT8FUpr9obQNkZuoCQc+STBWRgFSn39GFivzDEErpgkWtCnrN9pWV
QXVw9sV4y09g0vWonihyBvWCzvT0V1/w5ng0jeFPW0dfPm/P6UPA0eGYtW4tNjlh
HMWMLxDbq9uhEJRKlq4diaLScpHbXAuJygCH3cz3Ou/0LDxIoixqaWrhoCmKgxEX
yRC34vxl/M66DfzPCpS2r4XDYDGoIIax18gsilCDeErsfF/BL6x+9EzeIaIaNf1I
uxPfzLkI2y7hjW7AwruaUCDZuT7YpMhM5zrby3b+bN4TKy2id6L8oreqMZ4UJ2OE
uwiSBFelTvmvLRDqX1DViFTwK0qCaXnQDcSdPQk7J4zBEdOBCJstoKvGyk0sDVez
KEJ6NH7rxgkJwVz51UloJW2Kxl2/gpRRUUqCD1v01tF1Ewv0VS2MEpINKvUK7DBv
hXU8BE5MUMzB2ieT0DSw0XoffaMWYx1pJNxmhIU8m63ndgDw7ZfOgw==




--
Sent from: http://bouncy-castle.1462172.n4.nabble.com/Bouncy-Castle-Dev-f1462173.html

You're correct that the same should apply for CRLs as Certificates,
however we went with Sun's opinion on this one as the number CA's that
seemed incapable of releasing correct certificates seemed overwhelming.

Please ask the CA in question to correct their certificates. Given what
has happened elsewhere it seems inevitable that one day this "feature"
will need to be removed, and if it is in response to someone discovering
an exploit it will happen really fast. All they need to do is not issue
BOOLEAN true.

Actually, thinking about it, we should probably add a system property
for this now, but at any rate, if we were to fix this, the client
certificate would no longer verify.

Regards,

David

On 14/12/19 3:16 am, luizurias wrote: