JDK-6720721

CRL check with circular dependency support needed


    Details

    • Type: Enhancement
    • Status: Resolved
    • Priority: P3
    • Resolution: Fixed
    • Affects Version/s: 6
    • Fix Version/s: 7
    • Component/s: security-libs
    • Labels:
    • Subcomponent:
    • Resolved In Build:
      b62
    • CPU:
      x86
    • OS:
      windows_xp

      Description

      A DESCRIPTION OF THE REQUEST :
      Background:
      I'm working with the French PKI for the healthcare world.
      By law, each French medical system holding personal medical data must strongly authenticate its users with certificates emitted by this PKI.
      This PKI has 3 trust anchors, each having at least one intermediate authority.
      Every authority in the PKI is using separate signing keys to sign CRLs.
      Web sites (French only ... sorry)
      Public web : http://www.gip-cps.fr/
      Developer web : https://editeurs.gip-cps.fr/
      List of root certificates + CRL signers : https://editeurs.gip-cps.fr/index.php?page=x509_cps2ter
      Web directory (every certificate + CRL) : http://annuaire.gip-cps.fr

      Problem :
      As mentioned earlier, the PKI is using separate signing keys ... even at the top level. This means that top level CRLs are signed by a certificate which was emitted by the top level authority itself, which means that the revocation status of the CRL signer is in the CRL it signed ...
      As RFC 3280 is unclear on this particular point, JDK developers explicitly (comment in the code) decided to refuse to validate such cert path...


      JUSTIFICATION :
      As mentioned in the Background, developers MUST use certificates emitted by this authority when developing applications for the health care world.
      The current trust anchors are set to expire in ... 2015, and from the information I have they'll still use SSK in their next PKI structure.
      The difficulty here is that PKIXParameters.setRevocationEnabled(boolean) is using the package protected core class CrlRevocationChecker, which uses other package protected core classes and methods ...
      CrlRevocationChecker is very interesting because it's RFC 3280 compliant, and developing our own CRL validation solutions will be less secure than using built-in core classes (which offer CRL DP, OCSP support, ...).

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      Certificate validation
      ACTUAL -
      validation refused due to circular dependency

      ---------- BEGIN SOURCE ----------
      I put here a "Sample" which is far from being complete, as you need to download trust anchors, intermediate authorities, CRL signers, CRLs and a user certificate to validate, but you'll understand the idea

      import java.security.cert.*;
      import java.util.Set;

      // End-entity certificate to validate
      X509Certificate userCert = ...
      CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
      X509CertSelector certSel = new X509CertSelector();
      certSel.setCertificate(userCert);
      // Trust anchors of the PKI
      Set<TrustAnchor> TA = ...
      PKIXBuilderParameters params = new PKIXBuilderParameters(TA, certSel);
      // Store holding intermediate authorities, CRL signers and CRLs
      params.addCertStore([...]);
      params.setMaxPathLength(10);
      // Turns on the built-in CRL check that rejects the circular dependency
      params.setRevocationEnabled(true);
      CertPathBuilderResult cpbr = cpb.build(params);
      CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
      PKIXCertPathValidatorResult cpvr = (PKIXCertPathValidatorResult) cpv.validate(cpbr.getCertPath(), params);
      ---------- END SOURCE ----------

      CUSTOMER SUBMITTED WORKAROUND :
      Create a custom CRL certpath checker or find some other implementation ...

            People

            Assignee:
            xuelei Xue-Lei Fan
            Reporter:
            ndcosta Nelson Dcosta (Inactive)
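
One way to write the custom CRL cert path checker named in the workaround, as an added example (not code from the reporter or from the JDK). The class name is hypothetical, and it assumes the caller supplies already-fetched CRLs and a pinned set of CRL-signer certificates, that each CRL's issuer name equals the issuing CA's name, and that only full CRLs are used (no delta or partitioned CRLs).

```java
import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.util.*;

// Hypothetical checker: CRLs are verified against CRL-signer certificates pinned by the caller.
public class PinnedSignerCrlChecker extends PKIXCertPathChecker {
    private final Collection<X509CRL> crls;               // CRLs fetched by the caller (assumption)
    private final Collection<X509Certificate> crlSigners; // pinned CRL-signer certificates (assumption)

    public PinnedSignerCrlChecker(Collection<X509CRL> crls, Collection<X509Certificate> crlSigners) {
        this.crls = crls; this.crlSigners = crlSigners;
    }

    @Override public void init(boolean forward) throws CertPathValidatorException {
        if (forward) throw new CertPathValidatorException("forward checking not supported"); }
    @Override public boolean isForwardCheckingSupported() { return false; }
    @Override public Set<String> getSupportedExtensions() { return null; }

    @Override
    public void check(Certificate cert, Collection<String> unresolvedCritExts)
            throws CertPathValidatorException {
        X509Certificate x509 = (X509Certificate) cert;
        Date now = new Date();
        for (X509CRL crl : crls) {
            if (!crl.getIssuerX500Principal().equals(x509.getIssuerX500Principal())) continue;
            if (crl.getNextUpdate() == null || now.after(crl.getNextUpdate())) continue; // stale CRL
            X509Certificate signer = findSigner(crl);
            if (signer == null) continue;                  // not signed by a pinned signer
            // Self-referential step: the signer's own status is read from the CRL it signed.
            if (crl.isRevoked(signer)) throw new CertPathValidatorException("CRL signer is revoked");
            if (crl.isRevoked(x509))
                throw new CertPathValidatorException("revoked, serial " + x509.getSerialNumber());
            return;                                        // fresh, verified CRL does not list the cert
        }
        throw new CertPathValidatorException("no usable CRL for " + x509.getIssuerX500Principal());
    }

    // Returns the pinned, currently valid signer whose key verifies the CRL signature, or null.
    private X509Certificate findSigner(X509CRL crl) {
        for (X509Certificate signer : crlSigners) {
            try {
                signer.checkValidity();
                crl.verify(signer.getPublicKey());
                return signer;
            } catch (GeneralSecurityException e) { /* try the next pinned signer */ }
        }
        return null;
    }
}
```

To use it, call `params.setRevocationEnabled(false)` and `params.addCertPathChecker(new PinnedSignerCrlChecker(crls, signers))` before building the path; the checker fails closed when no fresh CRL from a pinned signer covers a certificate.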