
How do I set a default CRL path in Java? Currently, for certificates not containing a CRL distribution point, I get this:

PKIX path validation failed: java.security.cert.CertPathValidatorException: Could not determine revocation status

I've tried the combinations of com.sun.security.enableCRLDP and com.sun.net.ssl.checkRevocation with certificates containing a CRLDP and not containing it. The conclusion is that when you set the above-mentioned properties but you have a certificate which doesn't contain a CRLDP, you get an exception; that's not the behavior I want for my current system.

mdavid
  • Obviously, you have to specify a CRL DP in all certificates (except the root CA certificate). I wrote a blog post on designing CDP/AIA extensions in an Internet-enabled PKI. Although the article is dedicated to Microsoft ADCS, it is suitable for any software you are using to develop a PKI: https://www.sysadmins.lv/blog-en/designing-crl-distribution-points-and-authority-information-access-locations.aspx – Crypt32 Dec 08 '16 at 15:48
  • But there should be a way to specify a default path – mdavid Dec 08 '16 at 15:55

1 Answer


I guess I found a way to specify a local CRL file and it seems to do the trick.

    import java.io.FileInputStream;
    import java.security.KeyStore;
    import java.security.cert.CRL;
    import java.security.cert.CertStore;
    import java.security.cert.CertificateFactory;
    import java.security.cert.CollectionCertStoreParameters;
    import java.security.cert.PKIXBuilderParameters;
    import java.security.cert.X509CertSelector;
    import java.util.ArrayList;
    import java.util.Collection;
    import java.util.HashSet;
    import java.util.List;
    import javax.net.ssl.CertPathTrustManagerParameters;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.TrustManagerFactory;
    import javax.net.ssl.X509TrustManager;

    // keyStore holds the CA certificates we trust (the trust anchors)
    static X509TrustManager buildTrustManager(KeyStore keyStore) throws Exception {
        // initialize a new TMF with our keyStore
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX", "SunJSSE");

        PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(keyStore, new X509CertSelector());

        // Activate certificate revocation checking
        pkixParams.setRevocationEnabled(true);

        // Load the local CRL file and hand it to PKIX through a Collection-backed CertStore,
        // so revocation can be decided even when the certificate carries no CRLDP
        Collection<CRL> crls = new HashSet<>(1);
        try (FileInputStream in = new FileInputStream("your_local_file.crl")) {
            crls.add(CertificateFactory.getInstance("X.509").generateCRL(in));
        }
        List<CertStore> certStores = new ArrayList<>(1);
        certStores.add(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));
        pkixParams.setCertStores(certStores);

        // Still allow CRLs to be fetched from a CRL distribution point when one is present
        System.setProperty("com.sun.security.enableCRLDP", "true");
        tmf.init(new CertPathTrustManagerParameters(pkixParams));

        // acquire X509 trust manager from factory
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager returned by the factory");
    }

In this case, if the certificate doesn't contain a CRL distribution point, it won't throw an exception and will try to determine the revocation status from the file I've given. But still, if the specified local CRL file's content is not in a proper format, it won't skip it and you'll get an exception even if your certificate contains a CRL distribution point as an alternative.

Anyway, looking forward to more elegant answers, if any.

mdavid
  • I believe you have a mechanism to update your_local_file.crl. Does this approach take care of reloading your_local_file.crl when you replace the existing CRL file with a new one and the already loaded CRL has expired? – ramtech Sep 22 '17 at 14:42
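The answer above wires the local CRL into a TrustManagerFactory for TLS, and the last comment asks what happens when the CRL file is replaced or expires. The following is an added example, not code from the poster, that uses the same Collection CertStore idea with the standalone CertPathValidator API so the behaviour can be tested outside a TLS handshake. It re-reads the CRL file whenever its modification time changes or its nextUpdate has passed, and reports whether a failure was an actual revocation or the "Could not determine revocation status" condition from the question. It assumes a CA certificate, a CRL and a leaf-first chain in PEM or DER files whose paths are given on the command line; the class and method names are my own.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.FileTime;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.Set;

/** Validates a chain against one trust anchor using a local CRL file that is re-read when it changes or expires. */
public class LocalCrlValidator {
    private final CertificateFactory cf = CertificateFactory.getInstance("X.509");
    private final Set<TrustAnchor> anchors;
    private final Path crlPath;           // hypothetical location of the locally maintained CRL
    private X509CRL cachedCrl;            // last CRL parsed from crlPath
    private FileTime cachedCrlMtime;      // file timestamp at the time it was parsed

    LocalCrlValidator(Path caCertPath, Path crlPath) throws Exception {
        this.crlPath = crlPath;
        X509Certificate ca;
        try (InputStream in = Files.newInputStream(caCertPath)) {
            ca = (X509Certificate) cf.generateCertificate(in);
        }
        this.anchors = Collections.singleton(new TrustAnchor(ca, null));
    }

    /** Returns the CRL, re-reading the file if it was replaced on disk or its nextUpdate has passed. */
    synchronized X509CRL currentCrl() throws Exception {
        FileTime mtime = Files.getLastModifiedTime(crlPath);
        boolean fileChanged = cachedCrl == null || !mtime.equals(cachedCrlMtime);
        boolean expired = cachedCrl != null && cachedCrl.getNextUpdate() != null
                && cachedCrl.getNextUpdate().before(new Date());
        if (fileChanged || expired) {
            try (InputStream in = Files.newInputStream(crlPath)) {
                cachedCrl = (X509CRL) cf.generateCRL(in);
            }
            cachedCrlMtime = mtime;
        }
        return cachedCrl;
    }

    /** Validates a leaf-first chain (without the anchor); throws CertPathValidatorException on failure. */
    PKIXCertPathValidatorResult validate(List<X509Certificate> chain) throws Exception {
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(true);
        // Same mechanism as the answer: supply the CRL from disk instead of relying on a CRLDP.
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(Collections.singleton(currentCrl()))));
        CertPath path = cf.generateCertPath(chain);
        return (PKIXCertPathValidatorResult) CertPathValidator.getInstance("PKIX").validate(path, params);
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: LocalCrlValidator <ca-cert> <crl-file> <leaf-cert> [intermediate-cert ...]");
            return;
        }
        LocalCrlValidator validator = new LocalCrlValidator(Paths.get(args[0]), Paths.get(args[1]));
        List<X509Certificate> chain = new ArrayList<>();
        for (int i = 2; i < args.length; i++) {
            try (InputStream in = Files.newInputStream(Paths.get(args[i]))) {
                chain.add((X509Certificate) validator.cf.generateCertificate(in));
            }
        }
        try {
            PKIXCertPathValidatorResult r = validator.validate(chain);
            System.out.println("valid; anchored at "
                    + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // REVOKED: the CRL lists the serial. UNDETERMINED_REVOCATION_STATUS: no usable CRL,
            // e.g. nextUpdate already passed or the CRL was not signed by the chain's issuer.
            System.out.println("invalid: " + e.getReason() + " - " + e.getMessage());
        }
    }
}
```

The PKIX checker refuses a CRL whose nextUpdate lies in the past, so an expired CRL produces exactly the question's exception rather than a silent pass; reloading on nextUpdate therefore only helps if the file on disk has actually been refreshed, which is why the modification-time check covers the replacement case raised in the comment. Because validation is per call, the same pattern can sit behind a custom X509TrustManager that delegates to validate() instead of caching a single CertStore for the lifetime of the TrustManagerFactory.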