
I'm using the Java implementation for revocation checking with CRLs, which looks like the following code (I trimmed the code to keep it short and clear):

    import java.security.cert.CertPathBuilder;
    import java.security.cert.PKIXBuilderParameters;
    import java.security.cert.PKIXRevocationChecker;
    import java.security.cert.X509CertSelector;
    import java.util.EnumSet;
    import javax.net.ssl.CertPathTrustManagerParameters;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.TrustManagerFactory;

    TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
    CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
    // Java 8+: the builder hands out the provider's PKIXRevocationChecker
    PKIXRevocationChecker rc = (PKIXRevocationChecker)cpb.getRevocationChecker();

    rc.setOptions(EnumSet.of(
            PKIXRevocationChecker.Option.PREFER_CRLS,
            PKIXRevocationChecker.Option.ONLY_END_ENTITY,
            PKIXRevocationChecker.Option.NO_FALLBACK,
            PKIXRevocationChecker.Option.SOFT_FAIL)); 

    PKIXBuilderParameters pkixParams = 
            new PKIXBuilderParameters(getTrustStore(), new X509CertSelector());
    // disable the built-in revocation check; the explicitly added checker does it instead
    pkixParams.setRevocationEnabled(false);
    pkixParams.addCertPathChecker(rc);
    tmf.init(new CertPathTrustManagerParameters(pkixParams));

    SSLContext context = SSLContext.getInstance("TLSv1.2");
    context.init(null, getTrustManagers(), null);
    defaultFactory = context.getSocketFactory();

The above code is in the constructor of a custom SSLSocketFactory, and there is a custom TrustManager (returned by getTrustManagers()) which overrides checkServerTrusted() to perform a few certificate checks and executes the default checkServerTrusted() at the end. Everything works fine except that I need CRL validation to fail when the CRL is signed by a CA that does not have the cRLSign key usage bit set, but it doesn't.

I know that this is a requirement of RFC 3280, and somewhere on the web I read that the Java implementation is compliant with the RFC; I even saw the methods in the Java base code to do that, but it seems they do not come into play when I run the application.

I did all the revocation checking with custom code to achieve that, but I think the Java implementation is far more complete than my custom code and I strongly prefer to use the Java implementation.

Any solution?

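The rule the question is after is RFC 3280/5280 section 6.3.3: when the CRL issuer's certificate carries a keyUsage extension, the cRLSign bit must be set, otherwise the CRL must be rejected. The helper below is an added example, not code from the question or from the JDK; it enforces that rule as a hard failure alongside the other checks a CRL needs (issuer name match, signature, freshness, revocation lookup). It assumes the caller has already obtained the target certificate, the certificate of the CRL issuer, and the CRL itself (for instance from the CRL Distribution Point); fetching is deliberately left out. The class name `StrictCrlCheck` and the method `requireNotRevoked` are hypothetical.

```java
import java.security.GeneralSecurityException;
import java.security.cert.CertPathValidatorException;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509Certificate;
import java.util.Date;

/**
 * Added example (hypothetical helper, not part of the original post):
 * CRL-based revocation check that rejects CRLs signed by a certificate
 * whose keyUsage extension is present but lacks cRLSign
 * (RFC 3280/5280 section 6.3.3).
 */
public final class StrictCrlCheck {

    // Index of cRLSign in the boolean[] returned by X509Certificate.getKeyUsage():
    // 0 digitalSignature, 1 nonRepudiation, 2 keyEncipherment, 3 dataEncipherment,
    // 4 keyAgreement, 5 keyCertSign, 6 cRLSign, 7 encipherOnly, 8 decipherOnly
    private static final int KEY_USAGE_CRL_SIGN = 6;

    private StrictCrlCheck() {}

    /**
     * Throws CertPathValidatorException unless the CRL is acceptable and does
     * not list {@code target}. {@code crlIssuer} is the certificate that is
     * expected to have signed {@code crl}; {@code now} is the validation time.
     */
    public static void requireNotRevoked(X509Certificate target,
                                         X509Certificate crlIssuer,
                                         X509CRL crl,
                                         Date now) throws CertPathValidatorException {
        // 1. The CRL must come from the certificate's issuer (no indirect CRLs here),
        //    and the supplied issuer certificate must actually name that issuer.
        if (!crl.getIssuerX500Principal().equals(target.getIssuerX500Principal())) {
            throw new CertPathValidatorException("CRL issuer does not match certificate issuer");
        }
        if (!crlIssuer.getSubjectX500Principal().equals(crl.getIssuerX500Principal())) {
            throw new CertPathValidatorException("CRL issuer certificate does not match CRL issuer name");
        }

        // 2. The check the question asks for: keyUsage present without cRLSign is a hard failure.
        //    A certificate without any keyUsage extension (getKeyUsage() == null) is allowed.
        boolean[] keyUsage = crlIssuer.getKeyUsage();
        if (keyUsage != null
                && (keyUsage.length <= KEY_USAGE_CRL_SIGN || !keyUsage[KEY_USAGE_CRL_SIGN])) {
            throw new CertPathValidatorException(
                    "CRL signer " + crlIssuer.getSubjectX500Principal()
                            + " lacks the cRLSign key usage bit");
        }

        // 3. The CRL signature must verify under the issuer's public key.
        try {
            crl.verify(crlIssuer.getPublicKey());
        } catch (GeneralSecurityException e) {
            throw new CertPathValidatorException("CRL signature verification failed", e);
        }

        // 4. Freshness: reject CRLs from the future and CRLs past their nextUpdate.
        if (crl.getThisUpdate().after(now)) {
            throw new CertPathValidatorException("CRL thisUpdate is in the future");
        }
        Date nextUpdate = crl.getNextUpdate();
        if (nextUpdate != null && nextUpdate.before(now)) {
            throw new CertPathValidatorException("CRL is stale (nextUpdate " + nextUpdate + ")");
        }

        // 5. Finally, the revocation lookup itself.
        X509CRLEntry entry = crl.getRevokedCertificate(target);
        if (entry != null) {
            throw new CertPathValidatorException(
                    "certificate " + target.getSerialNumber().toString(16)
                            + " revoked on " + entry.getRevocationDate()
                            + " (reason " + entry.getRevocationReason() + ")");
        }
    }
}
```

Because the signature check in step 3 would also pass under a key that is not allowed to sign CRLs, the key-usage test is placed before it and fails closed; a CRL that reaches the lookup in step 5 has therefore been signed by the right name, with a key entitled to sign CRLs, and is within its validity window. In the setup from the question, a call like `StrictCrlCheck.requireNotRevoked(chain[0], chain[1], crl, new Date())` fits in the custom `checkServerTrusted()` override before it delegates to the default check, with `chain[1]` being the issuer in the server-supplied chain and `crl` fetched by the caller.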