-
Enhancement
-
Resolution: Duplicate
-
P4
-
None
-
5.0
-
1.4.0
-
x86
-
windows_xp
FULL PRODUCT VERSION :
A DESCRIPTION OF THE PROBLEM :
The problem arises when I try to decode an indirect CRL with the X509CRL class of JDK 1.5.
Set<X509CRLEntry> entradasDeCRL = crl.getRevokedCertificates(); // returns a Set, so iteration order is unspecified
Iterator<X509CRLEntry> itEntradasDeCRL = entradasDeCRL.iterator();
When we review the standard X.509, the ASN.1 definition of CRL is:
CertificateList ::= SIGNED { SEQUENCE {
    version                 Version OPTIONAL,  -- if present, version must be v2
    signature               AlgorithmIdentifier,
    issuer                  Name,
    thisUpdate              Time,
    nextUpdate              Time OPTIONAL,
    revokedCertificates     SEQUENCE OF SEQUENCE {
        serialNumber            CertificateSerialNumber,
        revocationDate          Time,
        crlEntryExtensions      Extensions OPTIONAL } OPTIONAL,
    crlExtensions           [0] Extensions OPTIONAL }}
Revoked certificates are defined as a "SEQUENCE OF". This is an ordered collection of zero or more elements. When we use the JDK, we can see that the JDK decodes it as a SET OF and does not respect the order of the collection.
If we use this implementation, where the order is not "important", we cannot use the CertificateIssuer extension to handle indirect CRLs correctly.
REPRODUCIBILITY :
This bug can always be reproduced.
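The attribution rule the report depends on, shown as an added example in Python rather than Java (it is not the reporter's code and not JDK code). It hand-encodes a constructed TBSCertList for an indirect CRL, walks revokedCertificates in DER order, and then walks the same entries in reversed order to show how a Set's unspecified iteration order misattributes entries to the wrong certificateIssuer. The DER helpers, the CA names, serials and dates are assumptions made for this example; nothing is signed or verified.

```python
# Added example, not code from the bug report: a minimal DER walk over a
# TBSCertList showing why revokedCertificates order matters for indirect CRLs.
# All bytes are constructed here; nothing is signed or verified.

def der(tag, content):                      # DER TLV, short or long-form length
    n = len(content)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + content

def oid(dotted):                            # OBJECT IDENTIFIER, base-128 arcs
    parts = [int(p) for p in dotted.split(".")]
    body = [parts[0] * 40 + parts[1]]
    for p in parts[2:]:
        enc = [p & 0x7F]
        while p >> 7:
            p >>= 7
            enc.insert(0, 0x80 | (p & 0x7F))
        body += enc
    return der(0x06, bytes(body))

def integer(v):
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))
def seq(*items):
    return der(0x30, b"".join(items))
def name(cn):                               # Name with a single CN attribute
    return seq(der(0x31, seq(oid("2.5.4.3"), der(0x0C, cn.encode()))))
def extension(oid_str, value):              # critical Extension
    return seq(oid(oid_str), der(0x01, b"\xff"), der(0x04, value))

def entry(serial, date, issuer_cn=None):    # one revokedCertificates element
    exts = b""
    if issuer_cn:                           # certificateIssuer: GeneralNames { directoryName [4] Name }
        exts = seq(extension("2.5.29.29", seq(der(0xA4, name(issuer_cn)))))
    return seq(integer(serial), der(0x17, date.encode()), exts)

def build_tbs():
    # Constructed indirect CRL: serials 1-2 belong to CA A and 3-4 to CA B, but only
    # entries 1 and 3 carry certificateIssuer; entries 2 and 4 inherit it by position.
    return seq(
        integer(1),                                          # version v2
        seq(oid("1.2.840.113549.1.1.11"), der(0x05, b"")),   # sha256WithRSAEncryption
        name("Indirect CRL Issuer"),
        der(0x17, b"240105000000Z"),                         # thisUpdate
        seq(entry(1, "240101000000Z", "CA A"), entry(2, "240102000000Z"),
            entry(3, "240103000000Z", "CA B"), entry(4, "240104000000Z")),
        der(0xA0, seq(extension("2.5.29.28", seq(der(0x84, b"\xff"))))),  # IDP: indirectCRL TRUE
    )

def read_tlv(buf, pos=0):                   # returns (tag, body, position after the TLV)
    tag, first = buf[pos], buf[pos + 1]
    n = 0 if first < 0x80 else first & 0x7F
    length = first if n == 0 else int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    pos += 2 + n
    return tag, buf[pos:pos + length], pos + length

def children(content):                      # (tag, body) pairs of a constructed value, in order
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def cn_of(name_der):                        # first attribute value of the first RDN (CN-only Names)
    rdn = children(read_tlv(name_der)[1])[0][1]
    return children(children(rdn)[0][1])[1][1].decode()

def parse_tbs(tbs):                         # returns (CRL issuer CN, revoked entries in DER order)
    fields = children(read_tlv(tbs)[1])
    if fields[0][0] == 0x02:                # optional version
        fields = fields[1:]
    issuer, rest = fields[1], fields[3:]    # signature, issuer, thisUpdate, then optionals
    if rest and rest[0][0] in (0x17, 0x18): # optional nextUpdate
        rest = rest[1:]
    revoked = children(rest[0][1]) if rest and rest[0][0] == 0x30 else []
    return cn_of(der(*issuer)), revoked

def attribute_entries(entries, crl_issuer):
    # certificateIssuer names the issuer for its own entry and every later entry
    # until the next certificateIssuer (RFC 5280 5.3.3); correct only in DER order.
    current, out = crl_issuer, []
    for _, body in entries:
        parts = children(body)
        serial = int.from_bytes(parts[0][1], "big", signed=True)
        if len(parts) == 3:
            for _, ext in children(parts[2][1]):
                eparts = children(ext)
                if der(*eparts[0]) == oid("2.5.29.29"):
                    for tag, gname in children(read_tlv(eparts[-1][1])[1]):
                        if tag == 0xA4:     # directoryName
                            current = cn_of(gname)
        out.append((serial, current))
    return out

def demo():
    crl_issuer, revoked = parse_tbs(build_tbs())
    ordered = attribute_entries(revoked, crl_issuer)
    unordered = attribute_entries(list(reversed(revoked)), crl_issuer)  # one order a Set may yield
    return ordered, unordered
```

Running demo() attributes serials 1 and 2 to CA A and 3 and 4 to CA B when the entries are visited in DER order; visiting the same entries in reverse attributes serial 2 to CA B and serial 4 to the CRL issuer itself, which is exactly the loss of information a Set-returning getRevokedCertificates() causes for an indirect CRL.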
- duplicates
-
JDK-4941974 new X509CRL.getRevokedCerts() should return an ordered List (and not a Set)
-
- Closed
-