- Sub-task
- Resolution: Unresolved
- P4
If a certificate's crlDistributionPoints extension includes a crlIssuer field, then the CRL used for revocation checking must contain an Issuing Distribution Point (IDP) extension (one with indirectCRL set, as the code below checks). If it does not, verification of the CRL fails, which in turn causes the TLS connection to fail.
The check is performed in the code below and is mandated by RFC 5280, section 6.3.3: https://datatracker.ietf.org/doc/html/rfc5280#section-6.3.3
https://github.com/openjdk/jdk/blob/master/src/java.base/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java#L352
```java
// The distribution point names a crlIssuer, so the CRL must carry an IDP
// extension with indirectCRL set; otherwise the CRL is silently rejected.
if (pointCrlIssuers != null) {
    if (idpExt == null || !idpExt.isIndirectCRL()) {
        return false;
    }
    // ....
```
Logging such failure information would be useful for debugging any certificate validation failure.
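As an added example (not JDK code), the hypothetical helper below applies the same rule to standard `X509Certificate`/`X509CRL` objects with a minimal DER walk and returns the reason a CRL would be rejected, which is the detail this request asks to have logged. It treats a cRLIssuer in any distribution point as triggering the requirement, whereas the JDK code checks the specific point it is fetching from.

```java
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
// Hypothetical diagnostic helper (added example, not JDK code): applies the rule from the
// DistributionPointFetcher snippet above and returns the reason a CRL would be rejected.
public final class CrlIssuerIdpCheck {
    // Returns null when the CRL passes the cRLIssuer/IDP rule, otherwise a message worth logging.
    public static String explainRejection(X509Certificate cert, X509CRL crl) {
        byte[] cdp = cert.getExtensionValue("2.5.29.31");            // crlDistributionPoints
        // cRLIssuer is [2] GeneralNames (tag 0xA2) inside each DistributionPoint SEQUENCE
        if (cdp == null || findField(cdp, body(cdp), 0xA2, 1) == null) {
            return null; // no cRLIssuer in the certificate: the IDP requirement does not apply
        }
        byte[] idp = crl.getExtensionValue("2.5.29.28");             // issuingDistributionPoint
        if (idp == null) {
            return "CRLDP names a cRLIssuer but the CRL has no IssuingDistributionPoint extension";
        }
        // indirectCRL is [4] IMPLICIT BOOLEAN (tag 0x84), DEFAULT FALSE when absent
        int[] flag = findField(idp, body(idp), 0x84, 0);
        if (flag == null || flag[2] == flag[1] || idp[flag[1]] == 0) {
            return "CRLDP names a cRLIssuer but the CRL's IDP does not set indirectCRL";
        }
        return null;
    }
    // Minimal DER reader: {tag, contentStart, contentEnd} of the element starting at off.
    private static int[] tlv(byte[] der, int off) {
        int tag = der[off] & 0xFF, len = der[off + 1] & 0xFF, pos = off + 2;
        if (len > 0x80) {                    // long form: low 7 bits give the length's byte count
            int n = len & 0x7F;
            len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (der[pos++] & 0xFF);
        }
        return new int[] { tag, pos, pos + len };
    }
    // getExtensionValue() wraps the extension in a DER OCTET STRING; return the offset of its content.
    private static int body(byte[] ext) {
        int[] oct = tlv(ext, 0);
        if (oct[0] != 0x04) throw new IllegalArgumentException("extension value is not an OCTET STRING");
        return oct[1];
    }
    // Walks the SEQUENCE at off, descending `depth` nested SEQUENCE levels; returns the first TLV with the tag, or null.
    private static int[] findField(byte[] der, int off, int tag, int depth) {
        int[] seq = tlv(der, off);
        for (int p = seq[1]; p < seq[2]; p = tlv(der, p)[2]) {
            int[] hit = depth > 0 ? findField(der, p, tag, depth - 1)
                                  : (der[p] & 0xFF) == tag ? tlv(der, p) : null;
            if (hit != null) return hit;
        }
        return null;
    }
}
```

Calling `explainRejection(cert, crl)` from a `PKIXRevocationChecker` wrapper or a test harness and logging a non-null result gives the operator the exact reason a CRL was discarded instead of an opaque path-validation failure.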