Impossibility to validate certificate path and revocation #1506
-
|
Dear BC team, I'm trying to use CertPathValidator of the CertPath API using BC providers to be able to validate a certificate chain of an end entity certificate which will be used to e-sign pdf's. Almost everything is working as expected. except a particular use case which I will try to explain the best I can. The certificate chain is the following: | end-entity cert | --> | Intermediate CA 2 cert | --> | Intermediate CA 1 cert | --> | Trust Anchor cert | In this scenario, only Intermedia CA 2 is managing the lifecycle of a CRL. This means that Intermedia CA 1 and Trust Anchor are not. The following schema illustrates the scenario (thanks my good paint skills :) ) When I use the CertPath API to validate this Certificate Path, I give as inputs:
When the CertPath is validated it ends with an exception: My question is: Is this a valid Scenario? I can't find any rule that says this scenario is invalid. I've read the RFC 5280 and also the real good book: Java Cryptography: Tools and Techniques by David Hook and Jon Eaves. Thanks for your time |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment
-
|
Glad to hear the book has been helpful. Okay, so this is not invalid (perhaps a little incomplete, but not invalid). The CertPath API is designed around the idea that if revocation is enabled everyone down the chain will be able to revoke a certificate appearing in it, so the exception you are seeing is because higher up the chain the cert path API is unable to find a CRL. There's two options in this case. If you can provide an empty CRL for the trust anchor and the CA. I'm guessing the assumption was originally that this would never happen - I've seen people say that before... I've even said it myself... I'd recommend the empty CRL just in case this turns out not to be the case. The second option is to disable the automatic CRL checking and use purpose built PKIXCertPathChecker using the PKIXParameters.addCertPathChecker() method to add it in to the CertPathValidation. You can then use the checker you've specified for handling your specific revocation case (the need to only check the end entity). |
Beta Was this translation helpful? Give feedback.
Glad to hear the book has been helpful.
Okay, so this is not invalid (perhaps a little incomplete, but not invalid). The CertPath API is designed around the idea that if revocation is enabled everyone down the chain will be able to revoke a certificate appearing in it, so the exception you are seeing is because higher up the chain the cert path API is unable to find a CRL.
There's two options in this case.
If you can provide an empty CRL for the trust anchor and the CA. I'm guessing the assumption was originally that this would never happen - I've seen people say that before... I've even said it myself... I'd recommend the empty CRL just in case this turns out not to be the case.
The seco…