hc-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 35932] - document/support OCSP and CRL checking via certificate CDPs (Certificate Revocation)
Date Sat, 06 May 2006 17:33:22 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG·
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=35932>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND·
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=35932





------- Additional Comments From juliusdavies@hotmail.com  2006-05-06 17:33 -------
I am unfamiliar with OCSP.  For now I could contribute a CRL checking mechanism
based off of http://juliusdavies.ca/commons-ssl/.  This would require Java 1.4.

Take a look at some early draft work inside:

CRLUtil.java:
http://juliusdavies.ca/commons-ssl/src/java/org/apache/commons/ssl/CRLUtil.java

Certificates.java:
http://juliusdavies.ca/commons-ssl/src/java/org/apache/commons/ssl/Certificates.java


For now I would do it like this.  My first version would support CRL's that
start with "http" or "https" only.  I wouldn't support "file://" or "ldap://" or
any other schemes.

1.  Use reflection to see if BouncyCastle is available, since it can get CRL's
from every cert in the chain (Sun 1.4.x can only get the CRL from the first
cert).   cert.getExtensionValue("2.5.29.31") returns null with Sun 1.4.x for the
subsequent certs in the chain.

BouncyCastle also seems to be able to parse the "extensionValue" byte[] array,
where with Sun the best I know is " new String( extensionValue ).indeOf( "http" );

2.  Download CRL (it's a URL) into an in-memory cache (24 hour?).

3.  If SSLClient.setUseCRL() is set to "true", the X509TrustManagerWrapper will
use the cached CRL inside checkServerTrusted().

4.  Meanwihle, if HTTPClient-4.0 could give consumers a way to retrieve the
Certificate chain (maybe method.getCertificates()), they could make calls
directly into Certificates.checkValidity() themselves.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpclient-dev-help@jakarta.apache.org


Mime
View raw message