DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUGĀ· RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=35932>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED ANDĀ· INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=35932 ------- Additional Comments From [EMAIL PROTECTED] 2006-05-06 17:33 ------- I am unfamiliar with OCSP. For now I could contribute a CRL checking mechanism based off of http://juliusdavies.ca/commons-ssl/. This would require Java 1.4. Take a look at some early draft work inside: CRLUtil.java: http://juliusdavies.ca/commons-ssl/src/java/org/apache/commons/ssl/CRLUtil.java Certificates.java: http://juliusdavies.ca/commons-ssl/src/java/org/apache/commons/ssl/Certificates.java For now I would do it like this. My first version would support CRL's that start with "http" or "https" only. I wouldn't support "file://" or "ldap://"; or any other schemes. 1. Use reflection to see if BouncyCastle is available, since it can get CRL's from every cert in the chain (Sun 1.4.x can only get the CRL from the first cert). cert.getExtensionValue("2.5.29.31") returns null with Sun 1.4.x for the subsequent certs in the chain. BouncyCastle also seems to be able to parse the "extensionValue" byte[] array, where with Sun the best I know is " new String( extensionValue ).indeOf( "http" ); 2. Download CRL (it's a URL) into an in-memory cache (24 hour?). 3. If SSLClient.setUseCRL() is set to "true", the X509TrustManagerWrapper will use the cached CRL inside checkServerTrusted(). 4. Meanwihle, if HTTPClient-4.0 could give consumers a way to retrieve the Certificate chain (maybe method.getCertificates()), they could make calls directly into Certificates.checkValidity() themselves. -- Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
