Hi Bruno,

Bruno Harbulot wrote:
Hi Xuelei,

Thanks for looking into this.
I agree with you, everything that's required is already in the JavaSE API. I find, however, that using these classes requires a careful reading of the JSSE ref. guide and the Certification path ref. guide, both of which are rather long and non-trivial (at least to me). I suspect many developers don't have time to get into such a depth of details.

One of the use-cases that was the motivation for PKIXSSLContextFactory in jSSLutils was to be able to add CRLs quite easily. Thus, you get something like this:

PKIXSSLContextFactory sslContextFactory =
    new PKIXSSLContextFactory(keyStore, "keypassword", trustStore);
sslContextFactory.addCrl("http://ca.example.org/root-crl");
sslContextFactory.addCrl("http://ca.example.org/intermediate-crl");
SSLContext sslContext = sslContextFactory.buildSSLContext();

It's true that it's not possible to cover all cases, but I would guess that there is a small set of cases that are more frequent (such as adding CRLs explicitly).

Do you find that there are still many use cases that require you to manually add CRLs? Most CAs that I know of now include the information to obtain CRLs in the certificate itself, in the CRL Distribution Point Extension.

We support this extension in our PKIX CertPath implementation. The implementation will automatically download these CRLs and cache them in memory for a short time. However, you must set the system property com.sun.security.enableCRLDP to the value true. We should probably change it to be enabled by default because I don't think many users know about this property and it is somewhat buried in the CertPath docs in one of the appendices.

--Sean
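The CRLDP behaviour Sean describes, shown as an added example that is not part of either message or of jSSLutils: the property is set before the PKIX CertPathValidator is first used, revocation checking is left enabled, and the validator fetches the CRLs named in each certificate's CRL Distribution Point extension itself. The trust store path, its password and the end-entity certificate file are assumed command-line inputs; the validated chain is assumed to be ordered end-entity first, with the trust anchor held only in the trust store.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.List;

public class CrlDpValidation {

    /** Validates chain (end-entity first, anchor excluded) against the trust store with CRLDP fetching on. */
    public static PKIXCertPathValidatorResult validate(List<X509Certificate> chain,
                                                        KeyStore trustStore) throws Exception {
        // Lets the Sun PKIX implementation follow the CRL Distribution Point extension
        // and download the CRLs itself; it is read when the validator is first used.
        System.setProperty("com.sun.security.enableCRLDP", "true");

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath certPath = cf.generateCertPath(chain);

        // Trust anchors are the trusted entries of the key store.
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(true); // already the default; stated explicitly

        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        return (PKIXCertPathValidatorResult) validator.validate(certPath, params);
    }

    public static void main(String[] args) throws Exception {
        // Assumed inputs: args[0] = JKS trust store, args[1] = its password, args[2] = DER/PEM cert.
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            trustStore.load(in, args[1].toCharArray());
        }
        X509Certificate cert;
        try (FileInputStream in = new FileInputStream(args[2])) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        try {
            PKIXCertPathValidatorResult r = validate(List.of(cert), trustStore);
            System.out.println("Valid, anchor: " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // getReason() separates REVOKED from UNDETERMINED_REVOCATION_STATUS (e.g. CRL not fetchable),
            // so an unreachable distribution point is not mistaken for a revoked certificate.
            System.out.println("Rejected: " + e.getReason() + " (" + e.getMessage() + ")");
        }
    }
}
```

Without the property, the same validation fails with an undetermined revocation status unless CRLs are supplied through a CertStore, which is the manual step Bruno's addCrl() wraps.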
