Xuelei Fan wrote:
> In line 318, if "idpExt == null" is true, "false" will be returned. I don't
> find any spec that supports such logic; it might be a bug here. I think the
> code should look like:
>
> 318 if (idpExt != null &&
> 319     ((Boolean) idpExt.get
> 320         (IssuingDistributionPointExtension.INDIRECT_CRL)).equals
> 321             (Boolean.FALSE)) {
> 322     return false;
>
> Any comments?

RFC 5280 (Section 6.3.3 (b) (1)) says:

    If the DP includes cRLIssuer, then verify that the issuer
    field in the complete CRL matches cRLIssuer in the DP and
    that the complete CRL contains an issuing distribution
    point extension with the indirectCRL boolean asserted.
    Otherwise, verify that the CRL issuer matches the
    certificate issuer.

I think the original code is correct. In this case, the DP includes cRLIssuer,
but the complete CRL doesn't contain an issuing distribution extension, thus it
should fail, right?
--Sean
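
The two readings discussed in this thread, side by side, as an added example that is not part of the original messages or the JDK source. The `Crl` and `DistPoint` records, the method names, and the distinguished names are hypothetical, and issuer names are compared as plain strings for brevity.

```java
import java.util.Optional;

// Constructed model of the RFC 5280 6.3.3 (b)(1) issuer check; not the JDK's classes.
public class IndirectCrlCheck {
    // Hypothetical stand-ins; an empty idpIndirectCrl means the CRL has no IDP extension.
    record Crl(String issuer, Optional<Boolean> idpIndirectCrl) {}
    record DistPoint(Optional<String> crlIssuer) {}

    // Reading given in the reply: a DP with cRLIssuer requires an IDP extension
    // with indirectCRL asserted, so a missing extension fails the check.
    static boolean strict(DistPoint dp, Crl crl, String certIssuer) {
        if (dp.crlIssuer().isEmpty()) {
            return crl.issuer().equals(certIssuer);
        }
        return crl.issuer().equals(dp.crlIssuer().get())
                && crl.idpIndirectCrl().orElse(false);
    }

    // Variant proposed in the quoted message: reject only when the extension
    // is present and indirectCRL is FALSE, so a missing extension passes.
    static boolean lenient(DistPoint dp, Crl crl, String certIssuer) {
        if (dp.crlIssuer().isEmpty()) {
            return crl.issuer().equals(certIssuer);
        }
        boolean explicitFalse = crl.idpIndirectCrl().isPresent()
                && !crl.idpIndirectCrl().get();
        return crl.issuer().equals(dp.crlIssuer().get()) && !explicitFalse;
    }

    public static void main(String[] args) {
        String certIssuer = "CN=Example CA";            // constructed names
        DistPoint dp = new DistPoint(Optional.of("CN=Example CRL Signer"));
        Crl[] crls = {
            new Crl("CN=Example CRL Signer", Optional.empty()),     // no IDP extension
            new Crl("CN=Example CRL Signer", Optional.of(false)),   // indirectCRL FALSE
            new Crl("CN=Example CRL Signer", Optional.of(true)),    // indirectCRL TRUE
        };
        for (Crl crl : crls) {
            System.out.printf("idp=%-16s strict=%-5b lenient=%b%n",
                    crl.idpIndirectCrl(), strict(dp, crl, certIssuer),
                    lenient(dp, crl, certIssuer));
        }
    }
}
```

Only the first constructed CRL, the one without an issuing distribution point extension, separates the two methods: `strict` rejects it and `lenient` accepts it.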