IZ67832: CUSTOMER CERTIFICATES' CRL DISTRIBUTION POINTS CONTAINS ONLY DN'S RATHER THAN URL'S
Closed as program error.
Component: IBM CERTPATH
==========

Abstract:
Customer certificates' CRL Distribution Points contain only DNs rather than URLs.

Description:
============
The customer is generating their own certificates and is therefore acting as their own certificate authority. The CRL Distribution Points within their certificates carry only a DN (directory name). Such DNs could be used only if CertPath were supplied with one or more matching LDAPCertStores. Unfortunately, CertPath does not currently contain logic to match these DNs to any LDAPCertStores that may have been passed in.

Other Details:
==============
This problem affects Java 1.4.2, 5.0, and 6.0. The affected jar is ibmcertpathprovider.jar. The Austin CMVC defects are 109266 and 109276. The build level of ibmcertpathprovider.jar for Java 1.4.2 is 20100111_2. The build levels of ibmcertpathprovider.jar for Java 5.0 and 6.0 are 20100111. The associated Hursley CMVC defect is 160546.
Level 3 to update
CRLDistributionPoints typically carry either an LDAP URL or an HTTP URL. The CRLDistributionPoints within this customer's certificates carry only a DN (a.k.a. distinguished name or directory name). These DNs are the vehicle that the customer is relying upon to locate all CRLs. Unfortunately, the CertPath component is not utilizing this information, and is throwing a "revocation status could not be determined" exception for each certificate chain built/validated.

At least two things are required for CertPath to be able to utilize this information:

1) The caller must supply CertPath with at least one LDAPCertStore.
2) Logic must be added to CertPath to use the supplied DN to search the supplied LDAPCertStore(s) for the CRL, and to save the retrieved CRL(s) within its CRL cache. This logic does not yet exist.

A fix has been applied to the method CRSChecker.setCRLCache().

The customer also had an LDAP object that contained both a certificateRevocationList attribute and an authorityRevocationList attribute. The authorityRevocationList attribute was to be used to determine the revocation status of the intermediate CA certificate within the certificate chain being validated. The CertPath.LDAPCertStoreImpl class was not requesting the authorityRevocationList attribute from the LDAP server. This caused CertPath to report the revocation status of the intermediate CA certificate as "undetermined". A fix has been applied to the LDAPCertStoreImpl class to also request the authorityRevocationList attribute, if any.
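As an added example (not part of the APAR or of ibmcertpathprovider.jar), this is the caller-side setup that requirement 1 describes: a PKIX validation with revocation checking enabled and an LDAP CertStore registered, so that a CRL Distribution Point carrying only a directory name has a store it can be resolved against. The LDAP host and port, the certificate file names and the class name are placeholders.

```java
import java.io.FileInputStream;
import java.security.cert.*;
import java.util.*;

public class LdapCrlValidation {
    // Requirement 1 above: give CertPath an LDAP CertStore, otherwise a DN-only
    // CRL Distribution Point has nothing to be resolved against. The LDAP host
    // and port are placeholders.
    public static PKIXParameters buildParams(X509Certificate trustedRoot,
            String ldapHost, int ldapPort) throws Exception {
        PKIXParameters params = new PKIXParameters(
            Collections.singleton(new TrustAnchor(trustedRoot, null)));
        params.addCertStore(CertStore.getInstance("LDAP",
            new LDAPCertStoreParameters(ldapHost, ldapPort)));
        // Revocation checking is what raises "revocation status could not be
        // determined" when no CRL (or ARL for the intermediate CA) is located.
        params.setRevocationEnabled(true);
        return params;
    }
    // Validates leaf -> intermediate against the anchor with the default PKIX
    // CertPathValidator (ibmcertpathprovider.jar on an IBM JDK).
    public static PKIXCertPathValidatorResult validate(List<X509Certificate> chain,
            PKIXParameters params) throws Exception {
        CertPath path = CertificateFactory.getInstance("X.509")
            .generateCertPath(chain);   // target certificate first
        return (PKIXCertPathValidatorResult)
            CertPathValidator.getInstance("PKIX").validate(path, params);
    }
    private static X509Certificate load(String file) throws Exception {
        FileInputStream in = new FileInputStream(file);
        try {
            return (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(in);
        } finally { in.close(); }
    }
    public static void main(String[] args) throws Exception {   // placeholder files
        List<X509Certificate> chain =
            Arrays.asList(load("leaf.cer"), load("intermediate-ca.cer"));
        PKIXParameters params = buildParams(load("root-ca.cer"), "ldap.example.com", 389);
        try {
            System.out.println("chain valid: " + validate(chain, params).getTrustAnchor()
                .getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // Pre-fix ibmcertpathprovider.jar lands here for a DN-only
            // distribution point or an unrequested authorityRevocationList.
            System.out.println("failed at index " + e.getIndex() + ": " + e.getMessage());
        }
    }
}
```

With a pre-fix build the catch branch is reached even though the LDAP store is registered, because the provider never used the DN to query it; the fixed build resolves the DN against the supplied store.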
Logic has been added to the CRSChecker.setCRLCache() method and to the LDAPCertStoreImpl.engineGetCRLs() method for this problem. The associated Hursley CMVC defects are 160546 and 160617. The associated Austin CMVC defects are 109266, 109276, and 109292.

The fix is available in:
1.4.2 SR13 FP5
5.0 SR11 FP3
6.0 SR8 FP1
Reported component name: TIV JAVA CERT P
Fixed component name: TIV JAVA CERT P
Software version: 100
Reference #: IZ67832
Modified date: 26 April 2011