在 RFC5280在 6.3.3 中。 CRL处理部分有一个步骤:
Verify that interim_reasons_mask includes one or more reasons that are not included in the reasons_mask.
有人可以解释一下这项检查的意义是什么吗?当我尝试使用指向某个 URL 的分发点验证证书时,它在 DistributionPointFetcher:591 中失败。 ReasonMasks 设置为 9 true,所以我不明白如何可能通过此检查,因为它已初始化,因此从未更改。
更新
初始化原因掩码的代码:Link
传递原因掩码以在 DistributionPointFetcher 中进行处理的代码:Link
最佳答案
reasons_mask: This variable contains the set of revocation reasons supported by the CRLs and delta CRLs processed so far.
interim_reasons_mask: This contains the set of revocation reasons supported by the CRL or delta CRL currently being processed.
据我所知,此处理的目的是收集 CRL 以支持尽可能多的撤销原因。因此,只有在当前 CRL 支持任何以前的 CRL 不支持的撤销原因时,才需要将当前 CRL 添加到列表中。
如果您的 reasons_mask
包含所有 true
,则之前的 CRL 已涵盖所有撤销原因,或者没有给出其支持的特定撤销原因,从而导致特殊值 all-reasons
(all flags true) 被设置,这意味着不需要涵盖进一步的撤销原因,因此不需要进一步检查。
sun.security.provider.certpath.DistributionPointFetcher.java
...
// compute interim reasons mask
boolean[] interimReasonsMask = new boolean[9];
ReasonFlags reasons = null;
if (idpExt != null) {
reasons = (ReasonFlags) idpExt.get(IssuingDistributionPointExtension.REASONS);
}
boolean[] pointReasonFlags = point.getReasonFlags();
if (reasons != null) {
if (pointReasonFlags != null) {
// set interim reasons mask to the intersection of
// reasons in the DP and onlySomeReasons in the IDP
boolean[] idpReasonFlags = reasons.getFlags();
for (int i = 0; i < interimReasonsMask.length; i++) {
interimReasonsMask[i] = (i < idpReasonFlags.length && idpReasonFlags[i])
&& (i < pointReasonFlags.length && pointReasonFlags[i]);
}
} else {
// set interim reasons mask to the value of
// onlySomeReasons in the IDP (and clone it since we may
// modify it)
interimReasonsMask = reasons.getFlags().clone();
}
} else if (idpExt == null || reasons == null) {
if (pointReasonFlags != null) {
// set interim reasons mask to the value of DP reasons
interimReasonsMask = pointReasonFlags.clone();
} else {
// set interim reasons mask to the special value all-reasons
Arrays.fill(interimReasonsMask, true); // ### SEE HERE ###
}
}
// verify that interim reasons mask includes one or more reasons
// not included in the reasons mask
boolean oneOrMore = false;
for (int i = 0; i < interimReasonsMask.length && !oneOrMore; i++) {
if (interimReasonsMask[i] && !(i < reasonsMask.length && reasonsMask[i])) {
oneOrMore = true;
}
}
if (!oneOrMore) {
return false;
}
...
关于java - CRL 处理中比较 interim_reasons_mask 和reasons_mask 的原因,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/56794350/