java - CRL 处理中比较 interim_reasons_mask 和reasons_mask 的原因

在 RFC5280在 6.3.3 中。 CRL处理部分有一个步骤:

Verify that interim_reasons_mask includes one or more reasons that are not included in the reasons_mask.

有人可以解释一下这项检查的意义是什么吗？当我尝试使用指向某个 URL 的分发点验证证书时，它在 DistributionPointFetcher:591 中失败。 ReasonMasks 设置为 9 true，所以我不明白如何可能通过此检查，因为它已初始化，因此从未更改。

更新

初始化原因掩码的代码:Link

传递原因掩码以在 DistributionPointFetcher 中进行处理的代码:Link

最佳答案

reasons_mask: This variable contains the set of revocation reasons supported by the CRLs and delta CRLs processed so far.

interim_reasons_mask: This contains the set of revocation reasons supported by the CRL or delta CRL currently being processed.

据我所知，此处理的目的是收集 CRL 以支持尽可能多的撤销原因。因此，只有在当前 CRL 支持任何以前的 CRL 不支持的撤销原因时，才需要将当前 CRL 添加到列表中。

如果您的 reasons_mask 包含所有 true，则之前的 CRL 已涵盖所有撤销原因，或者没有给出其支持的特定撤销原因，从而导致特殊值 all-reasons (all flags true) 被设置，这意味着不需要涵盖进一步的撤销原因，因此不需要进一步检查。

<小时/>

sun.security.provider.certpath.DistributionPointFetcher.java

...
// compute interim reasons mask
boolean[] interimReasonsMask = new boolean[9];
ReasonFlags reasons = null;
if (idpExt != null) {
    reasons = (ReasonFlags) idpExt.get(IssuingDistributionPointExtension.REASONS);
}

boolean[] pointReasonFlags = point.getReasonFlags();
if (reasons != null) {
    if (pointReasonFlags != null) {
        // set interim reasons mask to the intersection of
        // reasons in the DP and onlySomeReasons in the IDP
        boolean[] idpReasonFlags = reasons.getFlags();
        for (int i = 0; i < interimReasonsMask.length; i++) {
            interimReasonsMask[i] = (i < idpReasonFlags.length && idpReasonFlags[i])
                    && (i < pointReasonFlags.length && pointReasonFlags[i]);
        }
    } else {
        // set interim reasons mask to the value of
        // onlySomeReasons in the IDP (and clone it since we may
        // modify it)
        interimReasonsMask = reasons.getFlags().clone();
    }
} else if (idpExt == null || reasons == null) {
    if (pointReasonFlags != null) {
        // set interim reasons mask to the value of DP reasons
        interimReasonsMask = pointReasonFlags.clone();
    } else {
        // set interim reasons mask to the special value all-reasons
        Arrays.fill(interimReasonsMask, true);  // ### SEE HERE ###
    }
}

// verify that interim reasons mask includes one or more reasons
// not included in the reasons mask
boolean oneOrMore = false;
for (int i = 0; i < interimReasonsMask.length && !oneOrMore; i++) {
    if (interimReasonsMask[i] && !(i < reasonsMask.length && reasonsMask[i])) {
        oneOrMore = true;
    }
}
if (!oneOrMore) {
    return false;
}
...

关于java - CRL 处理中比较 interim_reasons_mask 和reasons_mask 的原因，我们在Stack Overflow上找到一个类似的问题： https://stackoverflow.com/questions/56794350/

java - CRL 处理中比较 interim_reasons_mask 和reasons_mask 的原因

上一篇：java - Hibernate:必须声明元素类型 "hibernate-configuration"。无迁移

下一篇：java - Maven 中提供的和运行时的传递范围