在 CRL 处理中比较 interim_reasons_mask 和 reasons_mask 的原因
Reason for comparing interim_reasons_mask and reasons_mask in CRL Processing
在 6.3.3 中的RFC5280。 CRL处理部分有一个步骤:
Verify that interim_reasons_mask includes one or more reasons
that are not included in the reasons_mask.
谁能解释一下这项检查的意义所在。当我尝试验证分发点指向某些 URL 的证书时,它在 DistributionPointFetcher:591 中失败。 reasonsMasks 设置为 9 true's 所以我不知道怎么可能通过这个检查因为它已经初始化它从未改变过。
更新
初始化原因掩码的代码:Link
在 DistributionPointFetcher 中传递原因掩码以进行处理的代码:Link
reasons_mask: This variable contains the set of revocation reasons supported by the CRLs and delta CRLs processed so far.
interim_reasons_mask: This contains the set of revocation reasons supported by the CRL or delta CRL currently being processed.
据我所知,此处理的目的是收集 CRL 以支持尽可能多的撤销原因。因此,如果当前 CRL 支持任何先前 CRL 不支持的任何撤销原因,它只会将当前 CRL 添加到列表中。
如果您的 reasons_mask 包含所有 true 那么之前的 CRL 已经涵盖了所有撤销原因,或者没有给出它支持的特定撤销原因导致特殊值 all-reasons (所有标志为真)将被设置,这意味着不需要涵盖进一步的撤销原因,因此它不会进一步检查。
sun.security.provider.certpath.DistributionPointFetcher.java
...
// compute interim reasons mask
boolean[] interimReasonsMask = new boolean[9];
ReasonFlags reasons = null;
if (idpExt != null) {
reasons = (ReasonFlags) idpExt.get(IssuingDistributionPointExtension.REASONS);
}
boolean[] pointReasonFlags = point.getReasonFlags();
if (reasons != null) {
if (pointReasonFlags != null) {
// set interim reasons mask to the intersection of
// reasons in the DP and onlySomeReasons in the IDP
boolean[] idpReasonFlags = reasons.getFlags();
for (int i = 0; i < interimReasonsMask.length; i++) {
interimReasonsMask[i] = (i < idpReasonFlags.length && idpReasonFlags[i])
&& (i < pointReasonFlags.length && pointReasonFlags[i]);
}
} else {
// set interim reasons mask to the value of
// onlySomeReasons in the IDP (and clone it since we may
// modify it)
interimReasonsMask = reasons.getFlags().clone();
}
} else if (idpExt == null || reasons == null) {
if (pointReasonFlags != null) {
// set interim reasons mask to the value of DP reasons
interimReasonsMask = pointReasonFlags.clone();
} else {
// set interim reasons mask to the special value all-reasons
Arrays.fill(interimReasonsMask, true); // ### SEE HERE ###
}
}
// verify that interim reasons mask includes one or more reasons
// not included in the reasons mask
boolean oneOrMore = false;
for (int i = 0; i < interimReasonsMask.length && !oneOrMore; i++) {
if (interimReasonsMask[i] && !(i < reasonsMask.length && reasonsMask[i])) {
oneOrMore = true;
}
}
if (!oneOrMore) {
return false;
}
...
在 6.3.3 中的RFC5280。 CRL处理部分有一个步骤:
Verify that interim_reasons_mask includes one or more reasons that are not included in the reasons_mask.
谁能解释一下这项检查的意义所在。当我尝试验证分发点指向某些 URL 的证书时,它在 DistributionPointFetcher:591 中失败。 reasonsMasks 设置为 9 true's 所以我不知道怎么可能通过这个检查因为它已经初始化它从未改变过。
更新
初始化原因掩码的代码:Link
在 DistributionPointFetcher 中传递原因掩码以进行处理的代码:Link
reasons_mask: This variable contains the set of revocation reasons supported by the CRLs and delta CRLs processed so far.
interim_reasons_mask: This contains the set of revocation reasons supported by the CRL or delta CRL currently being processed.
据我所知,此处理的目的是收集 CRL 以支持尽可能多的撤销原因。因此,如果当前 CRL 支持任何先前 CRL 不支持的任何撤销原因,它只会将当前 CRL 添加到列表中。
如果您的 reasons_mask 包含所有 true 那么之前的 CRL 已经涵盖了所有撤销原因,或者没有给出它支持的特定撤销原因导致特殊值 all-reasons (所有标志为真)将被设置,这意味着不需要涵盖进一步的撤销原因,因此它不会进一步检查。
sun.security.provider.certpath.DistributionPointFetcher.java
...
// compute interim reasons mask
boolean[] interimReasonsMask = new boolean[9];
ReasonFlags reasons = null;
if (idpExt != null) {
reasons = (ReasonFlags) idpExt.get(IssuingDistributionPointExtension.REASONS);
}
boolean[] pointReasonFlags = point.getReasonFlags();
if (reasons != null) {
if (pointReasonFlags != null) {
// set interim reasons mask to the intersection of
// reasons in the DP and onlySomeReasons in the IDP
boolean[] idpReasonFlags = reasons.getFlags();
for (int i = 0; i < interimReasonsMask.length; i++) {
interimReasonsMask[i] = (i < idpReasonFlags.length && idpReasonFlags[i])
&& (i < pointReasonFlags.length && pointReasonFlags[i]);
}
} else {
// set interim reasons mask to the value of
// onlySomeReasons in the IDP (and clone it since we may
// modify it)
interimReasonsMask = reasons.getFlags().clone();
}
} else if (idpExt == null || reasons == null) {
if (pointReasonFlags != null) {
// set interim reasons mask to the value of DP reasons
interimReasonsMask = pointReasonFlags.clone();
} else {
// set interim reasons mask to the special value all-reasons
Arrays.fill(interimReasonsMask, true); // ### SEE HERE ###
}
}
// verify that interim reasons mask includes one or more reasons
// not included in the reasons mask
boolean oneOrMore = false;
for (int i = 0; i < interimReasonsMask.length && !oneOrMore; i++) {
if (interimReasonsMask[i] && !(i < reasonsMask.length && reasonsMask[i])) {
oneOrMore = true;
}
}
if (!oneOrMore) {
return false;
}
...