To establish context on the question: are you aware of the following in 
RFC3280?

The X.509 v2 CRL format also allows communities to define private extensions to 
carry information unique to those communities.  Each extension in a CRL may be 
designated as critical or non-critical.  A CRL validation MUST fail if it 
encounters a critical extension which it does not know how to process.  
However, an unrecognized non-critical extension may be ignored.  The following 
subsections present those extensions used within Internet CRLs.  Communities 
may elect to include extensions in CRLs which are not defined in this 
specification.  However, caution should be exercised in adopting any critical 
extensions in CRLs which might be used in a general context.

Identical language is contained in RFC5280. So the next question is whether 
you've dumped the contents of the CRL and worked out what extensions are 
critical and which of those are not specified to be so in the relevant RFCs, 
minimally including those just cited.

On 23 Mar 2011, at 16:04, Mangesh Divekar (Sunbridge) wrote:

> Hello,
> 
> 
> 
> We are using JSS in our application. We are working with CRL to do
> verification of certificates. The below-mentioned code:
> 
> 
> 
>     CryptoManager.initialize("e:\\jss");
>     CryptoManager cm = CryptoManager.getInstance();
>     cm.importCRL(val,null);
> 
> 
> 
>                where val is a byte array got from CRL. 
> 
> 
> 
>                This code is throwing exception like : 
> 
> 
> 
> org.mozilla.jss.CRLImportException: Failed to import Revocation List: (-8043) Issuer's V2 Certificate Revocation List has an unknown critical extension.
>     at org.mozilla.jss.CryptoManager.importCRLNative(Native Method)
>     at org.mozilla.jss.CryptoManager.importCRL(CryptoManager.java:1115)
>     at jss.sample.cert.CRLDownLoader.main(CRLDownLoader.java:114)
> 
> 
> 
> Please advise.
> 
> 
> 
> 
> 
> _____________________________________________
> Mangesh Divekar
> Sunbridge Software Services
> 6 Gayatri Apart, Amchi Colony, Bavdhan, Pune (India)
> T: 91 20 22953290
> F: 91 20 22953291
> M: 91 9890722090
> W:  <http://www.sunbridgeindia.com> www.sunbridgeindia.com
> Business Process Automation | Application Development |Testing Services |
> Application Packaging | 
> ____________________________________________
> 
> -- 
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
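
Added example, not part of the original thread and not JSS code: one way to dump a CRL and list its critical extensions, as the reply suggests, using the standard java.security.cert API (Java 9+). The class name, the file-path argument and the KNOWN table (CRL and CRL-entry extension OIDs from RFC 5280 sections 5.2 and 5.3) are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

public class CrlCriticalExtensions {
    // Extensions defined for CRLs and CRL entries in RFC 5280 (assumed reference table).
    // Being listed here does not mean a given library processes the extension.
    static final Map<String, String> KNOWN = Map.ofEntries(
        Map.entry("2.5.29.35", "authorityKeyIdentifier"),
        Map.entry("2.5.29.18", "issuerAltName"),
        Map.entry("2.5.29.20", "cRLNumber"),
        Map.entry("2.5.29.27", "deltaCRLIndicator"),
        Map.entry("2.5.29.28", "issuingDistributionPoint"),
        Map.entry("2.5.29.46", "freshestCRL"),
        Map.entry("1.3.6.1.5.5.7.1.1", "authorityInfoAccess"),
        Map.entry("2.5.29.21", "reasonCode (entry)"),
        Map.entry("2.5.29.24", "invalidityDate (entry)"),
        Map.entry("2.5.29.29", "certificateIssuer (entry)"));

    // Collects critical extension OIDs from the CRL itself and from every revoked entry.
    static Set<String> criticalOids(X509CRL crl) {
        Set<String> oids = new TreeSet<>();
        if (crl.getCriticalExtensionOIDs() != null) oids.addAll(crl.getCriticalExtensionOIDs());
        if (crl.getRevokedCertificates() != null) {
            for (X509CRLEntry entry : crl.getRevokedCertificates()) {
                if (entry.getCriticalExtensionOIDs() != null) oids.addAll(entry.getCriticalExtensionOIDs());
            }
        }
        return oids;
    }

    public static void main(String[] args) throws Exception {
        // args[0]: path to the DER- or PEM-encoded CRL (the same bytes passed to importCRL)
        try (InputStream in = new FileInputStream(args[0])) {
            X509CRL crl = (X509CRL) CertificateFactory.getInstance("X.509").generateCRL(in);
            System.out.println("Issuer: " + crl.getIssuerX500Principal());
            for (String oid : criticalOids(crl)) {
                System.out.println("critical  " + oid + "  "
                    + KNOWN.getOrDefault(oid, "not defined in RFC 5280 (private extension?)"));
            }
        }
    }
}
```

A critical OID that falls outside the table is a candidate for the extension behind error -8043; a validator that does not recognise it is required to fail, per the RFC text quoted above.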
