JDK-4941974 : new X509CRL.getRevokedCerts() should return an ordered List (and not a Set)
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 1.4.2
  • Priority: P4
  • Status: Closed
  • Resolution: Duplicate
  • OS: windows_2000
  • CPU: x86
  • Submitted: 2003-10-22
  • Updated: 2018-08-21
  • Resolved: 2003-10-23
Related Reports
Duplicate :  
Duplicate :  
Description

Name: rmT116609			Date: 10/22/2003


A DESCRIPTION OF THE REQUEST :
At the moment, the X509CRL interface, and hence the Sun implementation, only defines the method "Set getRevokedCertificates()".  Set is by definition unordered.  This is fine if the CRL is a direct CRL.

JUSTIFICATION :
However, if the CRL is an indirect CRL, it is imperative that the revoked certificates are ordered to allow proper processing.  In indirect CRLs, the certificate issuer of the revoked certificate is dependent on the previous revoked certificate entry.  See RFC 5.3.4, Certificate Issuer, for a complete description of this.
Thus I request a new method "List getRevokedCerts()" to be defined, or at least a "X509CRLEntry getRevokedCertificate(X509Certificate)" that follows RFC 3280 and properly handles indirect CRLs.
At the moment, all indirect CRLs must be locally parsed (i.e. use another Provider or ASN.1 parser) in order to perform proper revocation checks.
(Incident Review ID: 215465) 
======================================================================

Comments
EVALUATION The submitter is correct that the APIs in 1.4.x are not sufficient to implement indirect CRLs. This has been addressed in Tiger by 4874770. That RFE added the getRevokedCertificate(X509Certificate) method suggested here as one of the possible solutions. We feel that this is the best way to fix this since it allows fast lookups to determine if a given certificate has been revoked. Also note that there are Set implementations that preserve insertion order (i.e. LinkedHashSet), which is what the Sun X509CRL implementation returns from getRevokedCertificates() in Tiger. Since the functionality requested by the submitter has been added by 4874770, I am closing as a dup. ###@###.### 2003-10-23
23-10-2003
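What the submitter calls "locally parsing" an indirect CRL, and the (issuer, serial) lookup that the Tiger method getRevokedCertificate(X509Certificate) has to perform, look like the following. This is an added example written for this page; it is not code from the bug report or from the JDK. A minimal DER encoder builds a constructed revokedCertificates list (the issuer names, serial numbers and revocation date are made up for the illustration, and the names are reduced to a single CN), and a small DER reader walks the entries in CRL order applying the RFC 3280 section 5.3.4 rule: an entry without a certificateIssuer extension belongs to the same issuer as the preceding entry, and the first entry defaults to the CRL issuer. Running the same entries in reverse shows the misattribution an unordered Set invites.

```python
# Indirect CRL entry attribution per RFC 3280 5.3.4 (RFC 5280 5.3.3 today).
# Added example: CRL bytes are constructed inline with a tiny DER encoder,
# not read from a real CRL; issuer names are single-CN Names for brevity.

CERT_ISSUER_OID = b"\x55\x1d\x1d"   # 2.5.29.29 id-ce-certificateIssuer
CN_OID = b"\x55\x04\x03"            # 2.5.4.3 commonName

# --- minimal DER encoder (only what a revokedCertificates list needs) ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def seq(*parts):
    return tlv(0x30, b"".join(parts))

def integer(n):
    # unsigned INTEGER, leading zero octet added when the high bit is set
    return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))

def name(cn):
    # X.501 Name: SEQUENCE { SET { SEQUENCE { OID commonName, PrintableString } } }
    return seq(tlv(0x31, seq(tlv(0x06, CN_OID), tlv(0x13, cn.encode()))))

def cert_issuer_ext(issuer_name):
    # Extension { extnID, critical TRUE, OCTET STRING { GeneralNames { [4] directoryName } } }
    general_names = seq(tlv(0xA4, issuer_name))
    return seq(tlv(0x06, CERT_ISSUER_OID), tlv(0x01, b"\xff"), tlv(0x04, general_names))

def crl_entry(serial, issuer_name=None):
    # revokedCertificates entry: userCertificate, revocationDate, crlEntryExtensions OPTIONAL
    parts = [integer(serial), tlv(0x17, b"031022120000Z")]  # constructed UTCTime
    if issuer_name is not None:
        parts.append(seq(cert_issuer_ext(issuer_name)))
    return seq(*parts)

# --- minimal DER reader ---
def read_tlv(buf, pos=0):
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln

def children(body):
    pos, out = 0, []
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def entry_issuer_from_exts(exts_body):
    """Return the directoryName DER carried by a certificateIssuer extension, or None."""
    for _, ext in children(exts_body):
        fields = children(ext)
        if fields[0][1] != CERT_ISSUER_OID:
            continue
        general_names = read_tlv(fields[-1][1])[1]   # unwrap OCTET STRING -> GeneralNames body
        for gn_tag, gn_val in children(general_names):
            if gn_tag == 0xA4:                        # [4] directoryName
                return gn_val
    return None

def revoked_entries(crl_issuer, revoked_list_der):
    """(serial, certificate-issuer Name DER) for every entry, in CRL order.
    Order matters: an entry without the extension inherits the previous entry's issuer."""
    current, out = crl_issuer, []
    for _, ent in children(read_tlv(revoked_list_der)[1]):
        fields = children(ent)
        serial = int.from_bytes(fields[0][1], "big")
        if len(fields) == 3:
            named = entry_issuer_from_exts(fields[2][1])
            if named is not None:
                current = named
        out.append((serial, current))
    return out

def find_revoked(entries, issuer, serial):
    """The lookup getRevokedCertificate(X509Certificate) must make: match on
    (issuer, serial), never on serial alone. Byte-equal Names suffice here
    because one encoder produced both sides; real code applies X.500 name matching."""
    for s, iss in entries:
        if s == serial and iss == issuer:
            return (s, iss)
    return None

def reversed_list(revoked_list_der):
    # Re-emit the entries in reverse, as an unordered Set might hand them back
    return seq(*(tlv(t, v) for t, v in reversed(children(read_tlv(revoked_list_der)[1]))))

# Constructed sample: serial 7 is revoked under both CA A and CA B.
CRL_ISSUER, CA_A, CA_B = name("Indirect CRL Issuer"), name("CA A"), name("CA B")
LABELS = {CRL_ISSUER: "CRL issuer", CA_A: "CA A", CA_B: "CA B"}
REVOKED = seq(crl_entry(1), crl_entry(7, CA_A), crl_entry(9), crl_entry(7, CA_B), crl_entry(3))

def attribution(entries):
    return [(serial, LABELS[iss]) for serial, iss in entries]

if __name__ == "__main__":
    print("in order:", attribution(revoked_entries(CRL_ISSUER, REVOKED)))
    print("reversed:", attribution(revoked_entries(CRL_ISSUER, reversed_list(REVOKED))))
```

In CRL order serial 9 is attributed to CA A and serial 3 to CA B; on the reversed list the same two entries land under CA B and the CRL issuer respectively, and serial 7 is no longer distinguishable without the issuer, which is exactly why the Set returned in 1.4.x could not be used for indirect CRLs.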