JDK-6521485 : X509CRL.getRevokedCertificates does not preserve order of revoked certificates
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 5.0
  • Priority: P4
  • Status: Closed
  • Resolution: Duplicate
  • OS: windows_xp
  • CPU: x86
  • Submitted: 2007-02-05
  • Updated: 2018-08-21
  • Resolved: 2018-08-21
Related Reports
Duplicate :  
Description
FULL PRODUCT VERSION :


A DESCRIPTION OF THE PROBLEM :
The problem arises when I try to decode an indirect CRL with the X509CRL class of JDK 1.5.

// getRevokedCertificates() returns a Set, so iteration order is unspecified
Set<? extends X509CRLEntry> entradasDeCRL = crl.getRevokedCertificates();
Iterator<? extends X509CRLEntry> itEntradasDeCRL = entradasDeCRL.iterator();

When we review the standard X.509, the ASN.1 definition of CRL is:

CertificateList ::= SIGNED { SEQUENCE {
  version Version OPTIONAL, -- if present, version must be v2
  signature AlgorithmIdentifier,
  issuer Name,
  thisUpdate Time,
  nextUpdate Time OPTIONAL,
  revokedCertificates SEQUENCE OF SEQUENCE {
    serialNumber CertificateSerialNumber,
    revocationDate Time,
    crlEntryExtensions Extensions OPTIONAL } OPTIONAL,
  crlExtensions [0] Extensions OPTIONAL }}

Revoked certificates are defined as a "SEQUENCE OF". This is an ordered collection of zero or more elements. When we use the JDK, we can see that the JDK decodes it as a SET OF, and it does not respect the order of the collection.

If we use this implementation, where the order is not "important", we cannot use the CertificateIssuer extension to handle indirect CRLs correctly.

REPRODUCIBILITY :
This bug can be reproduced always.
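As an added illustration (not part of the bug report or the JDK), a small Python model of the revokedCertificates SEQUENCE OF with a hand-rolled DER encoder and parser: it shows how the scope of the certificateIssuer entry extension depends on entry order, and how walking the same entries in a set's order attributes a serial to the wrong CA. The CA names, serials and dates are constructed sample data.

```python
"""Hand-rolled DER model of a CRL's revokedCertificates SEQUENCE OF (RFC 5280 5.1.2.6).
A certificateIssuer entry extension (2.5.29.29) applies to its own entry and to every
later entry until the next one (RFC 5280 5.3.3), so the encoded order is part of the data."""

CERT_ISSUER_OID = bytes.fromhex("551d1d")  # id-ce-certificateIssuer
CN_OID = bytes.fromhex("550403")           # id-at-commonName

def der(tag, body):  # one DER TLV; short-form length is enough for this sample
    return bytes([tag, len(body)]) + body

def tlvs(buf):  # split a DER buffer (short-form lengths) into (tag, value) pairs, in encoded order
    out, i = [], 0
    while i < len(buf):
        tag, n = buf[i], buf[i + 1]
        out.append((tag, buf[i + 2:i + 2 + n]))
        i += 2 + n
    return out

def entry(serial, issuer_cn=None):
    """One revokedCertificates element, optionally carrying a certificateIssuer extension."""
    body = der(0x02, bytes([serial])) + der(0x17, b"240101000000Z")  # serialNumber, UTCTime
    if issuer_cn:
        # GeneralNames { directoryName [4] Name { RDN SET { ATV { CN, UTF8String } } } }
        atv = der(0x30, der(0x06, CN_OID) + der(0x0C, issuer_cn.encode()))
        names = der(0x30, der(0xA4, der(0x30, der(0x31, atv))))
        ext = der(0x30, der(0x06, CERT_ISSUER_OID) + der(0x01, b"\xff") + der(0x04, names))
        body += der(0x30, ext)  # crlEntryExtensions
    return der(0x30, body)

def attribute_issuers(entries, crl_issuer):  # map serial -> issuing CA, in the order given
    current, result = crl_issuer, {}
    for ent in entries:
        fields = tlvs(ent)
        if len(fields) == 3:  # crlEntryExtensions present
            for _, ext in tlvs(fields[2][1]):
                parts = tlvs(ext)
                if parts[0][1] == CERT_ISSUER_OID:
                    name = parts[-1][1]  # extnValue: GeneralNames -> [4] -> Name -> RDN -> ATV
                    for _ in range(5):
                        name = tlvs(name)[0][1]
                    current = tlvs(name)[1][1].decode()  # the UTF8String CN
        result[int.from_bytes(fields[0][1], "big")] = current
    return result

# Constructed sample: CA-A issues the CRL; serials 1 and 2 are its own, 3 and 4 are CA-B's.
REVOKED = der(0x30, entry(1) + entry(2) + entry(3, "CA-B") + entry(4))
SEQUENCE_ORDER = [v for _, v in tlvs(tlvs(REVOKED)[0][1])]  # as encoded
SET_ORDER = list(reversed(SEQUENCE_ORDER))  # stand-in for a Set's unordered iteration

if __name__ == "__main__":
    print(attribute_issuers(SEQUENCE_ORDER, "CA-A"))  # {1: 'CA-A', 2: 'CA-A', 3: 'CA-B', 4: 'CA-B'}
    print(attribute_issuers(SET_ORDER, "CA-A"))  # serial 4 wrongly attributed to CA-A
```

In the JDK itself, X509CRLEntry.getCertificateIssuer() and X509CRL.getRevokedCertificate(X509Certificate) (both since 1.5) perform this attribution internally, so code consuming the Set should rely on them rather than on iteration order.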

Comments
The concerns in this issue are very similar to those reported in JDK-4941974 about indirect CRLs which was closed and addressed by adding the getRevokedCertificate(X509Certificate) method. So I am closing this as a duplicate. A method that returns a List<X509CRLEntry> may still have some value, but seems very low priority unless we have more evidence this is still an issue in practice.
21-08-2018

This is really an enhancement request. A new API method would need to be added to X509CRL that returns a List<X509CRLEntry> instead of a Set<X509CRLEntry>.
21-08-2018

EVALUATION
This is a bug that can prevent the correct processing of Indirect CRLs because the order of CRL entries is significant.
06-02-2007