changeset 1251:c3c5cc0f2a3e

6720721: CRL check with circular depency support needed Summary: checking AKID of certificates and CRLs Reviewed-by: mullan, weijun
author xuelei
date Tue, 26 May 2009 16:43:22 +0800
parents d93b7df1e260
children 045aeb76b0ff
files src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLOneLevel.java test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLOneLevelRevoked.java test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLTwoLevel.java test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLTwoLevelRevoked.java test/java/security/cert/CertPathValidator/indirectCRL/README test/java/security/cert/CertPathValidator/indirectCRL/generate.sh test/java/security/cert/CertPathValidator/indirectCRL/openssl.cnf
diffstat 8 files changed, 1691 insertions(+), 0 deletions(-) [+]
line wrap: on
line diff
--- a/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java	Tue May 26 16:19:18 2009 +0800
+++ b/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java	Tue May 26 16:43:22 2009 +0800
@@ -339,6 +339,16 @@
                 debug.println("crl issuer does not equal cert issuer");
             }
             return false;
+        } else {
+            // in case of self-issued indirect CRL issuer.
+            byte[] certAKID = certImpl.getExtensionValue(
+                                PKIXExtensions.AuthorityKey_Id.toString());
+            byte[] crlAKID = crlImpl.getExtensionValue(
+                                PKIXExtensions.AuthorityKey_Id.toString());
+
+            if (!Arrays.equals(certAKID, crlAKID)) {
+                indirectCRL = true;
+            }
         }
 
         if (!indirectCRL && !signFlag) {
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLOneLevel.java	Tue May 26 16:43:22 2009 +0800
@@ -0,0 +1,193 @@
+/*
+ * Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+/**
+ * @test
+ *
+ * @bug 6720721
+ * @summary CRL check with circular depency support needed
+ * @author Xuelei Fan
+ */
+
+import java.io.*;
+import java.net.SocketException;
+import java.util.*;
+import java.security.Security;
+import java.security.cert.*;
+import java.security.cert.CertPathValidatorException.BasicReason;
+
+public class CircularCRLOneLevel {
+
+    static String selfSignedCertStr =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzJaFw0zMDA0MDcwMjI0MzJa\n" +
+        "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
+        "AQUAA4GNADCBiQKBgQC4OTag24sTxL2tXTNuvpmUEtdxrYAZoFsslFQ60T+WD9wQ\n" +
+        "Jeiw87FSPsR2vxRuv0j8DNm2a4h7LNNIFcLurfNldbz5pvgZ7VqdbbUMPE9qP85n\n" +
+        "jgDl4woyRTSUeRI4A7O0CO6NpES21dtbdhroWQrEkHxpnrDPxsxrz5gf2m3gqwID\n" +
+        "AQABo4GJMIGGMB0GA1UdDgQWBBSCJd0hpl5PdAD9IZS+Hzng4lXLGzBHBgNVHSME\n" +
+        "QDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n" +
+        "BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQw\n" +
+        "DQYJKoZIhvcNAQEEBQADgYEAluy6HIjWcq009lTLmhp+Np6dxU78pInBK8RZkza0\n" +
+        "484qGaxFGD3UGyZkI5uWmsH2XuMbuox5khfIq6781gmkPBHXBIEtJN8eLusOHEye\n" +
+        "iE8h7WI+N3qa6Pj56WionMrioqC/3X+b06o147bbhx8U0vkYv/HyPaITOFfMXTdz\n" +
+        "Vjw=\n" +
+        "-----END CERTIFICATE-----";
+
+    static String subCaCertStr =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICUDCCAbmgAwIBAgIBAzANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzRaFw0yOTAxMTIwMjI0MzRa\n" +
+        "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +
+        "cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCiAJnAQW2ad3ZMKUhSJVZj\n" +
+        "8pBqxTcHSTwAVguQkDglsN/OIwUpvR5Jgp3lpRWUEt6idEp0FZzORpvtjt3pr5MG\n" +
+        "Eg2CDptekC5BSPS+fIAIKlncB3HwOiFFhH6b3wTydDCdEd2fvsi4QMOSVrIYMeA8\n" +
+        "P/mCz6kRhfUQPE0CMmOUewIDAQABo4GJMIGGMB0GA1UdDgQWBBT0/nNP8WpyxmYr\n" +
+        "IBp4tN8y08jw2jBHBgNVHSMEQDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEw\n" +
+        "HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" +
+        "AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEEBQADgYEAS9PzI6B39R/U9fRj\n" +
+        "UExzN1FXNP5awnAPtiv34kSCL6n6MryqkfG+8aaAOdZsSjmTylNFaF7cW/Xp1VBF\n" +
+        "hq0bg/SbEAbK7+UwL8GSC3crhULHLbh+1iFdVTEwxCw5YmB8ji3BaZ/WKW/PkjCZ\n" +
+        "7cXP6VDeZMG6oRQ4hbOcixoFPXo=\n" +
+        "-----END CERTIFICATE-----";
+
+    static String targetCertStr = subCaCertStr;
+
+    static String crlIssuerCertStr =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICKzCCAZSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzNaFw0yOTAxMTIwMjI0MzNa\n" +
+        "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
+        "AQUAA4GNADCBiQKBgQDMJeBMBybHykI/YpwUJ4O9euqDSLb1kpWpceBS8TVqvgBC\n" +
+        "SgUJWtFZL0i6bdvF6mMdlbuBkGzhXqHiVAi96/zRLbUC9F8SMEJ6MuD+YhQ0ZFTQ\n" +
+        "atKy8zf8O9XzztelLJ26Gqb7QPV133WY3haAqHtCXOhEKkCN16NOYNC37DTaJwID\n" +
+        "AQABo3cwdTAdBgNVHQ4EFgQULXSWzXzUOIpOJpzbSCpW42IJUugwRwYDVR0jBEAw\n" +
+        "PoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8xCzAJBgNVBAYTAlVTMRAwDgYD\n" +
+        "VQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjANBgkqhkiG9w0BAQQFAAOBgQAY\n" +
+        "eMnf5AHSNlyUlzXk8o2S0h4gCuvKX6C3kFfKuZcWvFAbx4yQOWLS2s15/nzR4+AP\n" +
+        "FGX3lgJjROyAh7fGedTQK+NFWwkM2ag1g3hXktnlnT1qHohi0w31nVBJxXEDO/Ck\n" +
+        "uJTpJGt8XxxbFaw5v7cHy7XuTAeU/sekvjEiNHW00Q==\n" +
+        "-----END CERTIFICATE-----";
+
+    static String crlStr =
+        "-----BEGIN X509 CRL-----\n" +
+        "MIIBGzCBhQIBATANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" +
+        "ChMHRXhhbXBsZRcNMDkwNDI3MDIzODA0WhcNMjgwNjI2MDIzODA0WjAiMCACAQUX\n" +
+        "DTA5MDQyNzAyMzgwMFowDDAKBgNVHRUEAwoBBKAOMAwwCgYDVR0UBAMCAQIwDQYJ\n" +
+        "KoZIhvcNAQEEBQADgYEAoarfzXEtw3ZDi4f9U8eSvRIipHSyxOrJC7HR/hM5VhmY\n" +
+        "CErChny6x9lBVg9s57tfD/P9PSzBLusCcHwHMAbMOEcTltVVKUWZnnbumpywlYyg\n" +
+        "oKLrE9+yCOkYUOpiRlz43/3vkEL5hjIKMcDSZnPKBZi1h16Yj2hPe9GMibNip54=\n" +
+        "-----END X509 CRL-----";
+
+    private static CertPath generateCertificatePath()
+            throws CertificateException {
+        // generate certificate from cert strings
+        CertificateFactory cf = CertificateFactory.getInstance("X.509");
+
+        ByteArrayInputStream is;
+
+        is = new ByteArrayInputStream(targetCertStr.getBytes());
+        Certificate targetCert = cf.generateCertificate(is);
+
+        is = new ByteArrayInputStream(selfSignedCertStr.getBytes());
+        Certificate selfSignedCert = cf.generateCertificate(is);
+
+        // generate certification path
+        List<Certificate> list = Arrays.asList(new Certificate[] {
+                        targetCert, selfSignedCert});
+
+        return cf.generateCertPath(list);
+    }
+
+    private static Set<TrustAnchor> generateTrustAnchors()
+            throws CertificateException {
+        // generate certificate from cert string
+        CertificateFactory cf = CertificateFactory.getInstance("X.509");
+
+        ByteArrayInputStream is =
+                    new ByteArrayInputStream(selfSignedCertStr.getBytes());
+        Certificate selfSignedCert = cf.generateCertificate(is);
+
+        // generate a trust anchor
+        TrustAnchor anchor =
+            new TrustAnchor((X509Certificate)selfSignedCert, null);
+
+        return Collections.singleton(anchor);
+    }
+
+    private static CertStore generateCertificateStore() throws Exception {
+        // generate CRL from CRL string
+        CertificateFactory cf = CertificateFactory.getInstance("X.509");
+
+        ByteArrayInputStream is =
+                    new ByteArrayInputStream(crlStr.getBytes());
+
+        // generate a cert store
+        Collection crls = cf.generateCRLs(is);
+
+        is = new ByteArrayInputStream(crlIssuerCertStr.getBytes());
+        Collection certs = cf.generateCertificates(is);
+
+        Collection entries = new HashSet();
+        entries.addAll(crls);
+        entries.addAll(certs);
+
+        return CertStore.getInstance("Collection",
+                            new CollectionCertStoreParameters(entries));
+    }
+
+    public static void main(String args[]) throws Exception {
+        CertPath path = generateCertificatePath();
+        Set<TrustAnchor> anchors = generateTrustAnchors();
+        CertStore crls = generateCertificateStore();
+
+        PKIXParameters params = new PKIXParameters(anchors);
+
+        // add the CRL store
+        params.addCertStore(crls);
+
+        // Activate certificate revocation checking
+        params.setRevocationEnabled(true);
+
+        // set the validation time
+        params.setDate(new Date(109, 5, 1));   // 2009-05-01
+
+        // disable OCSP checker
+        Security.setProperty("ocsp.enable", "false");
+
+        // enable CRL checker
+        System.setProperty("com.sun.security.enableCRLDP", "true");
+
+        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
+
+        try {
+            validator.validate(path, params);
+        } catch (CertPathValidatorException cpve) {
+            if (cpve.getReason() != BasicReason.REVOKED) {
+                throw new Exception(
+                    "unexpect exception, should be a REVOKED CPVE", cpve);
+            }
+        }
+    }
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLOneLevelRevoked.java	Tue May 26 16:43:22 2009 +0800
@@ -0,0 +1,196 @@
+/*
+ * Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+/**
+ * @test
+ *
+ * @bug 6720721
+ * @summary CRL check with circular depency support needed
+ * @author Xuelei Fan
+ */
+
+import java.io.*;
+import java.net.SocketException;
+import java.util.*;
+import java.security.Security;
+import java.security.cert.*;
+import java.security.cert.CertPathValidatorException.BasicReason;
+
+public class CircularCRLOneLevelRevoked {
+
+    static String selfSignedCertStr =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzJaFw0zMDA0MDcwMjI0MzJa\n" +
+        "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
+        "AQUAA4GNADCBiQKBgQC4OTag24sTxL2tXTNuvpmUEtdxrYAZoFsslFQ60T+WD9wQ\n" +
+        "Jeiw87FSPsR2vxRuv0j8DNm2a4h7LNNIFcLurfNldbz5pvgZ7VqdbbUMPE9qP85n\n" +
+        "jgDl4woyRTSUeRI4A7O0CO6NpES21dtbdhroWQrEkHxpnrDPxsxrz5gf2m3gqwID\n" +
+        "AQABo4GJMIGGMB0GA1UdDgQWBBSCJd0hpl5PdAD9IZS+Hzng4lXLGzBHBgNVHSME\n" +
+        "QDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n" +
+        "BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQw\n" +
+        "DQYJKoZIhvcNAQEEBQADgYEAluy6HIjWcq009lTLmhp+Np6dxU78pInBK8RZkza0\n" +
+        "484qGaxFGD3UGyZkI5uWmsH2XuMbuox5khfIq6781gmkPBHXBIEtJN8eLusOHEye\n" +
+        "iE8h7WI+N3qa6Pj56WionMrioqC/3X+b06o147bbhx8U0vkYv/HyPaITOFfMXTdz\n" +
+        "Vjw=\n" +
+        "-----END CERTIFICATE-----";
+
+    static String dumCaCertStr =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICUDCCAbmgAwIBAgIBBTANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzVaFw0yOTAxMTIwMjI0MzVa\n" +
+        "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +
+        "cy1EMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDAwfZ3wIYzdCkiFIKjrUKc\n" +
+        "0B32HaRkUeVJthadinLmoAVruCi3GRkLZUIPXDD9b7dFBbdeT1+8qDHV5wu/ES8W\n" +
+        "bgfirO8ng8h2hRuJbZgtfljNnVc3fptjxo7x73aP++w2oIcmjzVwaV08sgahoaY4\n" +
+        "f249t4EXbvjJQ8kuj1I8qQIDAQABo4GJMIGGMB0GA1UdDgQWBBR3fwdjpP4WiuyL\n" +
+        "/MDVrXUORrarXDBHBgNVHSMEQDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEw\n" +
+        "HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" +
+        "AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEEBQADgYEAp/2sXI/XLtXu+X05\n" +
+        "EISyBPQqdE3kgN3dmXOuoK9J7Io8jhgetdbr9S1WTSGBonaXZgc52FNsaaDU+VIp\n" +
+        "TGTYU5SFloUyOu/e095eAf9Q867pAPcE5zArfKpXEBLbJwhLFwrsKPk/WZM7Yaxs\n" +
+        "mihnXyZWWTA1sPZlVJu7/abJ2v0=\n" +
+        "-----END CERTIFICATE-----";
+
+    // a revoked certificate
+    static String targetCertStr = dumCaCertStr;
+
+    static String crlIssuerCertStr =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICKzCCAZSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzNaFw0yOTAxMTIwMjI0MzNa\n" +
+        "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
+        "AQUAA4GNADCBiQKBgQDMJeBMBybHykI/YpwUJ4O9euqDSLb1kpWpceBS8TVqvgBC\n" +
+        "SgUJWtFZL0i6bdvF6mMdlbuBkGzhXqHiVAi96/zRLbUC9F8SMEJ6MuD+YhQ0ZFTQ\n" +
+        "atKy8zf8O9XzztelLJ26Gqb7QPV133WY3haAqHtCXOhEKkCN16NOYNC37DTaJwID\n" +
+        "AQABo3cwdTAdBgNVHQ4EFgQULXSWzXzUOIpOJpzbSCpW42IJUugwRwYDVR0jBEAw\n" +
+        "PoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8xCzAJBgNVBAYTAlVTMRAwDgYD\n" +
+        "VQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjANBgkqhkiG9w0BAQQFAAOBgQAY\n" +
+        "eMnf5AHSNlyUlzXk8o2S0h4gCuvKX6C3kFfKuZcWvFAbx4yQOWLS2s15/nzR4+AP\n" +
+        "FGX3lgJjROyAh7fGedTQK+NFWwkM2ag1g3hXktnlnT1qHohi0w31nVBJxXEDO/Ck\n" +
+        "uJTpJGt8XxxbFaw5v7cHy7XuTAeU/sekvjEiNHW00Q==\n" +
+        "-----END CERTIFICATE-----";
+
+    static String crlStr =
+        "-----BEGIN X509 CRL-----\n" +
+        "MIIBGzCBhQIBATANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" +
+        "ChMHRXhhbXBsZRcNMDkwNDI3MDIzODA0WhcNMjgwNjI2MDIzODA0WjAiMCACAQUX\n" +
+        "DTA5MDQyNzAyMzgwMFowDDAKBgNVHRUEAwoBBKAOMAwwCgYDVR0UBAMCAQIwDQYJ\n" +
+        "KoZIhvcNAQEEBQADgYEAoarfzXEtw3ZDi4f9U8eSvRIipHSyxOrJC7HR/hM5VhmY\n" +
+        "CErChny6x9lBVg9s57tfD/P9PSzBLusCcHwHMAbMOEcTltVVKUWZnnbumpywlYyg\n" +
+        "oKLrE9+yCOkYUOpiRlz43/3vkEL5hjIKMcDSZnPKBZi1h16Yj2hPe9GMibNip54=\n" +
+        "-----END X509 CRL-----";
+
+    private static CertPath generateCertificatePath()
+            throws CertificateException {
+        // generate certificate from cert strings
+        CertificateFactory cf = CertificateFactory.getInstance("X.509");
+
+        ByteArrayInputStream is;
+
+        is = new ByteArrayInputStream(targetCertStr.getBytes());
+        Certificate targetCert = cf.generateCertificate(is);
+
+        is = new ByteArrayInputStream(selfSignedCertStr.getBytes());
+        Certificate selfSignedCert = cf.generateCertificate(is);
+
+        // generate certification path
+        List<Certificate> list = Arrays.asList(new Certificate[] {
+                        targetCert, selfSignedCert});
+
+        return cf.generateCertPath(list);
+    }
+
+    private static Set<TrustAnchor> generateTrustAnchors()
+            throws CertificateException {
+        // generate certificate from cert string
+        CertificateFactory cf = CertificateFactory.getInstance("X.509");
+
+        ByteArrayInputStream is =
+                    new ByteArrayInputStream(selfSignedCertStr.getBytes());
+        Certificate selfSignedCert = cf.generateCertificate(is);
+
+        // generate a trust anchor
+        TrustAnchor anchor =
+            new TrustAnchor((X509Certificate)selfSignedCert, null);
+
+        return Collections.singleton(anchor);
+    }
+
+    private static CertStore generateCertificateStore() throws Exception {
+        // generate CRL from CRL string
+        CertificateFactory cf = CertificateFactory.getInstance("X.509");
+
+        ByteArrayInputStream is =
+                    new ByteArrayInputStream(crlStr.getBytes());
+
+        // generate a cert store
+        Collection crls = cf.generateCRLs(is);
+
+        is = new ByteArrayInputStream(crlIssuerCertStr.getBytes());
+        Collection certs = cf.generateCertificates(is);
+
+        Collection entries = new HashSet();
+        entries.addAll(crls);
+        entries.addAll(certs);
+
+        return CertStore.getInstance("Collection",
+                            new CollectionCertStoreParameters(entries));
+    }
+
+    public static void main(String args[]) throws Exception {
+        CertPath path = generateCertificatePath();
+        Set<TrustAnchor> anchors = generateTrustAnchors();
+        CertStore crls = generateCertificateStore();
+
+        PKIXParameters params = new PKIXParameters(anchors);
+
+        // add the CRL store
+        params.addCertStore(crls);
+
+        // Activate certificate revocation checking
+        params.setRevocationEnabled(true);
+
+        // set the validation time
+        params.setDate(new Date(109, 5, 1));   // 2009-05-01
+
+        // disable OCSP checker
+        Security.setProperty("ocsp.enable", "false");
+
+        // enable CRL checker
+        System.setProperty("com.sun.security.enableCRLDP", "true");
+
+        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
+
+        try {
+            validator.validate(path, params);
+            throw new Exception("unexpected status, should be REVOKED");
+        } catch (CertPathValidatorException cpve) {
+            if (cpve.getReason() != BasicReason.REVOKED) {
+                throw new Exception(
+                    "unexpected exception, should be a REVOKED CPVE", cpve);
+            }
+        }
+
+    }
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLTwoLevel.java	Tue May 26 16:43:22 2009 +0800
@@ -0,0 +1,245 @@
+/*
+ * Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+/**
+ * @test
+ *
+ * @bug 6720721
+ * @summary CRL check with circular depency support needed
+ * @author Xuelei Fan
+ */
+
+import java.io.*;
+import java.net.SocketException;
+import java.util.*;
+import java.security.Security;
+import java.security.cert.*;
+import java.security.cert.CertPathValidatorException.BasicReason;
+
+public class CircularCRLTwoLevel {
+
+    static String selfSignedCertStr =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzJaFw0zMDA0MDcwMjI0MzJa\n" +
+        "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
+        "AQUAA4GNADCBiQKBgQC4OTag24sTxL2tXTNuvpmUEtdxrYAZoFsslFQ60T+WD9wQ\n" +
+        "Jeiw87FSPsR2vxRuv0j8DNm2a4h7LNNIFcLurfNldbz5pvgZ7VqdbbUMPE9qP85n\n" +
+        "jgDl4woyRTSUeRI4A7O0CO6NpES21dtbdhroWQrEkHxpnrDPxsxrz5gf2m3gqwID\n" +
+        "AQABo4GJMIGGMB0GA1UdDgQWBBSCJd0hpl5PdAD9IZS+Hzng4lXLGzBHBgNVHSME\n" +
+        "QDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n" +
+        "BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQw\n" +
+        "DQYJKoZIhvcNAQEEBQADgYEAluy6HIjWcq009lTLmhp+Np6dxU78pInBK8RZkza0\n" +
+        "484qGaxFGD3UGyZkI5uWmsH2XuMbuox5khfIq6781gmkPBHXBIEtJN8eLusOHEye\n" +
+        "iE8h7WI+N3qa6Pj56WionMrioqC/3X+b06o147bbhx8U0vkYv/HyPaITOFfMXTdz\n" +
+        "Vjw=\n" +
+        "-----END CERTIFICATE-----";
+
+    static String subCaCertStr =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICUDCCAbmgAwIBAgIBAzANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzRaFw0yOTAxMTIwMjI0MzRa\n" +
+        "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +
+        "cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCiAJnAQW2ad3ZMKUhSJVZj\n" +
+        "8pBqxTcHSTwAVguQkDglsN/OIwUpvR5Jgp3lpRWUEt6idEp0FZzORpvtjt3pr5MG\n" +
+        "Eg2CDptekC5BSPS+fIAIKlncB3HwOiFFhH6b3wTydDCdEd2fvsi4QMOSVrIYMeA8\n" +
+        "P/mCz6kRhfUQPE0CMmOUewIDAQABo4GJMIGGMB0GA1UdDgQWBBT0/nNP8WpyxmYr\n" +
+        "IBp4tN8y08jw2jBHBgNVHSMEQDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEw\n" +
+        "HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" +
+        "AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEEBQADgYEAS9PzI6B39R/U9fRj\n" +
+        "UExzN1FXNP5awnAPtiv34kSCL6n6MryqkfG+8aaAOdZsSjmTylNFaF7cW/Xp1VBF\n" +
+        "hq0bg/SbEAbK7+UwL8GSC3crhULHLbh+1iFdVTEwxCw5YmB8ji3BaZ/WKW/PkjCZ\n" +
+        "7cXP6VDeZMG6oRQ4hbOcixoFPXo=\n" +
+        "-----END CERTIFICATE-----";
+
+    static String targetCertStr =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICNzCCAaCgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0wOTA0MjcwMjI0\n" +
+        "MzZaFw0yOTAxMTIwMjI0MzZaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt\n" +
+        "cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVBbGljZTCBnzANBgkqhkiG\n" +
+        "9w0BAQEFAAOBjQAwgYkCgYEAvYSaU3oiE4Pxp/aUIXwMqOwSiWkZ+O3aTu13hRtK\n" +
+        "ZyR+Wtj63IuvaigAC4uC+zBypF93ThjwCzVR2qKDQaQzV8CLleO96gStt7Y+i3G2\n" +
+        "V3IUGgrVCqeK7N6nNYu0wW84sibcPqG/TIy0UoaQMqgB21xtRF+1DUVlFh4Z89X/\n" +
+        "pskCAwEAAaNPME0wCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBSynMEdcal/e9TmvlNE\n" +
+        "4suXGA4+hjAfBgNVHSMEGDAWgBT0/nNP8WpyxmYrIBp4tN8y08jw2jANBgkqhkiG\n" +
+        "9w0BAQQFAAOBgQB/jru7E/+piSmUwByw5qbZsoQZVcgR97pd2TErNJpJMAX2oIHR\n" +
+        "wJH6w4NuYs27+fEAX7wK4whc6EUH/w1SI6o28F2rG6HqYQPPZ2E2WqwbBQL9nYE3\n" +
+        "Vfzu/G9axTUQXFbf90h80UErA+mZVxqc2xtymLuH0YEaMZImtRZ2MXHfXg==\n" +
+        "-----END CERTIFICATE-----";
+
+    static String topCrlIssuerCertStr =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICKzCCAZSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzNaFw0yOTAxMTIwMjI0MzNa\n" +
+        "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
+        "AQUAA4GNADCBiQKBgQDMJeBMBybHykI/YpwUJ4O9euqDSLb1kpWpceBS8TVqvgBC\n" +
+        "SgUJWtFZL0i6bdvF6mMdlbuBkGzhXqHiVAi96/zRLbUC9F8SMEJ6MuD+YhQ0ZFTQ\n" +
+        "atKy8zf8O9XzztelLJ26Gqb7QPV133WY3haAqHtCXOhEKkCN16NOYNC37DTaJwID\n" +
+        "AQABo3cwdTAdBgNVHQ4EFgQULXSWzXzUOIpOJpzbSCpW42IJUugwRwYDVR0jBEAw\n" +
+        "PoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8xCzAJBgNVBAYTAlVTMRAwDgYD\n" +
+        "VQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjANBgkqhkiG9w0BAQQFAAOBgQAY\n" +
+        "eMnf5AHSNlyUlzXk8o2S0h4gCuvKX6C3kFfKuZcWvFAbx4yQOWLS2s15/nzR4+AP\n" +
+        "FGX3lgJjROyAh7fGedTQK+NFWwkM2ag1g3hXktnlnT1qHohi0w31nVBJxXEDO/Ck\n" +
+        "uJTpJGt8XxxbFaw5v7cHy7XuTAeU/sekvjEiNHW00Q==\n" +
+        "-----END CERTIFICATE-----";
+
+    static String subCrlIssuerCertStr =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICPTCCAaagAwIBAgIBBDANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzRaFw0yOTAxMTIwMjI0MzRa\n" +
+        "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +
+        "cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWUtDQx2MB/7arDiquMJyd\n" +
+        "LWwSg6p8sg5z6wKrC1v47MT4DBhFX+0RUgTMUdQgYpgxGpczn+6y4zfV76064S0N\n" +
+        "4L/IQ+SunTW1w4yRGjB+xkyyJmWAqijG1nr+Dgkv5nxPI+9Er5lHcoVWVMEcvvRm\n" +
+        "6jIBQdldVlSgv+VgUnFm5wIDAQABo3cwdTAdBgNVHQ4EFgQUkV3Qqtk7gIot9n60\n" +
+        "jX6dloxrfMEwRwYDVR0jBEAwPoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8x\n" +
+        "CzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjAN\n" +
+        "BgkqhkiG9w0BAQQFAAOBgQADu4GM8EdmIKhC7FRvk5jF90zfvZ38wbXBzCjKI4jX\n" +
+        "QJrhne1bfyeNNm5c1w+VKidT+XzBzBGH7ZqYzoZmzRIfcbLKX2brEBKiukeeAyL3\n" +
+        "bctQtbp19tX+uu2dQberD188AAysKTkHcJUV+rRsTwVJ9vcYKxoRxKk8DhH7ZS3M\n" +
+        "rg==\n" +
+        "-----END CERTIFICATE-----";
+
+    static String topCrlStr =
+        "-----BEGIN X509 CRL-----\n" +
+        "MIIBGzCBhQIBATANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" +
+        "ChMHRXhhbXBsZRcNMDkwNDI3MDIzODA0WhcNMjgwNjI2MDIzODA0WjAiMCACAQUX\n" +
+        "DTA5MDQyNzAyMzgwMFowDDAKBgNVHRUEAwoBBKAOMAwwCgYDVR0UBAMCAQIwDQYJ\n" +
+        "KoZIhvcNAQEEBQADgYEAoarfzXEtw3ZDi4f9U8eSvRIipHSyxOrJC7HR/hM5VhmY\n" +
+        "CErChny6x9lBVg9s57tfD/P9PSzBLusCcHwHMAbMOEcTltVVKUWZnnbumpywlYyg\n" +
+        "oKLrE9+yCOkYUOpiRlz43/3vkEL5hjIKMcDSZnPKBZi1h16Yj2hPe9GMibNip54=\n" +
+        "-----END X509 CRL-----";
+
+    static String subCrlStr =
+        "-----BEGIN X509 CRL-----\n" +
+        "MIIBLTCBlwIBATANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" +
+        "ChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMRcNMDkwNDI3MDIzODA0WhcNMjgw\n" +
+        "NjI2MDIzODA0WjAiMCACAQQXDTA5MDQyNzAyMzgwMVowDDAKBgNVHRUEAwoBBKAO\n" +
+        "MAwwCgYDVR0UBAMCAQIwDQYJKoZIhvcNAQEEBQADgYEAeS+POqYEIHIIJcsLxuUr\n" +
+        "aJFzQ/ujH0QmnyMNEL3Uavyq4VQuAahF+w6aTPb5UBzms0uX8NAvD2vNoUJvmJOX\n" +
+        "nGKuq4Q1DFj82E7/9d25nXdWGOmFvFCRVO+St2Xe5n8CJuZNBiz388FDSIOiFSCa\n" +
+        "ARGr6Qu68MYGtLMC6ZqP3u0=\n" +
+        "-----END X509 CRL-----";
+
+    private static CertPath generateCertificatePath()
+            throws CertificateException {
+        // generate certificate from cert strings
+        CertificateFactory cf = CertificateFactory.getInstance("X.509");
+
+        ByteArrayInputStream is;
+
+        is = new ByteArrayInputStream(targetCertStr.getBytes());
+        Certificate targetCert = cf.generateCertificate(is);
+
+        is = new ByteArrayInputStream(subCaCertStr.getBytes());
+        Certificate subCaCert = cf.generateCertificate(is);
+
+        is = new ByteArrayInputStream(selfSignedCertStr.getBytes());
+        Certificate selfSignedCert = cf.generateCertificate(is);
+
+        // generate certification path
+        List<Certificate> list = Arrays.asList(new Certificate[] {
+                        targetCert, subCaCert, selfSignedCert});
+
+        return cf.generateCertPath(list);
+    }
+
+    private static Set<TrustAnchor> generateTrustAnchors()
+            throws CertificateException {
+        // generate certificate from cert string
+        CertificateFactory cf = CertificateFactory.getInstance("X.509");
+
+        ByteArrayInputStream is =
+                    new ByteArrayInputStream(selfSignedCertStr.getBytes());
+        Certificate selfSignedCert = cf.generateCertificate(is);
+
+        // generate a trust anchor
+        TrustAnchor anchor =
+            new TrustAnchor((X509Certificate)selfSignedCert, null);
+
+        return Collections.singleton(anchor);
+    }
+
+    private static CertStore generateCertificateStore() throws Exception {
+        Collection entries = new HashSet();
+
+        // generate CRL from CRL string
+        CertificateFactory cf = CertificateFactory.getInstance("X.509");
+
+        ByteArrayInputStream is =
+                    new ByteArrayInputStream(topCrlStr.getBytes());
+        Collection mixes = cf.generateCRLs(is);
+        entries.addAll(mixes);
+
+        is = new ByteArrayInputStream(subCrlStr.getBytes());
+        mixes = cf.generateCRLs(is);
+        entries.addAll(mixes);
+
+        // intermediate certs
+        is = new ByteArrayInputStream(topCrlIssuerCertStr.getBytes());
+        mixes = cf.generateCertificates(is);
+        entries.addAll(mixes);
+
+        is = new ByteArrayInputStream(subCrlIssuerCertStr.getBytes());
+        mixes = cf.generateCertificates(is);
+        entries.addAll(mixes);
+
+        return CertStore.getInstance("Collection",
+                            new CollectionCertStoreParameters(entries));
+    }
+
+    public static void main(String args[]) throws Exception {
+        CertPath path = generateCertificatePath();
+        Set<TrustAnchor> anchors = generateTrustAnchors();
+        CertStore crls = generateCertificateStore();
+
+        PKIXParameters params = new PKIXParameters(anchors);
+
+        // add the CRL store
+        params.addCertStore(crls);
+
+        // Activate certificate revocation checking
+        params.setRevocationEnabled(true);
+
+        // set the validation time
+        params.setDate(new Date(109, 5, 1));   // 2009-05-01
+
+        // disable OCSP checker
+        Security.setProperty("ocsp.enable", "false");
+
+        // enable CRL checker
+        System.setProperty("com.sun.security.enableCRLDP", "true");
+
+        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
+
+        try {
+            validator.validate(path, params);
+        } catch (CertPathValidatorException cpve) {
+            if (cpve.getReason() != BasicReason.REVOKED) {
+                throw new Exception(
+                    "unexpect exception, should be a REVOKED CPVE", cpve);
+            }
+        }
+    }
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLTwoLevelRevoked.java	Tue May 26 16:43:22 2009 +0800
@@ -0,0 +1,247 @@
+/*
+ * Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+/**
+ * @test
+ *
+ * @bug 6720721
+ * @summary CRL check with circular depency support needed
+ * @author Xuelei Fan
+ */
+
+import java.io.*;
+import java.net.SocketException;
+import java.util.*;
+import java.security.Security;
+import java.security.cert.*;
+import java.security.cert.CertPathValidatorException.BasicReason;
+
+public class CircularCRLTwoLevelRevoked {
+
+    static String selfSignedCertStr =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzJaFw0zMDA0MDcwMjI0MzJa\n" +
+        "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
+        "AQUAA4GNADCBiQKBgQC4OTag24sTxL2tXTNuvpmUEtdxrYAZoFsslFQ60T+WD9wQ\n" +
+        "Jeiw87FSPsR2vxRuv0j8DNm2a4h7LNNIFcLurfNldbz5pvgZ7VqdbbUMPE9qP85n\n" +
+        "jgDl4woyRTSUeRI4A7O0CO6NpES21dtbdhroWQrEkHxpnrDPxsxrz5gf2m3gqwID\n" +
+        "AQABo4GJMIGGMB0GA1UdDgQWBBSCJd0hpl5PdAD9IZS+Hzng4lXLGzBHBgNVHSME\n" +
+        "QDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n" +
+        "BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQw\n" +
+        "DQYJKoZIhvcNAQEEBQADgYEAluy6HIjWcq009lTLmhp+Np6dxU78pInBK8RZkza0\n" +
+        "484qGaxFGD3UGyZkI5uWmsH2XuMbuox5khfIq6781gmkPBHXBIEtJN8eLusOHEye\n" +
+        "iE8h7WI+N3qa6Pj56WionMrioqC/3X+b06o147bbhx8U0vkYv/HyPaITOFfMXTdz\n" +
+        "Vjw=\n" +
+        "-----END CERTIFICATE-----";
+
+    static String subCaCertStr =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICUDCCAbmgAwIBAgIBAzANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzRaFw0yOTAxMTIwMjI0MzRa\n" +
+        "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +
+        "cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCiAJnAQW2ad3ZMKUhSJVZj\n" +
+        "8pBqxTcHSTwAVguQkDglsN/OIwUpvR5Jgp3lpRWUEt6idEp0FZzORpvtjt3pr5MG\n" +
+        "Eg2CDptekC5BSPS+fIAIKlncB3HwOiFFhH6b3wTydDCdEd2fvsi4QMOSVrIYMeA8\n" +
+        "P/mCz6kRhfUQPE0CMmOUewIDAQABo4GJMIGGMB0GA1UdDgQWBBT0/nNP8WpyxmYr\n" +
+        "IBp4tN8y08jw2jBHBgNVHSMEQDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEw\n" +
+        "HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" +
+        "AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEEBQADgYEAS9PzI6B39R/U9fRj\n" +
+        "UExzN1FXNP5awnAPtiv34kSCL6n6MryqkfG+8aaAOdZsSjmTylNFaF7cW/Xp1VBF\n" +
+        "hq0bg/SbEAbK7+UwL8GSC3crhULHLbh+1iFdVTEwxCw5YmB8ji3BaZ/WKW/PkjCZ\n" +
+        "7cXP6VDeZMG6oRQ4hbOcixoFPXo=\n" +
+        "-----END CERTIFICATE-----";
+
+    // a revoked certificate
+    static String targetCertStr =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICNzCCAaCgAwIBAgIBBDANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0wOTA0MjcwMjI0\n" +
+        "MzhaFw0yOTAxMTIwMjI0MzhaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt\n" +
+        "cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVTdXNhbjCBnzANBgkqhkiG\n" +
+        "9w0BAQEFAAOBjQAwgYkCgYEAyPKlfep+EIIUOpZF3xtYUhAx79qEqe2RPRcH2YeR\n" +
+        "1ogM8+AZMdcXoiuDl4CFLzQwRv1DSKUZAPdPbROLVDsUn+IGvgn2jnE7ZQEUtQQJ\n" +
+        "+rorcasE7bo5MBPuno/0oQRi/4MZn6lX3qB13ZUHAvZH96oCF6C3Ro19LAwav1Lo\n" +
+        "FRcCAwEAAaNPME0wCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBTCUH1tqQk96Pocr8Is\n" +
+        "tDKMoIRQljAfBgNVHSMEGDAWgBT0/nNP8WpyxmYrIBp4tN8y08jw2jANBgkqhkiG\n" +
+        "9w0BAQQFAAOBgQB3YXuTA+QfaImQ2aN/e27Nv5a/FMml6y6t0+pzt5hUYG2W0C2f\n" +
+        "5Hdmf3whNCA7zE5RVDQP0iuGBPgjvrABuN98Vimv2eTV+N5aYTak0Aav/OuR5Lpi\n" +
+        "tYhXMMg5gSmT+JDARba4CX+Ap1oAaNe9Mtv8L6FWdvBqfzzifDHWavdIWA==\n" +
+        "-----END CERTIFICATE-----";
+
+    static String topCrlIssuerCertStr =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICKzCCAZSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzNaFw0yOTAxMTIwMjI0MzNa\n" +
+        "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
+        "AQUAA4GNADCBiQKBgQDMJeBMBybHykI/YpwUJ4O9euqDSLb1kpWpceBS8TVqvgBC\n" +
+        "SgUJWtFZL0i6bdvF6mMdlbuBkGzhXqHiVAi96/zRLbUC9F8SMEJ6MuD+YhQ0ZFTQ\n" +
+        "atKy8zf8O9XzztelLJ26Gqb7QPV133WY3haAqHtCXOhEKkCN16NOYNC37DTaJwID\n" +
+        "AQABo3cwdTAdBgNVHQ4EFgQULXSWzXzUOIpOJpzbSCpW42IJUugwRwYDVR0jBEAw\n" +
+        "PoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8xCzAJBgNVBAYTAlVTMRAwDgYD\n" +
+        "VQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjANBgkqhkiG9w0BAQQFAAOBgQAY\n" +
+        "eMnf5AHSNlyUlzXk8o2S0h4gCuvKX6C3kFfKuZcWvFAbx4yQOWLS2s15/nzR4+AP\n" +
+        "FGX3lgJjROyAh7fGedTQK+NFWwkM2ag1g3hXktnlnT1qHohi0w31nVBJxXEDO/Ck\n" +
+        "uJTpJGt8XxxbFaw5v7cHy7XuTAeU/sekvjEiNHW00Q==\n" +
+        "-----END CERTIFICATE-----";
+
+    static String subCrlIssuerCertStr =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICPTCCAaagAwIBAgIBBDANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzRaFw0yOTAxMTIwMjI0MzRa\n" +
+        "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +
+        "cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWUtDQx2MB/7arDiquMJyd\n" +
+        "LWwSg6p8sg5z6wKrC1v47MT4DBhFX+0RUgTMUdQgYpgxGpczn+6y4zfV76064S0N\n" +
+        "4L/IQ+SunTW1w4yRGjB+xkyyJmWAqijG1nr+Dgkv5nxPI+9Er5lHcoVWVMEcvvRm\n" +
+        "6jIBQdldVlSgv+VgUnFm5wIDAQABo3cwdTAdBgNVHQ4EFgQUkV3Qqtk7gIot9n60\n" +
+        "jX6dloxrfMEwRwYDVR0jBEAwPoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8x\n" +
+        "CzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjAN\n" +
+        "BgkqhkiG9w0BAQQFAAOBgQADu4GM8EdmIKhC7FRvk5jF90zfvZ38wbXBzCjKI4jX\n" +
+        "QJrhne1bfyeNNm5c1w+VKidT+XzBzBGH7ZqYzoZmzRIfcbLKX2brEBKiukeeAyL3\n" +
+        "bctQtbp19tX+uu2dQberD188AAysKTkHcJUV+rRsTwVJ9vcYKxoRxKk8DhH7ZS3M\n" +
+        "rg==\n" +
+        "-----END CERTIFICATE-----";
+
+    static String topCrlStr =
+        "-----BEGIN X509 CRL-----\n" +
+        "MIIBGzCBhQIBATANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" +
+        "ChMHRXhhbXBsZRcNMDkwNDI3MDIzODA0WhcNMjgwNjI2MDIzODA0WjAiMCACAQUX\n" +
+        "DTA5MDQyNzAyMzgwMFowDDAKBgNVHRUEAwoBBKAOMAwwCgYDVR0UBAMCAQIwDQYJ\n" +
+        "KoZIhvcNAQEEBQADgYEAoarfzXEtw3ZDi4f9U8eSvRIipHSyxOrJC7HR/hM5VhmY\n" +
+        "CErChny6x9lBVg9s57tfD/P9PSzBLusCcHwHMAbMOEcTltVVKUWZnnbumpywlYyg\n" +
+        "oKLrE9+yCOkYUOpiRlz43/3vkEL5hjIKMcDSZnPKBZi1h16Yj2hPe9GMibNip54=\n" +
+        "-----END X509 CRL-----";
+
+    static String subCrlStr =
+        "-----BEGIN X509 CRL-----\n" +
+        "MIIBLTCBlwIBATANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" +
+        "ChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMRcNMDkwNDI3MDIzODA0WhcNMjgw\n" +
+        "NjI2MDIzODA0WjAiMCACAQQXDTA5MDQyNzAyMzgwMVowDDAKBgNVHRUEAwoBBKAO\n" +
+        "MAwwCgYDVR0UBAMCAQIwDQYJKoZIhvcNAQEEBQADgYEAeS+POqYEIHIIJcsLxuUr\n" +
+        "aJFzQ/ujH0QmnyMNEL3Uavyq4VQuAahF+w6aTPb5UBzms0uX8NAvD2vNoUJvmJOX\n" +
+        "nGKuq4Q1DFj82E7/9d25nXdWGOmFvFCRVO+St2Xe5n8CJuZNBiz388FDSIOiFSCa\n" +
+        "ARGr6Qu68MYGtLMC6ZqP3u0=\n" +
+        "-----END X509 CRL-----";
+
+    private static CertPath generateCertificatePath()
+            throws CertificateException {
+        // generate certificate from cert strings
+        CertificateFactory cf = CertificateFactory.getInstance("X.509");
+
+        ByteArrayInputStream is;
+
+        is = new ByteArrayInputStream(targetCertStr.getBytes());
+        Certificate targetCert = cf.generateCertificate(is);
+
+        is = new ByteArrayInputStream(subCaCertStr.getBytes());
+        Certificate subCaCert = cf.generateCertificate(is);
+
+        is = new ByteArrayInputStream(selfSignedCertStr.getBytes());
+        Certificate selfSignedCert = cf.generateCertificate(is);
+
+        // generate certification path
+        List<Certificate> list = Arrays.asList(new Certificate[] {
+                        targetCert, subCaCert, selfSignedCert});
+
+        return cf.generateCertPath(list);
+    }
+
+    private static Set<TrustAnchor> generateTrustAnchors()
+            throws CertificateException {
+        // generate certificate from cert string
+        CertificateFactory cf = CertificateFactory.getInstance("X.509");
+
+        ByteArrayInputStream is =
+                    new ByteArrayInputStream(selfSignedCertStr.getBytes());
+        Certificate selfSignedCert = cf.generateCertificate(is);
+
+        // generate a trust anchor
+        TrustAnchor anchor =
+            new TrustAnchor((X509Certificate)selfSignedCert, null);
+
+        return Collections.singleton(anchor);
+    }
+
+    private static CertStore generateCertificateStore() throws Exception {
+        Collection entries = new HashSet();
+
+        // generate CRL from CRL string
+        CertificateFactory cf = CertificateFactory.getInstance("X.509");
+
+        ByteArrayInputStream is =
+                    new ByteArrayInputStream(topCrlStr.getBytes());
+        Collection mixes = cf.generateCRLs(is);
+        entries.addAll(mixes);
+
+        is = new ByteArrayInputStream(subCrlStr.getBytes());
+        mixes = cf.generateCRLs(is);
+        entries.addAll(mixes);
+
+        // intermediate certs
+        is = new ByteArrayInputStream(topCrlIssuerCertStr.getBytes());
+        mixes = cf.generateCertificates(is);
+        entries.addAll(mixes);
+
+        is = new ByteArrayInputStream(subCrlIssuerCertStr.getBytes());
+        mixes = cf.generateCertificates(is);
+        entries.addAll(mixes);
+
+        return CertStore.getInstance("Collection",
+                            new CollectionCertStoreParameters(entries));
+    }
+
+    public static void main(String args[]) throws Exception {
+        CertPath path = generateCertificatePath();
+        Set<TrustAnchor> anchors = generateTrustAnchors();
+        CertStore crls = generateCertificateStore();
+
+        PKIXParameters params = new PKIXParameters(anchors);
+
+        // add the CRL store
+        params.addCertStore(crls);
+
+        // Activate certificate revocation checking
+        params.setRevocationEnabled(true);
+
+        // set the validation time
+        params.setDate(new Date(109, 5, 1));   // 2009-05-01
+
+        // disable OCSP checker
+        Security.setProperty("ocsp.enable", "false");
+
+        // enable CRL checker
+        System.setProperty("com.sun.security.enableCRLDP", "true");
+
+        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
+
+        try {
+            validator.validate(path, params);
+            throw new Exception("unexpected status, should be REVOKED");
+        } catch (CertPathValidatorException cpve) {
+            if (cpve.getReason() != BasicReason.REVOKED) {
+                throw new Exception(
+                    "unexpect exception, should be a REVOKED CPVE", cpve);
+            }
+        }
+    }
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/java/security/cert/CertPathValidator/indirectCRL/README	Tue May 26 16:43:22 2009 +0800
@@ -0,0 +1,373 @@
+/*
+ * Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+                  Certificates and CRLs
+
+Here lists the Certificates and CRLs, which was generated by generate.sh,
+used in the test cases.
+
+The generate.sh depends on openssl, and it should be run under ksh. The
+script will create many directories and files, please run it in a
+directory outside of JDK workspace.
+
+1. root certifiate and key
+-----BEGIN CERTIFICATE-----
+MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ
+MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzJaFw0zMDA0MDcwMjI0MzJa
+MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB
+AQUAA4GNADCBiQKBgQC4OTag24sTxL2tXTNuvpmUEtdxrYAZoFsslFQ60T+WD9wQ
+Jeiw87FSPsR2vxRuv0j8DNm2a4h7LNNIFcLurfNldbz5pvgZ7VqdbbUMPE9qP85n
+jgDl4woyRTSUeRI4A7O0CO6NpES21dtbdhroWQrEkHxpnrDPxsxrz5gf2m3gqwID
+AQABo4GJMIGGMB0GA1UdDgQWBBSCJd0hpl5PdAD9IZS+Hzng4lXLGzBHBgNVHSME
+QDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEwHzELMAkGA1UEBhMCVVMxEDAO
+BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQw
+DQYJKoZIhvcNAQEEBQADgYEAluy6HIjWcq009lTLmhp+Np6dxU78pInBK8RZkza0
+484qGaxFGD3UGyZkI5uWmsH2XuMbuox5khfIq6781gmkPBHXBIEtJN8eLusOHEye
+iE8h7WI+N3qa6Pj56WionMrioqC/3X+b06o147bbhx8U0vkYv/HyPaITOFfMXTdz
+Vjw=
+-----END CERTIFICATE-----
+
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,407A749DF8F6338E
+
+4ukHU4tkRAh2w17NEjPTICMbVtoS24bNk11Ywd7OzLV0aXnes2nSAV0KnXqnPTP8
+0VdoMVpp7r/jdaJvd3oL7MF5WcURzcOx2rirg+HeD5lHv0Blrh1FADcI1CQNsi8b
+WZHVuCc1+feOKxixPB8Fge5lKeeU554iTTk5XjOxAKO6GFn8FInj7b3+Zse4A/1E
+AOSKVSIWbx71owQyzjrYfoGE/oJVaSRraUbJL4xKcSUYdK+7Qp6h/HI1Cne2DZKu
+UmApdQnZbxa8hjuLqOiQFu6TVpzJh2UOqu1PEmjJgEM4DQQ9C8AgHdkVYitcLjiI
+b90H7JFl3EekMbjKEX/w2Z6y4RzFC9oGpJL/QpKvlq6sY7htPd1MK2UbWVE7/yq/
+holkrvySI1S7BFqKEdIY8Oe0tCNlmELdmL1+yVnQT0LnAX/bkzLNDw1n5J4WpLSX
+JdsgAXmw1hTh24tnT1E6IUd8HM4QyVrvsqCuEHTSMix1u6QCLvdlw4P6yA39ruiY
+xbBIcb5PHic0UrcdElRCzXLtW6tRe/98ET7WDEJOLudSUOSG3CKwrEX/kekBqJ11
+pAO34wLW5gsPwk2AQ1fAaNwHtGBlvKXnmbyuNitytA3/oSENSXnDHD2tIe1Jtep6
+yrfB9IqYEhINRi9BRR4rCkUwkBSRi4bRI7AzRP8pImG+iCDN6sT7T/mUmTTgFVLX
+NxPSGxbLxbidxnBU0B2JA3PfXqtt7J2Q5n0t3R3SC3iUxURGOvvccA3TcIWd4H75
+yQZNzvSIfTG3RhIM0as8/Ahad8hsdE/MqgW50yhzyjNF/UkvFLV8mw==
+-----END RSA PRIVATE KEY-----
+
+2. root crl issuer and key
+-----BEGIN CERTIFICATE-----
+MIICKzCCAZSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ
+MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzNaFw0yOTAxMTIwMjI0MzNa
+MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB
+AQUAA4GNADCBiQKBgQDMJeBMBybHykI/YpwUJ4O9euqDSLb1kpWpceBS8TVqvgBC
+SgUJWtFZL0i6bdvF6mMdlbuBkGzhXqHiVAi96/zRLbUC9F8SMEJ6MuD+YhQ0ZFTQ
+atKy8zf8O9XzztelLJ26Gqb7QPV133WY3haAqHtCXOhEKkCN16NOYNC37DTaJwID
+AQABo3cwdTAdBgNVHQ4EFgQULXSWzXzUOIpOJpzbSCpW42IJUugwRwYDVR0jBEAw
+PoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8xCzAJBgNVBAYTAlVTMRAwDgYD
+VQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjANBgkqhkiG9w0BAQQFAAOBgQAY
+eMnf5AHSNlyUlzXk8o2S0h4gCuvKX6C3kFfKuZcWvFAbx4yQOWLS2s15/nzR4+AP
+FGX3lgJjROyAh7fGedTQK+NFWwkM2ag1g3hXktnlnT1qHohi0w31nVBJxXEDO/Ck
+uJTpJGt8XxxbFaw5v7cHy7XuTAeU/sekvjEiNHW00Q==
+-----END CERTIFICATE-----
+
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,96FBBE554515B5A4
+
+cDfhsWvWCNruFN+9gSWSEz8kffFrqnvp9sxQx2/EwBrC8HNdQQqQqhkcb5moALz0
+KxAFQMmUG476v1zRv4ZRIpmT9gYhuqSpqKVQLRzFhe9wUDsCOcNCSfqK4I4blt+R
+gqRF+o97iNun+T2QXvku6B72CgQhJQHrEifoSTSGYpKGIVnhBmBPgadKn864zrv0
+ZvwjjRtgyC6/QTfKcXTW+8TIa8Bg/821ZJ0FcNsJs+2tQnki/KubRBIo7rGXGcxO
+f5PtO8BTjsw6G9TMuHKPlozOgGBgkQzf3gNXOLhdjwSDJUlTLLx5ugal+q0VVK7a
+Np8rK1SLrbC9ReI/VGD8BBW8qHRYhJny2JQ0ub8rXIptILNxH4d8r5ye3NaoskVN
+S4i5Jr5bgr0ijZ6kdECDiAoUo6UtTX1O9nbZA2AyJLch8gfNs+WeJLDmG9JPGVsW
+moGPGev1ykTc11Hn8K6S0errWD778B+k0ODLWg3EP8E1GFgdChTdMz2fT+YNrvQ/
+0iJATduzl4BN9eVB2qnadDAXfWm9kwkaX915ePKU1RpEnU3WygSnze8MfWshVJTn
+2F/meijLWgqrb4fmyd6KoDeqP5a+ByAPAiw/oAtemWSDviDc6VpXcXCL8dYoIBOV
+ehg/3Z/DmjfVFHdl5PWQfHiuVbIJbr/soQiTvDsjypYDi/aiY729ils2IxmzIQR8
+iLhOtBr6yd9qfqQ0761cYrdW5HlsTHOyZFctKxIf98ybzp+bJlskH8ifA1kgNLs3
+18T2gS+SkKqITi6TmD4Fkob+UtXPyzsb/8g7cNSv82k=
+-----END RSA PRIVATE KEY-----
+
+3. root CRL issued by root crl issuer.
+-----BEGIN X509 CRL-----
+MIIBGzCBhQIBATANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQMA4GA1UE
+ChMHRXhhbXBsZRcNMDkwNDI3MDIzODA0WhcNMjgwNjI2MDIzODA0WjAiMCACAQUX
+DTA5MDQyNzAyMzgwMFowDDAKBgNVHRUEAwoBBKAOMAwwCgYDVR0UBAMCAQIwDQYJ
+KoZIhvcNAQEEBQADgYEAoarfzXEtw3ZDi4f9U8eSvRIipHSyxOrJC7HR/hM5VhmY
+CErChny6x9lBVg9s57tfD/P9PSzBLusCcHwHMAbMOEcTltVVKUWZnnbumpywlYyg
+oKLrE9+yCOkYUOpiRlz43/3vkEL5hjIKMcDSZnPKBZi1h16Yj2hPe9GMibNip54=
+-----END X509 CRL-----
+
+4. subca certificate and key
+-----BEGIN CERTIFICATE-----
+MIICUDCCAbmgAwIBAgIBAzANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ
+MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzRaFw0yOTAxMTIwMjI0MzRa
+MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz
+cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCiAJnAQW2ad3ZMKUhSJVZj
+8pBqxTcHSTwAVguQkDglsN/OIwUpvR5Jgp3lpRWUEt6idEp0FZzORpvtjt3pr5MG
+Eg2CDptekC5BSPS+fIAIKlncB3HwOiFFhH6b3wTydDCdEd2fvsi4QMOSVrIYMeA8
+P/mCz6kRhfUQPE0CMmOUewIDAQABo4GJMIGGMB0GA1UdDgQWBBT0/nNP8WpyxmYr
+IBp4tN8y08jw2jBHBgNVHSMEQDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEw
+HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw
+AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEEBQADgYEAS9PzI6B39R/U9fRj
+UExzN1FXNP5awnAPtiv34kSCL6n6MryqkfG+8aaAOdZsSjmTylNFaF7cW/Xp1VBF
+hq0bg/SbEAbK7+UwL8GSC3crhULHLbh+1iFdVTEwxCw5YmB8ji3BaZ/WKW/PkjCZ
+7cXP6VDeZMG6oRQ4hbOcixoFPXo=
+-----END CERTIFICATE-----
+
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,AB196C2474B93EE0
+
+8S3B4hsTW2OI6CA7bgoou4nt8VQckaRKvC6v+J/gHhnjd9aWnv3wKHhZsQl42+dY
+HB8DImLTU02gnf3tEGJrTIyrIGrrAjwvio8yzxVqOnNuB6CamlCYx6Td7L09+Wlp
+8qV1dj+czHhkoH/r0oRHU8NKQMphLQ0kcq3n+hM1UcSzdPxStyIBSRn34dKkuA+t
+UjKfxbaPMN0dABPesN5emyAUYvVu4qSgDaw4pkqJKk/3+DL6lP3Ih93vTnyx7KU5
+UexoA9apTDGQuiNbhoKJwOlrG2E7Y57eVOW52b7QPHH8miNCJ5UJALBymPkBc76s
+D1ioMSdPWfy5C70Hh219oWync3UTToL/Jh1jc0ir5XI5l9lFz/IEA9uhxg137ixB
+Gj1f2S+eSgnQ3SADVrA5wwX88nrjDufrFpH7ofq947IbI9F6iTMOSqR1uIy0SryW
+jhB6t/fB0alZceqn8dLAFMV2WvVCGsWx53zcGg09q29FkjpLJpZiI6Bc6EYdk+nn
+aeGbHLxwKf/vLcD0Oyx4FiJS1vMAEex41eblcwqjiU6vql9LbIFX4hVjGoQ/cL0U
+bjEZjWlNPAvbBVAlStEXOyZzrrDJUags5gqhdv6VKvzQouwH3+Ivbx7UiSTpJ3If
+A9txNSVsqc5MTy4hA30RSdMwoP4lK2PrHvivNnZi/kD7Knxn9OuEVBL3KXTmYduQ
+kDmJzsKWOPvXHEgAZkfXIPKYNT2Z5LuS3yPSlGUcInImBawOkqgs5NJvUTrkbDMk
+uSrOUFUBdBczU4I5oD1vs9yNhLtaK0S6w3gfiHNpIfg4FIFbdqmnAA==
+-----END RSA PRIVATE KEY-----
+
+5. crl issuer of subca, the certificate and key
+-----BEGIN CERTIFICATE-----
+MIICPTCCAaagAwIBAgIBBDANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ
+MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzRaFw0yOTAxMTIwMjI0MzRa
+MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz
+cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWUtDQx2MB/7arDiquMJyd
+LWwSg6p8sg5z6wKrC1v47MT4DBhFX+0RUgTMUdQgYpgxGpczn+6y4zfV76064S0N
+4L/IQ+SunTW1w4yRGjB+xkyyJmWAqijG1nr+Dgkv5nxPI+9Er5lHcoVWVMEcvvRm
+6jIBQdldVlSgv+VgUnFm5wIDAQABo3cwdTAdBgNVHQ4EFgQUkV3Qqtk7gIot9n60
+jX6dloxrfMEwRwYDVR0jBEAwPoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8x
+CzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjAN
+BgkqhkiG9w0BAQQFAAOBgQADu4GM8EdmIKhC7FRvk5jF90zfvZ38wbXBzCjKI4jX
+QJrhne1bfyeNNm5c1w+VKidT+XzBzBGH7ZqYzoZmzRIfcbLKX2brEBKiukeeAyL3
+bctQtbp19tX+uu2dQberD188AAysKTkHcJUV+rRsTwVJ9vcYKxoRxKk8DhH7ZS3M
+rg==
+-----END CERTIFICATE-----
+
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,8C523D20E1687EC3
+
+KdLa0JlKnRDBf/bwtpvmcerBOzJNPidRoIrqDt8fZ5r4WyUWhmBzkNgmBu6KFFPQ
+4IKK4GW7Oo/D7x1w4hIyDt+JaMSdWWgSyvlIWZ6gSDEsqhzMHQpFNxDet8oD3B6H
+CMdfXuQ7VHWcYhjX078FNxSRqTQvKR1eAv3AdnXAkuH6Z8V/if1dlQ/yFteSKzCZ
+Y468leZR14Fl0J8au8LOHxZ6tUBvVXUTo0/FutsfOs9BfLTLkKvLS2pEjMdwnfvS
+4utV/keK7edAXALfnclAshjYShxgwcyAWszJs9M16k/jqAGdDLAfluoZaznfZ1sc
+KhAyIKYRo1XivjmTQxvQRwdG+X/w8CYUzawybt8TtXyLyu4cRdEHsEDyjJ5eG9ap
++ZDP+djWmrjUPKN5Ahc+Fjtsi6i8PcVFnYTnMAwfjiBd4iU+zJEhne0YUB4QRZee
+5jdLC8OUfqU0tByj7kDxn6shU2F3r7gIjPqx9DEWGWSf5XDlfk880GGIR67cNEqo
+lMLP/9/KUEeCwgrvqKdoD/O7qbNlmX7JyGcl/eU2Zsq5P5xkLWenuRHwpJlmV19m
+2Ovg2gK24okl7FiUgP3vNAzDznqHfyoyoR4noKPwtRANOI3otJxokMFGlgzQAXZB
+4Eg6M+VLuTxoV14tsSqtkBGNFOUE06n3G5CKuXbh3gXQs0gc8BvzuRMawVSHC144
+UJM3X73aqSM42lwO2pBjMfxyPdFNkxf3lDuyfMOhGlpDwsny4N4EAOS5ctKNl3Ua
+oP0BiqyKSuzreg1Ouwq1XxxnWec6XqlHm9482I/vautunqLYQDcfQQ==
+-----END RSA PRIVATE KEY-----
+
+6. CLR issued by subca CRL issuer
+-----BEGIN X509 CRL-----
+MIIBLTCBlwIBATANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQMA4GA1UE
+ChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMRcNMDkwNDI3MDIzODA0WhcNMjgw
+NjI2MDIzODA0WjAiMCACAQQXDTA5MDQyNzAyMzgwMVowDDAKBgNVHRUEAwoBBKAO
+MAwwCgYDVR0UBAMCAQIwDQYJKoZIhvcNAQEEBQADgYEAeS+POqYEIHIIJcsLxuUr
+aJFzQ/ujH0QmnyMNEL3Uavyq4VQuAahF+w6aTPb5UBzms0uX8NAvD2vNoUJvmJOX
+nGKuq4Q1DFj82E7/9d25nXdWGOmFvFCRVO+St2Xe5n8CJuZNBiz388FDSIOiFSCa
+ARGr6Qu68MYGtLMC6ZqP3u0=
+-----END X509 CRL-----
+
+7. dumca certificate and key
+-----BEGIN CERTIFICATE-----
+MIICUDCCAbmgAwIBAgIBBTANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ
+MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzVaFw0yOTAxMTIwMjI0MzVa
+MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz
+cy1EMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDAwfZ3wIYzdCkiFIKjrUKc
+0B32HaRkUeVJthadinLmoAVruCi3GRkLZUIPXDD9b7dFBbdeT1+8qDHV5wu/ES8W
+bgfirO8ng8h2hRuJbZgtfljNnVc3fptjxo7x73aP++w2oIcmjzVwaV08sgahoaY4
+f249t4EXbvjJQ8kuj1I8qQIDAQABo4GJMIGGMB0GA1UdDgQWBBR3fwdjpP4WiuyL
+/MDVrXUORrarXDBHBgNVHSMEQDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEw
+HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw
+AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEEBQADgYEAp/2sXI/XLtXu+X05
+EISyBPQqdE3kgN3dmXOuoK9J7Io8jhgetdbr9S1WTSGBonaXZgc52FNsaaDU+VIp
+TGTYU5SFloUyOu/e095eAf9Q867pAPcE5zArfKpXEBLbJwhLFwrsKPk/WZM7Yaxs
+mihnXyZWWTA1sPZlVJu7/abJ2v0=
+-----END CERTIFICATE-----
+
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,8CE4AB01D39EC5B3
+
+KUkwAyP6ba59QAdDbaXGLmtxtrAilKjFVB+2eawq2Arpumu4cl1joeLtMANF9f1f
+afG5FDATYke6C0FMD/bfF4VkUcVUq+Daw8uS5LkDTYjRqrxE4nCLBhxDJdNiIhUi
+VNuTMITqcpOOU77nUu2O5LW9Z40F6H9x86SeHOeY0IrmhlFVgHuxr81jdrd8OLYK
+7DkKPUa5F331fAkknOQIYnhmCXeHtlTv8ozU5bfBc6TePAL6Y1jn7Hv7EB9C2yYU
+6qejxzKBgxWWWuYU21K0gayPmq8gAKyfi21xSxFR+a9GxRlf+K/x07i7w7oT6QLh
+Qft76I+UER2jYYeQm3sxEeLBq9nDb2HfSjOnLjh3J2c5Tp9B2dmLxPk2hHim4cUn
+nyE8lGDwt/+t6lM8GWfAPn92r2/YOQWr+MXcwE7hi8NZp4cjRR+UqXc0p4+3rKzQ
+IuD5CGgtx78sxMrAxfwvkedmYpjf9L8nGWdbivOI25mNKSXhEjMNzv+lC6nLQE7o
+6LLA3voN+SiVh7wu45FMJHsz1JOjUjwYXS931GsHyd/sy9q7wUkzokKc1WHML2vl
+NglC/4w3NOuEYm5ZDlu6QYQh2uIg/pHPO3am2NTjffjFV0uXEZGd0Qw3gPv9gPNv
+iMRa+6vQfl97xOYOtep4yp5L7XatoLMrVmboykdrojUuAQSiZgfwIR/f/NPbVvHp
+q3/fadE2hLpkkSJjPm5ensFXoLn14QTdVpKl3mjnAa0rb8q5edz4d8r644NHaYH0
+nxToTdZpSH7uGAuOMZwvUaKT//hojKBj6hjlDuVJWs/kwRHbWJEd4A==
+-----END RSA PRIVATE KEY-----
+
+8. crl issuer for dumca, the certificate and key
+-----BEGIN CERTIFICATE-----
+MIICPTCCAaagAwIBAgIBBjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ
+MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzVaFw0yOTAxMTIwMjI0MzVa
+MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz
+cy1EMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCcDDBVR9IPJq6ND9z3Wpsv
+s0VfJief2QW6U7fNYAnpD4eXNXdwWtZvybMI12crUp31AWzjIaffsBzlFjBO3vKn
+edJ+Om2nhqPPT31nDIWIx1VdS7jL+XoFpo8QgzJQpX0rDZNhaTbQcgnuRhzOZ+x2
+AzxxQf7aMI6YQ5xklO1ftQIDAQABo3cwdTAdBgNVHQ4EFgQUYqt5Hbekj/p4UkfY
+sP4Ma5HdTpkwRwYDVR0jBEAwPoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8x
+CzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjAN
+BgkqhkiG9w0BAQQFAAOBgQAMBqjEfALPFj+asQfTjSqXZimybm5WCYJcv92WAaFm
+2aJe08jUKCwCVo29CFMMgVG5X0UhEP+ude9RyonYNrMg84hFrQdZSto4Co5yfCGi
+SMaa91gkN8/W4VKFjDoooOQ/9o6i22OC7av6+r+qhGMsop5mqRMumAM+C00dy1m6
+5g==
+-----END CERTIFICATE-----
+
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,FE34D030ADCF25E5
+
+V+hWLshb8wbqv8MqBFVZUBK3T995hc6xxWt9wn1aFVcvoxSmWQ20/9LdYDFNhf5j
+3grRdy6sBmQY1Ch73Q1N8egl0FlqqttBY62ulpVQFCYcYhCSMJKSDJyw5pYlQjd4
+LpVXhqsTCB1KdeOVkdB45Ljg7wy+idWfo6U0pAPjhnbPysZWuPrIGVIrVfDMz1tw
+ohuh/NOsF8r2w/U3zBaGKoeW/TGkxXBCKhMU78fve5ytEwv9Gp5m1O5yHJDqNC1M
+gtAQvvXifeLaCRfOpQtCHGuoR0fhdOnQPJQ/4Nre/dRG8zDVa3FKvWjMPbse4cxJ
+OljgVyd7UWrnUvnlNufI3T069b6aAfk16eLz9RAJZNZfpXflboRcaHW9VmjU8m7Y
+ir353hxKQk+P+lU2Ysmu7hx/QKmfG8aKI+r7tXnm1J0dmbeOZE69i4lhvXNvx1N2
+kPNKXsQ3kMKdJNVg5TQrUaqa7GtdQlg3Nr+FpaZ5aZJhTNFejQZrTV9bnQHob0q2
+1KCveDPOy2qtRY/mK+BnlNwGx1Ti87iGHv0Om8tXI53G0UkJs3LMI5JPcmHXVC1c
+skU6nAxhdNPSDN7EBMF80xte99qQTTtDbYQbIqMtd8lCP4HaYhTtlBeaROuntEjx
+3XDXVIHKHxSsrrKn/dE8Ls7tv1j0XxarzGekhQWZ6xbxxursiMstZUfDeQR7SlwC
+a3Lem76iGo2BqZd6wbv0i45P2hVQ8DuNhmOphC7DTFQmudOnFJKHPp8pmca+LGfV
+dgFmct3vSnWjnTvRDktFblfYa0r0QZDSKZt7TiI4QjR5iqP8WEziKA==
+-----END RSA PRIVATE KEY-----
+
+9. end entity certificate issued by subca, Alice
+-----BEGIN CERTIFICATE-----
+MIICNzCCAaCgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQ
+MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0wOTA0MjcwMjI0
+MzZaFw0yOTAxMTIwMjI0MzZaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt
+cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVBbGljZTCBnzANBgkqhkiG
+9w0BAQEFAAOBjQAwgYkCgYEAvYSaU3oiE4Pxp/aUIXwMqOwSiWkZ+O3aTu13hRtK
+ZyR+Wtj63IuvaigAC4uC+zBypF93ThjwCzVR2qKDQaQzV8CLleO96gStt7Y+i3G2
+V3IUGgrVCqeK7N6nNYu0wW84sibcPqG/TIy0UoaQMqgB21xtRF+1DUVlFh4Z89X/
+pskCAwEAAaNPME0wCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBSynMEdcal/e9TmvlNE
+4suXGA4+hjAfBgNVHSMEGDAWgBT0/nNP8WpyxmYrIBp4tN8y08jw2jANBgkqhkiG
+9w0BAQQFAAOBgQB/jru7E/+piSmUwByw5qbZsoQZVcgR97pd2TErNJpJMAX2oIHR
+wJH6w4NuYs27+fEAX7wK4whc6EUH/w1SI6o28F2rG6HqYQPPZ2E2WqwbBQL9nYE3
+Vfzu/G9axTUQXFbf90h80UErA+mZVxqc2xtymLuH0YEaMZImtRZ2MXHfXg==
+-----END CERTIFICATE-----
+
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,3616B3F098ED6707
+
+uXoAPYIUINSr8Cc67K1XdLPO/toBasXYJAYYodq+qMsqYVhjgUgzJWYBwayav04Y
+tPgID3f4olLMQP77h5nHLArQCdgI3ZmKDZ6tYR7c2YglTqO1h4pzptv3Csc6lsnr
+zYS43Wg5YK8lAVxAbaDqG/xRiJhEG6+Xqno/lyDSUcDjcsyULWCf1mUZUR66fpnO
+Kcvmec3RFS6PPpYKJ/3Hl6Px5TsnSMEgb8OIrLik4Tj08XhdBEZxTJcyA1JPeAUP
+PH9hm+TWb3E+kDywpItMlTFIhS6b41JGo6Rq6HwVYquCoE4NO32vovd57u5R20yy
+3mfzc0udAYDD8drnzp2XPridqy47m/zFpVgfYU+irH3uW/n1QSB0w3fdCRXNEl6c
+5dAAwwIR1Pn+RAVUvZ7sQ/qReSOHg85uH7FjY9+m4d4vtf8aV410pyDbaNnevvfK
+fTiwmopWujL9sJoZZYP04QZ1f+8aGA41dWS837d9e2F/9BtI5zlymEhLs8UFHziJ
+Cw41xnOHHaoxtDFSvSmc2G6o0jfwJ0AZf8toyB5kj+rd5iu2Z1Kmk8vd4bK5SCwT
+dZRLri75Hyns7fLMXuzOrJXLaYkLp7gk2YaN368M7mj2Z7yLBV0CoVopS2tfRVJn
+fzaxyrkzmZKPKq+m8+UjnlwRW7yR+2RYlFNP3/KemB2i+nXd35f1QCZqb20Lmbbx
+jDc1CxESY1wzY5oqUGXeFapbM4YKhQQ5BK90AjVfss1ymBT5vhSjoJSIW2yeklcI
+F/WuQ/CrBlmODbiM2LsQMTSoYcAIOUaRcVh/7kvlOlQ=
+-----END RSA PRIVATE KEY-----
+
+10. end entity certificate issued by subca, Bob
+-----BEGIN CERTIFICATE-----
+MIICNTCCAZ6gAwIBAgIBAzANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQ
+MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0wOTA0MjcwMjI0
+MzdaFw0yOTAxMTIwMjI0MzdaMD8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt
+cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQwwCgYDVQQDEwNCb2IwgZ8wDQYJKoZIhvcN
+AQEBBQADgY0AMIGJAoGBANHxsJI6N5CawwUWJ63i2bvgdHzrsKUeBs7CXEIovPll
++utfqwJGGkkiW9FVxQ2NQfMoHKdSrbLQaZ4I6U75yh40ZiSgSCELzlW8JC48kX7u
+txYJzszjT6lATW+mRdMoO0guxAS4NcldoFHZ0nLkAvhRRpZgdS+wdc0LODxeplqT
+AgMBAAGjTzBNMAsGA1UdDwQEAwID6DAdBgNVHQ4EFgQU2yqQyfYTig4K30lCbEsR
+rSrhM6UwHwYDVR0jBBgwFoAU9P5zT/FqcsZmKyAaeLTfMtPI8NowDQYJKoZIhvcN
+AQEEBQADgYEAn6j1wY0G5dieYdwUBAJuh6zP1Cu+J12NgdetHAaN6Q3tP339ToCi
+C2NQYvFSwOZ7CKf2ofQq5qWA4EFd7PNxpYaVjhhxzkeQRuv/r/sA3rH+01MPx5ob
+N1wXY5QmBOuHJIKroNH60u9GzOIGIANZuYWsluw4spWRpvOdqudJWlg=
+-----END CERTIFICATE-----
+
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,3DD8B45BA8A57B72
+
+cC15d0phhzxu+Y3FMLu22WejN0JEVGCD0Qbwz73+ahVCqivd7aaipXfnuyuIJW12
+ZHKR0ixZUwezRqqM0/D4vKyFR9giJ14A5Tk7RFzimm0JqdJYRXrmVEp+QdVYbJFC
+5ncmU/KCAJcHwewixbjo5pkrWNDpIWeIqI8F6rvY1MLSMCCwYfr+1SP5U6AB3+1T
+yySvWwK+TIAgVMNjhDKlJ78BxQ3C/AMw5grAU0t2jmuuuXJPML72mQ95ZBgcJsRF
+S0walZGZlK+p9S/b4EVzO+oaR1icazH1WJTyuzKOOurlFjFk3tmsnhNuWQTkNjgV
+wKODHLA8E8tBajYAYmkQX+uQOmol9LXSOrQFrxvHF3dWC5giOtPYeh9ibEFx+RMu
+2EmkF/9VFxzh+kK9KL2qplm4K3HoL/v9g/LlKowjQlr7LoJRCRDOmESCUWX0JPPB
+nD01HvyRjgpUAeKtxR3hjH3CrUM1rdLAJaFi1RzgjvXeXhX5stD3X6UCWFbeBBh1
+yic4RIGYWjqE7RJRd/Q+/11rCkONg9stYcpe1PL5fJWSC8Sixo6XQTQDbxOJBQbr
+gCoUFfCcN8nOYdSe2wWrE/l7r/mRFYbwlErlpomSaxye5yzXhombnZ2k4jNKylEp
+TMsvFtVXFyoLWFqhtrv/Sg+0zDox1HMx+qzePYsz9+/rrS7ej6b5c8r6yqmg7nHn
+XM4REA46bWcAVjkLNpNZU4i0iURrkjuK0uVFYfnFIxrvGLys8dzH+xAfAHcP0zZ3
+/K54gAGk4ZVVXOt8JKOVxAOj2+8f0Gbf28leRx/VOJlEZBpU6UVg4g==
+-----END RSA PRIVATE KEY-----
+
+10. end entity certificate issued by subca, Susan
+-----BEGIN CERTIFICATE-----
+MIICNzCCAaCgAwIBAgIBBDANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQ
+MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0wOTA0MjcwMjI0
+MzhaFw0yOTAxMTIwMjI0MzhaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt
+cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVTdXNhbjCBnzANBgkqhkiG
+9w0BAQEFAAOBjQAwgYkCgYEAyPKlfep+EIIUOpZF3xtYUhAx79qEqe2RPRcH2YeR
+1ogM8+AZMdcXoiuDl4CFLzQwRv1DSKUZAPdPbROLVDsUn+IGvgn2jnE7ZQEUtQQJ
++rorcasE7bo5MBPuno/0oQRi/4MZn6lX3qB13ZUHAvZH96oCF6C3Ro19LAwav1Lo
+FRcCAwEAAaNPME0wCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBTCUH1tqQk96Pocr8Is
+tDKMoIRQljAfBgNVHSMEGDAWgBT0/nNP8WpyxmYrIBp4tN8y08jw2jANBgkqhkiG
+9w0BAQQFAAOBgQB3YXuTA+QfaImQ2aN/e27Nv5a/FMml6y6t0+pzt5hUYG2W0C2f
+5Hdmf3whNCA7zE5RVDQP0iuGBPgjvrABuN98Vimv2eTV+N5aYTak0Aav/OuR5Lpi
+tYhXMMg5gSmT+JDARba4CX+Ap1oAaNe9Mtv8L6FWdvBqfzzifDHWavdIWA==
+-----END CERTIFICATE-----
+
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,A03CB9ABBA747E7A
+
+YhChWe6DOA1Ck5BAjWrHmPkHcS9x5pDw81p31gSf7SE9MCwfsvAIq9jZ7xol3cIJ
+5dhbXtBaJIRghke11McQ6zM2DE+9izCO4itedw94i95jSzgpEHTk6gwp9MuomSsm
+ytrqIhwEtVC8PaQmywqshKWnpDn3tZESwySNZjUjzHhyzn2Vuyrb0WaHmw3uk33O
+7muGNkmn/1yP1qRyJ3YSGcMNpk2zvJDZS5CfJH9sb00+LL4PTKg4dymw4Vjk7b5f
+P5JGLbFCBbQ73CwSNLsQGV4qGz7AnRhsmPmNughshOoLKSEAxUsRHE67qyl+Flx0
+KZEGeKZUJD9fzgMMdNoYk0Pg9zxzM1oNewxsFk2tTrtMfGq+XFokWKfJoQWguStY
+BJWETGrSbXiDMIE93gX40C2zlT06ziOYfFCXeVRcBarolonTrOXt3RZzsQpY4lTz
+AAGrb2I9ZByL59ujfniTqljtBpuCKAm+jS0ofcGlQQ0MawtSOeSbQkFKHcKpcK0V
+cKMFL3sEzeJf+1LCt7Xnt4gaoXtTpVoWVWFZkghDSmIAHzKaWHAHn5PcUjwAAZHb
+47IRq+pe1WLc+tb61+E2jkhFC06QOSxmWSV3CHfMZTxkXX7B7RCiqs+tVH5Vlj/C
+ZhkSfmANUVPW1H0KXsDq6lzrEnvaZXZIzTLvj+OsLcG1anXdwPn0NPikfRU0GTvA
+fCzg7ZWlexJgl5I48X7AzpHpTPGAHGeNpYjzGWbxmC0KREcAM0yD15uFVac/ZIVI
+TO0icmSiRoshC70zo9/u2hUP1e4+s1vl0laq0WjGfFORE1JZ1Cs2Dg==
+-----END RSA PRIVATE KEY-----
+
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/java/security/cert/CertPathValidator/indirectCRL/generate.sh	Tue May 26 16:43:22 2009 +0800
@@ -0,0 +1,221 @@
+#
+# Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.  Sun designates this
+# particular file as subject to the "Classpath" exception as provided
+# by Sun in the LICENSE file that accompanied this code.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+# CA 95054 USA or visit www.sun.com if you need additional information or
+# have any questions.
+#
+
+#!/bin/ksh
+#
+# needs ksh to run the script.
+
+# generate a self-signed root certificate
+if [ ! -f root/root_cert.pem ]; then
+    if [ ! -d root ]; then
+        mkdir root
+    fi
+
+    openssl req -x509 -newkey rsa:1024 -keyout root/root_key.pem \
+        -out root/root_cert.pem -subj "/C=US/O=Example" \
+        -config openssl.cnf -reqexts cert_issuer -days 7650 \
+        -passin pass:passphrase -passout pass:passphrase
+fi
+
+# generate a sele-issued root crl issuer certificate
+if [ ! -f root/top_crlissuer_cert.pem ]; then
+    if [ ! -d root ]; then
+        mkdir root
+    fi
+
+    openssl req -newkey rsa:1024 -keyout root/top_crlissuer_key.pem \
+        -out root/top_crlissuer_req.pem -subj "/C=US/O=Example" -days 7650 \
+        -passin pass:passphrase -passout pass:passphrase
+
+    openssl x509 -req -in root/top_crlissuer_req.pem -extfile openssl.cnf \
+        -extensions crl_issuer -CA root/root_cert.pem \
+        -CAkey root/root_key.pem -out root/top_crlissuer_cert.pem \
+        -CAcreateserial -CAserial root/root_cert.srl -days 7200 \
+        -passin pass:passphrase
+fi
+
+# generate subca cert issuer and crl iuuser certificates
+if [ ! -f subca/subca_cert.pem ]; then
+    if [ ! -d subca ]; then
+        mkdir subca
+    fi
+
+    openssl req -newkey rsa:1024 -keyout subca/subca_key.pem \
+        -out subca/subca_req.pem -subj "/C=US/O=Example/OU=Class-1" \
+        -days 7650 -passin pass:passphrase -passout pass:passphrase
+
+    openssl x509 -req -in subca/subca_req.pem -extfile openssl.cnf \
+        -extensions cert_issuer -CA root/root_cert.pem \
+        -CAkey root/root_key.pem -out subca/subca_cert.pem -CAcreateserial \
+        -CAserial root/root_cert.srl -days 7200 -passin pass:passphrase
+
+    openssl req -newkey rsa:1024 -keyout subca/subca_crlissuer_key.pem \
+        -out subca/subca_crlissuer_req.pem -subj "/C=US/O=Example/OU=Class-1" \
+        -days 7650 -passin pass:passphrase -passout pass:passphrase
+
+    openssl x509 -req -in subca/subca_crlissuer_req.pem -extfile openssl.cnf \
+        -extensions crl_issuer -CA root/root_cert.pem \
+        -CAkey root/root_key.pem -out subca/subca_crlissuer_cert.pem \
+        -CAcreateserial -CAserial root/root_cert.srl -days 7200 \
+        -passin pass:passphrase
+fi
+
+# generate dumca cert issuer and crl iuuser certificates
+if [ ! -f dumca/dumca_cert.pem ]; then
+    if [ ! -d sumca ]; then
+        mkdir dumca
+    fi
+
+    openssl req -newkey rsa:1024 -keyout dumca/dumca_key.pem \
+        -out dumca/dumca_req.pem -subj "/C=US/O=Example/OU=Class-D" \
+        -days 7650 -passin pass:passphrase -passout pass:passphrase
+
+    openssl x509 -req -in dumca/dumca_req.pem -extfile openssl.cnf \
+        -extensions cert_issuer -CA root/root_cert.pem \
+        -CAkey root/root_key.pem -out dumca/dumca_cert.pem \
+        -CAcreateserial -CAserial root/root_cert.srl -days 7200 \
+        -passin pass:passphrase
+
+    openssl req -newkey rsa:1024 -keyout dumca/dumca_crlissuer_key.pem \
+        -out dumca/dumca_crlissuer_req.pem -subj "/C=US/O=Example/OU=Class-D" \
+        -days 7650 -passin pass:passphrase -passout pass:passphrase
+
+    openssl x509 -req -in dumca/dumca_crlissuer_req.pem \
+        -extfile openssl.cnf -extensions crl_issuer -CA root/root_cert.pem \
+        -CAkey root/root_key.pem -out dumca/dumca_crlissuer_cert.pem \
+        -CAcreateserial -CAserial root/root_cert.srl -days 7200 \
+        -passin pass:passphrase
+fi
+
+# generate certifiacte for Alice
+if [ ! -f subca/alice/alice_cert.pem ]; then
+    if [ ! -d subca/alice ]; then
+        mkdir -p subca/alice
+    fi
+
+    openssl req -newkey rsa:1024 -keyout subca/alice/alice_key.pem \
+        -out subca/alice/alice_req.pem \
+        -subj "/C=US/O=Example/OU=Class-1/CN=Alice" -days 7650 \
+        -passin pass:passphrase -passout pass:passphrase
+
+    openssl x509 -req -in subca/alice/alice_req.pem \
+        -extfile openssl.cnf -extensions ee_of_subca \
+        -CA subca/subca_cert.pem -CAkey subca/subca_key.pem \
+        -out subca/alice/alice_cert.pem -CAcreateserial \
+        -CAserial subca/subca_cert.srl -days 7200 -passin pass:passphrase
+fi
+
+# generate certifiacte for Bob
+if [ ! -f subca/bob/bob_cert.pem ]; then
+    if [ ! -d subca/bob ]; then
+        mkdir -p subca/bob
+    fi
+
+    openssl req -newkey rsa:1024 -keyout subca/bob/bob_key.pem \
+        -out subca/bob/bob_req.pem \
+        -subj "/C=US/O=Example/OU=Class-1/CN=Bob" -days 7650 \
+        -passin pass:passphrase -passout pass:passphrase
+
+    openssl x509 -req -in subca/bob/bob_req.pem \
+        -extfile openssl.cnf -extensions ee_of_subca \
+        -CA subca/subca_cert.pem -CAkey subca/subca_key.pem \
+        -out subca/bob/bob_cert.pem -CAcreateserial \
+        -CAserial subca/subca_cert.srl -days 7200 -passin pass:passphrase
+fi
+
+# generate certifiacte for Susan
+if [ ! -f subca/susan/susan_cert.pem ]; then
+    if [ ! -d subca/susan ]; then
+        mkdir -p subca/susan
+    fi
+
+    openssl req -newkey rsa:1024 -keyout subca/susan/susan_key.pem \
+        -out subca/susan/susan_req.pem \
+        -subj "/C=US/O=Example/OU=Class-1/CN=Susan" -days 7650 \
+        -passin pass:passphrase -passout pass:passphrase
+
+    openssl x509 -req -in subca/susan/susan_req.pem -extfile openssl.cnf \
+        -extensions ee_of_subca -CA subca/subca_cert.pem \
+        -CAkey subca/subca_key.pem -out subca/susan/susan_cert.pem \
+        -CAcreateserial -CAserial subca/subca_cert.srl -days 7200 \
+        -passin pass:passphrase
+fi
+
+
+# generate the top CRL
+if [ ! -f root/top_crl.pem ]; then
+    if [ ! -d root ]; then
+        mkdir root
+    fi
+
+    if [ ! -f root/index.txt ]; then
+        touch root/index.txt
+        echo 00 > root/crlnumber
+    fi
+
+    openssl ca -gencrl -config openssl.cnf -name ca_top -crldays 7000 \
+        -crl_reason superseded -keyfile root/top_crlissuer_key.pem \
+        -cert root/top_crlissuer_cert.pem -out root/top_crl.pem \
+        -passin pass:passphrase
+fi
+
+# revoke dumca
+openssl ca -revoke dumca/dumca_cert.pem -config openssl.cnf \
+        -name ca_top -crl_reason superseded \
+        -keyfile root/top_crlissuer_key.pem -cert root/top_crlissuer_cert.pem \
+        -passin pass:passphrase
+
+openssl ca -gencrl -config openssl.cnf -name ca_top -crldays 7000 \
+        -crl_reason superseded -keyfile root/top_crlissuer_key.pem \
+        -cert root/top_crlissuer_cert.pem -out root/top_crl.pem \
+        -passin pass:passphrase
+
+# revoke for subca
+if [ ! -f subca/subca_crl.pem ]; then
+    if [ ! -d subca ]; then
+        mkdir subca
+    fi
+
+    if [ ! -f subca/index.txt ]; then
+        touch subca/index.txt
+        echo 00 > subca/crlnumber
+    fi
+
+    openssl ca -gencrl -config openssl.cnf -name ca_subca -crldays 7000 \
+        -crl_reason superseded -keyfile subca/subca_crlissuer_key.pem \
+        -cert subca/subca_crlissuer_cert.pem -out subca/subca_crl.pem \
+        -passin pass:passphrase
+fi
+
+# revoke susan
+openssl ca -revoke subca/susan/susan_cert.pem -config openssl.cnf \
+        -name ca_subca -crl_reason superseded \
+        -keyfile subca/subca_crlissuer_key.pem \
+        -cert subca/subca_crlissuer_cert.pem -passin pass:passphrase
+
+openssl ca -gencrl -config openssl.cnf -name ca_subca -crldays 7000 \
+        -crl_reason superseded -keyfile subca/subca_crlissuer_key.pem \
+        -cert subca/subca_crlissuer_cert.pem -out subca/subca_crl.pem \
+        -passin pass:passphrase
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/java/security/cert/CertPathValidator/indirectCRL/openssl.cnf	Tue May 26 16:43:22 2009 +0800
@@ -0,0 +1,206 @@
+#
+# Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.  Sun designates this
+# particular file as subject to the "Classpath" exception as provided
+# by Sun in the LICENSE file that accompanied this code.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+# CA 95054 USA or visit www.sun.com if you need additional information or
+# have any questions.
+#
+
+#
+# OpenSSL configuration file.
+#
+
+HOME                = .
+RANDFILE            = $ENV::HOME/.rnd
+
+[ ca ]
+default_ca          = CA_default
+
+[ CA_default ]
+dir                 = ./top
+certs               = $dir/certs
+crl_dir             = $dir/crl
+database            = $dir/index.txt
+unique_subject      = no
+new_certs_dir       = $dir/newcerts
+certificate         = $dir/cacert.pem
+serial              = $dir/serial
+crlnumber           = $dir/crlnumber
+crl                 = $dir/crl.pem
+private_key         = $dir/private/cakey.pem
+RANDFILE            = $dir/private/.rand
+x509_extensions     = v3_ca
+
+name_opt            = ca_default
+cert_opt            = ca_default
+
+default_days        = 7650
+default_crl_days    = 30
+default_md          = sha1
+preserve            = no
+
+policy              = policy_anything
+
+[ ca_top ]
+dir                 = ./root
+certs               = $dir/certs
+crl_dir             = $dir/crl
+database            = $dir/index.txt
+unique_subject      = no
+new_certs_dir       = $dir/newcerts
+certificate         = $dir/cacert.pem
+serial              = $dir/serial
+crlnumber           = $dir/crlnumber
+crl                 = $dir/crl.pem
+private_key         = $dir/private/cakey.pem
+RANDFILE            = $dir/private/.rand
+
+x509_extensions     = v3_ca
+
+name_opt            = ca_default
+cert_opt            = ca_default
+
+default_days        = 7650
+default_crl_days    = 30
+default_md          = sha1
+preserve            = no
+
+policy              = policy_anything
+
+[ ca_subca ]
+dir                 = ./subca
+certs               = $dir/certs
+crl_dir             = $dir/crl
+database            = $dir/index.txt
+unique_subject      = no
+new_certs_dir       = $dir/newcerts
+
+certificate         = $dir/cacert.pem
+serial              = $dir/serial
+crlnumber           = $dir/crlnumber
+crl                 = $dir/crl.pem
+private_key         = $dir/private/cakey.pem
+RANDFILE            = $dir/private/.rand
+
+x509_extensions     = usr_cert
+
+name_opt            = ca_default
+cert_opt            = ca_default
+
+default_days        = 7650
+default_crl_days    = 30
+default_md          = sha1
+preserve            = no
+
+policy              = policy_anything
+
+[ policy_match ]
+countryName         = match
+stateOrProvinceName = match
+organizationName    = match
+organizationalUnitName  = optional
+commonName          = supplied
+emailAddress        = optional
+
+[ policy_anything ]
+countryName         = optional
+stateOrProvinceName = optional
+localityName        = optional
+organizationName    = optional
+organizationalUnitName  = optional
+commonName          = supplied
+emailAddress        = optional
+
+[ req ]
+default_bits        = 1024
+default_keyfile     = privkey.pem
+distinguished_name  = req_distinguished_name
+attributes          = req_attributes
+x509_extensions     = v3_ca
+
+string_mask = nombstr
+
+[ req_distinguished_name ]
+countryName         = Country Name (2 letter code)
+countryName_default = NO
+countryName_min     = 2
+countryName_max     = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default  = A-State
+
+localityName        = Locality Name (eg, city)
+
+0.organizationName  = Organization Name (eg, company)
+0.organizationName_default   = Internet Widgits Pty Ltd
+
+organizationalUnitName       = Organizational Unit Name (eg, section)
+
+commonName              = Common Name (eg, YOUR name)
+commonName_max          = 64
+
+emailAddress            = Email Address
+emailAddress_max        = 64
+
+[ req_attributes ]
+challengePassword       = A challenge password
+challengePassword_min   = 4
+challengePassword_max   = 20
+unstructuredName        = An optional company name
+
+
+[ usr_cert ]
+keyUsage                = nonRepudiation, digitalSignature, keyEncipherment
+
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid,issuer
+
+[ v3_req ]
+basicConstraints        = CA:FALSE
+keyUsage                = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName          = email:example@openjdk.net, RID:1.2.3.4:true
+
+[ v3_ca ]
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid:always,issuer:always
+basicConstraints        = critical,CA:true
+keyUsage                = keyCertSign
+
+[ cert_issuer ]
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid:always,issuer:always
+basicConstraints        = critical,CA:true
+keyUsage                = keyCertSign
+
+
+[ crl_issuer ]
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid:always,issuer:always
+keyUsage                = cRLSign
+
+
+[ crl_ext ]
+authorityKeyIdentifier  = keyid:always,issuer:always
+
+[ ee_of_subca ]
+keyUsage    = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
+
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid,issuer