[security-dev 00945]: code review request 6852744: PIT b61: PKI test suite fails because self signed certificates are being rejected
Xuelei Fan
Xuelei.Fan at Sun.COM
Thu Jul 2 09:04:37 UTC 2009
Hi,
bug description: http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6852744
webrev: http://cr.openjdk.java.net/~xuelei/6852744/webrev/
Evaluation of the bug:
1. There is a loop of forward builder for self-issused intermediate
certificates.
The ForwardBuilder looks for the next certificate based on
IssuerDN/SubjectDN. However, a self-issued certificate has the same
IssuerDN and SubjectDN, the looking will loop on the self-issued
certificate untill the loop detected.
2. Circular dependences
In the PIT tests, the valid of the intermediate CA certificate
(oldCA) depends on the CRL; the valid of CRL depends on its issuer, the
self-issued intermediate CA certificate (newWithOldCA); the valid of
newWithOldCA depends on its issuer, the oldCA, here comes a dead loop.
Thanks,
Xuelei
More information about the security-dev
mailing list