[security-dev 00954]: Re: code review request 6852744: PIT b61: PKI test suite fails because self signed certificates are being rejected

Xuelei Fan Xuelei.Fan at Sun.COM
Fri Jul 3 04:22:10 UTC 2009


Webrev updated so that a CRL issuer now can delegate itself as CRL issuer 
in the DistributionPoint extension.

------------
DistributionPointFetcher.java:

          if (pointCrlIssuers != null) {
              ......
              if (match == false) {
                  return false;
              }
+
+             // we accept the case that a CRL issuer provide status
+             // information for itself.
+             if (ForwardBuilder.issues(certImpl, crlImpl, provider)) {
+                 // reset the public key used to verify the CRL's signature
+                 prevKey = certImpl.getPublicKey();
+             } else {
                  indirectCRL = true;
+             }
          } else if (crlIssuer.equals(certIssuer) == false) {
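Review bot: the comment above the new ForwardBuilder.issues branch should state why accepting a CRL issuer's status information for itself is safe, not only that it is accepted: the CRL is still signature-verified, now against the certificate's own key (prevKey = certImpl.getPublicKey()), and because this branch no longer sets indirectCRL the indirect-CRL handling further down does not apply to that case. Also "a CRL issuer provide status" should read "provides status".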
----------

Thanks,
Xuelei

Xuelei Fan wrote:
> Hi,
>
> bug description: 
> http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6852744
> webrev: http://cr.openjdk.java.net/~xuelei/6852744/webrev/
>
> Evaluation of the bug:
> 1. There is a loop in the forward builder for self-issued intermediate 
> certificates.
>   The ForwardBuilder looks for the next certificate based on 
> IssuerDN/SubjectDN. However, a self-issued certificate has the same 
> IssuerDN and SubjectDN, so the lookup will loop on the self-issued 
> certificate until the loop is detected.
>
> 2. Circular dependencies
>   In the PIT tests, the validity of the intermediate CA certificate 
> (oldCA) depends on the CRL; the validity of the CRL depends on its issuer, 
> the self-issued intermediate CA certificate (newWithOldCA); the validity 
> of newWithOldCA depends on its issuer, the oldCA; here comes a dead loop.
>
> Thanks,
> Xuelei
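The two problems in the bug evaluation above, as an added toy model written for this thread (it is not JDK code and does not reproduce the webrev): a forward builder that matches only IssuerDN to SubjectDN re-selects a self-issued certificate until a path check fires, and a validation in which a CA certificate, the CRL covering it and the CRL's signer depend on each other recurses until a cycle detector reports it. The `accept_self_status` flag models only the intent stated in the patch comment (a CRL signed with the certificate's own key is verified with that key rather than by validating a separate CRL signer). All certificate names, key identifiers, the `crl_issuer` field and the `Cert`/`Crl` classes are constructed for the example.

```python
# Added toy model (not JDK code): DN-only forward building loops on a self-issued
# cert, and cert / CRL / CRL-signer validity can form a cycle.  All constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    label: str       # readable name used in messages
    subject: str     # SubjectDN
    issuer: str      # IssuerDN
    key: str         # id of the public key carried in the cert (constructed)
    signed_by: str   # id of the key that signed the cert (constructed)
    crl_issuer: str  # cRLIssuer named in the DistributionPoint extension

@dataclass(frozen=True)
class Crl:
    issuer: str      # DN of the CRL issuer
    signed_by: str   # id of the key that signed the CRL
    revoked: frozenset

class LoopDetected(Exception): pass
class CircularDependency(Exception): pass

def build_forward_naive(target, store, anchors, max_steps=8):
    """Take the first IssuerDN/SubjectDN match.  A self-issued cert (subject ==
    issuer) matches itself, so the walk re-selects it until the path check fires."""
    path = [target]
    for _ in range(max_steps):
        cur = path[-1]
        if cur.signed_by in anchors:
            return [c.label for c in path]
        nxt = next(c for c in store if c.subject == cur.issuer)
        if nxt in path:
            raise LoopDetected(f"{nxt.label} already on path")
        path.append(nxt)
    raise LoopDetected("step budget exhausted")

def build_forward(target, store, anchors, max_steps=8):
    """Also require the candidate's key to be the one that signed the current
    cert, and never revisit a cert already on the path."""
    path = [target]
    for _ in range(max_steps):
        cur = path[-1]
        if cur.signed_by in anchors:
            return [c.label for c in path]
        cands = [c for c in store if c.subject == cur.issuer
                 and c.key == cur.signed_by and c not in path]
        if not cands:
            raise LoopDetected(f"no usable issuer for {cur.label}")
        path.append(cands[0])
    raise LoopDetected("step budget exhausted")

def validate(cert, store, crls, anchors, accept_self_status=True, in_progress=()):
    """Chain cert to an anchor, then revocation-check it against its CRL.
    in_progress lists certs whose validation is still pending higher up the
    recursion, so a cycle is reported instead of recursing without bound."""
    if cert.label in in_progress:
        raise CircularDependency(" -> ".join(in_progress + (cert.label,)))
    pending = in_progress + (cert.label,)
    if cert.signed_by not in anchors:
        issuer = next(c for c in store if c.key == cert.signed_by)
        if not validate(issuer, store, crls, anchors, accept_self_status, pending):
            return False
    crl = next(c for c in crls if c.issuer == cert.crl_issuer)
    if accept_self_status and crl.signed_by == cert.key:
        pass  # CRL signed with the cert's own key: verify with that key, no recursion
    else:
        signer = next(c for c in store if c.key == crl.signed_by)
        if not validate(signer, store, crls, anchors, accept_self_status, pending):
            return False
    return cert.label not in crl.revoked

def outcome(fn, *args, **kw):
    """Return fn's result, or the exception it raised as a string."""
    try:
        return fn(*args, **kw)
    except (LoopDetected, CircularDependency) as e:
        return f"{type(e).__name__}: {e}"

ANCHORS = frozenset({"k_root"})
# Constructed version of the PIT scenario: oldCA, the self-issued newWithOldCA,
# and a CRL for the "CA" DN signed by newWithOldCA's key.
OLD_CA = Cert("oldCA", "CA", "Root", "k_old", "k_root", "CA")
NEW_WITH_OLD = Cert("newWithOldCA", "CA", "CA", "k_new", "k_old", "CA")
EE = Cert("EE", "EE", "CA", "k_ee", "k_new", "CA")
STORE, CRLS = [NEW_WITH_OLD, OLD_CA], [Crl("CA", "k_new", frozenset())]
# Constructed self-status case: CA "B" names itself as cRLIssuer and signs its own CRL.
B = Cert("B", "B", "Root", "k_b", "k_root", "B")
EE_B = Cert("EE-B", "EE-B", "B", "k_eb", "k_b", "B")
STORE_B, CRLS_B = [B], [Crl("B", "k_b", frozenset())]

if __name__ == "__main__":
    print(outcome(build_forward_naive, EE, STORE, ANCHORS))   # loop detected
    print(outcome(build_forward, EE, STORE, ANCHORS))         # EE, newWithOldCA, oldCA
    print(outcome(validate, EE, STORE, CRLS, ANCHORS))        # circular dependency
    print(outcome(validate, EE_B, STORE_B, CRLS_B, ANCHORS))  # True
    print(outcome(validate, EE_B, STORE_B, CRLS_B, ANCHORS, accept_self_status=False))
```

Running the module prints the loop detection for the DN-only builder, the path the key-aware builder finds, the cycle EE -> newWithOldCA -> oldCA -> newWithOldCA for the PIT-style data, and, for CA "B", a valid result only when status information signed with the certificate's own key is accepted; with that acceptance switched off the check recurses into B while B is still being validated and the cycle detector reports it.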
