[security-dev 00972]: Re: code review request 6852744: PIT b61: PKI test suite fails because self signed certificates are being rejected
Sean Mullan
Sean.Mullan at Sun.COM
Wed Jul 8 23:46:22 UTC 2009
Xuelei Fan wrote:
>
>>>> In this block of code:
>>>>
>>>> 858     if (principal != null && publicKey != null &&
>>>> 859             principal.equals(cert.getSubjectX500Principal())) {
>>>> 860         if (publicKey.equals(cert.getPublicKey())) {
>>>> 861             this.trustAnchor = anchor;
>>>> 862             return true;
>>>> 863         }
>>>> 864         // else, it is a self-issued certificate of the anchor
>>>> 865     }
>>>>
>>>> you never check if the trust anchor name is equal to the issuer of
>>>> the cert before returning true. That seems to violate RFC 5280.
>>>>
>>> At line 859, when the cert's "subject" equals to the trust anchor
>>
>> Why not match it with the cert's issuer? That would then be compliant
>> with 5280.
>>
> The above code is used to check whether the target cert is a trust
> anchor, so we need to compare the "subject" of both. If the cert is
> not a trust anchor, we need to check its issuer.
Ok, but shouldn't the trust anchor name also match the cert issuer in
that case? A trust anchor name is supposed to match the issuer of the
first certificate in the chain. This is clearly specified in RFC 5280
(search for "working_issuer_name"). I would like to understand why we
don't need to check that in this case. Can you describe a chain that
doesn't satisfy this case and needs this check?
Thanks,
Sean
>
> The following code is used to check whether the target cert is issued
> by the trust anchor:
> -------------
> 868     // Check subject/issuer name chaining
> 869     if (principal == null ||
> 870             !principal.equals(cert.getIssuerX500Principal())) {
> 871         continue;
> 872     }
>
> ------------
>
> If it is a cert issued by a trust anchor, the method will then check
> the revocation and signature. I think that is your expected behavior,
> right?
>
> Thanks,
> Andrew
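
The two checks discussed in this thread, modeled as an added example (not code from the webrev or the JDK). The `Cert` and `Anchor` records, the `classify` method and the `Match` enum are hypothetical stand-ins, and all names and keys are constructed.

```java
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import javax.security.auth.x500.X500Principal;

public class AnchorMatchDemo {
    // Hypothetical stand-ins for the X509Certificate and TrustAnchor fields under discussion.
    record Cert(X500Principal subject, X500Principal issuer, PublicKey key) {}
    record Anchor(X500Principal name, PublicKey key) {}
    enum Match { IS_ANCHOR, ISSUED_BY_ANCHOR, NO_MATCH }

    static Match classify(Anchor a, Cert c) {
        // Lines 858-865: same subject and same key means the cert is the anchor itself.
        // The issuer is not consulted on this path.
        if (a.name() != null && a.key() != null && a.name().equals(c.subject())
                && a.key().equals(c.key())) {
            return Match.IS_ANCHOR;
        }
        // Lines 868-872: otherwise the anchor name must equal the cert's issuer.
        if (a.name() == null || !a.name().equals(c.issuer())) {
            return Match.NO_MATCH;
        }
        // Signature and revocation checks would still follow here.
        return Match.ISSUED_BY_ANCHOR;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256);
        PublicKey anchorKey = kpg.generateKeyPair().getPublic();
        PublicKey otherKey = kpg.generateKeyPair().getPublic();
        // Constructed names, not taken from the PKI test suite.
        X500Principal root = new X500Principal("CN=Example Root, O=Example, C=US");
        X500Principal other = new X500Principal("CN=Other CA, O=Example, C=US");
        X500Principal leaf = new X500Principal("CN=leaf.example, O=Example, C=US");
        Anchor anchor = new Anchor(root, anchorKey);

        // Self-signed certificate that is the anchor.
        System.out.println(classify(anchor, new Cert(root, root, anchorKey)));
        // Anchor's subject and key, but the issuer names a different CA (issuer never compared).
        System.out.println(classify(anchor, new Cert(root, other, anchorKey)));
        // Self-issued certificate of the anchor with a different key.
        System.out.println(classify(anchor, new Cert(root, root, otherKey)));
        // End-entity certificate issued by the anchor.
        System.out.println(classify(anchor, new Cert(leaf, root, otherKey)));
        // Certificate issued by an unrelated CA.
        System.out.println(classify(anchor, new Cert(leaf, other, otherKey)));
    }
}
```

With the logic as quoted, the second case is classified `IS_ANCHOR` because the issuer is not compared on that path.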