[security-dev 00973]: Re: code review request 6852744: PIT b61: PKI test suite fails because self signed certificates are being rejected

Xuelei Fan Xuelei.Fan at Sun.COM
Thu Jul 9 00:41:37 UTC 2009


webrev updated, adding comments to tests:  
http://cr.openjdk.java.net/~xuelei/6852744/webrev.02/

Sean Mullan wrote:
> Xuelei Fan wrote:
>>
>>>>> In this block of code:
>>>>>
>>>>>  858                 if (principal != null && publicKey != null &&
>>>>>  859                         principal.equals(cert.getSubjectX500Principal())) {
>>>>>  860                     if (publicKey.equals(cert.getPublicKey())) {
>>>>>  861                         this.trustAnchor = anchor;
>>>>>  862                         return true;
>>>>>  863                     }
>>>>>  864                     // else, it is a self-issued certificate of the anchor
>>>>>  865                 }
>>>>>
>>>>> you never check if the trust anchor name is equal to the issuer of 
>>>>> the cert before returning true. That seems to violate RFC 5280.
>>>>>
>>>> At line 859, when the cert's "subject" equals the trust anchor
>>>
>>> Why not match it with the cert's issuer? That would then be 
>>> compliant with 5280.
>>>
>> The above code is used to check whether the target cert is a trust
>> anchor, so we need to compare the "subject" of both. If the cert is
>> not a trust anchor, we need to check its issuer.
> Ok, but shouldn't the trust anchor name also match the cert issuer in 
> that case? A trust anchor name is supposed to match the issuer of the
> first certificate in the chain. This is clearly specified in RFC 5280 
> (search for "working_issuer_name").  I would like to understand why we 
> don't need to check that in this case. Can you describe a chain that 
> doesn't satisfy this case and needs this check?
>
I think I understand what your concerns are now. If I'm right, you think
that the target cert of the method is expected to be the first
certificate in a certificate chain, which should be directly issued by a
trust anchor. By my understanding of the method,
ForwardBuilder.isPathCompleted(X509Certificate cert), it returns
true if the "cert" parameter is a trust anchor, which means we have got
the first certificate in the certification path; now we are working on
the cert that issues the first certificate in the path, and that issuer
could be a trust anchor.

For example, the expected path is EE->subca->trust anchor, and the
previous step has verified "subca" and got the path EE->subca. Here we
don't know whether it is a complete path or not; we need one more step. We
need to look for the issuer of "subca" now, get the "trust anchor cert",
then we call ForwardBuilder.isPathCompleted("trust anchor cert"). In the
method, we first check whether the "trust anchor cert" is a trust
anchor or not; if it is itself a trust anchor, we return true immediately,
and the cert will not be added to the path by the builder. Then we reach
the conclusion that the path EE->subca is a complete certification path.

Do I make myself understood?

Thanks,
Andrew

> Thanks,
> Sean
>>
>> The following code is used to check whether the target cert is issued
>> by the trust anchor:
>> -------------
>> 868                 // Check subject/issuer name chaining
>> 869                 if (principal == null ||
>> 870                         !principal.equals(cert.getIssuerX500Principal())) {
>> 871                     continue;
>> 872                 }
>>
>> ------------
>>
>> If it is a cert issued by a trust anchor, the method will then check
>> the revocation and signature. I think that is your expected
>> behavior, right?
>>
>> Thanks,
>> Andrew
>
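The completion check that the reply above walks through, as an added example that is not code from the thread or from the JDK: `pathCompleted` is an assumed model of the two quoted checks, written in Go rather than Java because crypto/x509 can mint a small test PKI in memory, which the JDK's public API cannot do stand-alone. A candidate whose subject name and public key both match a trust anchor is the anchor itself and completes the path without being appended; any other candidate, including one that merely shares the anchor's name, must have the anchor name as its issuer and must verify under the anchor key. The certificate names ("Example Root", "Example SubCA", "ee.example"), the "rollover" and "impostor" certificates, and the `Anchor` and `Result` types are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Anchor is a name+key trust anchor; Cert is the same anchor as a certificate, used only for CheckSignatureFrom.
type Anchor struct {
	Name []byte // DER-encoded subject name
	Key  *ecdsa.PublicKey
	Cert *x509.Certificate
}

type Result int // what the builder learns about one candidate cert
const (
	Incomplete     Result = iota // neither an anchor nor directly issued by one: keep building
	IsAnchor                     // the cert is the anchor itself: path complete, cert NOT appended
	IssuedByAnchor               // name chaining and signature succeed: path complete, cert appended
)
func (r Result) String() string { return [...]string{"Incomplete", "IsAnchor", "IssuedByAnchor"}[r] }

// pathCompleted models the two checks quoted in the thread (an assumption, not the JDK code).
func pathCompleted(cert *x509.Certificate, anchors []Anchor) Result {
	for _, a := range anchors {
		if bytes.Equal(a.Name, cert.RawSubject) {
			if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); ok && pub.Equal(a.Key) {
				return IsAnchor // same subject AND same key: this cert is the anchor
			}
			// same subject, different key: self-issued by the anchor (key rollover) or an impostor; no shortcut
		}
		if !bytes.Equal(a.Name, cert.RawIssuer) {
			continue // RFC 5280 name chaining: the anchor name must equal the cert's issuer
		}
		if cert.CheckSignatureFrom(a.Cert) == nil {
			return IssuedByAnchor
		} // else the names chain but the anchor key did not sign it: try the next anchor
	}
	return Incomplete
}

// buildFixture constructs an in-memory PKI (constructed test data, not from the thread).
func buildFixture() (certs map[string]*x509.Certificate, anchors []Anchor, err error) {
	keys := map[string]*ecdsa.PrivateKey{}
	certs = map[string]*x509.Certificate{}
	issue := func(name, cn string, ca bool, parent *x509.Certificate, signer string) { // nil parent: self-signed
		if err != nil {
			return
		}
		if keys[name], err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
			return
		}
		t := &x509.Certificate{SerialNumber: big.NewInt(int64(len(certs) + 1)), Subject: pkix.Name{CommonName: cn},
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
			IsCA: ca, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
		if parent == nil {
			parent = t
		}
		var der []byte
		if der, err = x509.CreateCertificate(rand.Reader, t, parent, &keys[name].PublicKey, keys[signer]); err == nil {
			certs[name], err = x509.ParseCertificate(der)
		}
	}
	issue("root", "Example Root", true, nil, "root") // the trust anchor
	issue("subca", "Example SubCA", true, certs["root"], "root")
	issue("ee", "ee.example", false, certs["subca"], "subca")
	issue("rollover", "Example Root", true, certs["root"], "root") // self-issued by the anchor: same name, new key
	issue("impostor", "Example Root", true, nil, "impostor")     // same name, but self-signed with an unrelated key
	if err != nil {
		return nil, nil, err
	}
	anchors = []Anchor{{Name: certs["root"].RawSubject, Key: &keys["root"].PublicKey, Cert: certs["root"]}}
	return certs, anchors, nil
}

// demo returns pathCompleted for every cert of the fixture, keyed by name.
func demo() (map[string]Result, error) {
	certs, anchors, err := buildFixture()
	if err != nil {
		return nil, err
	}
	out := map[string]Result{}
	for n, c := range certs {
		out[n] = pathCompleted(c, anchors)
	}
	return out, nil
}

func main() {
	fmt.Println(demo()) // map[ee:Incomplete impostor:Incomplete rollover:IssuedByAnchor root:IsAnchor subca:IssuedByAnchor] <nil>
}
```

Read against the thread: the EE is Incomplete (its issuer is the sub-CA, not the anchor), the sub-CA is IssuedByAnchor (name chaining plus signature, so EE->subca is a complete path), and the root is IsAnchor (subject and key match, so it would not be appended). The two "Example Root" look-alikes show why the subject check alone never completes a path: the rollover cert, signed by the anchor key, falls through to the issuer and signature checks and passes them, while the impostor, which only copies the name, fails the signature check and is not trusted.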
