[security-dev 00873]: Re: CR 6847459 Created, P3 java/classes_secu Allow trust anchor self-issued intermediate version 1 and version 2 certificate

Xuelei Fan Xuelei.Fan at Sun.COM
Wed Jun 3 03:23:20 UTC 2009


Hi Max,

Would you please review the updates? I think JavaOne would occupy most 
of the time of others.

Webrev: http://cr.openjdk.java.net/~xuelei/6847459/webrev.00/

No new test case, the closed/sun/security/validator/BasicTests.java 
covered the case.

Thanks,
Andrew


Xuelei.Fan at Sun.COM wrote:
>                         Sun Confidential: Internal only
>
> *Synopsis*: Allow trust anchor self-issued intermediate version 1 and version 2 certificate
>
> CrPrint: http://bt2ws.central.sun.com/CrPrint?id=6847459
> Monaco: http://monaco.sfbay.sun.com/detail.jsf?cr=6847459
>
>      
> *Change Request ID*: 6847459
>
> *Synopsis*: Allow trust anchor self-issued intermediate version 1 and version 2 certificate
>
>   Product: java
>   Category: java
>   Subcategory: classes_security
>   Type: Defect
>   Subtype: 
>   Status: 1-Dispatched
>   Substatus: 
>   Priority: 3-Medium
>   Introduced In Release: 
>   Introduced In Build: 
>   Responsible Manager: frances.ho at sun.com
>   Responsible Engineer: xuelei.fan at sun.com
>   Initial Evaluator: jsn-sec-bugs at sun.com
>   Keywords: 
>
> === *Description* ============================================================
> With the updates at 6822460, we start to support self-issued certificates in PKIXValidator, which will try to validate self-issued certificates instead of ignoring them as in the past.
>
> However, the ConstraintsChecker will reject all version 1 and version 2 certificates because there is no basic constraints extension inside. Here comes a regression failure: before the updates of 6822460, self-issued version 1 and version 2 certificates could be validated because there was no attempt to validate them; after the updates, self-issued version 1 and version 2 certificates are denied by ConstraintsChecker.
>
> If a version 1 or version 2 self-issued certificate is issued by a trust anchor, we need to it at ConstraintsChecker, because there are practical cases where a trust anchor needs to issue self-issued certificates in order to support key rollover or changes in certificate policies.
>
> *** (#1 of 1): 2009-06-03 03:10:11 GMT+00:00 xuelei.fan at sun.com
>
>
> === *Public Comments* ========================================================
>
> === *Comments* ===============================================================
>
> === *Evaluation* =============================================================
>
> === *Suggested Fix* ==========================================================
>
> === *Workaround* =============================================================
>
> === *Justification* ==========================================================
> Priority changed from [] to [3-Medium]
> there is a failure of regression test
> xuelei.fan at sun.com 2009-06-03 03:10:11 GMT
>
> *** (#1 of 1): 2009-06-03 03:10:11 GMT+00:00 xuelei.fan at sun.com
>
>
> === *Additional Details* =====================================================
>         Targeted Release: 7
>         Commit To Fix In Build: 
>         Fixed In Build: 
>         Integrated In Build: 
>         Verified In Build: 
>   See Also: 
>   Duplicate of: 
>   Hooks:
>         Hook1: 
>         Hook2: 
>         Hook3: 
>         Hook4: 
>         Hook5: 
>         Hook6: 
>   Interest List: 
>   Program Management: 
>   Root Cause: 
>   Is a Security Vulnerability?: No
>   Fix Affects Documentation: No
>   Fix Affects Localization: No
>   Reported by: 
>
> === *History* ================================================================
>         Date Submitted: 2009-06-03 03:10:10 GMT+00:00
>         Submitted By: xuelei.fan at sun.com
>
>         Status Changed    Date Updated                  Updated By
>
>
> === *Solution* ===============================================================
>
>
> === *Service Request* ========================================================
>         ID: 1-544857704
>     	Customer:
>         Account Name: Sun Microsystems Inc
>         Customer Contact: 
>         Customer Contact Role: D-Development
>         Customer Contact Type: I-Internal (SMI) Customer
>         Impact: Significant
>         Functionality: Secondary
>         Severity: 3
>         Synopsis: 
>         Product Name: java
>         Product Release: 7
>         Product Build: b59
>         Operating System: generic
>         Hardware: generic
>         Reference Number: 
>         Sun Contact: xuelei.fan at sun.com
>         Status: Open
>         Source: BugTraq2
>         Reproducible: 
>         Submitted By: xuelei.fan at sun.com
>         Submitted Date: 2009-06-03 03:10:11 GMT+00:00
>         Description: 
>
>
> === *Activity* ===============================================================
>
>
> === *Multiple Release (MR) Cluster* - 0 ======================================
>
>
> === *Escalations* ============================================================
>
>   
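
The rule discussed in the CR description, as an added example that is not part of the original message and is not the JDK's ConstraintsChecker code. The `Cert` record, the `Policy` enum and the sample names are assumptions made for illustration; the model compares names only and does not verify signatures.

```java
import java.util.List;

// Simplified model of the rule in the CR description; not the JDK's ConstraintsChecker.
public class SelfIssuedLegacyCheck {
    // Constructed stand-in for the certificate fields the description relies on.
    // Version 1 and 2 certificates carry no extensions, so caByBasicConstraints is false.
    record Cert(String subject, String issuer, int version, boolean caByBasicConstraints) {
        boolean selfIssued() { return subject.equals(issuer); }
    }

    enum Policy { STRICT, ALLOW_ANCHOR_SELF_ISSUED }

    // path runs from the certificate issued by the trust anchor down to the end entity.
    // Every certificate except the last one acts as a CA and is checked here.
    static boolean intermediatesAccepted(Cert anchor, List<Cert> path, Policy policy) {
        int caCount = Math.max(0, path.size() - 1);
        for (Cert c : path.subList(0, caCount)) {
            if (c.caByBasicConstraints()) continue;        // CA asserted by extension
            boolean legacy = c.version() < 3;
            boolean fromAnchor = c.selfIssued() && c.issuer().equals(anchor.subject());
            if (policy == Policy.ALLOW_ANCHOR_SELF_ISSUED && legacy && fromAnchor) continue;
            return false;                                  // no basic constraints, no exemption
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample certificates.
        Cert anchor   = new Cert("CN=Root", "CN=Root", 1, false);    // trusted, old key
        Cert rollover = new Cert("CN=Root", "CN=Root", 1, false);    // new key, issued by anchor
        Cert subV1    = new Cert("CN=Sub", "CN=Root", 1, false);     // v1, not self-issued
        Cert leafRoot = new Cert("CN=server", "CN=Root", 3, false);
        Cert leafSub  = new Cert("CN=server", "CN=Sub", 3, false);

        for (Policy p : Policy.values()) {
            System.out.println(p + " rollover path accepted: "
                    + intermediatesAccepted(anchor, List.of(rollover, leafRoot), p));
            System.out.println(p + " v1 sub-CA path accepted: "
                    + intermediatesAccepted(anchor, List.of(subV1, leafSub), p));
        }
    }
}
```

Under `STRICT` both paths are rejected, which is the regression the CR describes; under `ALLOW_ANCHOR_SELF_ISSUED` only the rollover path passes, so a version 1 intermediate that is not self-issued by the anchor is still refused.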


