[security-dev 00874]: Re: CR 6847459 Created, P3 java/classes_secu Allow trust anchor self-issued intermediate version 1 and version 2 certificate
Weijun Wang
Weijun.Wang at Sun.COM
Wed Jun 3 03:45:10 UTC 2009
+ // We choose to reject all version 1 and version 2 intermediate
+ // certificates except that it is self issued by the trust
+ // anchor in order to support key rollover or changes in
+ // certificate policies.
+ int pathLenConstraint = -1;
+ if (currCert.getVersion() < 3) { // version 1 or version 2
+ if (i == 1) { // issued by a trust anchor
So, self-issued cert can be only issued by trust anchor, but not an
intermediate CA?
+ try {
+ X509CertImpl certImpl = X509CertImpl.toImpl(currCert);
+ if (certImpl.isSelfIssued(currCert)) {
Isn't isSelfIssued() a static method?
+ pathLenConstraint = Integer.MAX_VALUE;
+ }
+ } catch (CertificateException ce) {
+ throw new CertPathValidatorException(ce);
+ }
+ }
+ } else {
+ pathLenConstraint = currCert.getBasicConstraints();
+ }
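Review bot: In the `currCert.getVersion() < 3` branch, a version 1 or version 2 certificate that is not at `i == 1`, or is at `i == 1` but not self-issued, falls through with `pathLenConstraint` still at its initial `-1`, and nothing in the hunk says that `-1` is what produces the rejection the comment promises. Make that explicit with a comment on the initializer or an `else` that names the rejection. The accepted case sets `Integer.MAX_VALUE`, which gives a certificate with no basic constraints extension an unbounded path length; the comment should state that this is intended for the rollover case. The exception is also gated only on `i == 1` plus `isSelfIssued(currCert)`, and the hunk shows no comparison against the trust anchor's name, so it is worth confirming that position 1 alone establishes "issued by the trust anchor".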
Xuelei Fan wrote:
> Hi Max,
>
> Would you please review the updates? I think JavaOne would occupy most
> of the time of others.
>
> Webrev: http://cr.openjdk.java.net/~xuelei/6847459/webrev.00/
>
> No new test case, the closed/sun/security/validator/BasicTests.java
> covered the case.
>
> Thanks,
> Andrew
>
>
> Xuelei.Fan at Sun.COM wrote:
>> Sun Confidential: Internal only
>>
>> *Synopsis*: Allow trust anchor self-issued intermediate version 1 and
>> version 2 certificate
>>
>> CrPrint: http://bt2ws.central.sun.com/CrPrint?id=6847459
>> Monaco: http://monaco.sfbay.sun.com/detail.jsf?cr=6847459
>>
>> *Change Request ID*: 6847459
>>
>> Product: java
>> Category: java
>> Subcategory: classes_security
>> Type: Defect
>> Subtype:
>> Status: 1-Dispatched
>> Substatus:
>> Priority: 3-Medium
>> Introduced In Release:
>> Introduced In Build:
>> Responsible Manager: frances.ho at sun.com
>> Responsible Engineer: xuelei.fan at sun.com
>> Initial Evaluator: jsn-sec-bugs at sun.com
>> Keywords:
>> === *Description*
>> ============================================================
>> With the updates at 6822460, we start to support self-issued certificates
>> in PKIXValidator, which will try to validate self-issued certificates
>> instead of ignoring them as in the past.
>>
>> However, the ConstraintsChecker will reject all version 1 and version
>> 2 certificates for there is no basic constraints extension inside.
>> Here comes a regression failure, before the updates of 6822460,
>> self-issued version 1 and version 2 certificates could be validated
>> because there is no trying to validate them, after the updates,
>> self-issued version 1 and version 2 certificates would be denied by
>> ConstraintsChecker.
>>
>> If a version 1 and version 2 self-issued certificate is issued by a
>> trust anchor, we need to it at ConstraintsChecker, because there are
>> practical cases that a trust anchor needs to issue self-issued
>> certificates in order to support key rollover or changes in certificate
>> policies.
>>
>> *** (#1 of 1): 2009-06-03 03:10:11 GMT+00:00 xuelei.fan at sun.com
>>
>>
>> === *Justification*
>> ==========================================================
>> Priority changed from [] to [3-Medium]
>> there is a failure of regression test
>> xuelei.fan at sun.com 2009-06-03 03:10:11 GMT
>>
>> *** (#1 of 1): 2009-06-03 03:10:11 GMT+00:00 xuelei.fan at sun.com
>>
>>
>> === *Additional Details*
>> =====================================================
>> Targeted Release: 7
>> Commit To Fix In Build:
>> Fixed In Build:
>> Integrated In Build:
>> Verified In Build:
>> See Also:
>> Duplicate of:
>> Hooks:
>> Hook1: Hook2: Hook3: Hook4: Hook5: Hook6:
>> Interest List:
>> Program Management:
>> Root Cause:
>> Is a Security Vulnerability?: No
>> Fix Affects Documentation: No
>> Fix Affects Localization: No
>> Reported by:
>> === *History*
>> ================================================================
>> Date Submitted: 2009-06-03 03:10:10 GMT+00:00
>> Submitted By: xuelei.fan at sun.com
>>
>> Status Changed Date Updated Updated By
>>
>>
>> === *Service Request*
>> ========================================================
>> ID: 1-544857704
>> Customer:
>> Account Name: Sun Microsystems Inc
>> Customer Contact: Customer Contact Role: D-Development
>> Customer Contact Type: I-Internal (SMI) Customer
>> Impact: Significant
>> Functionality: Secondary
>> Severity: 3
>> Synopsis:
>> Product Name: java
>> Product Release: 7
>> Product Build: b59
>> Operating System: generic
>> Hardware: generic
>> Reference Number:
>> Sun Contact: xuelei.fan at sun.com
>> Status: Open
>> Source: BugTraq2
>> Reproducible:
>> Submitted By: xuelei.fan at sun.com
>> Submitted Date: 2009-06-03 03:10:11 GMT+00:00
>> Description:
>>