[security-dev 00875]: Re: CR 6847459 Created, P3 java/classes_secu Allow trust anchor self-issued intermediate version 1 and version 2 certificate
Xuelei Fan
Xuelei.Fan at Sun.COM
Wed Jun 3 04:38:36 UTC 2009
Weijun Wang wrote:
> + // We choose to reject all version 1 and version 2 intermediate
> + // certificates except that it is self issued by the trust
> + // anchor in order to support key rollover or changes in
> + // certificate policies.
> + int pathLenConstraint = -1;
> + if (currCert.getVersion() < 3) { // version 1 or version 2
> + if (i == 1) { // issued by a trust anchor
>
> So, self-issued cert can be only issued by trust anchor, but not an
> intermediate CA?
>
No, self-issued cert can be issued by any entity, but I choose to reject
those self-issued version 1 and version 2 certificates here, because I
have no way to understand whether it is a CA or not.
> + try {
> + X509CertImpl certImpl = X509CertImpl.toImpl(currCert);
> + if (certImpl.isSelfIssued(currCert)) {
>
> Isn't isSelfIssued() a static method?
>
>
Oops, yes, it is. Updated:
http://cr.openjdk.java.net/~xuelei/6847459/webrev.01/
<http://cr.openjdk.java.net/%7Exuelei/6847459/webrev.01/>
Thanks,
Andrew
> + pathLenConstraint = Integer.MAX_VALUE;
> + }
> + } catch (CertificateException ce) {
> + throw new CertPathValidatorException(ce);
> + }
> + }
> + } else {
> + pathLenConstraint = currCert.getBasicConstraints();
> + }
>
> Xuelei Fan wrote:
>
>> Hi Max,
>>
>> Would you please review the updates? I think JavaOne would occupy most
>> of the time of others.
>>
>> Webrev: http://cr.openjdk.java.net/~xuelei/6847459/webrev.00/
>>
>> No new test case, the closed/sun/security/validator/BasicTests.java
>> covered the case.
>>
>> Thanks,
>> Andrew
>>
>>
>> Xuelei.Fan at Sun.COM wrote:
>>
>>> Sun Confidential: Internal only
>>>
>>> *Synopsis*: Allow trust anchor self-issued intermediate version 1 and
>>> version 2 certificate
>>>
>>> CrPrint: http://bt2ws.central.sun.com/CrPrint?id=6847459
>>> Monaco: http://monaco.sfbay.sun.com/detail.jsf?cr=6847459
>>>
>>> *Change Request ID*: 6847459
>>>
>>> *Synopsis*: Allow trust anchor self-issued intermediate version 1 and
>>> version 2 certificate
>>>
>>> Product: java
>>> Category: java
>>> Subcategory: classes_security
>>> Type: Defect
>>> Subtype: Status: 1-Dispatched
>>> Substatus: Priority: 3-Medium
>>> Introduced In Release: Introduced In Build: Responsible Manager:
>>> frances.ho at sun.com
>>> Responsible Engineer: xuelei.fan at sun.com
>>> Initial Evaluator: jsn-sec-bugs at sun.com
>>> Keywords:
>>> === *Description*
>>> ============================================================
>>> With the updates at 6822460, we start support slef-issued certificate
>>> in PKIXValidator, which will try to validate self-issued certificate
>>> instead ignore them as past.
>>>
>>> However, the ConstraintsChecker will reject all version 1 and version
>>> 2 certificates for there is no basic constraints extension inside.
>>> Here comes a regression failure, before the updates of 6822460,
>>> self-issued version 1 and version 2 certificates could be validated
>>> because there is no trying to validate them, after the updates,
>>> self-issued version 1 and version 2 certificates would be denied by
>>> ConstraintsChecker.
>>>
>>> If a version 1 and version 2 self-issued certificate is issued by a
>>> trust anchor, we need to it at ConstraintsChecker, because there are
>>> practical cases that a trust anchor need to issue self-issued
>>> certificate in order to support key rollover or changes in certificate
>>> policies.
>>>
>>> *** (#1 of 1): 2009-06-03 03:10:11 GMT+00:00 xuelei.fan at sun.com
>>>
>>>
>>> === *Public Comments*
>>> ========================================================
>>>
>>> === *Comments*
>>> ===============================================================
>>>
>>> === *Evaluation*
>>> =============================================================
>>>
>>> === *Suggested Fix*
>>> ==========================================================
>>>
>>> === *Workaround*
>>> =============================================================
>>>
>>> === *Justification*
>>> ==========================================================
>>> Priority changed from [] to [3-Medium]
>>> there is a failure of regression test
>>> xuelei.fan at sun.com 2009-06-03 03:10:11 GMT
>>>
>>> *** (#1 of 1): 2009-06-03 03:10:11 GMT+00:00 xuelei.fan at sun.com
>>>
>>>
>>> === *Additional Details*
>>> =====================================================
>>> Targeted Release: 7
>>> Commit To Fix In Build: Fixed In Build:
>>> Integrated In Build: Verified In Build: See Also:
>>> Duplicate of: Hooks:
>>> Hook1: Hook2: Hook3: Hook4:
>>> Hook5: Hook6: Interest List: Program Management: Root
>>> Cause: Is a Security Vulnerability?: No
>>> Fix Affects Documentation: No
>>> Fix Affects Localization: No
>>> Reported by:
>>> === *History*
>>> ================================================================
>>> Date Submitted: 2009-06-03 03:10:10 GMT+00:00
>>> Submitted By: xuelei.fan at sun.com
>>>
>>> Status Changed Date Updated Updated By
>>>
>>>
>>> === *Solution*
>>> ===============================================================
>>>
>>>
>>> === *Service Request*
>>> ========================================================
>>> ID: 1-544857704
>>> Customer:
>>> Account Name: Sun Micosystems Inc
>>> Customer Contact: Customer Contact Role: D-Development
>>> Customer Contact Type: I-Internal (SMI) Customer
>>> Impact: Significant
>>> Functionality: Secondary
>>> Severity: 3
>>> Synopsis: Product Name: java
>>> Product Release: 7
>>> Product Build: b59
>>> Operating System: generic
>>> Hardware: generic
>>> Reference Number: Sun Contact: xuelei.fan at sun.com
>>> Status: Open
>>> Source: BugTraq2
>>> Reproducible: Submitted By: xuelei.fan at sun.com
>>> Submitted Date: 2009-06-03 03:10:11 GMT+00:00
>>> Description:
>>>
>>> === *Activity*
>>> ===============================================================
>>>
>>>
>>> === *Multiple Release (MR) Cluster* - 0
>>> ======================================
>>>
>>>
>>> === *Escalations*
>>> ============================================================
>>>
>>>
>>>
More information about the security-dev
mailing list