Can you give some suggestion about how build a Hacked JDK for The Malformed Certificates tests

Florian Weimer fweimer at redhat.com
Thu Mar 27 13:34:47 UTC 2014


On 03/19/2014 12:55 PM, zaiyao liu wrote:

> Can you give some suggestion about how to bypass this kind of check to
> generator a certificate for invalid certificate? (I will use this
> invalid to attack normal JDK).

IIRC, I sent you a reproducer when reporting CVE-2009-3876 that does 
this.  I haven't got it anymore, but I believe I used a trust manager 
that returned a subclass of X509CertImpl with an overridden getEncoded() 
method that simply returned crafted DER.  No further changes or 
bootclasspath hacks were required.

-- 
Florian Weimer / Red Hat Product Security Team


More information about the security-dev mailing list