Can you give some suggestion about how to build a Hacked JDK for The Malformed Certificates tests

Florian Weimer fweimer at redhat.com
Thu Mar 27 13:52:20 UTC 2014


On 03/27/2014 02:34 PM, Florian Weimer wrote:

> IIRC, I sent you a reproducer when reporting CVE-2009-3876 that does
> this.  I haven't got it anymore, but I believe I used a trust manager

Sorry, this has to be an X509KeyManager with a suitable 
getCertificateChain() method.

> that returned a subclass of X509CertImpl with an overridden getEncoded()
> method that simply returned crafted DER.  No further changes or
> bootclasspath hacks were required.



-- 
Florian Weimer / Red Hat Product Security Team
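
The approach described in the message, written as a test harness for checking that a TLS peer's certificate parser rejects bad input. This is an added example, not the reproducer from the original report: the class names `MalformedChainKeyManager` and `ReencodedCert` are hypothetical, and the bytes to send are supplied by the test. It assumes `sun.security.x509.X509CertImpl` is reachable, as it was on the JDKs of that time.

```java
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.X509KeyManager;
// JDK-internal class named in the message; on JDK 9+ compile and run with
// --add-exports java.base/sun.security.x509=ALL-UNNAMED
import sun.security.x509.X509CertImpl;

/** Test-only key manager (hypothetical name): the leaf it hands to JSSE encodes to caller-chosen bytes. */
public final class MalformedChainKeyManager implements X509KeyManager {
    /** Parsed from the real certificate, so key type and names stay valid; only getEncoded() differs. */
    static final class ReencodedCert extends X509CertImpl {
        private final byte[] wire;
        ReencodedCert(X509Certificate real, byte[] wire) throws CertificateException {
            super(real.getEncoded());
            this.wire = wire.clone();
        }
        @Override public byte[] getEncoded() { return wire.clone(); }
    }

    private final X509KeyManager delegate; // real key manager, e.g. from KeyManagerFactory
    private final byte[] wire;             // bytes to place in the Certificate handshake message

    public MalformedChainKeyManager(X509KeyManager delegate, byte[] wire) {
        this.delegate = delegate;
        this.wire = wire.clone();
    }

    @Override public X509Certificate[] getCertificateChain(String alias) {
        X509Certificate[] chain = delegate.getCertificateChain(alias);
        if (chain == null || chain.length == 0) return chain;
        X509Certificate[] out = chain.clone();
        try {
            out[0] = new ReencodedCert(chain[0], wire); // replace the leaf only
        } catch (CertificateException e) {
            throw new IllegalStateException("real leaf certificate did not parse", e);
        }
        return out;
    }

    // Everything else is passed through unchanged.
    @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }
    @Override public String[] getClientAliases(String t, Principal[] i) { return delegate.getClientAliases(t, i); }
    @Override public String[] getServerAliases(String t, Principal[] i) { return delegate.getServerAliases(t, i); }
    @Override public String chooseClientAlias(String[] t, Principal[] i, Socket s) { return delegate.chooseClientAlias(t, i, s); }
    @Override public String chooseServerAlias(String t, Principal[] i, Socket s) { return delegate.chooseServerAlias(t, i, s); }
}
```

Install it with `SSLContext.init(new KeyManager[] { km }, trustManagers, null)` on the sending side of a loopback test. A simple constructed input is the real leaf's encoding with its tail cut off, with the test asserting that the receiving side fails the handshake with an `SSLException` instead of hanging or exhausting memory.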


