[security-dev 00874]: Re: CR 6847459 Created, P3 java/classes_secu Allow trust anchor self-issued intermediate version 1 and version 2 certificate

Weijun Wang Weijun.Wang at Sun.COM
Wed Jun 3 03:45:10 UTC 2009


So, self-issued cert can be only issued by trust anchor, but not an intermediate CA?

Isn't isSelfIssued() a static method?

Xuelei Fan wrote:

Hi Max,

Would you please review the updates? I think JavaOne would occupy most of the time of others.

Webrev: http://cr.openjdk.java.net/~xuelei/6847459/webrev.00/

No new test case, the closed/sun/security/validator/BasicTests.java covered the case.

Thanks,
Andrew

Xuelei.Fan at Sun.COM wrote:

Sun Confidential: Internal only

Synopsis: Allow trust anchor self-issued intermediate version 1 and version 2 certificate

CrPrint: http://bt2ws.central.sun.com/CrPrint?id=6847459
Monaco: http://monaco.sfbay.sun.com/detail.jsf?cr=6847459

Change Request ID: 6847459
Synopsis: Allow trust anchor self-issued intermediate version 1 and version 2 certificate
Product: java
Category: java
Subcategory: classessecurity
Type: Defect
Subtype:
Status: 1-Dispatched
Substatus:
Priority: 3-Medium
Introduced In Release:
Introduced In Build:
Responsible Manager: frances.ho at sun.com
Responsible Engineer: xuelei.fan at sun.com
Initial Evaluator: jsn-sec-bugs at sun.com
Keywords:

=== Description ============================================================

With the updates at 6822460, we start to support self-issued certificates in PKIXValidator, which will try to validate self-issued certificates instead of ignoring them as in the past. However, the ConstraintsChecker will reject all version 1 and version 2 certificates because there is no basic constraints extension inside. Here comes a regression failure: before the updates of 6822460, self-issued version 1 and version 2 certificates could be validated because there was no attempt to validate them; after the updates, self-issued version 1 and version 2 certificates would be denied by ConstraintsChecker.

If a version 1 and version 2 self-issued certificate is issued by a trust anchor, we need to allow it at ConstraintsChecker, because there are practical cases where a trust anchor needs to issue a self-issued certificate in order to support key rollover or changes in certificate policies.

*** (#1 of 1): 2009-06-03 03:10:11 GMT+00:00 xuelei.fan at sun.com

=== Public Comments ========================================================

=== Comments ===============================================================

=== Evaluation =============================================================

=== Suggested Fix ==========================================================

=== Workaround =============================================================

=== Justification ==========================================================

Priority changed from [] to [3-Medium]
there is a failure of regression test
xuelei.fan at sun.com 2009-06-03 03:10:11 GMT

*** (#1 of 1): 2009-06-03 03:10:11 GMT+00:00 xuelei.fan at sun.com

=== Additional Details =====================================================

Targeted Release: 7
Commit To Fix In Build:
Fixed In Build:
Integrated In Build:
Verified In Build:
See Also:
Duplicate of:
Hooks:
Hook1:
Hook2:
Hook3:
Hook4:
Hook5:
Hook6:
Interest List:
Program Management:
Root Cause:
Is a Security Vulnerability?: No
Fix Affects Documentation: No
Fix Affects Localization: No
Reported by:

=== History ================================================================

Date Submitted: 2009-06-03 03:10:10 GMT+00:00
Submitted By: xuelei.fan at sun.com

Status Changed    Date Updated    Updated By

=== Solution ===============================================================

=== Service Request ========================================================

ID: 1-544857704
Customer:
Account Name: Sun Microsystems Inc
Customer Contact:
Customer Contact Role: D-Development
Customer Contact Type: I-Internal (SMI)
Customer Impact: Significant
Functionality: Secondary
Severity: 3
Synopsis:
Product Name: java
Product Release: 7
Product Build: b59
Operating System: generic
Hardware: generic
Reference Number:
Sun Contact: xuelei.fan at sun.com
Status: Open
Source: BugTraq2
Reproducible:
Submitted By: xuelei.fan at sun.com
Submitted Date: 2009-06-03 03:10:11 GMT+00:00
Description:

=== Activity ===============================================================

=== Multiple Release (MR) Cluster - 0 ======================================

=== Escalations ============================================================
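
A simplified model of the rule the quoted description asks for, added here as an illustration; it is not part of the thread, the webrev, or the JDK source. `Cert`, `check_ca_certs`, `evaluate` and all sample names are hypothetical, and the model compares names only (no signature verification).

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for the few X.509 fields this check reads."""
    subject: str
    issuer: str
    version: int                      # 1, 2 or 3
    ca_flag: Optional[bool] = None    # None: no basic constraints (always so for v1/v2)

    @property
    def self_issued(self) -> bool:
        return self.subject == self.issuer

def check_ca_certs(anchor: str, path: List[Cert], exempt: bool) -> Optional[str]:
    """Return None if every CA certificate in path is acceptable, else a reason.

    path runs from the certificate under the trust anchor to the end entity;
    the last entry is the end entity and is not required to be a CA.
    Only names are compared here; signature checks are out of scope.
    """
    for pos, cert in enumerate(path[:-1]):
        if cert.version == 3 and cert.ca_flag:
            continue
        # Exemption from the description: v1/v2, self-issued, issued by the anchor.
        if exempt and cert.version < 3 and cert.self_issued and cert.issuer == anchor:
            continue
        return f"position {pos}: {cert.subject} (v{cert.version}) is not marked as a CA"
    return None

# Constructed sample certificates and paths.
ROOT = "CN=Root"
ROOT_ROLLOVER_V1 = Cert(ROOT, ROOT, 1)
ISSUING_V3 = Cert("CN=Issuing CA", ROOT, 3, True)
ISSUING_ROLLOVER_V1 = Cert("CN=Issuing CA", "CN=Issuing CA", 1)
LEAF = Cert("CN=www.example.test", "CN=Issuing CA", 3, False)

PATHS = {
    "anchor rollover": [ROOT_ROLLOVER_V1, ISSUING_V3, LEAF],
    "intermediate rollover": [ISSUING_V3, ISSUING_ROLLOVER_V1, LEAF],
    "plain v3": [ISSUING_V3, LEAF],
}

def evaluate(exempt: bool) -> dict:
    """Map each sample path name to True when the path is accepted."""
    return {name: check_ca_certs(ROOT, path, exempt) is None for name, path in PATHS.items()}

if __name__ == "__main__":
    print("strict:   ", evaluate(False))
    print("exempting:", evaluate(True))
```

With `exempt=False` the model reproduces the regression in the description; with `exempt=True` only the version 1 certificate self-issued under the trust anchor's name passes.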


