[security-dev 00875]: Re: CR 6847459 Created, P3 java/classes_secu Allow trust anchor self-issued intermediate version 1 and version 2 certificate
Xuelei Fan Xuelei.Fan at Sun.COM
Wed Jun 3 04:38:36 UTC 2009
Weijun Wang wrote:
+ // We choose to reject all version 1 and version 2 intermediate + // certificates except that it is self issued by the trust + // anchor in order to support key rollover or changes in + // certificate policies. + int pathLenConstraint = -1; + if (currCert.getVersion() < 3) { // version 1 or version 2 + if (i == 1) { // issued by a trust anchor
So, self-issued cert can be only issued by trust anchor, but not an intermediate CA?

No, self-issued cert can be issued by any entity, but I choose to reject those self-issued version 1 and version 2 certificates here, because I have no way to understand whether it is a CA or not.

+ try { + X509CertImpl certImpl = X509CertImpl.toImpl(currCert); + if (certImpl.isSelfIssued(currCert)) {

Isn't isSelfIssued() a static method?

Oops, yes, it is. Updated: http://cr.openjdk.java.net/~xuelei/6847459/webrev.01/
Thanks, Andrew
+ pathLenConstraint = Integer.MAXVALUE; + } + } catch (CertificateException ce) { + throw new CertPathValidatorException(ce); + } + } + } else { + pathLenConstraint = currCert.getBasicConstraints(); + }
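Review bot: In the `getVersion() < 3` branch, `pathLenConstraint = Integer.MAXVALUE` gives a version 1 or version 2 certificate an unlimited path length on the strength of `i == 1` and the self-issued test alone, and the visible lines do not say what `i == 1` is counted from or why those two conditions are enough. The thread itself notes that a v1/v2 certificate offers no way to tell whether it is a CA, so the code comment should state that the exemption is deliberate, that it applies only to the certificate directly beneath the trust anchor, and that every other v1/v2 intermediate keeps `pathLenConstraint = -1`, which the comment says means rejection. Two smaller points on the same lines: `isSelfIssued` is static, so `X509CertImpl.isSelfIssued(currCert)` can be called directly and the `toImpl` conversion with its `try`/`catch` dropped if nothing else needs it; and `Integer.MAXVALUE` as written is not a field of `java.lang.Integer` (the constant is `Integer.MAX_VALUE`).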
Xuelei Fan wrote:
Hi Max,
Would you please review the updates? I think JavaOne would occupy most of the time of others.

Webrev: http://cr.openjdk.java.net/~xuelei/6847459/webrev.00/

No new test case, the closed/sun/security/validator/BasicTests.java covered the case.

Thanks,
Andrew
Xuelei.Fan at Sun.COM wrote:

Sun Confidential: Internal only

Synopsis: Allow trust anchor self-issued intermediate version 1 and version 2 certificate
CrPrint: http://bt2ws.central.sun.com/CrPrint?id=6847459
Monaco: http://monaco.sfbay.sun.com/detail.jsf?cr=6847459

Change Request ID: 6847459
Synopsis: Allow trust anchor self-issued intermediate version 1 and version 2 certificate
Product: java
Category: java
Subcategory: classessecurity
Type: Defect
Subtype:
Status: 1-Dispatched
Substatus:
Priority: 3-Medium
Introduced In Release:
Introduced In Build:
Responsible Manager: frances.ho at sun.com
Responsible Engineer: xuelei.fan at sun.com
Initial Evaluator: jsn-sec-bugs at sun.com
Keywords:

=== Description ===

With the updates at 6822460, we start support self-issued certificate in PKIXValidator, which will try to validate self-issued certificate instead ignore them as past. However, the ConstraintsChecker will reject all version 1 and version 2 certificates for there is no basic constraints extension inside.

Here comes a regression failure, before the updates of 6822460, self-issued version 1 and version 2 certificates could be validated because there is no trying to validate them, after the updates, self-issued version 1 and version 2 certificates would be denied by ConstraintsChecker.

If a version 1 and version 2 self-issued certificate is issued by a trust anchor, we need to it at ConstraintsChecker, because there are practical cases that a trust anchor need to issue self-issued certificate in order to support key rollover or changes in certificate policies.

*** (#1 of 1): 2009-06-03 03:10:11 GMT+00:00 xuelei.fan at sun.com

=== Public Comments ===

=== Comments ===

=== Evaluation ===

=== Suggested Fix ===

=== Workaround ===

=== Justification ===

Priority changed from [] to [3-Medium]
there is a failure of regression test
xuelei.fan at sun.com 2009-06-03 03:10:11 GMT

*** (#1 of 1): 2009-06-03 03:10:11 GMT+00:00 xuelei.fan at sun.com

=== Additional Details ===

Targeted Release: 7
Commit To Fix In Build:
Fixed In Build:
Integrated In Build:
Verified In Build:
See Also:
Duplicate of:
Hooks:
Hook1:
Hook2:
Hook3:
Hook4:
Hook5:
Hook6:
Interest List:
Program Management:
Root Cause:
Is a Security Vulnerability?: No
Fix Affects Documentation: No
Fix Affects Localization: No
Reported by:

=== History ===

Date Submitted: 2009-06-03 03:10:10 GMT+00:00
Submitted By: xuelei.fan at sun.com
Status Changed Date Updated Updated By

=== Solution ===

=== Service Request ===

ID: 1-544857704
Customer:
Account Name: Sun Microsystems Inc
Customer Contact:
Customer Contact Role: D-Development
Customer Contact Type: I-Internal (SMI)
Customer Impact: Significant
Functionality: Secondary
Severity: 3
Synopsis:
Product Name: java
Product Release: 7
Product Build: b59
Operating System: generic
Hardware: generic
Reference Number:
Sun Contact: xuelei.fan at sun.com
Status: Open
Source: BugTraq2
Reproducible:
Submitted By: xuelei.fan at sun.com
Submitted Date: 2009-06-03 03:10:11 GMT+00:00
Description:

=== Activity ===

=== Multiple Release (MR) Cluster - 0 ===

=== Escalations ===