Richard Porter created WSS-611:
----------------------------------

             Summary: CAs with the NameConstraint extension cause exceptions when verifying trust
                 Key: WSS-611
                 URL: https://issues.apache.org/jira/browse/WSS-611
             Project: WSS4J
          Issue Type: Bug
          Components: WSS4J Core
    Affects Versions: 2.1.10
            Reporter: Richard Porter
            Assignee: Colm O hEigeartaigh
             Fix For: 2.2.0
When a CA with NameConstraints is in the truststore, it causes a failure with any crypto Cert provider. The underlying cause is an {{IllegalArgumentException}} thrown because the Sequence data has been encoded as an Octet String and it is not being correctly decoded. While the relevant RFCs are a bit ambiguous with regard to extensions and whether they are all encoded as Octet Strings or not, the documentation on Java's implementation of [X509Extension|https://docs.oracle.com/javase/8/docs/api/java/security/cert/X509Extension.html#getExtensionValue-java.lang.String-] is unambiguous: it will be a "DER-encoded OCTET string for the extension value".

Beneath this issue lies another, the fact that the Sun default implementation of PKIX path validation does not support TrustAnchors with NameConstraints attached. So fixing the first issue also requires conditionally constructing TrustAnchors with NameConstraints or with null.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
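The two points the report makes, as an added example that is not WSS4J's code and not the fix that shipped in 2.2.0: {{X509Extension.getExtensionValue()}} returns the extension value wrapped in a DER OCTET STRING, while the {{TrustAnchor(X509Certificate, byte[])}} constructor expects only the inner NameConstraints SEQUENCE (its Javadoc states that the OID and criticality flag are excluded and that an undecodable encoding raises {{IllegalArgumentException}}). The helper below strips the OCTET STRING header by hand, and the {{honourNameConstraints}} flag is an assumed switch for choosing between a constrained anchor and a null-constraint anchor, since the report says the Sun PKIX validator will not accept the former.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Set;

// Added example, not WSS4J code: build TrustAnchors from a truststore whose CAs may
// carry the NameConstraints extension.
public final class NameConstrainedAnchors {

    // OID of the X.509 NameConstraints extension (RFC 5280, section 4.2.1.10).
    private static final String NAME_CONSTRAINTS_OID = "2.5.29.30";

    /**
     * Remove the outer DER OCTET STRING that getExtensionValue() wraps around
     * every extension value and return the inner encoding. For NameConstraints
     * that inner encoding is the SEQUENCE the TrustAnchor constructor expects.
     */
    static byte[] unwrapOctetString(byte[] der) {
        if (der == null || der.length < 2 || der[0] != 0x04) {
            throw new IllegalArgumentException("extension value is not a DER OCTET STRING");
        }
        int first = der[1] & 0xFF;
        int headerLen;
        int contentLen;
        if (first < 0x80) {
            // Short-form length: a single byte holds the content length.
            headerLen = 2;
            contentLen = first;
        } else {
            // Long-form length: 0x8N followed by N big-endian length bytes.
            int numLenBytes = first & 0x7F;
            if (numLenBytes == 0 || numLenBytes > 4 || der.length < 2 + numLenBytes) {
                throw new IllegalArgumentException("unsupported or truncated DER length");
            }
            contentLen = 0;
            for (int i = 0; i < numLenBytes; i++) {
                contentLen = (contentLen << 8) | (der[2 + i] & 0xFF);
            }
            headerLen = 2 + numLenBytes;
        }
        if (headerLen + contentLen != der.length) {
            throw new IllegalArgumentException("DER length does not match extension value size");
        }
        return Arrays.copyOfRange(der, headerLen, headerLen + contentLen);
    }

    /**
     * Build a TrustAnchor for one CA certificate. With honourNameConstraints
     * (an assumed flag) set and a NameConstraints extension present, the
     * unwrapped SEQUENCE is attached; otherwise null is passed, which is what
     * the Sun PKIX validator requires according to the report above.
     */
    static TrustAnchor toTrustAnchor(X509Certificate ca, boolean honourNameConstraints) {
        byte[] wrapped = ca.getExtensionValue(NAME_CONSTRAINTS_OID);
        byte[] nameConstraints = null;
        if (honourNameConstraints && wrapped != null) {
            nameConstraints = unwrapOctetString(wrapped);
        }
        // Passing the still-wrapped bytes here is what produces the
        // IllegalArgumentException described in the issue.
        return new TrustAnchor(ca, nameConstraints);
    }

    /** Convert every certificate entry of a truststore into a TrustAnchor. */
    static Set<TrustAnchor> toTrustAnchors(KeyStore trustStore, boolean honourNameConstraints)
            throws KeyStoreException {
        Set<TrustAnchor> anchors = new HashSet<>();
        for (Enumeration<String> e = trustStore.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!trustStore.isCertificateEntry(alias)) {
                continue;
            }
            Certificate cert = trustStore.getCertificate(alias);
            if (cert instanceof X509Certificate) {
                anchors.add(toTrustAnchor((X509Certificate) cert, honourNameConstraints));
            }
        }
        return anchors;
    }
}
```

The resulting set is what you hand to {{new PKIXParameters(anchors)}} before calling {{CertPathValidator.validate}}. Note the trade-off the report implies: passing null makes the Sun validator accept the anchor, but it also means the CA's own name constraints are no longer enforced on the chain by that anchor, so a deployment that relies on them needs a provider that supports constrained anchors.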