[jira] [Commented] (WSS-611) CAs with the NameConstraint extension cause exceptions when verifying trust

Thu, 03 Aug 2017 13:50:21 -0700 

    [ 
https://issues.apache.org/jira/browse/WSS-611?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16113457#comment-16113457
 ] 

Richard Porter commented on WSS-611:
------------------------------------

[~coheigea], I am almost done with a patch for this issue against the current 
trunk. I need to review it a little more and verify that it is solid. I have a 
few questions:

# Should I attach a patch to this PR? It doesn't look like there have ever been 
any PRs against the Github mirror of the project, so I assume that patches are 
the preferred method.
# What is the timeframe for 2.2.0? I have a customer that is impacted by this 
and our efforts at extending {{Merlin}} as a short-term fix are hitting 
roadblocks. 
# Should I backport my patch for the 2_1_x-fixes branch as well? Is it more 
likely we will see a 2.1.11 version in a shorter timeframe?

> CAs with the NameConstraint extension cause exceptions when verifying trust
> ---------------------------------------------------------------------------
>
>                 Key: WSS-611
>                 URL: https://issues.apache.org/jira/browse/WSS-611
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 2.1.10
>            Reporter: Richard Porter
>            Assignee: Colm O hEigeartaigh
>             Fix For: 2.2.0
>
>
> When a CA with NameConstraints is in the truststore, it causes a failure with 
> any crypto Cert provider. The underlying cause is an 
> {{IllegalArgumentException}} thrown because the Sequence data has been 
> encoded as an Octet String and it is not being correctly decoded.
> While the relevant RFCs are a bit ambiguous with regard to extensions and 
> whether they are all encoded as Octet Strings or not, the documentation on 
> Java's implementation of 
> [X509Extension|https://docs.oracle.com/javase/8/docs/api/java/security/cert/X509Extension.html#getExtensionValue-java.lang.String-]
>  are unambiguous: it will be a "DER-encoded OCTET string for the extension 
> value.
> Beneath this issue lies another, the fact that the Sun default implementation 
> of PKIX path validation does not support TrustAnchors with NameConstraints 
> attached. So fixing the first issue also requires conditionally constructing 
> TrustAnchors with NameConstraints or with null.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to