[https://issues.apache.org/jira/browse/WSS-611?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16114074#comment-16114074]
Colm O hEigeartaigh commented on WSS-611:
-----------------------------------------
Yes please attach it as a patch to this JIRA. PRs are fine too though if you
prefer. The timeframe for 2.2.0 is pretty soon. I need to get Santuario 2.0.0
out first, something I will look at next week. So 2/3 weeks for WSS4J 2.2.0. In
terms of backporting, it depends on what the patch looks like and how
disruptive it is.
> CAs with the NameConstraint extension cause exceptions when verifying trust
> ---------------------------------------------------------------------------
>
> Key: WSS-611
> URL: https://issues.apache.org/jira/browse/WSS-611
> Project: WSS4J
> Issue Type: Bug
> Components: WSS4J Core
> Affects Versions: 2.1.10
> Reporter: Richard Porter
> Assignee: Colm O hEigeartaigh
> Fix For: 2.2.0
>
>
> When a CA with NameConstraints is in the truststore, it causes a failure with
> any crypto Cert provider. The underlying cause is an
> {{IllegalArgumentException}} thrown because the Sequence data has been
> encoded as an Octet String and it is not being correctly decoded.
> While the relevant RFCs are a bit ambiguous with regard to extensions and
> whether they are all encoded as Octet Strings or not, the documentation on
> Java's implementation of
> [X509Extension|https://docs.oracle.com/javase/8/docs/api/java/security/cert/X509Extension.html#getExtensionValue-java.lang.String-]
> is unambiguous: it will be a "DER-encoded OCTET string for the extension
> value."
> Beneath this issue lies another, the fact that the Sun default implementation
> of PKIX path validation does not support TrustAnchors with NameConstraints
> attached. So fixing the first issue also requires conditionally constructing
> TrustAnchors with NameConstraints or with null.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
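An added illustration of the decoding problem described in the issue, not code from the WSS4J patch or from anyone in this thread: it strips the DER OCTET STRING wrapper that X509Extension.getExtensionValue() returns so that the bare NameConstraints SEQUENCE can be handed to TrustAnchor, and builds the anchor with null instead when the PKIX provider in use cannot handle name constraints on trust anchors. The class name, method names and the applyNameConstraints flag are my own assumptions.

```java
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Arrays;

public final class NameConstraintsAnchor {

    // OID of id-ce-nameConstraints (RFC 5280, section 4.2.1.10).
    private static final String NAME_CONSTRAINTS_OID = "2.5.29.30";

    /**
     * Returns the DER-encoded NameConstraints SEQUENCE, or null if the CA
     * certificate has no such extension. getExtensionValue() returns the value
     * still wrapped in its DER OCTET STRING; TrustAnchor expects the SEQUENCE
     * itself, so the wrapper is removed here.
     */
    static byte[] nameConstraintsSequence(X509Certificate cert) {
        byte[] wrapped = cert.getExtensionValue(NAME_CONSTRAINTS_OID);
        return wrapped == null ? null : unwrapOctetString(wrapped);
    }

    /** Strips one outer DER OCTET STRING (tag 0x04) and returns its contents. */
    static byte[] unwrapOctetString(byte[] der) {
        if (der.length < 2 || der[0] != 0x04) {
            throw new IllegalArgumentException("expected a DER OCTET STRING");
        }
        int first = der[1] & 0xFF;
        int start;
        int length;
        if (first < 0x80) {
            start = 2;            // short form: the byte is the length
            length = first;
        } else {
            int n = first & 0x7F; // long form: n following length bytes
            if (n == 0 || n > 4 || der.length < 2 + n) {
                throw new IllegalArgumentException("unsupported DER length");
            }
            length = 0;
            for (int i = 0; i < n; i++) {
                length = (length << 8) | (der[2 + i] & 0xFF);
            }
            start = 2 + n;
        }
        if (length < 0 || start + length != der.length) {
            throw new IllegalArgumentException("DER length does not match data");
        }
        return Arrays.copyOfRange(der, start, start + length);
    }

    /** Builds the anchor; pass false when the PKIX provider rejects anchors with name constraints. */
    static TrustAnchor anchorFor(X509Certificate caCert, boolean applyNameConstraints) {
        byte[] nc = applyNameConstraints ? nameConstraintsSequence(caCert) : null;
        return new TrustAnchor(caCert, nc);
    }
}
```

Whether applyNameConstraints can be true depends on the CertPathValidator provider selected at runtime, which is the conditional construction the issue refers to.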