[
https://issues.apache.org/jira/browse/WSS-611?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16114511#comment-16114511
]
ASF GitHub Bot commented on WSS-611:
------------------------------------
GitHub user coyotesqrl opened a pull request:
https://github.com/apache/wss4j/pull/6
WSS-611 Fixes logic for extracting NameConstraint information from a cert
- Adds a new property so users can affirm that their cert provider can
handle TrustAnchors with NameConstraints added and updates the Merlin and
MerlinAKI crypto implementations to respect that and either add the
NameConstraints or set them to null.
- Updates the CertificateStore crypto implementation to correctly handle
certificate chains.
Note that this change does not allow for conditional inclusion of
NameConstraints on TrustAnchors for the CertificateStore crypto implementation.
There are several outstanding issues with that implementation still remaining
after this update.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/coyotesqrl/wss4j WSS-611
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/wss4j/pull/6.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #6
----
commit b74d8c60da560039e63e818efe80d4afa3120e11
Author: Richard A. Porter <[email protected]>
Date: 2017-08-03T20:52:41Z
WSS-611 Fixes logic for extracting NameConstraint information from a cert.
Adds a new property so users can affirm that their cert provider can handle
TrustAnchors with NameConstraints added and updates the Merlin and MerlinAKI
crypto implementations to respect that and either add the NameConstraints or
set them to null.
Updates the CertificateStore crypto implementation to correctly handle
certificate chains.
Note that this change does not allow for conditional inclusion of
NameConstraints on TrustAnchors for the CertificateStore crypto implementation.
There are several outstanding issues with that implementation still remaining
after this update.
----
> CAs with the NameConstraint extension cause exceptions when verifying trust
> ---------------------------------------------------------------------------
>
> Key: WSS-611
> URL: https://issues.apache.org/jira/browse/WSS-611
> Project: WSS4J
> Issue Type: Bug
> Components: WSS4J Core
> Affects Versions: 2.1.10
> Reporter: Richard Porter
> Assignee: Colm O hEigeartaigh
> Fix For: 2.2.0
>
>
> When a CA with NameConstraints is in the truststore, it causes a failure with
> any crypto Cert provider. The underlying cause is an
> {{IllegalArgumentException}} thrown because the Sequence data has been
> encoded as an Octet String and it is not being correctly decoded.
> While the relevant RFCs are a bit ambiguous with regard to extensions and
> whether they are all encoded as Octet Strings or not, the documentation on
> Java's implementation of
> [X509Extension|https://docs.oracle.com/javase/8/docs/api/java/security/cert/X509Extension.html#getExtensionValue-java.lang.String-]
> is unambiguous: it will be a "DER-encoded OCTET string for the extension
> value."
> Beneath this issue lies another, the fact that the Sun default implementation
> of PKIX path validation does not support TrustAnchors with NameConstraints
> attached. So fixing the first issue also requires conditionally constructing
> TrustAnchors with NameConstraints or with null.
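The unwrap the issue describes, as an added example that is not code from the WSS4J pull request: getExtensionValue() hands back the NameConstraints value inside a DER OCTET STRING, so the outer wrapper is stripped before the bare SEQUENCE goes to TrustAnchor, and the anchor gets null instead when the caller has not affirmed that its PKIX provider accepts NameConstraints. The class and method names and the boolean flag standing in for the new property are assumptions.

```java
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Arrays;

public final class NameConstraintsAnchor {
    // id-ce-nameConstraints (RFC 5280 section 4.2.1.10)
    static final String NAME_CONSTRAINTS_OID = "2.5.29.30";

    // X509Extension.getExtensionValue() returns the extension value wrapped in a
    // DER OCTET STRING. TrustAnchor wants the bare NameConstraints SEQUENCE, so the
    // outer OCTET STRING (tag 0x04 plus its length) has to be stripped first.
    static byte[] unwrapOctetString(byte[] der) {
        if (der == null || der.length < 2 || der[0] != 0x04) {
            throw new IllegalArgumentException("expected a DER OCTET STRING");
        }
        int first = der[1] & 0xFF;
        int offset = 2;
        int length = first;
        if (first >= 0x80) {                     // long form: low 7 bits = count of length bytes
            int numBytes = first & 0x7F;
            if (numBytes == 0 || numBytes > 3 || der.length < 2 + numBytes) {
                throw new IllegalArgumentException("malformed DER length");
            }
            length = 0;
            for (int i = 0; i < numBytes; i++) {
                length = (length << 8) | (der[2 + i] & 0xFF);
            }
            offset += numBytes;
        }
        if (offset + length != der.length) {
            throw new IllegalArgumentException("OCTET STRING length does not match data");
        }
        return Arrays.copyOfRange(der, offset, offset + length);
    }

    // Attach NameConstraints only when the caller affirms the PKIX provider can
    // handle them (the flag is a hypothetical stand-in for the new property);
    // otherwise pass null, as the comment describes for Merlin and MerlinAKI.
    static TrustAnchor toTrustAnchor(X509Certificate ca, boolean providerSupportsNameConstraints) {
        byte[] wrapped = ca.getExtensionValue(NAME_CONSTRAINTS_OID);
        byte[] nameConstraints = (providerSupportsNameConstraints && wrapped != null)
                ? unwrapOctetString(wrapped) : null;
        return new TrustAnchor(ca, nameConstraints);
    }
    public static void main(String[] args) {
        // Constructed sample: an empty NameConstraints SEQUENCE (30 00) wrapped in an OCTET STRING.
        byte[] wrapped = {0x04, 0x02, 0x30, 0x00};
        byte[] inner = unwrapOctetString(wrapped);
        if (!Arrays.equals(inner, new byte[]{0x30, 0x00})) throw new AssertionError("unwrap failed");
    }
}
```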
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)