[ https://issues.apache.org/jira/browse/WSS-611?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16114517#comment-16114517 ]

Richard Porter commented on WSS-611:
------------------------------------

Because of the binary test resources - PKCS12 keys and the keystore - I thought a PR would be a bit less cumbersome than a patch. Please note that there is some work beyond the scope of the bug. When I was writing the unit tests I discovered issues with certificate chaining in the {{CertificateStore}} class and fixed those as well.

> CAs with the NameConstraint extension cause exceptions when verifying trust
> ---------------------------------------------------------------------------
>
>                 Key: WSS-611
>                 URL: https://issues.apache.org/jira/browse/WSS-611
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 2.1.10
>            Reporter: Richard Porter
>            Assignee: Colm O hEigeartaigh
>             Fix For: 2.2.0
>
>
> When a CA with NameConstraints is in the truststore, it causes a failure with
> any crypto Cert provider. The underlying cause is an
> {{IllegalArgumentException}} thrown because the Sequence data has been
> encoded as an Octet String and it is not being correctly decoded.
>
> While the relevant RFCs are a bit ambiguous with regard to extensions and
> whether they are all encoded as Octet Strings or not, the documentation on
> Java's implementation of
> [X509Extension|https://docs.oracle.com/javase/8/docs/api/java/security/cert/X509Extension.html#getExtensionValue-java.lang.String-]
> is unambiguous: it will be a "DER-encoded OCTET string for the extension
> value."
>
> Beneath this issue lies another, the fact that the Sun default implementation
> of PKIX path validation does not support TrustAnchors with NameConstraints
> attached. So fixing the first issue also requires conditionally constructing
> TrustAnchors with NameConstraints or with null.
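The two points in the quoted issue, shown as an added example that is not WSS4J's code and not the PR under discussion: `X509Extension.getExtensionValue()` hands back the extension value wrapped in a DER OCTET STRING, while `TrustAnchor(X509Certificate, byte[])` expects the bare NameConstraints SEQUENCE, so the wrapper has to be stripped before the anchor is built; and because a validator may not accept anchors carrying name constraints, the anchor is built with `null` constraints unless the caller opts in. The class and method names (`NameConstraintsAnchor`, `unwrapOctetString`, `toTrustAnchor`, the `useNameConstraints` flag) and the sample bytes in `main` are assumptions made up for this illustration.

```java
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Arrays;

/**
 * Added illustration (not WSS4J code): build a TrustAnchor from a CA
 * certificate, unwrapping the DER OCTET STRING that
 * X509Extension.getExtensionValue() returns so the NameConstraints
 * SEQUENCE itself can be handed to TrustAnchor.
 */
public final class NameConstraintsAnchor {

    /** OID of the NameConstraints extension (RFC 5280, section 4.2.1.10). */
    static final String NAME_CONSTRAINTS_OID = "2.5.29.30";

    private static final int DER_OCTET_STRING = 0x04;

    /**
     * Strips the outer DER OCTET STRING and returns its contents.
     * Rejects anything that is not exactly one well-formed OCTET STRING,
     * so a malformed extension fails here instead of deep inside PKIX.
     */
    static byte[] unwrapOctetString(byte[] der) {
        if (der == null || der.length < 2 || (der[0] & 0xFF) != DER_OCTET_STRING) {
            throw new IllegalArgumentException("not a DER OCTET STRING");
        }
        int first = der[1] & 0xFF;
        int length;
        int offset;
        if (first < 0x80) {
            // short form: the single byte is the length
            length = first;
            offset = 2;
        } else {
            // long form: low 7 bits give the number of following length bytes
            int numBytes = first & 0x7F;
            if (numBytes == 0 || numBytes > 4 || der.length < 2 + numBytes) {
                throw new IllegalArgumentException("bad DER length encoding");
            }
            length = 0;
            for (int i = 0; i < numBytes; i++) {
                length = (length << 8) | (der[2 + i] & 0xFF);
            }
            offset = 2 + numBytes;
        }
        if (length < 0 || offset + length != der.length) {
            throw new IllegalArgumentException("DER length does not match data");
        }
        return Arrays.copyOfRange(der, offset, offset + length);
    }

    /**
     * Builds the anchor. With useNameConstraints == false (or no extension
     * present) the anchor carries null constraints, which any PKIX provider
     * accepts; with true, the unwrapped NameConstraints value is supplied.
     */
    static TrustAnchor toTrustAnchor(X509Certificate ca, boolean useNameConstraints) {
        byte[] wrapped = ca.getExtensionValue(NAME_CONSTRAINTS_OID);
        if (!useNameConstraints || wrapped == null) {
            return new TrustAnchor(ca, null);
        }
        // Passing 'wrapped' straight to TrustAnchor is the mistake the issue
        // describes: it is an OCTET STRING, not the NameConstraints SEQUENCE.
        return new TrustAnchor(ca, unwrapOctetString(wrapped));
    }

    /** Stand-alone check on constructed bytes (no certificate needed). */
    public static void main(String[] args) {
        // Constructed sample: OCTET STRING { SEQUENCE { [0] { SEQUENCE {} } } },
        // i.e. a minimal NameConstraints with an empty permittedSubtrees.
        byte[] constructed = { 0x04, 0x06, 0x30, 0x04, (byte) 0xA0, 0x02, 0x30, 0x00 };
        byte[] inner = unwrapOctetString(constructed);
        System.out.println("inner starts with SEQUENCE tag: " + ((inner[0] & 0xFF) == 0x30)
                + ", inner length: " + inner.length);
    }
}
```

In real use `toTrustAnchor` would be called for each CA loaded from the truststore; the flag is what lets a caller keep validation working on a provider that rejects constrained anchors while still enforcing the constraints where the provider supports them.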