[jira] [Commented] (WSS-611) CAs with the NameConstraint extension cause exceptions when verifying trust

Fri, 04 Aug 2017 08:29:17 -0700 

    [ 
https://issues.apache.org/jira/browse/WSS-611?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16114517#comment-16114517
 ] 

Richard Porter commented on WSS-611:
------------------------------------

Because of the binary test resources - PKCS12 keys and the keystore - I thought 
a PR would be a bit less cumbersome than a patch.

Please note that there is some work beyond the scope of the bug. When I was 
writing the unit tests I discovered issues with certificate chaining in the 
{{CertificateStore}} class and fixed those as well.

> CAs with the NameConstraint extension cause exceptions when verifying trust
> ---------------------------------------------------------------------------
>
>                 Key: WSS-611
>                 URL: https://issues.apache.org/jira/browse/WSS-611
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 2.1.10
>            Reporter: Richard Porter
>            Assignee: Colm O hEigeartaigh
>             Fix For: 2.2.0
>
>
> When a CA with NameConstraints is in the truststore, it causes a failure with 
> any crypto Cert provider. The underlying cause is an 
> {{IllegalArgumentException}} thrown because the Sequence data has been 
> encoded as an Octet String and it is not being correctly decoded.
> While the relevant RFCs are a bit ambiguous with regard to extensions and 
> whether they are all encoded as Octet Strings or not, the documentation on 
> Java's implementation of 
> [X509Extension|https://docs.oracle.com/javase/8/docs/api/java/security/cert/X509Extension.html#getExtensionValue-java.lang.String-]
>  are unambiguous: it will be a "DER-encoded OCTET string for the extension 
> value.
> Beneath this issue lies another, the fact that the Sun default implementation 
> of PKIX path validation does not support TrustAnchors with NameConstraints 
> attached. So fixing the first issue also requires conditionally constructing 
> TrustAnchors with NameConstraints or with null.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to