Richard Porter commented on WSS-611:

Changes up. There's a new PR up for WSS-612 for the {{CertificateStore}} 
change; the changes in that PR are also incorporated in this change, but I 
expect you'll merge the smaller patch first.

The PR for this change has the try/with/resources change to the unit tests.

> CAs with the NameConstraint extension cause exceptions when verifying trust
> ---------------------------------------------------------------------------
>                 Key: WSS-611
>                 URL: https://issues.apache.org/jira/browse/WSS-611
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 2.1.10
>            Reporter: Richard Porter
>            Assignee: Colm O hEigeartaigh
>             Fix For: 2.2.0
> When a CA with NameConstraints is in the truststore, it causes a failure with 
> any crypto Cert provider. The underlying cause is an 
> {{IllegalArgumentException}} thrown because the Sequence data has been 
> encoded as an Octet String and it is not being correctly decoded.
> While the relevant RFCs are a bit ambiguous with regard to extensions and 
> whether they are all encoded as Octet Strings or not, the documentation on 
> Java's implementation of 
> [X509Extension|https://docs.oracle.com/javase/8/docs/api/java/security/cert/X509Extension.html#getExtensionValue-java.lang.String-]
>  are unambiguous: it will be a "DER-encoded OCTET string for the extension 
> value.
> Beneath this issue lies another, the fact that the Sun default implementation 
> of PKIX path validation does not support TrustAnchors with NameConstraints 
> attached. So fixing the first issue also requires conditionally constructing 
> TrustAnchors with NameConstraints or with null.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: dev-unsubscr...@ws.apache.org
For additional commands, e-mail: dev-h...@ws.apache.org

Reply via email to