[
https://issues.apache.org/jira/browse/WSS-611?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Colm O hEigeartaigh updated WSS-611:
------------------------------------
Fix Version/s: 2.1.11
> CAs with the NameConstraint extension cause exceptions when verifying trust
> ---------------------------------------------------------------------------
>
> Key: WSS-611
> URL: https://issues.apache.org/jira/browse/WSS-611
> Project: WSS4J
> Issue Type: Bug
> Components: WSS4J Core
> Affects Versions: 2.1.10
> Reporter: Richard Porter
> Assignee: Colm O hEigeartaigh
> Fix For: 2.2.0, 2.1.11
>
>
> When a CA with NameConstraints is in the truststore, it causes a failure with
> any crypto Cert provider. The underlying cause is an
> {{IllegalArgumentException}} thrown because the Sequence data has been
> encoded as an Octet String and it is not being correctly decoded.
> While the relevant RFCs are a bit ambiguous with regard to extensions and
> whether they are all encoded as Octet Strings or not, the documentation on
> Java's implementation of
> [X509Extension|https://docs.oracle.com/javase/8/docs/api/java/security/cert/X509Extension.html#getExtensionValue-java.lang.String-]
> are unambiguous: it will be a "DER-encoded OCTET string for the extension
> value.
> Beneath this issue lies another, the fact that the Sun default implementation
> of PKIX path validation does not support TrustAnchors with NameConstraints
> attached. So fixing the first issue also requires conditionally constructing
> TrustAnchors with NameConstraints or with null.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@ws.apache.org
For additional commands, e-mail: dev-h...@ws.apache.org
