ws-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Richard Porter (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (WSS-611) CAs with the NameConstraint extension cause exceptions when verifying trust
Date Tue, 08 Aug 2017 20:05:00 GMT

    [ https://issues.apache.org/jira/browse/WSS-611?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16118942#comment-16118942
] 

Richard Porter commented on WSS-611:
------------------------------------

Changes up. There's a new PR up for WSS-612 for the {{CertificateStore}} change; the changes
in that PR are also incorporated in this change, but I expect you'll merge the smaller patch
first.

The PR for this change has the try/with/resources change to the unit tests.

> CAs with the NameConstraint extension cause exceptions when verifying trust
> ---------------------------------------------------------------------------
>
>                 Key: WSS-611
>                 URL: https://issues.apache.org/jira/browse/WSS-611
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 2.1.10
>            Reporter: Richard Porter
>            Assignee: Colm O hEigeartaigh
>             Fix For: 2.2.0
>
>
> When a CA with NameConstraints is in the truststore, it causes a failure with any crypto
Cert provider. The underlying cause is an {{IllegalArgumentException}} thrown because the
Sequence data has been encoded as an Octet String and it is not being correctly decoded.
> While the relevant RFCs are a bit ambiguous with regard to extensions and whether they
are all encoded as Octet Strings or not, the documentation on Java's implementation of [X509Extension|https://docs.oracle.com/javase/8/docs/api/java/security/cert/X509Extension.html#getExtensionValue-java.lang.String-]
are unambiguous: it will be a "DER-encoded OCTET string for the extension value.
> Beneath this issue lies another, the fact that the Sun default implementation of PKIX
path validation does not support TrustAnchors with NameConstraints attached. So fixing the
first issue also requires conditionally constructing TrustAnchors with NameConstraints or
with null.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org


Mime
View raw message