ws-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Richard Porter (JIRA)" <j...@apache.org>
Subject [jira] [Created] (WSS-611) CAs with the NameConstraint extension cause exceptions when verifying trust
Date Thu, 03 Aug 2017 20:46:00 GMT
Richard Porter created WSS-611:
----------------------------------

             Summary: CAs with the NameConstraint extension cause exceptions when verifying
trust
                 Key: WSS-611
                 URL: https://issues.apache.org/jira/browse/WSS-611
             Project: WSS4J
          Issue Type: Bug
          Components: WSS4J Core
    Affects Versions: 2.1.10
            Reporter: Richard Porter
            Assignee: Colm O hEigeartaigh
             Fix For: 2.2.0


When a CA with NameConstraints is in the truststore, it causes a failure with any crypto Cert
provider. The underlying cause is an {{IllegalArgumentException}} thrown because the Sequence
data has been encoded as an Octet String and it is not being correctly decoded.

While the relevant RFCs are a bit ambiguous with regard to extensions and whether they are
all encoded as Octet Strings or not, the documentation on Java's implementation of [X509Extension|https://docs.oracle.com/javase/8/docs/api/java/security/cert/X509Extension.html#getExtensionValue-java.lang.String-]
are unambiguous: it will be a "DER-encoded OCTET string for the extension value.

Beneath this issue lies another, the fact that the Sun default implementation of PKIX path
validation does not support TrustAnchors with NameConstraints attached. So fixing the first
issue also requires conditionally constructing TrustAnchors with NameConstraints or with null.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org


Mime
View raw message