'[jira] [Created] (WSS-611) CAs with the NameConstraint extension cause exceptions when verifying tru'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       wss4j-dev
Subject:    [jira] [Created] (WSS-611) CAs with the NameConstraint extension cause exceptions when verifying tru
From:       "Richard Porter (JIRA)" <jira () apache ! org>
Date:       2017-08-03 20:46:00
Message-ID: JIRA.13092301.1501793105000.88402.1501793160060 () Atlassian ! JIRA
[Download RAW message or body]

Richard Porter created WSS-611:
----------------------------------

             Summary: CAs with the NameConstraint extension cause exceptions when \
verifying trust  Key: WSS-611
                 URL: https://issues.apache.org/jira/browse/WSS-611
             Project: WSS4J
          Issue Type: Bug
          Components: WSS4J Core
    Affects Versions: 2.1.10
            Reporter: Richard Porter
            Assignee: Colm O hEigeartaigh
             Fix For: 2.2.0


When a CA with NameConstraints is in the truststore, it causes a failure with any \
crypto Cert provider. The underlying cause is an {{IllegalArgumentException}} thrown \
because the Sequence data has been encoded as an Octet String and it is not being \
correctly decoded.

While the relevant RFCs are a bit ambiguous with regard to extensions and whether \
they are all encoded as Octet Strings or not, the documentation on Java's \
implementation of [X509Extension|https://docs.oracle.com/javase/8/docs/api/java/security/cert/X509Extension.html#getExtensionValue-java.lang.String-] \
are unambiguous: it will be a "DER-encoded OCTET string for the extension value.

Beneath this issue lies another, the fact that the Sun default implementation of PKIX \
path validation does not support TrustAnchors with NameConstraints attached. So \
fixing the first issue also requires conditionally constructing TrustAnchors with \
NameConstraints or with null.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic