+ // We choose to reject all version 1 and version 2 intermediate + // certificates except that it is self issued by the trust + // anchor in order to support key rollover or changes in + // certificate policies. + int pathLenConstraint = -1; + if (currCert.getVersion() < 3) { // version 1 or version 2 + if (i == 1) { // issued by a trust anchor
So, self-issued cert can be only issued by trust anchor, but not an intermediate CA? + try { + X509CertImpl certImpl = X509CertImpl.toImpl(currCert); + if (certImpl.isSelfIssued(currCert)) { Isn't isSelfIssued() a static method? + pathLenConstraint = Integer.MAX_VALUE; + } + } catch (CertificateException ce) { + throw new CertPathValidatorException(ce); + } + } + } else { + pathLenConstraint = currCert.getBasicConstraints(); + } Xuelei Fan wrote: > Hi Max, > > Would you please review the updates? I think JavaOne would occupy most > of the time of others. > > Webrev: http://cr.openjdk.java.net/~xuelei/6847459/webrev.00/ > > No new test case, the closed/sun/security/validator/BasicTests.java > covered the case. > > Thanks, > Andrew > > > xuelei....@sun.com wrote: >> Sun Confidential: Internal only >> >> *Synopsis*: Allow trust anchor self-issued intermediate version 1 and >> version 2 certificate >> >> CrPrint: http://bt2ws.central.sun.com/CrPrint?id=6847459 >> Monaco: http://monaco.sfbay.sun.com/detail.jsf?cr=6847459 >> >> *Change Request ID*: 6847459 >> >> *Synopsis*: Allow trust anchor self-issued intermediate version 1 and >> version 2 certificate >> >> Product: java >> Category: java >> Subcategory: classes_security >> Type: Defect >> Subtype: Status: 1-Dispatched >> Substatus: Priority: 3-Medium >> Introduced In Release: Introduced In Build: Responsible Manager: >> frances...@sun.com >> Responsible Engineer: xuelei....@sun.com >> Initial Evaluator: jsn-sec-b...@sun.com >> Keywords: >> === *Description* >> ============================================================ >> With the updates at 6822460, we start support slef-issued certificate >> in PKIXValidator, which will try to validate self-issued certificate >> instead ignore them as past. >> >> However, the ConstraintsChecker will reject all version 1 and version >> 2 certificates for there is no basic constraints extension inside. >> Here comes a regression failure, before the updates of 6822460, >> self-issued version 1 and version 2 certificates could be validated >> because there is no trying to validate them, after the updates, >> self-issued version 1 and version 2 certificates would be denied by >> ConstraintsChecker. >> >> If a version 1 and version 2 self-issued certificate is issued by a >> trust anchor, we need to it at ConstraintsChecker, because there are >> practical cases that a trust anchor need to issue self-issued >> certificate in order to support key rollover or changes in certificate >> policies. >> >> *** (#1 of 1): 2009-06-03 03:10:11 GMT+00:00 xuelei....@sun.com >> >> >> === *Public Comments* >> ======================================================== >> >> === *Comments* >> =============================================================== >> >> === *Evaluation* >> ============================================================= >> >> === *Suggested Fix* >> ========================================================== >> >> === *Workaround* >> ============================================================= >> >> === *Justification* >> ========================================================== >> Priority changed from [] to [3-Medium] >> there is a failure of regression test >> xuelei....@sun.com 2009-06-03 03:10:11 GMT >> >> *** (#1 of 1): 2009-06-03 03:10:11 GMT+00:00 xuelei....@sun.com >> >> >> === *Additional Details* >> ===================================================== >> Targeted Release: 7 >> Commit To Fix In Build: Fixed In Build: >> Integrated In Build: Verified In Build: See Also: >> Duplicate of: Hooks: >> Hook1: Hook2: Hook3: Hook4: >> Hook5: Hook6: Interest List: Program Management: Root >> Cause: Is a Security Vulnerability?: No >> Fix Affects Documentation: No >> Fix Affects Localization: No >> Reported by: >> === *History* >> ================================================================ >> Date Submitted: 2009-06-03 03:10:10 GMT+00:00 >> Submitted By: xuelei....@sun.com >> >> Status Changed Date Updated Updated By >> >> >> === *Solution* >> =============================================================== >> >> >> === *Service Request* >> ======================================================== >> ID: 1-544857704 >> Customer: >> Account Name: Sun Micosystems Inc >> Customer Contact: Customer Contact Role: D-Development >> Customer Contact Type: I-Internal (SMI) Customer >> Impact: Significant >> Functionality: Secondary >> Severity: 3 >> Synopsis: Product Name: java >> Product Release: 7 >> Product Build: b59 >> Operating System: generic >> Hardware: generic >> Reference Number: Sun Contact: xuelei....@sun.com >> Status: Open >> Source: BugTraq2 >> Reproducible: Submitted By: xuelei....@sun.com >> Submitted Date: 2009-06-03 03:10:11 GMT+00:00 >> Description: >> >> === *Activity* >> =============================================================== >> >> >> === *Multiple Release (MR) Cluster* - 0 >> ====================================== >> >> >> === *Escalations* >> ============================================================ >> >>