Merlin passes invalid OID to getExtensionValue
----------------------------------------------
Key: WSS-97
URL: https://issues.apache.org/jira/browse/WSS-97
Project: WSS4J
Issue Type: Bug
Reporter: Patrick J Kobly
Assignee: Ruchith Udayanga Fernando
From org.apache.ws.security.components.crypto.Merlin:

    public boolean validateCertPath(X509Certificate[] certs)
    ...
        // Add trusted CA certificates from the cacerts store
        while (cacertsAliases.hasMoreElements()) {
            String alias = (String) cacertsAliases.nextElement();
            X509Certificate cert = (X509Certificate) this.cacerts
                    .getCertificate(alias);
            // Extension looked up by name rather than by its OID
            TrustAnchor anchor = new TrustAnchor(cert, cert
                    .getExtensionValue("NameConstraints"));
            set.add(anchor);
        }
        // Add certificates from the keystore
        Enumeration aliases = this.keystore.aliases();
        while (aliases.hasMoreElements()) {
            String alias = (String) aliases.nextElement();
            X509Certificate cert = (X509Certificate) this.keystore
                    .getCertificate(alias);
            // Same lookup by name rather than OID
            TrustAnchor anchor = new TrustAnchor(cert, cert
                    .getExtensionValue("NameConstraints"));
            set.add(anchor);
        }
From J2SE API docs:
http://java.sun.com/j2se/1.5.0/docs/api/java/security/cert/X509Extension.html#getExtensionValue(java.lang.String)
getExtensionValue(String oid) expects its parameter to be an OID (in this case,
"2.5.29.30"). It appears that the default JCE provider simply returns null
(indicating extension not present). However, this behaviour is not always the
case. Notably, the Bouncy Castle JCE provider will throw the (unchecked)
exception IllegalArgumentException if the argument does not appear to be an
OID. This will cause cert path validation to fail with an exception on any JVM
configured to use such a JCE provider (whether or not name constraints are used
on any certs in the chain to be validated).
In addition, when used with a JCE that does not exhibit this behaviour, the
code will identify some invalid cert paths as valid. i.e. if a cert in the
path has a naming constraint and is used to sign a cert which the name
constraints would disallow, the path will still be seen as valid.
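A corrected anchor builder, added here as an illustration and not WSS4J's own code: it looks the extension up by its dotted OID, and it also strips the OCTET STRING header that getExtensionValue returns, because the JDK's TrustAnchor validates its argument as the bare NameConstraints SEQUENCE and rejects the wrapped form. The class and method names are invented for the example.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Set;

public final class NameConstraintsAnchors {
    // Dotted OID of the X.509 NameConstraints extension (id-ce 30) named in the report.
    static final String NAME_CONSTRAINTS_OID = "2.5.29.30";

    // Returns the value to hand to TrustAnchor, or null when the certificate has no
    // such extension. getExtensionValue() returns the DER OCTET STRING wrapping
    // extnValue, while TrustAnchor validates its argument as the inner NameConstraints
    // SEQUENCE, so the OCTET STRING header is stripped with a minimal DER length decoder.
    static byte[] nameConstraintsOf(X509Certificate cert) {
        byte[] wrapped = cert.getExtensionValue(NAME_CONSTRAINTS_OID);
        if (wrapped == null) {
            return null; // extension absent: this anchor imposes no name constraints
        }
        if (wrapped.length < 2 || wrapped[0] != 0x04) {
            throw new IllegalArgumentException("extnValue is not a DER OCTET STRING");
        }
        int len = wrapped[1] & 0xFF, offset = 2;
        if ((len & 0x80) != 0) { // long form: 0x8n followed by n length bytes
            int n = len & 0x7F;
            if (n == 0 || n > 4 || wrapped.length < 2 + n) {
                throw new IllegalArgumentException("bad DER length encoding");
            }
            for (len = 0; offset < 2 + n; offset++) {
                len = (len << 8) | (wrapped[offset] & 0xFF);
            }
        }
        if (len < 0 || wrapped.length != offset + len) {
            throw new IllegalArgumentException("DER length does not match input size");
        }
        byte[] inner = new byte[len];
        System.arraycopy(wrapped, offset, inner, 0, len);
        return inner;
    }

    // Builds one TrustAnchor per certificate entry in the store, constraints included.
    static Set<TrustAnchor> anchorsFrom(KeyStore store) throws KeyStoreException {
        Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
        for (Enumeration<String> e = store.aliases(); e.hasMoreElements();) {
            X509Certificate cert = (X509Certificate) store.getCertificate(e.nextElement());
            if (cert != null) anchors.add(new TrustAnchor(cert, nameConstraintsOf(cert)));
        }
        return anchors;
    }
}
```

Because the constraints are now attached to the anchor, a PKIX CertPathValidator run against this set rejects a chain whose leaf name falls outside a constrained CA's permitted subtrees, which the original code silently accepted.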
--
This message is automatically generated by JIRA.