[
https://issues.apache.org/jira/browse/WSS-97?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12571082#action_12571082
]
Patrick J Kobly commented on WSS-97:
------------------------------------
Suggest the following patch (against trunk) or similar:
diff -ur a/org/apache/ws/security/components/Merlin.java
b/org/apache/ws/security/components/Merlin.java
--- a/org/apache/ws/security/components/Merlin.java 2008-02-21
08:44:20.015625000 -0700
+++ b/org/apache/ws/security/components/Merlin.java 2008-02-21
08:53:39.187500000 -0700
@@ -49,6 +49,13 @@
public class Merlin extends AbstractCrypto {
/**
+ * OID For the NameConstraints Extension to X.509
+ *
+ * http://java.sun.com/j2se/1.4.2/docs/api/
+ * http://www.ietf.org/rfc/rfc3280.txt (s. 4.2.1.11)
+ */
+ public static final String NAME_CONSTRAINTS_OID = "2.5.29.30";
+ /**
* Constructor. <p/>
*
* @param properties
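Review bot: the Javadoc on NAME_CONSTRAINTS_OID links to the root of the 1.4.2 API docs rather than to the contract the constant exists to satisfy; point it at X509Extension#getExtensionValue(String) (the link the report itself cites) so the next reader sees why a dotted OID, not the extension name, is required. Separately, the file header names org/apache/ws/security/components/Merlin.java while the report quotes the class as org.apache.ws.security.components.crypto.Merlin, so the patch as pathed will not apply cleanly to trunk.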
@@ -150,7 +157,7 @@
X509Certificate cert = (X509Certificate) this.cacerts
.getCertificate(alias);
TrustAnchor anchor = new TrustAnchor(cert, cert
- .getExtensionValue("NameConstraints"));
+ .getExtensionValue(NAME_CONSTRAINTS_OID));
set.add(anchor);
}
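Review bot: switching to the dotted OID fixes the lookup, but the bytes are still handed to TrustAnchor unchanged, and the two APIs disagree on framing: X509Extension.getExtensionValue returns the DER-encoded OCTET STRING (extnValue, tag 0x04) wrapping the extension, whereas the nameConstraints argument of TrustAnchor is documented as the DER encoding of the NameConstraints extension value itself, without OID or criticality. The default provider validates those bytes in the constructor and throws IllegalArgumentException when it does not find a SEQUENCE, so a cacerts entry that actually carries name constraints, which the old code silently ignored, would now abort validateCertPath at anchor construction. Unwrap the OCTET STRING before `new TrustAnchor(cert, ...)`, and decide whether one unparsable anchor should fail the whole set or be added without constraints.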
@@ -161,7 +168,7 @@
X509Certificate cert = (X509Certificate) this.keystore
.getCertificate(alias);
TrustAnchor anchor = new TrustAnchor(cert, cert
- .getExtensionValue("NameConstraints"));
+ .getExtensionValue(NAME_CONSTRAINTS_OID));
set.add(anchor);
}
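Review bot: these three lines duplicate the cacerts loop above and inherit the same OCTET STRING unwrapping and unchecked-exception concerns; factor the anchor construction into one private helper, e.g. `TrustAnchor anchorFor(X509Certificate cert)`, and call it from both loops so the fix and any later correction live in a single place.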
> Merlin passes invalid OID to getExtensionValue
> ----------------------------------------------
>
> Key: WSS-97
> URL: https://issues.apache.org/jira/browse/WSS-97
> Project: WSS4J
> Issue Type: Bug
> Reporter: Patrick J Kobly
> Assignee: Ruchith Udayanga Fernando
>
> From org.apache.ws.security.components.crypto.Merlin:
> public boolean validateCertPath(X509Certificate[] certs)
> ...
> while (cacertsAliases.hasMoreElements()) {
> String alias = (String) cacertsAliases.nextElement();
> X509Certificate cert = (X509Certificate) this.cacerts
> .getCertificate(alias);
> TrustAnchor anchor = new TrustAnchor(cert, cert
> .getExtensionValue("NameConstraints"));
> set.add(anchor);
> }
> // Add certificates from the keystore
> Enumeration aliases = this.keystore.aliases();
> while (aliases.hasMoreElements()) {
> String alias = (String) aliases.nextElement();
> X509Certificate cert = (X509Certificate) this.keystore
> .getCertificate(alias);
> TrustAnchor anchor = new TrustAnchor(cert, cert
> .getExtensionValue("NameConstraints"));
> set.add(anchor);
> }
> From J2SE API docs:
> http://java.sun.com/j2se/1.5.0/docs/api/java/security/cert/X509Extension.html#getExtensionValue(java.lang.String)
> getExtensionValue(String oid) expects its parameter to be an OID (in this
> case, "2.5.29.30"). It appears that the default JCE provider simply returns
> null (indicating extension not present). However, this behaviour is not
> always the case. Notably, the Bouncy Castle JCE provider will throw the
> (unchecked) exception IllegalArgumentException if the argument does not
> appear to be an OID. This will cause cert path validation to fail with an
> exception on any JVM configured to use such a JCE provider (whether or not
> name constraints are used on any certs in the chain to be validated).
> In addition, when used with a JCE that does not exhibit this behaviour, the
> code will identify some invalid cert paths as valid. i.e. if a cert in the
> path has a naming constraint and is used to sign a cert which the name
> constraints would disallow, the path will still be seen as valid.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
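Added example, not code from WSS4J or from the patch above: a stand-alone Java program showing the two framing details the report and the patch turn on. The extension must be looked up by its dotted OID, and the bytes getExtensionValue() returns are the DER OCTET STRING wrapper (extnValue), which TrustAnchor rejects until the inner NameConstraints SEQUENCE is extracted. The class name, the CA name and the 21-byte extnValue are constructed for this example; validate() mirrors the validateCertPath pattern quoted in the report but is not exercised by main(), since no certificate chain is embedded.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Set;
import javax.security.auth.x500.X500Principal;

public class NameConstraintsAnchor {

    /** id-ce-nameConstraints (RFC 3280 s. 4.2.1.11); getExtensionValue() wants this dotted form. */
    public static final String NAME_CONSTRAINTS_OID = "2.5.29.30";

    /**
     * getExtensionValue() returns extnValue as a DER OCTET STRING (tag 0x04) wrapping the
     * extension's own DER. TrustAnchor wants only the wrapped NameConstraints SEQUENCE,
     * so strip the wrapper here. Handles short- and long-form DER lengths.
     */
    static byte[] unwrapOctetString(byte[] extnValue) {
        if (extnValue == null) {
            return null;                        // extension absent: anchor without constraints
        }
        if (extnValue.length < 2 || extnValue[0] != 0x04) {
            throw new IllegalArgumentException("extnValue is not a DER OCTET STRING");
        }
        int len = extnValue[1] & 0xFF;
        int offset = 2;
        if (len > 0x7F) {                       // long form: low bits give the number of length octets
            int n = len & 0x7F;
            if (n == 0 || n > 4 || extnValue.length < 2 + n) {
                throw new IllegalArgumentException("bad DER length");
            }
            len = 0;
            for (int i = 0; i < n; i++) {
                len = (len << 8) | (extnValue[2 + i] & 0xFF);
            }
            offset = 2 + n;
        }
        if (offset + len != extnValue.length) {
            throw new IllegalArgumentException("OCTET STRING length does not match extnValue");
        }
        return Arrays.copyOfRange(extnValue, offset, offset + len);
    }

    /** Anchor that carries the CA's name constraints, so PKIX validation enforces them. */
    static TrustAnchor anchorFor(X509Certificate caCert) {
        byte[] raw = caCert.getExtensionValue(NAME_CONSTRAINTS_OID);   // OID, never "NameConstraints"
        return new TrustAnchor(caCert, unwrapOctetString(raw));
    }

    /** The validateCertPath pattern from the report, fed constraint-carrying anchors. */
    static boolean validate(X509Certificate[] chain, Set<TrustAnchor> anchors) throws Exception {
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(Arrays.asList(chain));
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false);     // revocation checking is out of scope here
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;
        } catch (CertPathValidatorException e) {
            return false;                       // includes a leaf outside the permitted subtrees
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample (not from any real certificate): what getExtensionValue() returns
        // for a NameConstraints extension permitting only dNSName "example.com":
        //   OCTET STRING { SEQUENCE { [0] { SEQUENCE { [2] IA5String "example.com" } } } }
        byte[] extnValue = {
            0x04, 0x13,                         // OCTET STRING, 19 bytes
            0x30, 0x11,                         //   NameConstraints SEQUENCE, 17 bytes
            (byte) 0xA0, 0x0F,                  //     permittedSubtrees [0], 15 bytes
            0x30, 0x0D,                         //       GeneralSubtree SEQUENCE, 13 bytes
            (byte) 0x82, 0x0B,                  //         dNSName [2], 11 bytes
            'e', 'x', 'a', 'm', 'p', 'l', 'e', '.', 'c', 'o', 'm'
        };
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair();
        X500Principal ca = new X500Principal("CN=Constrained Test CA");  // constructed CA name

        // Passing extnValue straight through, as the patch does, is rejected by the
        // constructor's DER check: the wrapper is an OCTET STRING, not a SEQUENCE.
        try {
            new TrustAnchor(ca, kp.getPublic(), extnValue);
            System.out.println("unexpected: wrapped extnValue accepted");
        } catch (IllegalArgumentException e) {
            System.out.println("wrapped extnValue rejected: " + e.getMessage());
        }

        // Unwrapped, the constraints are accepted and retained on the anchor.
        TrustAnchor anchor = new TrustAnchor(ca, kp.getPublic(), unwrapOctetString(extnValue));
        System.out.println("anchor keeps " + anchor.getNameConstraints().length
                + " bytes of NameConstraints");
    }
}
```

Compile and run with `javac NameConstraintsAnchor.java && java NameConstraintsAnchor`; the first TrustAnchor call fails with the provider's "Invalid encoding" message and the second succeeds with 19 bytes of constraints. In Merlin, anchorFor() is the shape both keystore loops would share, and a chain pulled from the keystore would then go through validate() with those anchors.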