[
https://issues.apache.org/jira/browse/WSS-97?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12588656#action_12588656
]
Patrick J Kobly commented on WSS-97:
------------------------------------
There are likely to be a couple of test cases to exercise this patch... We
actually ran across this issue with a cert that didn't have NameConstraints.
The first test case is going to involve a valid cert without NameConstraints
anywhere in the chain, and a JCE provider config that uses BouncyCastle - i.e.
with such a config, _no_ cert paths were seen as valid prior to this patch...
The second test case will involve a CA with NameConstraints signing a cert
whose name would not be permitted by the NameConstraints...
I can provide a rough approach to testing (including the relevant test certs /
keystores, generation instructions, and configs), but am unfamiliar with the
project's testing infrastructure - so producing a case for inclusion in your
regression suite will take some time...
> Merlin passes invalid OID to getExtensionValue
> ----------------------------------------------
>
> Key: WSS-97
> URL: https://issues.apache.org/jira/browse/WSS-97
> Project: WSS4J
> Issue Type: Bug
> Reporter: Patrick J Kobly
> Assignee: Ruchith Udayanga Fernando
> Attachments: WSS-97.patch
>
>
> From org.apache.ws.security.components.crypto.Merlin:
> public boolean validateCertPath(X509Certificate[] certs)
> ...
>     while (cacertsAliases.hasMoreElements()) {
>         String alias = (String) cacertsAliases.nextElement();
>         X509Certificate cert = (X509Certificate) this.cacerts
>             .getCertificate(alias);
>         TrustAnchor anchor = new TrustAnchor(cert, cert
>             .getExtensionValue("NameConstraints"));
>         set.add(anchor);
>     }
>     // Add certificates from the keystore
>     Enumeration aliases = this.keystore.aliases();
>     while (aliases.hasMoreElements()) {
>         String alias = (String) aliases.nextElement();
>         X509Certificate cert = (X509Certificate) this.keystore
>             .getCertificate(alias);
>         TrustAnchor anchor = new TrustAnchor(cert, cert
>             .getExtensionValue("NameConstraints"));
>         set.add(anchor);
>     }
> From J2SE API docs:
> http://java.sun.com/j2se/1.5.0/docs/api/java/security/cert/X509Extension.html#getExtensionValue(java.lang.String)
> getExtensionValue(String oid) expects its parameter to be an OID (in this
> case, "2.5.29.30"). It appears that the default JCE provider simply returns
> null (indicating extension not present). However, this behaviour is not
> always the case. Notably, the Bouncy Castle JCE provider will throw the
> (unchecked) exception IllegalArgumentException if the argument does not
> appear to be an OID. This will cause cert path validation to fail with an
> exception on any JVM configured to use such a JCE provider (whether or not
> name constraints are used on any certs in the chain to be validated).
> In addition, when used with a JCE that does not exhibit this behaviour, the
> code will identify some invalid cert paths as valid. i.e. if a cert in the
> path has a naming constraint and is used to sign a cert which the name
> constraints would disallow, the path will still be seen as valid.
--
This message is automatically generated by JIRA.
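As an added example (my own illustration, not WSS4J code and not the WSS-97.patch attached to the issue), here is how the trust-anchor loop quoted above can be written so that it passes the dotted OID to getExtensionValue() and hands TrustAnchor what it actually expects. Two assumptions: the keystore holds trusted CA certificates as certificate entries, and revocation checking is handled elsewhere. One caveat the issue text does not mention: getExtensionValue() returns the DER encoding of the extnValue OCTET STRING, while TrustAnchor(X509Certificate, byte[]) expects only the contents of that OCTET STRING (the DER NameConstraints SEQUENCE), so the wrapper has to be stripped before the anchor is built.

```java
import java.io.IOException;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Added illustration, not WSS4J code: build PKIX trust anchors from a
 * keystore, looking up the name-constraints extension by its OID and
 * unwrapping the OCTET STRING that getExtensionValue() returns.
 */
public final class NameConstraintsAnchors {

    /** OID of id-ce-nameConstraints (X.509 / RFC 3280). */
    static final String NAME_CONSTRAINTS_OID = "2.5.29.30";

    /**
     * getExtensionValue() returns the DER-encoded extnValue OCTET STRING.
     * TrustAnchor wants only the contents of that OCTET STRING (the DER
     * NameConstraints SEQUENCE), so strip the tag 0x04 and its length.
     */
    static byte[] unwrapOctetString(byte[] der) throws IOException {
        if (der == null) {
            return null;                        // extension absent: no constraints
        }
        if (der.length < 2 || der[0] != 0x04) {
            throw new IOException("expected DER OCTET STRING");
        }
        int len = der[1] & 0xff;
        int offset = 2;
        if ((len & 0x80) != 0) {                // long-form length
            int numBytes = len & 0x7f;
            if (numBytes == 0 || numBytes > 4 || der.length < 2 + numBytes) {
                throw new IOException("bad DER length");
            }
            len = 0;
            for (int i = 0; i < numBytes; i++) {
                len = (len << 8) | (der[2 + i] & 0xff);
            }
            offset += numBytes;
        }
        if (offset + len != der.length) {
            throw new IOException("DER length mismatch");
        }
        return Arrays.copyOfRange(der, offset, offset + len);
    }

    /** Assumption: trusted CAs are stored as certificate entries in ks. */
    static Set<TrustAnchor> anchorsFrom(KeyStore ks) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!ks.isCertificateEntry(alias)) {
                continue;                       // skip key entries
            }
            X509Certificate ca = (X509Certificate) ks.getCertificate(alias);
            // Pass an OID, never the friendly name: Bouncy Castle throws
            // IllegalArgumentException on "NameConstraints" and the default
            // provider returns null, so the constraints would never be checked.
            byte[] nc = unwrapOctetString(ca.getExtensionValue(NAME_CONSTRAINTS_OID));
            anchors.add(new TrustAnchor(ca, nc));
        }
        return anchors;
    }

    /**
     * Validate a chain (leaf first, anchor itself not included) against the
     * anchors. A name disallowed by a CA's constraints surfaces here as a
     * CertPathValidatorException, which is reported as false.
     */
    static boolean validate(X509Certificate[] chain, Set<TrustAnchor> anchors)
            throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = Arrays.asList(chain);
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false);     // assumption: CRL/OCSP handled elsewhere
        try {
            CertPathValidator.getInstance("PKIX")
                    .validate(cf.generateCertPath(certs), params);
            return true;
        } catch (CertPathValidatorException e) {
            return false;
        }
    }
}
```

Name constraints carried by intermediate CAs inside the chain are enforced by the PKIX validator from the certificates themselves; the byte[] argument to TrustAnchor only matters for the anchor, whose own extensions RFC 3280 path processing does not examine. That is also why the second test case in the comment (a constrained CA signing a cert with a disallowed name) needs the anchor built from a real OID lookup to fail as it should.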