[jira] Resolved: (WSS-97) Merlin passes invalid OID to getExtensionValue

Thu, 17 Apr 2008 10:40:32 -0700 

     [ 
https://issues.apache.org/jira/browse/WSS-97?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Fred Dushin resolved WSS-97.
----------------------------

    Resolution: Fixed

Patch applied.

> Merlin passes invalid OID to getExtensionValue
> ----------------------------------------------
>
>                 Key: WSS-97
>                 URL: https://issues.apache.org/jira/browse/WSS-97
>             Project: WSS4J
>          Issue Type: Bug
>            Reporter: Patrick J Kobly
>            Assignee: Fred Dushin
>         Attachments: WSS-97.patch
>
>
> From org.apache.ws.security.components.crypto.Merlin:
>     public boolean validateCertPath(X509Certificate[] certs)
> ...
>             while (cacertsAliases.hasMoreElements()) {
>                 String alias = (String) cacertsAliases.nextElement();
>                 X509Certificate cert = (X509Certificate) this.cacerts
>                         .getCertificate(alias);
>                 TrustAnchor anchor = new TrustAnchor(cert, cert
>                         .getExtensionValue("NameConstraints"));
>                 set.add(anchor);
>             }
>             // Add certificates from the keystore
>             Enumeration aliases = this.keystore.aliases();
>             while (aliases.hasMoreElements()) {
>                 String alias = (String) aliases.nextElement();
>                 X509Certificate cert = (X509Certificate) this.keystore
>                         .getCertificate(alias);
>                 TrustAnchor anchor = new TrustAnchor(cert, cert
>                         .getExtensionValue("NameConstraints"));
>                 set.add(anchor);
>             }
> From J2SE API docs:
> http://java.sun.com/j2se/1.5.0/docs/api/java/security/cert/X509Extension.html#getExtensionValue(java.lang.String)
> getExtensionValue(String oid) expects its parameter to be an OID (in this 
> case, "2.5.29.30").  It appears that the default JCE provider simply returns 
> null (indicating extension not present).  However, this behaviour is not 
> always the case.  Notably, the Bouncy Castle JCE provider will throw the 
> (unchecked) exception IllegalArgumentException if the argument does not 
> appear to be an OID.  This will cause cert path validation to fail with an 
> exception on any JVM configured to use such a JCE provider (whether or not 
> name constraints are used on any certs in the chain to be validated).
> In addition, when used with a JCE that does not exhibit this behaviour, the 
> code will identify some invalid cert paths as valid.  i.e. if a cert in the 
> path has a naming constraint and is used to sign a cert which the name 
> constraints would disallow, the path will still be seen as valid.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to