WSS4J / WSS-611

CAs with the NameConstraint extension cause exceptions when verifying trust


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.1.10
    • Fix Version/s: 2.2.0, 2.1.11
    • Component/s: WSS4J Core
    • Labels: None

    Description

      When a CA with NameConstraints is in the truststore, it causes a failure with any crypto Cert provider. The underlying cause is an IllegalArgumentException thrown because the Sequence data has been encoded as an Octet String and it is not being correctly decoded.

      While the relevant RFCs are a bit ambiguous with regard to extensions and whether they are all encoded as Octet Strings or not, the documentation on Java's implementation of X509Extension is unambiguous: it will be a "DER-encoded OCTET string for the extension value."

      Beneath this issue lies another: the Sun default implementation of PKIX path validation does not support TrustAnchors with NameConstraints attached. So fixing the first issue also requires conditionally constructing TrustAnchors with NameConstraints or with null.
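As an added illustration (not WSS4J's own code) of the two points in the description: the outer OCTET STRING that X509Extension.getExtensionValue() returns is stripped before the NameConstraints value is handed to TrustAnchor, and the anchor is built with a null constraint when the path validator in use cannot handle one. The class name and the validatorSupportsNameConstraints flag are assumptions; how a caller decides that flag is outside what the issue states.

```java
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Arrays;

// Hypothetical helper, not WSS4J's own code, showing the decoding step WSS-611 describes.
public final class NameConstraintsTrustAnchor {
    private static final String NAME_CONSTRAINTS_OID = "2.5.29.30";

    // X509Extension.getExtensionValue() returns the DER OCTET STRING that wraps the
    // extension value; TrustAnchor wants the inner NameConstraints SEQUENCE. Strip the
    // OCTET STRING tag and length (short or long form) and return the wrapped bytes.
    static byte[] unwrapOctetString(byte[] der) {
        if (der == null || der.length < 2 || der[0] != 0x04) {
            throw new IllegalArgumentException("Not a DER OCTET STRING");
        }
        int len = der[1] & 0xFF;
        int offset = 2;
        if (len == 0x80) {
            throw new IllegalArgumentException("Indefinite length is not valid DER");
        }
        if (len > 0x80) {                      // long form: 0x8N followed by N length bytes
            int numBytes = len & 0x7F;
            if (numBytes > 4 || der.length < 2 + numBytes) {
                throw new IllegalArgumentException("Unsupported DER length encoding");
            }
            len = 0;
            for (int i = 0; i < numBytes; i++) {
                len = (len << 8) | (der[2 + i] & 0xFF);
            }
            offset = 2 + numBytes;
        }
        if (len < 0 || offset + len != der.length) {
            throw new IllegalArgumentException("OCTET STRING length does not match extension value");
        }
        return Arrays.copyOfRange(der, offset, offset + len);
    }

    // Build the anchor for a CA certificate. When the path validator in use rejects
    // anchors that carry name constraints (the description says the Sun PKIX
    // implementation does), pass null instead of the decoded constraints.
    static TrustAnchor toTrustAnchor(X509Certificate ca, boolean validatorSupportsNameConstraints) {
        byte[] wrapped = ca.getExtensionValue(NAME_CONSTRAINTS_OID);
        if (wrapped == null || !validatorSupportsNameConstraints) {
            return new TrustAnchor(ca, null);
        }
        return new TrustAnchor(ca, unwrapOctetString(wrapped));
    }
}
```

Passing the undecoded bytes from getExtensionValue() straight to the TrustAnchor constructor is exactly what produces the IllegalArgumentException the description reports.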


          People

            Assignee: Colm O hEigeartaigh (coheigea)
            Reporter: Richard Porter (coyotesqrl)
