Posted to wss4j-dev@ws.apache.org by "Fred Dushin (JIRA)" <ji...@apache.org> on 2008/04/17 19:37:21 UTC

[jira] Resolved: (WSS-97) Merlin passes invalid OID to getExtensionValue

     [ https://issues.apache.org/jira/browse/WSS-97?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Fred Dushin resolved WSS-97.
----------------------------

    Resolution: Fixed

Patch applied.

> Merlin passes invalid OID to getExtensionValue
> ----------------------------------------------
>
>                 Key: WSS-97
>                 URL: https://issues.apache.org/jira/browse/WSS-97
>             Project: WSS4J
>          Issue Type: Bug
>            Reporter: Patrick J Kobly
>            Assignee: Fred Dushin
>         Attachments: WSS-97.patch
>
>
> From org.apache.ws.security.components.crypto.Merlin:
>     public boolean validateCertPath(X509Certificate[] certs)
> ...
>             while (cacertsAliases.hasMoreElements()) {
>                 String alias = (String) cacertsAliases.nextElement();
>                 X509Certificate cert = (X509Certificate) this.cacerts
>                         .getCertificate(alias);
>                 TrustAnchor anchor = new TrustAnchor(cert, cert
>                         .getExtensionValue("NameConstraints"));
>                 set.add(anchor);
>             }
>             // Add certificates from the keystore
>             Enumeration aliases = this.keystore.aliases();
>             while (aliases.hasMoreElements()) {
>                 String alias = (String) aliases.nextElement();
>                 X509Certificate cert = (X509Certificate) this.keystore
>                         .getCertificate(alias);
>                 TrustAnchor anchor = new TrustAnchor(cert, cert
>                         .getExtensionValue("NameConstraints"));
>                 set.add(anchor);
>             }
> From J2SE API docs:
> http://java.sun.com/j2se/1.5.0/docs/api/java/security/cert/X509Extension.html#getExtensionValue(java.lang.String)
> getExtensionValue(String oid) expects its parameter to be an OID (in this case, "2.5.29.30").  It appears that the default JCE provider simply returns null (indicating extension not present).  However, this behaviour is not always the case.  Notably, the Bouncy Castle JCE provider will throw the (unchecked) exception IllegalArgumentException if the argument does not appear to be an OID.  This will cause cert path validation to fail with an exception on any JVM configured to use such a JCE provider (whether or not name constraints are used on any certs in the chain to be validated).
> In addition, when used with a JCE that does not exhibit this behaviour, the code will identify some invalid cert paths as valid.  i.e. if a cert in the path has a naming constraint and is used to sign a cert which the name constraints would disallow, the path will still be seen as valid.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
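The fix the report calls for is to look the extension up by its dotted OID. The following is an added example, not the WSS-97 patch or any WSS4J code; the class name `NameConstraintsAnchor`, the helper names and the sample bytes are assumptions made here. It also handles a JCA detail the report does not mention: `X509Extension.getExtensionValue()` returns the extension value still wrapped in its DER OCTET STRING, while `TrustAnchor(X509Certificate, byte[])` expects the bare `NameConstraints` SEQUENCE, so passing the raw return value would give `PKIXCertPathValidator` a malformed constraint. The `main` method checks the unwrapping against a constructed encoding and then walks the JVM's `cacerts` store the way Merlin walks its CA store, assuming the JDK default password `changeit`.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/** Builds trust anchors that actually carry a CA certificate's name constraints. */
public final class NameConstraintsAnchor {

    /** Dotted OID of the NameConstraints extension (RFC 5280, section 4.2.1.10). */
    static final String NAME_CONSTRAINTS_OID = "2.5.29.30";

    /**
     * Looks the extension up by OID. Looking it up by the name "NameConstraints"
     * returns null on the default provider and throws IllegalArgumentException on
     * Bouncy Castle. getExtensionValue() hands back the value wrapped in a DER
     * OCTET STRING; TrustAnchor wants the bare SEQUENCE, so the wrapper is stripped.
     */
    static TrustAnchor anchorFor(X509Certificate cert) {
        byte[] wrapped = cert.getExtensionValue(NAME_CONSTRAINTS_OID);
        byte[] constraints = (wrapped == null) ? null : unwrapOctetString(wrapped);
        return new TrustAnchor(cert, constraints);
    }

    /** Returns the contents of one DER OCTET STRING (tag 0x04); rejects anything else. */
    static byte[] unwrapOctetString(byte[] der) {
        if (der.length < 2 || der[0] != 0x04) {
            throw new IllegalArgumentException("expected a DER OCTET STRING");
        }
        int first = der[1] & 0xFF;
        int offset = 2;
        int len;
        if (first < 0x80) {
            len = first;                          // short form: one length byte
        } else if (first == 0x80 || first > 0x84) {
            throw new IllegalArgumentException("indefinite or oversized length is not DER");
        } else {
            int numLenBytes = first & 0x7F;       // long form: next N bytes hold the length
            if (der.length < offset + numLenBytes) {
                throw new IllegalArgumentException("truncated length");
            }
            len = 0;
            for (int i = 0; i < numLenBytes; i++) {
                len = (len << 8) | (der[offset++] & 0xFF);
            }
        }
        if (len < 0 || offset + len != der.length) {
            throw new IllegalArgumentException("length does not match encoding");
        }
        return Arrays.copyOfRange(der, offset, offset + len);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample, not taken from any real certificate: what
        // getExtensionValue("2.5.29.30") returns for a CA whose name constraints
        // permit only the dNSName "example.com".
        byte[] sample = {
            0x04, 0x13,                           // OCTET STRING, 19 bytes
              0x30, 0x11,                         //   NameConstraints ::= SEQUENCE
                (byte) 0xA0, 0x0F,                //     permittedSubtrees [0]
                  0x30, 0x0D,                     //       GeneralSubtree ::= SEQUENCE
                    (byte) 0x82, 0x0B,            //         base: dNSName [2]
                    'e', 'x', 'a', 'm', 'p', 'l', 'e', '.', 'c', 'o', 'm'
        };
        byte[] inner = unwrapOctetString(sample);
        System.out.printf("unwrapped %d bytes, outer tag now 0x%02x (SEQUENCE)%n",
                inner.length, inner[0] & 0xFF);

        // Walk the JVM's default trust store as Merlin walks cacerts and report how
        // many anchors carry name constraints. Assumes the JDK default password.
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        if (!Files.exists(cacerts)) {
            return;
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(cacerts)) {
            ks.load(in, "changeit".toCharArray());
        }
        Set<TrustAnchor> anchors = new HashSet<>();
        int constrained = 0;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) {
                TrustAnchor anchor = anchorFor((X509Certificate) c);
                anchors.add(anchor);
                if (anchor.getNameConstraints() != null) {
                    constrained++;
                }
            }
        }
        System.out.printf("%d trust anchors loaded, %d with name constraints%n",
                anchors.size(), constrained);
    }
}
```

With the anchors built this way, a `CertPathValidator` configured from `PKIXParameters(anchors)` rejects a chain whose end-entity name falls outside the CA's permitted subtrees, which is exactly the case the report says the original code accepted. The OCTET STRING check is deliberately strict: a truncated or non-DER length is rejected rather than passed through to the validator.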