JDK-4479283

Unknown revocation reasons aren't handled well

    Details

    • Type: Bug
    • Status: Closed
    • Priority: P3
    • Resolution: Fixed
    • Affects Version/s: 1.3.1_07, 1.4.0
    • Fix Version/s: 1.3.1_10
    • Component/s: security-libs
    • Labels:
      None
    • Subcomponent:
    • Resolved In Build:
      10
    • CPU:
      generic, sparc
    • OS:
      generic, solaris_8
    • Verification:
      Verified

        Description

        CRLReasonCodeExtension throws an exception if it encounters an unrecognized reason code. This is not compliant with X.509 or the latest PKIX specs (as noted in Appendix B of draft-ietf-pkix-new-part1-07.txt), which say that unrecognized revocation reason codes should be ignored.

        Because of this behavior, our PKIX CertPathVerifier and CertPathBuilder are not strictly PKIX compliant. In fact, they reject any CRL that contains one of the new reason codes added to X.509(2000) and draft-ietf-pkix-new-part1-07.txt: privilegeWithdrawn and aACompromise.
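
The distinction the description draws, as an added Java example (not the JDK's CRLReasonCodeExtension source): a strict decoder that fails on an unassigned reason code, beside a tolerant one that ignores it while still rejecting malformed encodings. The class and method names are hypothetical, the sample bytes are constructed, and the decoder assumes the reason code is encoded in a single content byte.

```java
import java.io.IOException;

// Added illustration; hypothetical names, not the JDK's own implementation.
public class ReasonCodeDemo {
    // Names from the X.509 CRLReason ENUMERATED; value 7 is unassigned.
    static final String[] NAMES = {
        "unspecified", "keyCompromise", "cACompromise", "affiliationChanged",
        "superseded", "cessationOfOperation", "certificateHold", null,
        "removeFromCRL", "privilegeWithdrawn", "aACompromise"
    };

    // Parse the extension value: OCTET STRING wrapping a one-byte ENUMERATED.
    static int decodeEnumerated(byte[] extnValue) throws IOException {
        if (extnValue.length != 5 || extnValue[0] != 0x04 || extnValue[1] != 0x03
                || extnValue[2] != 0x0A || extnValue[3] != 0x01) {
            throw new IOException("malformed reasonCode extension");
        }
        return extnValue[4] & 0xFF;
    }

    // Strict mapping: the failure mode described above. An unknown code is
    // treated like an encoding error, so the caller rejects the whole CRL.
    static String strictReason(byte[] extnValue) throws IOException {
        int code = decodeEnumerated(extnValue);
        if (code >= NAMES.length || NAMES[code] == null) {
            throw new IOException("unknown reason code " + code);
        }
        return NAMES[code];
    }

    // Tolerant mapping: malformed DER still fails, but a well-formed value
    // with an unrecognized code is ignored (reported as null) and the CRL
    // entry is still processed.
    static String tolerantReason(byte[] extnValue) throws IOException {
        int code = decodeEnumerated(extnValue);
        return (code < NAMES.length) ? NAMES[code] : null;
    }

    public static void main(String[] args) throws IOException {
        byte[][] samples = {                       // constructed inputs
            {0x04, 0x03, 0x0A, 0x01, 0x01},        // keyCompromise
            {0x04, 0x03, 0x0A, 0x01, 0x0A},        // aACompromise
            {0x04, 0x03, 0x0A, 0x01, 0x0B},        // 11: not assigned
        };
        for (byte[] s : samples) {
            System.out.println(s[4] + " -> " + tolerantReason(s));
        }
    }
}
```

Calling `strictReason` on the third sample throws, which is the behavior that makes a validator reject a CRL carrying a reason code it does not know.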

                People

                Assignee:
                andreas Andreas Sterbenz
                Reporter:
                duke J. Duke (Inactive)