Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-6668231

Presence of a critical subjectAltName causes JSSE's SunX509 to fail trusted checks

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: P2
    • Resolution: Fixed
    • Affects Version/s: 7
    • Fix Version/s: 7
    • Component/s: security-libs
    • Labels:
    • Subcomponent:
    • Resolved In Build:
      b26
    • CPU:
      generic
    • OS:
      generic
    • Verification:
      Verified

      Backports

        Description

        We should probably do something more intelligent with the presence of critical subjectAltName's. Although if the subject is really empty, we may not be able to do chaining correctly anyway. Need to check and see what we're really doing here.

        The email thread is below:


        Brad, what about using the PKIX TrustManagerFactory?

        --Sean

        V B Kumar Jayanti wrote:
        > Hi Brad,
        >
        > While interacting more with the Forum user he finally said i worked around it and so i asked him what was the workaround and the reply was not so pleasing :
        >
        > "I succeded trying certificate authentication on IMB WebSphere AS Community Edition using IBM Java5, so the bug I suppose is in Sun JSSE provider"
        >
        > http://forums.java.net/jive/thread.jspa?messageID=260939
        >
        > thanks.
        >
        > Brad Wetmore wrote:
        >
        >> cc'ing current JSSE team.
        >>
        >> I'm not 100% sure what our current behaviour on this is, but a quick glance at the code sure looks like even though we do understand/parse the subjectAltname in the X509 code, we just don't allow for critical subjectaltnames for TLS client authentications. I don't recall why offhand, nor see a bug (open or closed). If the subject field is empty and there is a Subjectaltname, the extension does need to be marked critical.
        >>
        >> Gang, do you offhand remember why it was done this way?
        >>
        >> If this is indeed the current behaviour, then best workaround is to provider your own X509TrustManager as was discussed in the thread you referenced, although I would suggest providing some actual code in the X509TrustManager, and not just returning on any input! ;)
        >>
        >> brad
        >>
        >>
        >>> V B Kumar Jayanti wrote:
        >>>
        >>>> Hi Sean,
        >>>>
        >>>> It appears the X509TrustManager in JDK does not support the SubjectAlternativeName Extension ?. I have seen mailing list threads dating back to 2003 where this issue was reported by some user. Do we have some plan of supporting this or is this really a low priority item. Is there any workaround we can suggest to this user.
        >>>>
        >>>> regards,
        >>>> kumar
        >>>>
        >>>>
        >>>> ------------------------------------------------------------------------
        >>>>
        >>>> Subject:
        >>>> Re: Client Certificate authentication
        >>>> From:
        >>>> ###@###.###
        >>>> Date:
        >>>> Wed, 13 Feb 2008 01:20:40 -0800 (PST)
        >>>> To:
        >>>> ###@###.###
        >>>>
        >>>> To:
        >>>> ###@###.###
        >>>>
        >>>>
        >>>> Hi,
        >>>> Your reply seems to have the root cause info :
        >>>>
        >>>> java.security.cert.CertificateException: Certificate contains unsupported critical extensions : [2.5.29.17]
        >>>>
        >>>> I checked out that extension 2.5.29.17 stands for : SubjectAlternativeName.
        >>>>
        >>>> now the JavaDoc for X509Extension : (http://java.sun.com/j2se/1.4.2/docs/api/java/security/cert/X509Extension.html) says :
        >>>>
        >>>> "Each extension in a certificate/CRL may be designated as critical or non-critical. A certificate/CRL-using system (an application validating a certificate/CRL) must reject the certificate/CRL if it encounters a critical extension it does not recognize. A non-critical extension may be ignored if it is not recognized."
        >>>>
        >>>> Since the extension in your cert is marked critical and since it does not understand the extension it rejected the cert.
        >>>>
        >>>> When i googled around i found the following link where the person is talking about downloading the CA cert from a different location in order to obtain the CA cert without the extension.
        >>>>
        >>>> http://forum.springframework.org/showthread.php?t=42510
        >>>>
        >>>> Can you try this workaround ?.
        >>>>
        >>>> Meantime i will investigate why the particular extension is unrecognized.
        >>>> [Message sent by forum member 'kumarjayanti' (kumarjayanti)]
        >>>>
        >>>> http://forums.java.net/jive/thread.jspa?messageID=258670
        >>>>
        >>>> ---------------------------------------------------------------------
        >>>> To unsubscribe, e-mail: ###@###.###
        >>>> For additional commands, e-mail: ###@###.###
        >>>>
        >>>
        >

          Attachments

            Issue Links

              Activity

                People

                Assignee:
                xuelei Xue-Lei Fan
                Reporter:
                wetmore Bradford Wetmore
                Votes:
                0 Vote for this issue
                Watchers:
                0 Start watching this issue

                  Dates

                  Created:
                  Updated:
                  Resolved:
                  Imported:
                  Indexed: