Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-7192000

MSCAPI as trust provider does not include all certificates with same Subject

    Details

    • Type: Bug
    • Status: Closed
    • Priority: P4
    • Resolution: Duplicate
    • Affects Version/s: 7
    • Fix Version/s: None
    • Component/s: security-libs
    • Labels:

      Description

      FULL PRODUCT VERSION :
      java version "1.7.0_05"
      Java(TM) SE Runtime Environment (build 1.7.0_05-b05)
      Java HotSpot(TM) 64-Bit Server VM (build 23.1-b03, mixed mode)

      ADDITIONAL OS VERSION INFORMATION :
      Version 6.1.7601

      EXTRA RELEVANT SYSTEM CONFIGURATION :
      -Djavax.net.ssl.trustStoreProvider=SunMSCAPI
      -Djavax.net.ssl.trustStoreType=WINDOWS-ROOT

      A DESCRIPTION OF THE PROBLEM :
      I would like to be able to use the SunMSCAPIProvider as described on your website http://java.sun.com/developer/technicalArticles/J2SE/security/: "a consistent behavior that matches what native applications have when they use the same native library"

      So if a certificate for SSL connection is trusted in Windows (e.g. in Internet Explorer) my Java application started with the options
      -Djavax.net.ssl.trustStoreProvider=SunMSCAPI
      -Djavax.net.ssl.trustStoreType=WINDOWS-ROOT
      should trust the same certificate. However due to or similarly to bug 6483657 it seems that not all certificates are included because they have either the same alias or no alias (Friendly Name in MS terms) and the same CN in the Subject.

      Due to the implementation of sun.security.validator.KeyStores.getTrustedCerts(KeyStore ks) which assumes that all aliases are unique only one of the certificates will be included (the first to be returned by alias).

      Maybe Java lacks a clear definition of the purpose of an alias in the sense that it may or may not be assumed to be a Unique Identifier as in the case of JKS, which would help to decern what part of Java to blame.

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      use -Djavax.net.debug=ssl shows which certificates are added where duplicate aliases will be missing


      REPRODUCIBILITY :
      This bug can be reproduced always.

      CUSTOMER SUBMITTED WORKAROUND :
      Open MMC, add Certificates plugin, go to Trusted Root Certification Authorities, Certificates, Order by Friendly Name, make sure they all have a filled in unique value.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                vinnie Vincent Ryan
                Reporter:
                webbuggrp Webbug Group
              • Votes:
                0 Vote for this issue
                Watchers:
                0 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:
                  Imported:
                  Indexed: