JDK-8072463

Remove requirement that AKID and SKID have to match when building certificate chain

    Details

    • Introduced In Build: fcs
    • Introduced In Version: 7
    • Resolved In Build: b94
    • CPU: generic
    • OS: generic
    • Verification: Verified

        Description

        FULL PRODUCT VERSION :
        All 7.x and 8.x versions

        ADDITIONAL OS VERSION INFORMATION :
        Generic OS

        A DESCRIPTION OF THE PROBLEM :
        This bug is heavily related to JDK-8027249 (JDK 7 Certpathbuilder.build throws SunCertPathBuilderException when JDK 6 works ).
        Since JDK 7, checking of the serial number and Key Identifier from the Authority Key Identifier extension was added to the certificate chain building process.

        Sean Mullan said that

        "In JDK 7 we enhanced our PKIX CertPathBuilder implementation to discover certificate chains using the Authority Key Identifier extension (as specified in section 4.2.1.1 of RFC 5280), which allows you to find the correct certificate when a CA has more than one certificate with different keypairs. This is quite common, for example when you rollover the key of a CA but you want to keep the same subject name.

        The certificates that are used in this test case do not have a correct AKID that allow a path to be found. In particular, the authorityCertSerialNumber field of the end entity certificate is set to 3130323032353433323531. The key identifier and issuer are correct, but not the serial number. We match on all fields when looking for a matching CA. This should match the serial number of the issuing CA certificate."

        According to RFC 5280 (Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile):

           "The authority key identifier extension provides a means of
           identifying the public key corresponding to the private key used to
           sign a certificate. This extension is used where an issuer has
           multiple signing keys (either due to multiple concurrent key pairs or
           due to changeover). The identification MAY be based on either the
           key identifier (the subject key identifier in the issuer's
           certificate) or the issuer name and serial number."

        this check looks correct. If fields from the Authority Key Identifier do not match fields from the Subject Key Identifier, we may not accept this certificate for chain building.

        But RFC 4158 (Internet X.509 Public Key Infrastructure: Certification Path Building), in section 3.5.12, Matching Key Identifiers (KIDs), states:

           "NOTE: Although required to be present by [RFC3280], it is extremely
           important that KIDs be used only as sorting criteria or as hints
           during certification path building. KIDs are not required to match
           during certification path validation and cannot be used to eliminate
           certificates. This is of critical importance for interoperating
           across domains and multi-vendor implementations where the KIDs may
           not be calculated in the same fashion."

        So it is explicitly noted that matching Key Identifiers must be used only as hints to the chain building process, not to reject such certificates.
        With this check, JDK is unable to build certificate chains using "CROSS certificates" when a certificate has an Authority KID with a serial number. In that case the serial number will match the ROOT certificate and not the CROSS certificate.

        REGRESSION. Last worked in version 6u45
        ERROR MESSAGES/STACK TRACES THAT OCCUR :
        sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
                at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
                at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
        ...

        REPRODUCIBILITY :
        This bug can be reproduced always.

        ---------- BEGIN SOURCE ----------
        Test case is available at bug JDK-8027249 (JDK 7 Certpathbuilder.build throws SunCertPathBuilderException when JDK 6 works ).
        ---------- END SOURCE ----------

            Activity

            mullan Sean Mullan added a comment -
            Triaging for now, but needs more investigation to see if we should make any changes. We have never claimed to support RFC 4158.
            mullan Sean Mullan added a comment -
            The regression was introduced by the fix for JDK-6852744. In that fix, a check was made to require the AKID and SKID to match when building a certificate chain.
            mullan Sean Mullan added a comment -
            I will be removing the requirement that the AKID and SKID have to match when building a certificate chain. The PKIX CertPathBuilder implementation uses a Comparator to decide which certificate should be tried first when building a path. I will enhance that so that if the AKID/SKID match, it will try that certificate first. However, it will try other certificates even if the AKID/SKID do not match. This seems to be the right balance and is more aligned with the RFC 4158 text mentioned in the description above.
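The behaviour the reporter describes and the fix Sean Mullan outlines in the comment above, as an added example that is not JDK code: a toy path builder that can treat the AKID fields either as a hard filter on candidate issuers (the JDK 7 rule introduced by JDK-6852744) or only as a sort key (the Comparator-based fix). Signature checks are an HMAC stand-in keyed with the CA's key material, the three-level ordering (full AKID match, key-identifier-only match, everything else) is my assumption about how the Comparator prefers candidates, and every name, serial and key is constructed.

```python
"""Toy path builder: AKID as hard requirement (JDK 7) vs. AKID as a sorting hint
(JDK-8072463 fix). Added example, not JDK code; signatures are an HMAC stand-in
keyed with the CA's key material, so the toy "public key" also signs. Names,
serials and keys are constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional


def key_id(key: bytes) -> bytes:
    """Key identifier as in RFC 5280 4.2.1.2 method (1): SHA-1 over the key bits."""
    return hashlib.sha1(key).digest()


def tbs(subject: str, issuer: str, serial: int, key: bytes) -> bytes:
    """Fields covered by the stand-in signature."""
    return f"{subject}|{issuer}|{serial}|{key.hex()}".encode()


def sign(ca_key: bytes, data: bytes) -> bytes:
    return hmac.new(ca_key, data, hashlib.sha256).digest()


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    key: bytes                    # toy public-key material; SKID = key_id(key)
    akid_key_id: Optional[bytes]  # AKID keyIdentifier
    akid_issuer: Optional[str]    # AKID authorityCertIssuer
    akid_serial: Optional[int]    # AKID authorityCertSerialNumber
    signature: bytes

    @property
    def skid(self) -> bytes:
        return key_id(self.key)


def make_cert(subject, key, serial, issuer, issuer_key, akid_issuer=None, akid_serial=None):
    """Issue a cert whose AKID carries the issuer's key id and, optionally, the
    issuer-name/serial pair of the particular CA certificate meant to be used."""
    return Cert(subject, issuer, serial, key, key_id(issuer_key), akid_issuer,
                akid_serial, sign(issuer_key, tbs(subject, issuer, serial, key)))


def signed_by(cert: Cert, ca: Cert) -> bool:
    """Name chaining plus stand-in signature verification with the CA's key."""
    expected = sign(ca.key, tbs(cert.subject, cert.issuer, cert.serial, cert.key))
    return cert.issuer == ca.subject and hmac.compare_digest(expected, cert.signature)


def akid_matches(cert: Cert, ca: Cert) -> bool:
    """Every AKID field present must equal the CA cert's SKID / issuer / serial;
    JDK 7 applied this as a hard filter (JDK-6852744)."""
    return ((cert.akid_key_id is None or cert.akid_key_id == ca.skid)
            and (cert.akid_issuer is None or cert.akid_issuer == ca.issuer)
            and (cert.akid_serial is None or cert.akid_serial == ca.serial))


def rank_candidates(cert: Cert, store: List[Cert]) -> List[Cert]:
    """Possible issuers of cert, best AKID agreement first: full match, then a bare
    key-identifier match, then the rest (assumed ordering; nothing is eliminated)."""
    def rank(ca: Cert) -> int:
        if akid_matches(cert, ca):
            return 0
        return 1 if cert.akid_key_id == ca.skid else 2
    return sorted((c for c in store if c.subject == cert.issuer), key=rank)


def build_path(target: Cert, store: List[Cert], anchors: List[Cert],
               require_akid_match: bool) -> Optional[List[Cert]]:
    """Depth-first forward path building from target up to a trust anchor."""
    def extend(path: List[Cert]) -> Optional[List[Cert]]:
        head = path[-1]
        for anchor in anchors:
            if signed_by(head, anchor):
                return path + [anchor]
        candidates = [c for c in rank_candidates(head, store) if c not in path]
        if require_akid_match:  # JDK 7 behaviour: a mismatching AKID eliminates the CA
            candidates = [c for c in candidates if akid_matches(head, c)]
        for ca in candidates:   # fixed behaviour: mismatches are merely tried later
            if signed_by(head, ca):
                found = extend(path + [ca])
                if found:
                    return found
        return None
    return extend([target])


# Constructed PKI: "CN=Root CA" is self-signed (serial 1) and also cross-certified by
# "CN=Other Root" (serial 7); an older Root CA key was cross-certified too (serial 9).
K_ROOT, K_OLD, K_OTHER = b"root-ca-key-2", b"root-ca-key-1", b"other-root-key"
ROOT = make_cert("CN=Root CA", K_ROOT, 1, "CN=Root CA", K_ROOT, "CN=Root CA", 1)
OTHER = make_cert("CN=Other Root", K_OTHER, 1, "CN=Other Root", K_OTHER)
CROSS = make_cert("CN=Root CA", K_ROOT, 7, "CN=Other Root", K_OTHER, "CN=Other Root", 1)
CROSS_OLD = make_cert("CN=Root CA", K_OLD, 9, "CN=Other Root", K_OTHER, "CN=Other Root", 1)
# The end-entity AKID names the self-signed ROOT cert (issuer CN=Root CA, serial 1),
# so its serial never matches CROSS even though CROSS carries the very same key.
EE = make_cert("CN=server.example", b"server-key", 4711, "CN=Root CA", K_ROOT, "CN=Root CA", 1)

if __name__ == "__main__":
    store, anchors = [CROSS_OLD, CROSS], [OTHER]   # only Other Root is trusted
    print("strict:", build_path(EE, store, anchors, require_akid_match=True))
    print("hinted:", [c.subject for c in build_path(EE, store, anchors, False)])
```

With only "CN=Other Root" trusted, the strict builder returns no path because the only usable issuer certificate (CROSS) fails the serial-number comparison, which is the SunCertPathBuilderException from the description; the hinted builder still tries CROSS, just after any full AKID match, and returns EE, CROSS, Other Root. When ROOT itself is trusted, both modes find EE, ROOT first, so the hint keeps the fast path of the JDK 7 check without its rejection.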
            hgupdate HG Updates added a comment -
            URL: http://hg.openjdk.java.net/jdk9/dev/jdk/rev/c8e7b9c8b2fd
            User: mullan
            Date: 2015-11-13 12:23:00 +0000
            hgupdate HG Updates added a comment -
            URL: http://hg.openjdk.java.net/jdk9/jdk9/jdk/rev/c8e7b9c8b2fd
            User: lana
            Date: 2015-11-25 21:18:22 +0000

              People

              • Assignee: mullan Sean Mullan
              • Reporter: webbuggrp Webbug Group
              • Votes: 0
              • Watchers: 5
