JDK-8176350

Usage constraints don't take effect when using PKIX

    Details

    • Subcomponent:
    • Resolved In Build: b161
    • Verification: Not verified


        Description

        1. Import the SHA1 certificate below into TEST_JDK/lib/security/cacerts as a trusted JDK CA, with an alias like "testca [jdk]".

        2. The attached JSSECertPathCheck.java is an SSL test that depends on SSLSocketTemplate.
        It contains a SHA1 end-entity certificate, which is issued by the above SHA1 CA, and uses the constraint "SHA1 jdkCA & usage TLSServer" for jdk.certpath.disabledAlgorithms.
        The test should fail on C/S communication, but it doesn't.

        Attachments

        1. client.log (7 kB, John Jiang)
        2. JSSECertPathCheck.java (5 kB, John Jiang)
        3. server.log (0.8 kB, John Jiang)
        4. SSLClient.java (1 kB, John Jiang)
        5. SSLServer.java (2 kB, John Jiang)
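
The constraint quoted in the description, "SHA1 jdkCA & usage TLSServer", joins two conditions with "&", and the algorithm is meant to be rejected only when both hold. As an added illustration (not code from the JDK or from the attached tests), the simplified model below parses that entry and evaluates it against a few validation contexts; the `Context` and `Entry` types are hypothetical and only the `jdkCA` and `usage` constraints are modelled.

```java
import java.util.*;

// Added illustration: simplified model of one jdk.certpath.disabledAlgorithms
// entry. This is not the JDK's implementation.
public class UsageConstraintModel {

    // Facts about one validation (hypothetical type for this model).
    record Context(String digest, boolean anchorIsJdkCa, String usage) {}

    // Parsed entry: algorithm name plus its '&'-joined constraints.
    record Entry(String algorithm, boolean jdkCa, Set<String> usages) {

        static Entry parse(String text) {
            String[] parts = text.trim().split("\\s*&\\s*");
            String[] head = parts[0].split("\\s+", 2); // name + first constraint
            List<String> constraints = new ArrayList<>();
            if (head.length == 2) constraints.add(head[1]);
            constraints.addAll(Arrays.asList(parts).subList(1, parts.length));
            boolean jdkCa = false;
            Set<String> usages = new HashSet<>();
            for (String c : constraints) {
                String[] tok = c.trim().split("\\s+");
                if (tok[0].equals("jdkCA")) {
                    jdkCa = true;
                } else if (tok[0].equals("usage")) {
                    usages.addAll(Arrays.asList(tok).subList(1, tok.length));
                } else {
                    throw new IllegalArgumentException("not modelled: " + c);
                }
            }
            return new Entry(head[0], jdkCa, usages);
        }

        // Reject only when the algorithm matches and every constraint holds.
        boolean rejects(Context ctx) {
            return algorithm.equalsIgnoreCase(ctx.digest())
                && (!jdkCa || ctx.anchorIsJdkCa())
                && (usages.isEmpty() || usages.contains(ctx.usage()));
        }
    }

    public static void main(String[] args) {
        Entry e = Entry.parse("SHA1 jdkCA & usage TLSServer");
        // First context is the reported case: SHA1, "[jdk]" anchor, server auth.
        System.out.println("report case:    " + e.rejects(new Context("SHA1", true, "TLSServer")));
        System.out.println("non-JDK anchor: " + e.rejects(new Context("SHA1", false, "TLSServer")));
        System.out.println("signed JAR use: " + e.rejects(new Context("SHA1", true, "SignedJAR")));
        System.out.println("SHA256 chain:   " + e.rejects(new Context("SHA256", true, "TLSServer")));
    }
}
```

Only the first context, the one the report sets up, satisfies every condition; the reported behaviour is that the PKIX validation accepted it anyway.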

            Activity

            jjiang John Jiang added a comment - - edited
            Just uploaded SSLServer.java and SSLClient.java for further investigation. Both classes need JSSECertPathCheck.java to create the SSL context.

            After importing the SHA1 cert in the description of this issue into cacerts, run SSLServer and SSLClient in sequence.
            The validation still doesn't fail even though dev's patch [1] is applied.

            [1] http://cr.openjdk.java.net/~ascarpino/8176350/webrev/
            hgupdate HG Updates added a comment -
            URL: http://hg.openjdk.java.net/jdk9/dev/jdk/rev/95c66fb5c294
            User: ascarpino
            Date: 2017-03-11 05:07:02 +0000
            hgupdate HG Updates added a comment -
            URL: http://hg.openjdk.java.net/jdk9/jdk9/jdk/rev/95c66fb5c294
            User: lana
            Date: 2017-03-15 14:49:32 +0000

              People

              • Assignee:
                ascarpino Anthony Scarpino
                Reporter:
                jjiang John Jiang
              • Votes:
                0
                Watchers:
                7
