Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8176350

Usage constraints don't take effect when using PKIX

    Details

    • Subcomponent:
    • Resolved In Build:
      b161
    • Verification:
      Not verified

      Backports

        Description

        1. Imports the below SHA1 certificate into TEST_JDK/lib/security/cacerts as a trusted JDK CA with alias like "testca [jdk]"
        -----BEGIN CERTIFICATE-----
        MIICWzCCAcQCCQCtPczRiCRiFjANBgkqhkiG9w0BAQUFADByMQswCQYDVQQGEwJV
        TjETMBEGA1UECAwKU29tZSBTdGF0ZTEVMBMGA1UEBwwMVW5rbm93biBDaXR5MREw
        DwYDVQQKDAhUZXN0IE9yZzESMBAGA1UECwwJVGVzdCBVbml0MRAwDgYDVQQDDAdU
        ZXN0IENBMB4XDTE3MDIyODAyNTIwN1oXDTE3MDMzMDAyNTIwN1owcjELMAkGA1UE
        BhMCVU4xEzARBgNVBAgMClNvbWUgU3RhdGUxFTATBgNVBAcMDFVua25vd24gQ2l0
        eTERMA8GA1UECgwIVGVzdCBPcmcxEjAQBgNVBAsMCVRlc3QgVW5pdDEQMA4GA1UE
        AwwHVGVzdCBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArtAsOS/uNlIP
        TGGT3if2yM00BMkjdiMUUpIH4BqzryFz8y5Q4V0x7E5NeLjwMlHcGpvHOyqMadi1
        FoWT5nvJzeBvvwQwL4JwN1LLpqZyITmIRh8Ps7mfGbUX87phKig16Qc4o9jlH5y5
        +i2lGJWx3ByENo3dFaHcTvXS0vrPZCUCAwEAATANBgkqhkiG9w0BAQUFAAOBgQB3
        Ij4727A9yZQKF5S8YRTSiA1+8G7lFm+BQu9uBJw5cm/+TL2UsJPn96Asy8EUfD9k
        SI685uGxRg90CAf5DYZ2gZe4LAP79KFmPlJKjbaVl8QuaFUmur9x5cR6aLCRBBLH
        5UW4OxLmPBJGk0FwpVf9fXJooh7W4wt4cJW1SlNrZQ==
        -----END CERTIFICATE-----

        2. The attached JSSECertPathCheck.java is a SSL test which depends on SSLSocketTemplate.
        It contains a SHA1 end entity certificate, which is issued by the above SHA1 CA, and uses constraint "SHA1 jdkCA & usage TLSServer" for jdk.certpath.disabledAlgorithms.
        The test should fail on C/S communication, but it doesn't.

          Attachments

          1. client.log
            7 kB
          2. JSSECertPathCheck.java
            5 kB
          3. server.log
            0.8 kB
          4. SSLClient.java
            1 kB
          5. SSLServer.java
            2 kB

            Issue Links

              Activity

                People

                • Assignee:
                  ascarpino Anthony Scarpino
                  Reporter:
                  jjiang John Jiang
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  7 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: