Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8255731

End entity cert extensions are not checked when that cert is trusted

    XMLWordPrintable

    Details

      Description

      A DESCRIPTION OF THE PROBLEM :
      when I connect to a TLS server presenting a self-signed certificate, and the certificate is a trust anchor, TLS connection succeeds even if the certificate declares extensions that do not allow it to be used as a TLS server certificate.

      The code responsible for this behavior can be found here:
      http://hg.openjdk.java.net/jdk/jdk/file/ee1d592a9f53/src/java.base/share/classes/sun/security/validator/Validator.java#l267
      The code wasn't changed since the initial import; I couldn't find any arguments explaining why it was implemented that way, so I'm filing this issue to evaluate if it still makes sense.

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      - Create a self-signed certificate with key usage that does not allow it to be used during key exchange
      - Start a server with that certificate
      - Connect to that server.

      Example command that creates a self-signed certificate that cannot be used for handshaking:
      keytool -genkeypair -alias ec -keyalg EC -keysize 256 -sigalg SHA256withECDSA -validity 365 -dname "CN=localhost,OU=Unknown,O=Unknown,L=Unknown,S=Unknown,C=Unknown" -storetype JKS -keystore ectest.jks -storepass 123456 -ext KeyUsage:c=keyCertSign

      Example code to set up a server and connect to it:
      https://gist.github.com/djelinski/b4543a3eb7ea66306044c08b41bba00f

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      TLS handshake should fail
      ACTUAL -
      TLS handshake succeeds

      FREQUENCY : always


        Attachments

          Activity

            People

            Assignee:
            hchao Haimay Chao
            Reporter:
            webbuggrp Webbug Group
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Dates

              Created:
              Updated: