ws-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Colm O hEigeartaigh (Closed) (JIRA)" <>
Subject [jira] [Closed] (WSS-97) Merlin passes invalid OID to getExtensionValue
Date Mon, 03 Oct 2011 09:04:40 GMT


Colm O hEigeartaigh closed WSS-97.

> Merlin passes invalid OID to getExtensionValue
> ----------------------------------------------
>                 Key: WSS-97
>                 URL:
>             Project: WSS4J
>          Issue Type: Bug
>            Reporter: Patrick J Kobly
>            Assignee: Fred Dushin
>             Fix For: 1.5.4
>         Attachments: WSS-97.patch
> From
>     public boolean validateCertPath(X509Certificate[] certs)
> ...
>             while (cacertsAliases.hasMoreElements()) {
>                 String alias = (String) cacertsAliases.nextElement();
>                 X509Certificate cert = (X509Certificate) this.cacerts
>                         .getCertificate(alias);
>                 TrustAnchor anchor = new TrustAnchor(cert, cert
>                         .getExtensionValue("NameConstraints"));
>                 set.add(anchor);
>             }
>             // Add certificates from the keystore
>             Enumeration aliases = this.keystore.aliases();
>             while (aliases.hasMoreElements()) {
>                 String alias = (String) aliases.nextElement();
>                 X509Certificate cert = (X509Certificate) this.keystore
>                         .getCertificate(alias);
>                 TrustAnchor anchor = new TrustAnchor(cert, cert
>                         .getExtensionValue("NameConstraints"));
>                 set.add(anchor);
>             }
> From J2SE API docs:
> getExtensionValue(String oid) expects its parameter to be an OID (in this case, "").
 It appears that the default JCE provider simply returns null (indicating extension not present).
 However, this behaviour is not always the case.  Notably, the Bouncy Castle JCE provider
will throw the (unchecked) exception IllegalArgumentException if the argument does not appear
to be an OID.  This will cause cert path validation to fail with an exception on any JVM configured
to use such a JCE provider (whether or not name constraints are used on any certs in the chain
to be validated).
> In addition, when used with a JCE that does not exhibit this behaviour, the code will
identify some invalid cert paths as valid.  i.e. if a cert in the path has a naming constraint
and is used to sign a cert which the name constraints would disallow, the path will still
be seen as valid.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:!default.jspa
For more information on JIRA, see:


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message