Name: krC82822 Date: 02/09/2001


9 Feb 2001, eval1127@eng -- there are several bugs this
could be a duplicate of, but am filing a new one for reference
(see Comments section)
-----------
java version "1.2.2"
Classic VM (build JDK-1.2.2-001, native threads, symcjit)

The JSSE1.0.2 implementation is not able to use a CA certificate created by
iPlanet/Netscape Certificate Management System (CMS). I think the problem is
that there is only an implementation for V1 certificates (with no extensions),
and the certificate that I have is a CA's V3 certificate with extensions. It is
necessary to create my own TrustManager from a KeyStore that contains my CA's
root certificate (that was generated by the Netscape CMS), but I am unable to
create a X509 Certificate object from the certificate file. I get the error
"unsupported encoding" from this code:

   InputStream inStream = new FileInputStream(caCertsFilename);
   java.security.cert.CertificateFactory cf =
       java.security.cert.CertificateFactory.getInstance("X.509");
   java.security.cert.X509Certificate serverCACertProd =
     (java.security.cert.X509Certificate)cf.generateCertificate(inStream);
   inStream.close();

Where caCertsFilename is the filename of the CA certificate that signed the web
server certificate that I want to trust (in the correct base-64 format).

Again, I think this error is caused by the fact there there is no Implementation
for the V3 X509 Certificate (I could only find the class that implements V1,
X509V1CertImpl.class). The CA certificate that was created by the Netscape CMS
has 4 X509V3 extensions: Netscape Cert Type, X509V3 Basic Constraints, X509v3
Authority Key identifier, and Subject Key Identifier. I'm guessing that the X509
class is choking on these extensions instead of just ignoring them.

Please let me know if this is the problem and when a V3 X509 Cert implementation
will be available.
(Review ID: 111101)
======================================================================