Bug
Resolution: Fixed
P3
1.4.0
None
beta2
generic
generic

sun.security.x509.NameConstraintsExtension.verify(X509Certificate) does not check whether any of the GeneralSubtree objects in the permitted or excluded subtrees contain a minimum or maximum field. RFC 2459 requires that these fields not be employed, but CAs that are X.509-compliant and not PKIX-compliant may include them.
Currently, our code simply ignores these fields. This could cause us to validate a certification path that is not valid (because an early certificate includes a minimum or maximum field and a subsequent certificate includes a name that does not conform to those constraints). I believe that these fields are not widely used, so this is probably not likely to happen. But we should still handle it properly.
The simplest thing for us to do is to have NameConstraintsExtension.verify(X509Certificate) throw an exception if one of these fields is encountered. This is acceptable for a PKIX-compliant validator.
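
The check proposed in this report, as an added example (not the JDK's own code): it walks the DER encoding of a NameConstraints value and throws as soon as any GeneralSubtree carries a field after its base name. The class and method names are hypothetical, the sample bytes are constructed, and the input is assumed to be the NameConstraints SEQUENCE itself, i.e. the contents of the OCTET STRING returned by X509Certificate.getExtensionValue("2.5.29.30").

```java
import java.security.cert.CertificateException;

public class SubtreeBoundsCheck {
    // Reads the DER TLV at off; returns {tag, contentStart, contentEnd}.
    static int[] tlv(byte[] d, int off, int limit) throws CertificateException {
        if (off + 2 > limit) throw new CertificateException("truncated DER");
        int tag = d[off] & 0xff, len = d[off + 1] & 0xff, p = off + 2;
        if (len >= 0x80) {                        // long-form length
            int n = len & 0x7f;
            if (n == 0 || n > 3 || p + n > limit) throw new CertificateException("bad DER length");
            for (len = 0; n > 0; n--) len = (len << 8) | (d[p++] & 0xff);
        }
        if (len > limit - p) throw new CertificateException("DER length overruns buffer");
        return new int[] { tag, p, p + len };
    }

    // nc: DER NameConstraints value. Any minimum, even an explicitly
    // encoded 0, and any maximum is rejected.
    static void rejectBounds(byte[] nc) throws CertificateException {
        int[] seq = tlv(nc, 0, nc.length);
        if (seq[0] != 0x30) throw new CertificateException("NameConstraints is not a SEQUENCE");
        for (int p = seq[1]; p < seq[2]; ) {
            int[] trees = tlv(nc, p, seq[2]);     // [0] permitted (0xA0) or [1] excluded (0xA1)
            if (trees[0] != 0xA0 && trees[0] != 0xA1) throw new CertificateException("unexpected subtrees tag");
            for (int q = trees[1]; q < trees[2]; ) {
                int[] subtree = tlv(nc, q, trees[2]);
                if (subtree[0] != 0x30) throw new CertificateException("GeneralSubtree is not a SEQUENCE");
                // base is found by position, not by tag: an rfc822Name base is also [1] (0x81)
                int[] base = tlv(nc, subtree[1], subtree[2]);
                if (base[2] != subtree[2]) {      // something follows base
                    int t = tlv(nc, base[2], subtree[2])[0];
                    throw new CertificateException("GeneralSubtree has unsupported "
                        + (t == 0x80 ? "minimum" : t == 0x81 ? "maximum" : "trailing") + " field");
                }
                q = subtree[2];
            }
            p = trees[2];
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: permitted dNSName "a.com", without and with maximum = 1.
        byte[] plain = {0x30, 0x0B, (byte) 0xA0, 0x09, 0x30, 0x07, (byte) 0x82, 0x05, 'a', '.', 'c', 'o', 'm'};
        byte[] withMax = {0x30, 0x0E, (byte) 0xA0, 0x0C, 0x30, 0x0A, (byte) 0x82, 0x05, 'a', '.', 'c', 'o', 'm', (byte) 0x81, 0x01, 0x01};
        rejectBounds(plain);
        System.out.println("plain: accepted");
        try { rejectBounds(withMax); System.out.println("withMax: accepted"); }
        catch (CertificateException e) { System.out.println("withMax: " + e.getMessage()); }
    }
}
```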