- Bug
- Resolution: Duplicate
- P3
- None
- 1.4.0
- generic
- generic
Name: krC82822 Date: 06/26/2001
26 June 2001, eval1127@eng -- this may already have been fixed under
# 4330029 (for merlin-beta2?).
--------------
java version "1.3.1"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.3.1-b24)
Java HotSpot(TM) Client VM (build 1.3.1-b24, mixed mode)
The JSSE provided with JDK 1.4 beta has the exact same behaviour:
java version "1.4.0-beta"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.0-beta-b65)
Java HotSpot(TM) Client VM (build 1.4.0-beta-b65, mixed mode)
JDC Forum Thread:
http://204.160.241.35/thread.jsp?forum=2&thread=140766
Sun's JSSE implementation doesn't recognize OID.2.5.4.5 elements (serialNumber)
in the Subject field of X.509 V3 Qualified Certificates.
The JSSE implementation provided with JDK 1.4 beta has the exact same
behaviour.
Here is an excerpt of RFC 3039 (Internet X.509 Public Key Infrastructure
Qualified Certificates Profile, http://www.ietf.org/rfc/rfc3039.txt):
"3.1.2 Subject
The subject field of a certificate compliant with this profile SHALL
contain a distinguished name of the subject (see 2.4 for definition
of distinguished name).
The subject field SHALL contain an appropriate subset of the
following attributes:
[...]
serialNumber;
[...]."
How to reproduce:
- Register Sun's HTTPS protocol handler with the JVM.
- Register Sun's JCE security provider with the JVM.
- Instantiate a new URL to a site using such a certificate
(i.e. https://www.certinomis.com).
- Open the connection to this URL
- Get the input stream from this connection
- An I/O exception is thrown.
Expected behaviour:
SunJSSE should ignore this serialNumber element as do Netscape Navigator 4.7
& 6.0 and Microsoft Internet Explorer browsers.
Java code (file JDCBugParade.java):
    public class JDCBugParade {
        public static void main(String args[]) {
            try {
                // Register Sun's HTTPS protocol handler with the JVM.
                System.setProperty(
                    "java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
                // Register the SunJSSE security provider.
                java.security.Provider provider = (java.security.Provider)
                    Class.forName("com.sun.net.ssl.internal.ssl.Provider").newInstance();
                java.security.Security.addProvider(provider);
                // The server certificate's subject contains OID.2.5.4.5 (serialNumber).
                java.net.URL url = new java.net.URL("https://www.certinomis.com");
                java.net.URLConnection con = url.openConnection();
                // The IOException is thrown from this call.
                con.getInputStream();
            } catch (Exception e) {
                e.printStackTrace(System.out);
            }
        }
    }
Exception stack trace:
java.io.IOException: unsupported keyword OID.2.5.4.5
at com.sun.net.ssl.internal.ssl.AVA.<init>([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.RDN.<init>([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.X500Name.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.ssl.X500Name.<init>([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.connect([DashoPro-V1.2-120198])
at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.getInputStream([DashoPro-V1.2-120198])
at JDCBugParade.main(JDCBugParade.java:13)
Runtime output:
C:\java\jdk1.3.1\bin\javaw -classpath
C:\Development\classes;
C:\java\jsse1.0.2\lib\jsse.jar;C:\java\jsse1.0.2\lib\jnet.jar;
C:\java\jsse1.0.2\lib\jcert.jar;C:\java\jdk1.3.1\jre\lib\i18n.jar;
C:\java\jdk1.3.1\jre\lib\jaws.jar;C:\java\jdk1.3.1\jre\lib\rt.jar;
C:\java\jdk1.3.1\jre\lib\sunrsasign.jar;C:\java\jdk1.3.1\lib\dt.jar;
C:\java\jdk1.3.1\lib\tools.jar
-Djavax.net.debug=all JDCBugParade
keyStore is :
keyStore type is : jks
init keystore
init keymanager of type SunX509
trustStore is: C:\java\jdk1.3.1\jre\lib\security\jssecacerts
trustStore type is : jks
init truststore
adding as trusted cert: [
[
Version: V3
Subject: CN=CertiNomis, OU=AC Racine - Root CA, O=CertiNomis, C=FR
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: com.sun.rsajca.JSA_RSAPublicKey@19681b
Validity: [From: Thu Nov 09 01:00:00 CET 2000,
To: Fri Nov 09 01:00:00 CET 2012]
Issuer: CN=CertiNomis, OU=AC Racine - Root CA, O=CertiNomis, C=FR
SerialNumber: [ 30303030 39373337 35373338 36303030 ]
Certificate Extensions: 3
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: [...]
]
]
[2]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
]
Algorithm: [SHA1withRSA]
Signature:
0000: [...]
]
adding as trusted cert: [
[
Version: V3
Subject: CN=CertiNomis Classe 2, O=CertiNomis, C=FR
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: com.sun.rsajca.JSA_RSAPublicKey@bc49d
Validity: [From: Wed Nov 29 01:00:00 CET 2000,
To: Mon Nov 29 01:00:00 CET 2004]
Issuer: CN=CertiNomis, OU=AC Racine - Root CA, O=CertiNomis, C=FR
SerialNumber: [ 30303030 39373534 38383434 39303030 ]
Certificate Extensions: 6
[1]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
SSL CA
S/MIME CA
Object Signing CA]
[2]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: [...]
]
]
[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: [...]
]
]
[4]: ObjectId: 2.5.29.31 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: [...]
[5]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
[6]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
]
Algorithm: [SHA1withRSA]
Signature:
0000: [...]
]
init context
trigger seeding of SecureRandom
done seeding SecureRandom
%% No cached client session
*** ClientHello, v3.1
RandomCookie: GMT: 993394508 bytes = { 24, 22, 81, 16, 235, 187, 118, 86, 45,
138, 98, 195,
155, 110, 203, 166, 77, 227, 57, 128, 191, 247, 109, 154, 243, 212, 78, 25 }
Session ID: {}
Cipher Suites: { 0, 5, 0, 4, 0, 9, 0, 10, 0, 18, 0, 19, 0, 3, 0, 17 }
Compression Methods: { 0 }
***
[write] MD5 and SHA1 hashes: len = 59
0000: [...]
AWT-EventQueue-0, WRITE: SSL v3.1 Handshake, length = 59
[write] MD5 and SHA1 hashes: len = 77
0000: [...]
AWT-EventQueue-0, WRITE: SSL v2, contentType = 22, translated length = 16310
AWT-EventQueue-0, READ: SSL v3.1 Handshake, length = 74
*** ServerHello, v3.1
RandomCookie: GMT: 993394166 bytes = { 7, 124, 93, 170, 159, 46, 253, 150, 76,
123, 239,
155, 27, 14, 132, 20, 203, 83, 219, 221, 217, 201, 21, 212, 79, 18, 122, 73 }
Session ID: {179, 250, 40, 17, 25, 73, 235, 228, 229, 141, 93, 207, 137, 204,
71, 144, 235,
210, 99, 135, 15, 169, 170, 141, 156, 3, 58, 135, 178, 196, 112, 222}
Cipher Suite: { 0, 5 }
Compression Method: 0
***
%% Created: [Session-1, SSL_RSA_WITH_RC4_128_SHA]
** SSL_RSA_WITH_RC4_128_SHA
[read] MD5 and SHA1 hashes: len = 74
0000: [...]
AWT-EventQueue-0, READ: SSL v3.1 Handshake, length = 1088
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: OID.2.5.4.5=10052821, OU=Certificat Mercatis,
EmailAddress=###@###.###, CN=xxxxxx.xxxxxxxx.com, OU=FC,
O=XXXXXXXXX-XXXXXXXXX, L=Paris, ST=Paris, C=FR
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: com.sun.rsajca.JSA_RSAPublicKey@4a0115
Validity: [From: Fri Mar 23 11:54:32 CET 2001,
To: Sun Mar 24 11:54:32 CET 2002]
Issuer: CN=CertiNomis Classe 2, O=CertiNomis, C=FR
SerialNumber: [ 39383533 34313237 32353633 ]
Certificate Extensions: 8
[1]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
SSL server
S/MIME
Object Signing
]
[2]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: [...]
]
]
[3]: ObjectId: 2.5.29.32 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: [...]
[4]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: [...]
]
]
[5]: ObjectId: 2.5.29.31 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: [...]
[6]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
[RFC822Name: ###@###.###]
[7]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Non_repudiation
Key_Encipherment
Data_Encipherment
]
[8]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]
]
Algorithm: [SHA1withRSA]
Signature:
0000: [...]
]
***
add missing root cert: [
[
Version: V3
Subject: CN=CertiNomis Classe 2, O=CertiNomis, C=FR
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: com.sun.rsajca.JSA_RSAPublicKey@bc49d
Validity: [From: Wed Nov 29 01:00:00 CET 2000,
To: Mon Nov 29 01:00:00 CET 2004]
Issuer: CN=CertiNomis, OU=AC Racine - Root CA, O=CertiNomis, C=FR
SerialNumber: [ 30303030 39373534 38383434 39303030 ]
Certificate Extensions: 6
[1]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
SSL CA
S/MIME CA
Object Signing CA]
[2]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: [...]
]
]
[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: [...]
]
]
[4]: ObjectId: 2.5.29.31 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: [...]
[5]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
[6]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
]
Algorithm: [SHA1withRSA]
Signature:
0000: [...]
]
stop on trusted cert: [
[
Version: V3
Subject: CN=CertiNomis Classe 2, O=CertiNomis, C=FR
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: com.sun.rsajca.JSA_RSAPublicKey@bc49d
Validity: [From: Wed Nov 29 01:00:00 CET 2000,
To: Mon Nov 29 01:00:00 CET 2004]
Issuer: CN=CertiNomis, OU=AC Racine - Root CA, O=CertiNomis, C=FR
SerialNumber: [ 30303030 39373534 38383434 39303030 ]
Certificate Extensions: 6
[1]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
SSL CA
S/MIME CA
Object Signing CA]
[2]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: [...]
]
]
[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: [...]
]
]
[4]: ObjectId: 2.5.29.31 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: [...]
[5]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
[6]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
]
Algorithm: [SHA1withRSA]
Signature:
0000: [...]
]
[read] MD5 and SHA1 hashes: len = 1088
0000: [...]
AWT-EventQueue-0, READ: SSL v3.1 Handshake, length = 4
*** ServerHelloDone
[read] MD5 and SHA1 hashes: len = 4
0000: [...]
*** ClientKeyExchange, RSA PreMasterSecret, v3.1
Random Secret: { 3, 1, 94, 206, 199, 220, 80, 40, 86, 42, 59, 54, 23, 92, 139,
128, 16, 86, 141, 241, 78, 190, 245, 233, 179, 240, 248, 239, 144, 179, 120,
41, 52, 117, 74, 230, 249, 185, 175, 141, 182, 0, 207, 81, 217, 66, 216, 69 }
[write] MD5 and SHA1 hashes: len = 134
0000: [...]
AWT-EventQueue-0, WRITE: SSL v3.1 Handshake, length = 134
SESSION KEYGEN:
PreMaster Secret:
0000: [...]
CONNECTION KEYGEN:
Client Nonce:
0000: [...]
Server Nonce:
0000: [...]
Master Secret:
0000: [...]
Client MAC write Secret:
0000: [...]
Server MAC write Secret:
0000: [...]
Client write key:
0000: [...]
Server write key:
0000: [...]
... no IV for cipher
AWT-EventQueue-0, WRITE: SSL v3.1 Change Cipher Spec, length = 1
*** Finished, v3.1
verify_data: { 48, 119, 230, 86, 67, 207, 57, 59, 18, 222, 4, 107 }
***
[write] MD5 and SHA1 hashes: len = 16
0000: [...]
Plaintext before ENCRYPTION: len = 36
0000: [...]
AWT-EventQueue-0, WRITE: SSL v3.1 Handshake, length = 36
AWT-EventQueue-0, READ: SSL v3.1 Change Cipher Spec, length = 1
AWT-EventQueue-0, READ: SSL v3.1 Handshake, length = 36
Plaintext after DECRYPTION: len = 36
0000: [...]
*** Finished, v3.1
verify_data: { 238, 82, 186, 214, 115, 130, 241, 249, 113, 52, 93, 58 }
***
%% Cached client session: [Session-1, SSL_RSA_WITH_RC4_128_SHA]
[read] MD5 and SHA1 hashes: len = 16
0000: [...]
Finalizer, SEND SSL v3.1 ALERT: warning, description = close_notify
Plaintext before ENCRYPTION: len = 22
0000: [...]
Finalizer, WRITE: SSL v3.1 Alert, length = 22
(Review ID: 127413)
======================================================================
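Added example (not part of the original report and not Sun's code): the same serialNumber attribute can reach a DN parser under three spellings, and code that compares or authorizes on subject names should confirm they all parse to one name. The sketch below uses the public javax.security.auth.x500.X500Principal API on a current JDK; the DN is constructed, modelled on the chain[0] subject in the log above, and the class and constant names are illustrative.

```java
import java.util.Map;
import javax.security.auth.x500.X500Principal;

public class SerialNumberDn {
    // 2.5.4.5 is the X.520 serialNumber attribute listed in RFC 3039 section 3.1.2.
    static final String SERIAL_OID = "2.5.4.5";

    // Constructed DN tail modelled on the chain[0] subject in the log above;
    // host and organisation are placeholders, the e-mail attribute is omitted.
    static final String REST =
        ", OU=Certificat Mercatis, CN=host.example.com, O=Example, L=Paris, ST=Paris, C=FR";

    // The same attribute written three ways: RFC 1779 "OID." prefix (as in the
    // stack trace), bare dotted OID (RFC 2253), and the RFC 5280 keyword.
    static final String[] SPELLINGS = {
        "OID." + SERIAL_OID + "=10052821" + REST,
        SERIAL_OID + "=10052821" + REST,
        "SERIALNUMBER=10052821" + REST,
    };

    // Returns true only if every spelling parses and all parse to the same name.
    static boolean allEquivalent(String[] dns) {
        X500Principal first = null;
        for (String dn : dns) {
            X500Principal p;
            try {
                p = new X500Principal(dn);
            } catch (IllegalArgumentException e) {
                // X500Principal reports an unparseable name this way, not as an IOException.
                System.out.println("rejected: " + dn + " (" + e.getMessage() + ")");
                return false;
            }
            if (first == null) first = p;
            else if (!first.equals(p)) return false;
        }
        return first != null;
    }

    public static void main(String[] args) {
        System.out.println("equivalent: " + allEquivalent(SPELLINGS));
        X500Principal p = new X500Principal(SPELLINGS[0]);
        // RFC 2253 defines no keyword for 2.5.4.5; an OID map supplies one for display.
        System.out.println(p.getName(X500Principal.RFC2253));
        System.out.println(p.getName(X500Principal.RFC2253, Map.of(SERIAL_OID, "SERIALNUMBER")));
        // RFC 1779 output writes attribute types without a keyword as "OID.<dotted>".
        System.out.println(p.getName(X500Principal.RFC1779));
    }
}
```

Comparing X500Principal objects with equals(), rather than comparing the printed strings, keeps the check independent of which spelling a given tool or JDK version emits.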
- duplicates
  - JDK-4330029 jsse doesn't recognise OID. keywords
  - Resolved