JDK-4531698

PKIX CertPathBuilder shouldn't require subject DN of targetConstraints to be set


    • Type: Enhancement
    • Resolution: Fixed
    • Priority: P5
    • 1.4.2
    • 1.4.0
    • security-libs
    • mantis
    • generic
    • solaris_7
    • Verified


      ###@###.### 2001-11-27

      Sun's implementation of PKIX CertPathBuilder currently requires that the
      targetConstraints parameter of a PKIXBuilderParameters object be an
      instance of X509CertSelector and that its subject criterion be non-null. There
      is no good reason for the second condition to be required. For example,
      the target certificate can be found in a CollectionCertStore
      by setting just the issuer & serialNumber criteria. This restriction
      should be removed, and the following enhancements should be made:

      1) If a user specifies target constraints using an X509CertSelector with a non-null certificateEquals criterion, the Sun PKIX CertPathBuilder implementation should not search any specified CertStores for the target certificate, since it has it already!

        Ex:

        // The target certificate is supplied directly, so no CertStore lookup is
        // needed to locate it.
        X509CertSelector sel = new X509CertSelector();
        sel.setCertificate(targetCertificate);
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, sel);
        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
        // build() returns a CertPathBuilderResult; the path is obtained from it
        CertPath cp = builder.build(params).getCertPath();

      2) It would be nice if our LDAPCertStore.getCertificates() implementation
        were enhanced to find certificates when the specified X509CertSelector
        contains a subjectAlternativeName criterion with an RFC822 email address
        (and a null subject criterion). The implementation should search the
        directory for DN entries containing the "mail" attribute with the
        specified RFC822 email address and then return certificates in that
        entry with SubjectAltName extensions containing the specified email
        address. This would be especially useful for S/MIME applications, and
        would allow the CertPathBuilder to build a path to a target certificate
        when the subject's email address, but not the subject DN, is known. This
        is a common usage case in S/MIME when the relying party wants to send an
        encrypted email to someone but doesn't have their certificate and only
        knows their email address.

      3) The reverse builder uses the target subject name for deciding
      which certificates are most promising and ensuring that prospective CA
      certificates don't contain name constraints that would prohibit the
      desired target subject. This optimization should be done only if a
      non-null subject DN is set. (I think it is simply a matter of checking
      if selector.getSubjectAsBytes() == null in ReverseBuilder.java)
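      As an added example (not code from this bug report or from the JDK sources), the following shows the CollectionCertStore case described above, where the target is identified only by issuer and serialNumber with the subject criterion left null, together with the getSubjectAsBytes() guard proposed in item 3. The class name, method names and parameters are my own; the certificates and trust anchors are assumed to be supplied by the caller.

```java
import java.io.IOException;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.util.Collection;
import java.util.Set;
import javax.security.auth.x500.X500Principal;

public class NoSubjectDnBuild {

    /**
     * Builds and validates a PKIX path to a target certificate that is
     * identified only by its issuer DN and serial number. The subject
     * criterion of the selector is deliberately left null; the target and
     * any intermediate CA certificates are looked up in a CollectionCertStore.
     */
    public static PKIXCertPathBuilderResult buildByIssuerAndSerial(
            Set<TrustAnchor> anchors,
            Collection<X509Certificate> available,   // target + intermediate CAs
            X500Principal targetIssuer,
            BigInteger targetSerial) throws GeneralSecurityException {

        X509CertSelector target = new X509CertSelector();
        target.setIssuer(targetIssuer);
        target.setSerialNumber(targetSerial);
        // No target.setSubject(...): this is the case the enhancement covers.

        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(available)));
        // Assumption: no CRL/OCSP data is reachable in this offline example.
        params.setRevocationEnabled(false);

        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
        // The PKIX provider returns a PKIXCertPathBuilderResult, which also
        // exposes the trust anchor the path was built to.
        return (PKIXCertPathBuilderResult) builder.build(params);
    }

    /**
     * Mirrors the guard proposed for ReverseBuilder: the subject-name ranking
     * and the name-constraint pre-check of prospective CA certificates are only
     * meaningful when the caller actually specified a subject DN.
     */
    public static boolean targetSubjectKnown(X509CertSelector sel) throws IOException {
        // getSubjectAsBytes() returns null when no subject criterion is set
        return sel.getSubjectAsBytes() != null;
    }
}
```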

            Andreas Sterbenz
            Sean Mullan