JDK-4776466

CertificateFactory.generateCertificate(InputStream) accepts defective certificat


    • Bug
    • Resolution: Fixed
    • P3
    • 5.0
    • 1.4.1
    • security-libs
    • tiger
    • x86
    • windows_2000



      Name: nt126004 Date: 11/08/2002


      FULL PRODUCT VERSION :
      java version "1.4.1"
      Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.1-b21)
      Java HotSpot(TM) Client VM (build 1.4.1-b21, mixed mode)

      FULL OPERATING SYSTEM VERSION :
      Microsoft Windows 2000 [Version 5.00.2195]
      SP3, SP4
      ADDITIONAL OPERATING SYSTEMS :


      A DESCRIPTION OF THE PROBLEM :
      I am calling javax.security.cert.X509Certificate.getInstance
      (InputStream) to read X.509 Version 3 Certificate stored in
      a pem file. When I modify the first character on the second
      line of this file (right after -----BEGIN CERTIFICATE-----)
      X509Certificate.getInstance() does not detect this and
      still returns an instance of X509Certificate. However this
      instance is defective: clients fail to connect over SSL to
      the server with such identity certificate installed because
      they do not like the certificate. When I replace the
      character with the original one everything works fine.
      Certicom SSL implementation installed on my machine detects
      invalid tag in such certificate and throws an exception.

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      1. Get an X.509 Version 3 Certificate in pem format (base64
      encoded)
      2. Modify the first character on the second line.
      3. Load it with
      javax.security.cert.X509Certificate.getInstance(InputStream)
      4. Note that no exception is thrown and the method returns
      an instance of X509Certificate without noticing that the
      certificate is invalid.

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      X509Certificate.getInstance() should fail to load the
      certificate and throw an appropriate exception.

      In reality it creates an X509Certificate which is somehow
      defective because the other clients such as IExplorer
      reject it during SSL handshake.

      REPRODUCIBILITY :
      This bug can be reproduced always.

      ---------- BEGIN SOURCE ----------
      import java.io.*;
      import javax.security.cert.*;

      public class Test {
          public static void main(String[] args) throws Exception {
              // Unmodified certificate: loads as expected.
              InputStream inStream = new FileInputStream("democert.pem");
              X509Certificate cert = X509Certificate.getInstance(inStream);
              inStream.close();

              // Certificate with the first character of the second line modified.
              inStream = new FileInputStream("invalidcert.pem");
              // this should fail.
              cert = X509Certificate.getInstance(inStream);
          }
      }

      ---------- END SOURCE ----------

      CUSTOMER WORKAROUND :
      set cert.provider.x509v1 property in java.security file to
      point to some other provider implementation class that does
      not have this problem
      (Review ID: 165971)
      ======================================================================
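An added example, not part of the original report or of the JDK: changing the first base64 character of the PEM body changes the first decoded byte, which in a DER-encoded certificate is the outer SEQUENCE tag (0x30), so a caller can check the outer tag and length before handing the bytes to the provider. The class and method names (`StrictCertLoader`, `outerSequenceLength`, `load`) are hypothetical, and the code assumes Java 8 or later for `java.util.Base64`.

```java
import java.io.ByteArrayInputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;

// Hypothetical helper class; not part of the JDK or of the report above.
public class StrictCertLoader {
    // Returns the total size of the outer DER element, or throws if it is not a SEQUENCE.
    static int outerSequenceLength(byte[] der) throws CertificateException {
        if (der.length < 2 || (der[0] & 0xFF) != 0x30)
            throw new CertificateException("outer tag is not SEQUENCE (0x30)");
        int first = der[1] & 0xFF;
        if (first < 0x80) return 2 + first;              // short-form length
        int n = first & 0x7F;                            // long form: n length octets follow
        if (n == 0 || n > 3 || der.length < 2 + n)
            throw new CertificateException("unsupported or truncated DER length");
        int len = 0;
        for (int i = 0; i < n; i++) len = (len << 8) | (der[2 + i] & 0xFF);
        return 2 + n + len;
    }

    // Decodes a PEM certificate and checks the outer structure before handing it to the provider.
    static X509Certificate load(String pem) throws CertificateException {
        String body = pem.replaceAll("-----(BEGIN|END) CERTIFICATE-----", "").replaceAll("\\s", "");
        byte[] der;
        try {
            der = Base64.getDecoder().decode(body);
        } catch (IllegalArgumentException e) {
            throw new CertificateException("PEM body is not valid base64", e);
        }
        if (outerSequenceLength(der) != der.length)
            throw new CertificateException("DER length does not match the decoded data");
        return (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(der));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: DER bytes 30 03 02 01 05, a tiny SEQUENCE, not a real certificate.
        String intact = "MAMCAQU=";
        String modified = "NAMCAQU=";   // first character changed, as in the report's step 2
        System.out.println("intact: " + outerSequenceLength(Base64.getDecoder().decode(intact)));
        try {
            outerSequenceLength(Base64.getDecoder().decode(modified));
        } catch (CertificateException e) {
            System.out.println("modified: rejected, " + e.getMessage());
        }
    }
}
```

The pre-check covers only the outer tag and length; signature and chain validation still have to happen after `load` returns.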

            mullan Sean Mullan
            nthompsosunw Nathanael Thompson (Inactive)