Type: Bug
Resolution: Fixed
Priority: P4
Version: 1.4.2
Build: b08
Architecture: x86
OS: linux
Name: js151677 Date: 06/07/2004
FULL PRODUCT VERSION :
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2-p6-root_08_mar_2004_14_42)
ADDITIONAL OS VERSION INFORMATION :
It is a generic problem, not platform-specific.
A DESCRIPTION OF THE PROBLEM :
Some LDAP entries (for a Certificate Authority) have 2 revocation list attributes, "AuthorityRevocationList" and "CertificateRevocationList", and the revocation lists are accessed through java.security.cert.CertStore with the LDAP implementation.
We hope to get 2 CRLs from that LDAP entry, but CertStore.getCRLs() returns only 1 CRL.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Create a new instance of java.security.cert.CertStore for the LDAP implementation.
2. Get CRLs with the getCRLs method from an LDAP entry whose target entry has an AuthorityRevocationList attribute.
Ex) ldap://dmz-dir.gpki.go.jp/ou=BridgeCA,o=Japanese Government,c=JP
3. Check how many there are in the returned collection.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Entry "ou=BridgeCA,o=Japanese Government,c=JP" has 2 revocation list attributes,
"authorityRevocationList" and "certificateRevocationList".
CertStore.getCRLs() MUST return 2 revocation lists in this case.
ACTUAL -
CertStore.getCRLs() returns only 1 list from the LDAP server.
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
import java.security.cert.*;
import java.util.*;
import java.io.*;

class CertStoreTest1 {
    CertStoreTest1() {
        try {
            // Anonymous LDAP CertStore against the bridge-CA directory.
            LDAPCertStoreParameters lcsp =
                new LDAPCertStoreParameters("dmz-dir.gpki.go.jp", 389);
            CertStore cs = CertStore.getInstance("LDAP", lcsp);
            // Selector that traces every CRL the provider offers for matching.
            X509CRLSelector xcs = new X509CRLSelector() {
                public boolean match(CRL crl) {
                    System.out.println("CRL Object hash code is " + crl.hashCode());
                    System.out.println("BEGIN CRL: **********************************************");
                    System.out.println(crl);
                    System.out.println("END CRL: **********************************************");
                    boolean result = super.match(crl);
                    System.out.println("matching result is " + result);
                    return result;
                }
            };
            // No certificateChecking is set, so both ARL and CRL attributes should be consulted.
            xcs.addIssuerName("ou=BridgeCA,o=Japanese Government,c=JP");
            System.out.println("CRL for " + xcs.getCertificateChecking());
            Collection crls = cs.getCRLs(xcs);
            System.out.println("size: " + crls.size());
            Iterator crl = crls.iterator();
            while (crl.hasNext()) {
                System.out.println(crl.next());
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    public static void main(String[] args) {
        System.out.println("main() called.");
        CertStoreTest1 test = new CertStoreTest1();
    }
}
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
It cannot be bypassed; it needs a fix in sun/security/provider/certpath/LDAPCertStore.java.
And I have a diff:
--- ../../j2se/src/share/classes/sun/security/provider/certpath/LDAPCertStore.java.orig Thu Sep 11 10:52:07 2003
+++ ../../j2se/src/share/classes/sun/security/provider/certpath/LDAPCertStore.java Mon May 31 13:59:38 2004
@@ -759,6 +759,7 @@
}
// If all we want is CA certs, try to get the (probably shorter) ARL
Collection entryCRLs = Collections.EMPTY_LIST;
+ Collection entryARLs = Collections.EMPTY_LIST;
if (certChecking == null || certChecking.getBasicConstraints() != -1) {
LDAPRequest request = new LDAPRequest(issuerName);
request.addRequestedAttribute(CROSS_CERT);
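Review bot: the new `entryARLs` declaration leaves the comment two lines above it (`// If all we want is CA certs, try to get the (probably shorter) ARL`) describing the old flow in which the ARL result was stored in `entryCRLs`; update the comment to say that ARLs and CRLs are now collected separately so both can be returned when `certChecking` is null. Both variables start as the immutable `Collections.EMPTY_LIST`, which is only safe because the later code copies them into `crls` rather than mutating them, so that assumption is worth a comment too.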
@@ -768,8 +769,8 @@
request.addRequestedAttribute(CRL);
}
try {
- entryCRLs = getCRLs(request, ARL, xsel);
- if (entryCRLs.isEmpty()) {
+ entryARLs = getCRLs(request, ARL, xsel);
+ if (entryARLs.isEmpty()) {
// no ARLs found. We assume that means that there are
// no ARLs on this server at all and prefetch the CRLs.
prefetchCRLs = true;
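Review bot: moving the ARL result from `entryCRLs` to `entryARLs` leaves `entryCRLs` empty until the CRL lookup in the next hunk, so any code in the unshown region between `prefetchCRLs = true;` and the `// Otherwise, get the CRL` comment (including the catch block of this `try`) that still reads `entryCRLs` expecting the ARL result would now see an empty list; confirm that region references `entryARLs` wherever the ARL result is meant.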
@@ -785,11 +786,12 @@
// Otherwise, get the CRL
// if certChecking is null, we don't know if we should look in ARL or CRL
// attribute, so check both for matching CRLs.
- if (entryCRLs.isEmpty() || certChecking == null) {
+ if (entryARLs.isEmpty() || certChecking == null) {
LDAPRequest request = new LDAPRequest(issuerName);
request.addRequestedAttribute(CRL);
entryCRLs = getCRLs(request, CRL, xsel);
}
+ crls.addAll(entryARLs);
crls.addAll(entryCRLs);
}
return crls;
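Review bot: with `certChecking == null` both `crls.addAll(entryARLs);` and `crls.addAll(entryCRLs);` now run, so a directory that publishes the same list under both the ARL and CRL attributes (common for a CA that issues one combined CRL) will return that CRL twice unless `crls` is a Set, whose declaration is outside this hunk; de-duplicate before `return crls;` or document that callers may receive duplicates. The `// Otherwise, get the CRL` comment should also say that ARLs found earlier are no longer discarded when the CRL attribute is consulted.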
(Incident Review ID: 275715)
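To check whether a given JRE drops one of the two lists, the following added program (not part of the submitted report or of the JDK) reads the authorityRevocationList and certificateRevocationList attributes of a CA entry directly over JNDI and compares the distinct set with what the LDAP CertStore returns for the same issuer, as the steps above do by hand. It assumes a reachable LDAP directory, and the class name and the host/port/DN command-line arguments are this example's own choices; run it against the bridge-CA entry named in the report to compare the counts.

```java
import java.io.ByteArrayInputStream;
import java.security.cert.*;
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;

public class LdapCrlCountCheck {
    // Attribute names as published by the LDAP PKI schema; ";binary" asks for DER.
    static final String ARL_ATTR = "authorityRevocationList;binary";
    static final String CRL_ATTR = "certificateRevocationList;binary";

    // Distinct revocation lists found in either attribute of the entry (direct JNDI read).
    static Set<X509CRL> readDirect(String host, int port, String dn) throws Exception {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://" + host + ":" + port);
        DirContext ctx = new InitialDirContext(env);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Set<X509CRL> found = new HashSet<>();  // X509CRL.equals compares DER encodings
        try {
            Attributes attrs = ctx.getAttributes(dn, new String[] {ARL_ATTR, CRL_ATTR});
            for (NamingEnumeration<? extends Attribute> a = attrs.getAll(); a.hasMore();) {
                for (NamingEnumeration<?> v = a.next().getAll(); v.hasMore();) {
                    byte[] der = (byte[]) v.next();
                    found.add((X509CRL) cf.generateCRL(new ByteArrayInputStream(der)));
                }
            }
        } finally {
            ctx.close();
        }
        return found;
    }

    // The same query through CertStore with no certificateChecking set, so the
    // provider has to consult both attributes (the case the bug report exercises).
    static Collection<? extends CRL> viaCertStore(String host, int port, String dn)
            throws Exception {
        CertStore cs = CertStore.getInstance("LDAP", new LDAPCertStoreParameters(host, port));
        X509CRLSelector sel = new X509CRLSelector();
        sel.addIssuerName(dn);
        return cs.getCRLs(sel);
    }

    public static void main(String[] args) throws Exception {
        String host = args[0]; int port = Integer.parseInt(args[1]); String dn = args[2];
        Set<X509CRL> direct = readDirect(host, port, dn);
        Set<CRL> store = new HashSet<>(viaCertStore(host, port, dn));
        System.out.println("on entry: " + direct.size() + ", via CertStore: " + store.size());
        if (!direct.equals(store)) {
            System.out.println("MISMATCH: CertStore dropped a revocation list (this bug)");
        }
    }
}
```

A mismatch means path validation using this CertStore could miss a revocation published only in the ARL, which matters most for cross-certified CAs like the bridge CA in the report.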
======================================================================
###@###.### 10/8/04 16:16 GMT