- Bug
- Resolution: Cannot Reproduce
- P4
- None
- 5.0
- x86
- windows_xp
FULL PRODUCT VERSION :
java version "1.5.0_13"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_13-b05)
Java HotSpot(TM) Client VM (build 1.5.0_13-b05, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Not platform specific
A DESCRIPTION OF THE PROBLEM :
With self-signed certificates, certificate verification does not work on the Sun JCE (but does on BouncyCastle, which appears to be in the right).
The simplest case of this is asking a certificate to verify itself with its own public key. Under the JCE this will fail. Under BouncyCastle, it will not.
(This of course is trivial - if you are testing identity, you would compare it to a locally stored copy of the public key; however, it should still work regardless.)
This issue is discussed briefly here:
http://osdir.com/ml/encryption.bouncy-castle.devel/2004-07/msg00059.html
I was surprised I could find no reference to it in the Bug Database.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Retrieve any X509 certificate (such as, for instance, from a digital signature).
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Certificate check should pass
ACTUAL -
Code throws a SignatureException
java.security.SignatureException: Signature does not match.
ERROR MESSAGES/STACK TRACES THAT OCCUR :
java.security.SignatureException: Signature does not match.
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
X509Certificate cert = ...;
cert.verify(cert.getPublicKey());
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
There must be some workaround, as mutual authentication works in, for instance, the Sun SSL implementation.
The only one I'm aware of is byte-wise comparison of certificates, which is substantially lacking in finesse, and requires custom code when dealing with self-signing versus trust anchors.
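An added example, not code from this report or from the JDK: a self-signature check built on the same `cert.verify(cert.getPublicKey())` call, which reports a signature made by a different key as "not self-signed" rather than letting the `SignatureException` escape. It assumes Java 7 or later; the class and method names are hypothetical, and the sample input is the set of root certificates in the runtime's default trust store.

```java
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.KeyStore;
import java.security.SignatureException;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class SelfSignedCheck {   // hypothetical class name

    /** True only if the certificate's signature verifies under its own public key. */
    static boolean isSelfSigned(X509Certificate cert) throws GeneralSecurityException {
        // Cheap pre-check: a self-signed certificate names itself as its issuer.
        if (!cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
            return false;
        }
        try {
            cert.verify(cert.getPublicKey());
            return true;
        } catch (SignatureException | InvalidKeyException e) {
            // Subject and issuer names match, but another key produced the
            // signature (or the key type does not fit the signature algorithm).
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Sample input: the runtime's default trust anchors, so this runs offline.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);   // null selects the default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) {
                continue;
            }
            for (X509Certificate c : ((X509TrustManager) tm).getAcceptedIssuers()) {
                System.out.printf("%-5b %s%n",
                        isSelfSigned(c), c.getSubjectX500Principal().getName());
            }
        }
    }
}
```

A `true` result shows only that the certificate is internally consistent; it says nothing about whether the certificate should be trusted, which still requires comparison against a locally stored key or trust anchor.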