Bug | Resolution: Not an Issue | P2 | None | 6u5 | x86 | linux
OS and Kernel Version:
Linux trcbct1bld8 2.6.18-53.1.14.el5 #1 SMP Tue Feb 19 07:18:46 EST 2008 x86_64 x86_64 x86_64 GNU/Linux
Java Version:
java version "1.6.0_05" Java(TM) SE Runtime Environment (build 1.6.0_05-b13) Java HotSpot(TM) Server VM (build 10.0-b19, mixed mode)
Problem Description:
Java was unable to parse the CRL distribution point extension in an X.509 certificate.
The certificate is attached to this bug report -- jitc-sesm1-cert.pem
This is the actual CDP used in the United States DoD PKI. This certificate was parsed successfully by both Microsoft and OpenSSL.
To parse using Microsoft: change the .pem extension to .crt and double click.
To parse using openssl: openssl x509 -in <cert file name> -noout -text
chain [0] = [
[
Version: V3
Subject: CN=47.104.13.176, OU=JITC, OU=PKI, OU=DoD, O=U.S. Government, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 1024 bits
modulus: 134310151229670155472133336804448639761928390128024853585485405490004497348816071137324439756245984532087210941238801755693672773329744928086333386696206966940856218253733623107279892693687139750367253271913095672121937740759451914454890759949675586191902864141700134745487947729523226897275755101090186525859
public exponent: 65537
Validity: [From: Wed Oct 24 10:20:03 CDT 2007,
To: Sun Oct 24 10:20:03 CDT 2010]
Issuer: CN=DOD JITC CA-17, OU=PKI, OU=DoD, O=U.S. Government, C=US
SerialNumber: [ 06c6]
Certificate Extensions: 5
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 2B 4D AD EC A2 57 B4 9F 1D 30 5B 55 2D 1C 9B 8A +M...W...0[U-...
0010: 90 F3 B3 EB ....
]
]
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: C6 EB 4E B4 51 74 BB 0B 3D A7 8D 77 EC 52 B5 67 ..N.Qt..=..w.R.g
0010: 0C 33 51 E7 .3Q.
]
]
[3]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.101.2.1.11.5]
[] ]
]
[4]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
[5]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[accessMethod: 1.3.6.1.5.5.7.48.2
accessLocation: URIName: http://crl.nit.disa.mil/getsign?DOD%20JITC%20CA-17, accessMethod: 1.3.6.1.5.5.7.48.1
accessLocation: URIName: http://ocsp.nsn0.rcvs.nit.disa.mil]
]
Unparseable certificate extensions: 1
[1]: ObjectId: 2.5.29.31 Criticality=false
Unparseable CRLDistributionPoints extension due to
java.io.IOException: invalid URI name: http://crl.nit.disa.mil/getcrl?DOD%20JITC%20CA-17
0000: 30 81 D2 30 38 A0 36 A0 34 86 32 20 68 74 74 70 0..08.6.4.2 http
0010: 3A 2F 2F 63 72 6C 2E 6E 69 74 2E 64 69 73 61 2E ://crl.nit.disa.
0020: 6D 69 6C 2F 67 65 74 63 72 6C 3F 44 4F 44 25 32 mil/getcrl?DOD%2
0030: 30 4A 49 54 43 25 32 30 43 41 2D 31 37 30 81 95 0JITC%20CA-170..
0040: A0 81 92 A0 81 8F 86 81 8C 20 6C 64 61 70 3A 2F ......... ldap:/
0050: 2F 63 72 6C 2E 67 64 73 2E 6E 69 74 2E 64 69 73 /crl.gds.nit.dis
0060: 61 2E 6D 69 6C 2F 63 6E 25 33 64 44 4F 44 25 32 a.mil/cn%3dDOD%2
0070: 30 4A 49 54 43 25 32 30 43 41 2D 31 37 25 32 63 0JITC%20CA-17%2c
0080: 6F 75 25 33 64 50 4B 49 25 32 63 6F 75 25 33 64 ou%3dPKI%2cou%3d
0090: 44 6F 44 25 32 63 6F 25 33 64 55 2E 53 2E 25 32 DoD%2co%3dU.S.%2
00A0: 30 47 6F 76 65 72 6E 6D 65 6E 74 25 32 63 63 25 0Government%2cc%
00B0: 33 64 55 53 3F 63 65 72 74 69 66 69 63 61 74 65 3dUS?certificate
00C0: 72 65 76 6F 63 61 74 69 6F 6E 6C 69 73 74 3B 62 revocationlist;b
00D0: 69 6E 61 72 79 inary
]
Algorithm: [SHA1withRSA]
Signature:
0000: 56 F0 B9 36 22 F1 89 59 2A 09 8A 29 4D B5 A4 E3 V..6"..Y*..)M...
0010: 76 07 CC 78 DC 19 03 35 E1 37 44 BD 06 AE 65 9A v..x...5.7D...e.
0020: 9B 43 E7 0F 48 F2 D0 8F B6 B9 FF 80 C8 D1 9B FD .C..H...........
0030: 7A BF 02 B2 75 B8 71 22 F6 EB 79 6B B6 64 41 4E z...u.q"..yk.dAN
0040: 84 5E 31 9B 27 D2 57 19 E0 00 93 E2 E3 7A 03 AB .^1.'.W......z..
0050: F7 9D B1 85 38 66 C1 A5 DD EE E7 37 AB A4 16 09 ....8f.....7....
0060: F6 F0 76 24 8F 0C A5 D9 A0 27 3D AF 35 BA AD DB ..v$.....'=.5...
0070: 42 00 07 D8 97 AA 7C F6 18 D9 1F 82 CF B4 21 DE B.............!.
]
Steps to reproduce the problem:
Import the certificate into a keystore.
Load the keystore and start an SSL handshake.
Enable -Djavax.net.debug=ssl