JDK-6923697

SimpleValidator doesn't allow intermediate CA certificate with PathLen:1

Details

    Description

      FULL PRODUCT VERSION :
      java version "1.6.0_18"
      Java(TM) SE Runtime Environment (build 1.6.0_18-b07)
      Java HotSpot(TM) Client VM (build 16.0-b13, mixed mode, sharing)

      ADDITIONAL OS VERSION INFORMATION :
      Microsoft Windows XP [Version 5.1.2600]

      A DESCRIPTION OF THE PROBLEM :
      The following chain returns a ValidatorException with the message "Violated path length constraints" in 1.6.0_18.

      2010-01-29 13:49:20,219 INFO [http-127.0.0.1-8080-1] STDOUT:152 chain [0] = [
      ...
      [8]: ObjectId: 2.5.29.19 Criticality=false
      BasicConstraints:[
        CA:false
        PathLen: undefined
      ]


      2010-01-29 13:49:20,266 INFO [http-127.0.0.1-8080-1] STDOUT:152 chain [1] = [
      ...
      [6]: ObjectId: 2.5.29.19 Criticality=false
      BasicConstraints:[
        CA:true
        PathLen:2147483647
      ]


      2010-01-29 13:49:20,329 INFO [http-127.0.0.1-8080-1] STDOUT:152 chain [2] = [
      ...
      [8]: ObjectId: 2.5.29.19 Criticality=true
      BasicConstraints:[
        CA:true
        PathLen:1
      ]


      2010-01-29 13:49:20,360 INFO [http-127.0.0.1-8080-1] STDOUT:152 chain [3] = [
      ...
      [8]: ObjectId: 2.5.29.19 Criticality=false
      BasicConstraints:[
        CA:true
        PathLen:2147483647
      ]

      The problem occurs because the PathLen constraint in chain[2] has the value 1 and there is a CA certificate (chain[1]) that follows this certificate in the chain.

      The specification says the following about the PathLen constraint: "it gives the maximum number of CA certificates that may follow this certificate in a certification path", so the chain should be accepted.

      The problem only occurs in update 18.


      REPRODUCIBILITY :
      This bug can be reproduced always.

      Release Regression From : 6u17
      The above release value was the last known release where this
      bug was not reproducible. Since then there has been a regression.
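
The path length rule quoted in the description, applied to the BasicConstraints values of the reported chain. This is an added example, not code from the JDK or from the reporter; the class and method names are hypothetical. The integers follow the convention of X509Certificate.getBasicConstraints() (-1 for a non-CA certificate, Integer.MAX_VALUE for a CA with no pathLenConstraint), and the second chain is a constructed contrast case.

```java
public class PathLenCheck {

    /**
     * bc[i] is what X509Certificate.getBasicConstraints() returns for chain[i]:
     * -1 for a non-CA certificate, Integer.MAX_VALUE for a CA without a
     * pathLenConstraint, otherwise the pathLenConstraint value.
     * The chain is ordered as in the report: chain[0] is the end-entity
     * certificate and the last element is the root.
     *
     * Returns the index of the first certificate (searching from the root)
     * that breaks the rule, or -1 if the chain satisfies it.
     * Assumption: no intermediate is self-issued (RFC 5280 does not count those).
     */
    static int firstViolation(int[] bc) {
        for (int i = bc.length - 1; i >= 1; i--) {
            if (bc[i] < 0) {
                return i;               // a non-CA certificate cannot issue certificates
            }
            // CA certificates that follow chain[i] on the way to the end entity
            // are chain[i-1] .. chain[1]; chain[0] itself is not counted.
            int caCertsFollowing = i - 1;
            if (caCertsFollowing > bc[i]) {
                return i;               // pathLenConstraint exceeded
            }
        }
        return -1;
    }

    static String describe(int idx) {
        return idx < 0 ? "path length constraints satisfied"
                       : "violated at chain[" + idx + "]";
    }

    public static void main(String[] args) {
        final int NONE = Integer.MAX_VALUE;

        // BasicConstraints values taken from the chain in the report.
        int[] reported = { -1, NONE, 1, NONE };
        // Constructed contrast case: one more CA below the PathLen:1 certificate.
        int[] tooDeep = { -1, NONE, NONE, 1, NONE };

        System.out.println("reported chain: " + describe(firstViolation(reported)));
        System.out.println("deeper chain:   " + describe(firstViolation(tooDeep)));
    }
}
```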

            People

              xuelei Xuelei Fan
              ndcosta Nelson Dcosta (Inactive)