- Bug
- Resolution: Fixed
- P3
- 7u17
- b04
- generic
- Verified
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8045510 | 8u25 | Sean Mullan | P3 | Resolved | Fixed | b01 |
JDK-8035356 | 8u20 | Sean Mullan | P3 | Resolved | Fixed | b03 |
JDK-8053745 | emb-8u26 | Sean Mullan | P3 | Resolved | Fixed | b17 |
JDK-8155027 | 7u121 | Sean Coffey | P3 | Resolved | Fixed | b01 |
JDK-8155038 | 7u111 | Sean Coffey | P3 | Closed | Won't Fix | |
FULL PRODUCT VERSION :
java version " 1.7.0_17 "
Java(TM) SE Runtime Environment (build 1.7.0_17-b02)
Java HotSpot(TM) Client VM (build 23.7-b01, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows [Version 6.1.7601]
A DESCRIPTION OF THE PROBLEM :
If an end entity certificate has an AKI extension with a key identifier and serial number and the issuing (subordinate, untrusted) certificate does not have a serial number in its AKI extension, just the key identifier, then the default cert path builder cannot build a path to the trusted root certificate.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Create a 3-tier PKI hierarchy (Root, Subordinate, EndEntity). Give the EndEntity certificates an AKI extension with a key identifier and the serial number of the Subordinate. Give the Subordinate an AKI extension with a key identifier but do not include the serial number (of the Root) in it. Place the Root in a KeyStore (therefore trusted). Place the Subordinate in a cert store. Try and build a certification path for the EndEntity using CertPathBuilder (with default provider type).
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
A certification Path should be built.
ACTUAL -
It will fail. Enabling debugging seems to indicate that the reason that the path is not built is that the serial number on the subordinate does not match what is expected.
ERROR MESSAGES/STACK TRACES THAT OCCUR :
Failure case:
certpath: ForwardBuilder.getMatchingCerts()...
certpath: ForwardBuilder.getMatchingCACerts()...
certpath: X509CertSelector.match(SN: 1
Issuer: CN=Test Root Certification Authority, O=GOV, C=AU
Subject: CN=Test Root Certification Authority, O=GOV, C=AU)
certpath: X509CertSelector.match: serial numbers don't match
Using an End Entity cert that does not have the serial number in its AKI:
certpath: SunCertPathBuilder.depthFirstSearchForward(CN=Test Root Certification Authority, O=GOV, C=AU, State [
issuerDN of last cert: CN=Test Root Certification Authority, O=GOV, C=AU
traversedCACerts: 1
init: false
keyParamsNeeded: false
subjectNamesTraversed:
certpath: ForwardBuilder.getMatchingCerts()...
certpath: ForwardBuilder.getMatchingCACerts()...
certpath: X509CertSelector.match(SN: 1
Issuer: CN=Test Root Certification Authority, O=GOV, C=AU
Subject: CN=Test Root Certification Authority, O=GOV, C=AU)
certpath: X509CertSelector.match returning: true
REPRODUCIBILITY :
This bug can be reproduced always.
CUSTOMER SUBMITTED WORKAROUND :
If the Subordinate is put into the KeyStore (i.e. trusted) then the problem does not occur.
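The mechanism behind the trace above is named by the duplicate, JDK-8033776: the forward builder reused one X509CertSelector across hops, so the serial number copied from the end entity's AKI was still set when the builder looked for the root, whose serial number differs. The model below is an added example, not JDK code and not the reporter's test; it reproduces that behaviour on a constructed 3-tier hierarchy, shows the fix (clear the AKI-derived criteria on every hop) and shows why the reported workaround (subordinate in the trust store) avoids the problem. Only the root DN and its serial number (1) are taken from the trace; the class and function names, the subordinate and end-entity DNs, serials and key identifiers are assumptions.

```python
"""Model of the JDK 7 ForwardBuilder issuer lookup (added example, not JDK
code): one X509CertSelector-like object reused across hops, so a serial
number copied from the end entity's AKI survives into the next hop.
Names, serials and the non-root DNs below are assumptions."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    """The few X.509 fields the forward builder keys on."""
    subject: str
    issuer: str
    serial: int
    ski: bytes                         # SubjectKeyIdentifier
    aki_keyid: Optional[bytes] = None  # AKI keyIdentifier
    aki_serial: Optional[int] = None   # AKI authorityCertSerialNumber


@dataclass
class Selector:
    """Mirrors the X509CertSelector criteria the builder sets from an AKI."""
    subject: Optional[str] = None
    ski: Optional[bytes] = None
    serial: Optional[int] = None

    def match(self, c: Cert) -> bool:
        if self.subject is not None and c.subject != self.subject:
            return False
        if self.ski is not None and c.ski != self.ski:
            return False
        if self.serial is not None and c.serial != self.serial:
            return False  # "X509CertSelector.match: serial numbers don't match"
        return True


def build_forward(ee: Cert, trust_anchors: List[Cert], cert_store: List[Cert],
                  reset_per_hop: bool = True, max_len: int = 10) -> Optional[List[Cert]]:
    """Walk from the end entity towards a trust anchor; return the chain or None."""
    sel = Selector()          # a single selector reused for every hop
    chain = [ee]
    current = ee
    for _ in range(max_len):
        sel.subject = current.issuer
        if reset_per_hop:
            # The fix: AKI-derived criteria must not leak from the previous hop.
            sel.ski, sel.serial = None, None
        if current.aki_keyid is not None:
            sel.ski = current.aki_keyid
        if current.aki_serial is not None:
            sel.serial = current.aki_serial
        # Trust anchors are consulted first, then the untrusted cert store.
        anchors = [c for c in trust_anchors if sel.match(c)]
        if anchors:
            return chain + [anchors[0]]
        candidates = [c for c in cert_store if sel.match(c)]
        if not candidates:
            return None
        current = candidates[0]
        chain.append(current)
    return None


def has_stale_serial_hop(chain: List[Cert]) -> bool:
    """True if some cert carries an AKI serial while its untrusted issuer does
    not: the shape reported on this page. The last element is the anchor."""
    return any(lower.aki_serial is not None and issuer.aki_serial is None
               for lower, issuer in zip(chain, chain[1:-1]))


# Constructed hierarchy; only the root DN and its serial (1) come from the trace.
ROOT = Cert("CN=Test Root Certification Authority, O=GOV, C=AU",
            "CN=Test Root Certification Authority, O=GOV, C=AU", 1, b"\x01")
SUB = Cert("CN=Test Sub CA, O=GOV, C=AU", ROOT.subject, 4097, b"\x02",
           aki_keyid=ROOT.ski)                        # keyid only, no serial
EE = Cert("CN=ee.example", SUB.subject, 4098, b"\x03",
          aki_keyid=SUB.ski, aki_serial=SUB.serial)   # keyid plus issuer serial


def names(chain: Optional[List[Cert]]) -> Optional[List[str]]:
    return None if chain is None else [c.subject for c in chain]


if __name__ == "__main__":
    print("7u17 behaviour:", names(build_forward(EE, [ROOT], [SUB], reset_per_hop=False)))
    print("fixed:         ", names(build_forward(EE, [ROOT], [SUB])))
    print("workaround:    ", names(build_forward(EE, [ROOT, SUB], [], reset_per_hop=False)))
```

To check whether a real hierarchy has this shape, `openssl x509 -in cert.pem -noout -text` lists the AKI under "X509v3 Authority Key Identifier"; an AKI that carries the issuer serial shows `serial:` next to `keyid:` (OpenSSL emits that form for `authorityKeyIdentifier = keyid,issuer:always`), while a keyid-only AKI shows just the `keyid:` line.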
- backported by
  - JDK-8035356 Certificate Path Building problem with AKI serial number (Resolved)
  - JDK-8045510 Certificate Path Building problem with AKI serial number (Resolved)
  - JDK-8053745 Certificate Path Building problem with AKI serial number (Resolved)
  - JDK-8155027 Certificate Path Building problem with AKI serial number (Resolved)
  - JDK-8155038 Certificate Path Building problem with AKI serial number (Closed)
- duplicates
  - JDK-8033776 SunCertPathBuilder failing due to errant X509CertSelector (with AKI value) reuse (Closed)
(1 duplicate)