Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8033776

SunCertPathBuilder failing due to errant X509CertSelector (with AKI value) reuse

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Duplicate
    • Icon: P3 P3
    • None
    • 7u51, 9
    • security-libs

      FULL PRODUCT VERSION :
      java version "1.7.0_51"
      Java(TM) SE Runtime Environment (build 1.7.0_51-b13)
      Java HotSpot(TM) 64-Bit Server VM (build 24.51-b03, mixed mode)


      ADDITIONAL OS VERSION INFORMATION :
      Microsoft Windows [Version 6.1.7601]
      (tested on Windows, but bug is platform independent)

      A DESCRIPTION OF THE PROBLEM :
      The SunCertPathBuilder throws an exception when trying to build a cert path from a valid cert chain under the following conditions:

      1. there exists (at least) a 3 level chain
      2. an intermediate CA (e.g. the middle cert in the 3 level chain) contains an AuthorityKeyIdentifier extension which does NOT contain the authorityCertSerialNumber field (e.g. it only contains the keyIdentifier field)
      2. a child cert of the intermediate CA from #2 (e.g. the end-entity in the 3 level chain) has an AuthorityKeyIdentifier extension which DOES include the authorityCertSerialNumber field

      Such a chain causes the following exception when running CertPathBuilder.build():

      Exception in thread "main" sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
      at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
              ...

      The problem is that the SunCertPathBuilder is reusing an X509CertSelector as it tries to build the cert path, but it is not resetting all of the fields between searches for each certificate. In the above scenario, the builder finds the end-entity certificate. Then it uses the AKI fields (keyIdentifier, authorityCertIssuer, and authorityCertSerialNumber) and sets the corresponding properties on the X509CertSelector to find the intermediate CA cert. However, when it reads the same fields again from the intermediate CA certificate to update the X509CertSelector to find the root certificate, it does not overwrite the serial number property on the X509CertSelector because the corresponding fields in the AKI extension are blank (as they are allowed to per RFC 3280 and RFC 5280). So, it leaves the serial number of the intermediate CA cert and includes the issuer and subjectkeyidentifier of the root certificate. No certificates match that description, so it fails to find the root certificate and throws the exception.

      REGRESSION. Last worked in version 6u45

      ADDITIONAL REGRESSION INFORMATION:
      java version "1.6.0_45"
      Java(TM) SE Runtime Environment (build 1.6.0_45-b06)
      Java HotSpot(TM) 64-Bit Server VM (build 20.45-b01, mixed mode)


      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      1. compile and run the source code attached with the command line argument "testKeyIdAki" (e.g. "java TestCertPathBuilder testKeyIdAki")



      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      The CertPathBuilder.build() succeeds the the resultant CertPath is printed to stdout.
      ACTUAL -
      The CertPathBuilder.build() method throws a SunCertPathBuilderException with the message "unable to find valid certification path to requested target"

      ERROR MESSAGES/STACK TRACES THAT OCCUR :
      Exception in thread "main" sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
      at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
      at TestCertPathBuilder.buildCertPath(TestCertPathBuilder.java:268)
      at TestCertPathBuilder.testKeyIdAki(TestCertPathBuilder.java:231)
      at TestCertPathBuilder.main(TestCertPathBuilder.java:171)

      REPRODUCIBILITY :
      This bug can be reproduced always.

      ---------- BEGIN SOURCE ----------
      EDIT - source attached to bug : TestCertPathBuilder.java

      ---------- END SOURCE ----------

            mullan Sean Mullan
            webbuggrp Webbug Group
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: