7, 8, 9
|Issue|Fix Version|Assignee|Priority|Status|Resolution|Resolved In Build|
|---|---|---|---|---|---|---|
|JDK-8155040|7u111|Sean Coffey|P3|Closed|Won't Fix| |
All 7.x and 8.x version
ADDITIONAL OS VERSION INFORMATION :
A DESCRIPTION OF THE PROBLEM :
This bug is heavily related to
Since JDK 7 checking of serial number and Key Identifier from Authority Key Identifier extension was added to certificate chain building process.
Sean Mullan said that
"In JDK 7 we enhanced our PKIX CertPathBuilder implementation to discover certificate chains using the Authority Key Identifier extension (as specified in section 188.8.131.52 of RFC 5280), which allows you to find the correct certificate when a CA has more than one certificate with different keypairs. This is quite common, for example when you rollover the key of a CA but you want to keep the same subject name.
The certificates that are used in this test case do not have a correct AKID that allow a path to be found. In particular, the authorityCertSerialNumber field of the end entity certificate is set to 3130323032353433323531. The key identifier and issuer are correct, but not the serial number. We match on all fields when looking for a matching CA. This should match the serial number of the issuing CA certificate.
According to RFC 5280 (Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile):
The authority key identifier extension provides a means of
identifying the public key corresponding to the private key used to
sign a certificate. This extension is used where an issuer has
multiple signing keys (either due to multiple concurrent key pairs or
due to changeover). The identification MAY be based on either the
key identifier (the subject key identifier in the issuer's
certificate) or the issuer name and serial number. "
this check looks correct: if the fields of the Authority Key Identifier do not match the fields of the issuer's Subject Key Identifier, we may not accept that certificate for chain building.
But RFC 4158 (Internet X.509 Public Key Infrastructure: Certification Path Building), section 3.5.12 "Matching Key Identifiers (KIDs)", states:
"NOTE: Although required to be present by [RFC3280], it is extremely
important that KIDs be used only as sorting criteria or as hints
during certification path building. KIDs are not required to match
during certification path validation and cannot be used to eliminate
certificates. This is of critical importance for interoperating
across domains and multi-vendor implementations where the KIDs may
not be calculated in the same fashion."
This explicitly notes that matching Key Identifiers must be used only as hints in the chain building process, not as grounds to reject certificates.
With this check, the JDK is unable to build certificate chains through cross certificates when a certificate's Authority KID carries a serial number: the serial number matches the ROOT certificate and does not match the CROSS certificate.
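To see the mismatch described above on a concrete chain, here is an added diagnostic (not from this bug report or the JDK) that reads a PEM bundle, decodes each certificate's AKID by hand and compares its key identifier and authorityCertSerialNumber against every candidate issuer in the bundle. The bundle path on the command line and Java 17 (for the record type) are assumptions.

```java
import java.io.FileInputStream;
import java.math.BigInteger;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;

public class AkidCheck {
    record Akid(byte[] keyId, BigInteger serial) {}   // the two AKID fields the JDK matched on
    /** DER TLV at off -> {tag, valueOffset, valueLength}; handles long-form lengths. */
    static int[] tlv(byte[] b, int off) {
        int tag = b[off] & 0xFF, len = b[off + 1] & 0xFF, pos = off + 2;
        if ((len & 0x80) != 0) { int n = len & 0x7F; len = 0; while (n-- > 0) len = (len << 8) | (b[pos++] & 0xFF); }
        return new int[] {tag, pos, len};
    }
    static byte[] value(byte[] b, int[] t) { return Arrays.copyOfRange(b, t[1], t[1] + t[2]); }
    /** AuthorityKeyIdentifier ::= SEQUENCE { [0] keyIdentifier, [1] authorityCertIssuer, [2] authorityCertSerialNumber } */
    static Akid parseAkid(X509Certificate c) {
        byte[] ext = c.getExtensionValue("2.5.29.35");   // id-ce-authorityKeyIdentifier
        if (ext == null) return null;
        int[] seq = tlv(ext, tlv(ext, 0)[1]);           // step over the extension's outer OCTET STRING
        byte[] keyId = null; BigInteger serial = null;
        for (int pos = seq[1]; pos < seq[1] + seq[2]; ) {
            int[] t = tlv(ext, pos);
            if (t[0] == 0x80) keyId = value(ext, t);                   // [0] IMPLICIT OCTET STRING
            if (t[0] == 0x82) serial = new BigInteger(value(ext, t));  // [2] IMPLICIT INTEGER (two's complement)
            pos = t[1] + t[2];                                         // [1] authorityCertIssuer is skipped
        }
        return new Akid(keyId, serial);
    }
    /** SubjectKeyIdentifier ::= OCTET STRING, wrapped in the extension's own OCTET STRING. */
    static byte[] skid(X509Certificate c) {
        byte[] ext = c.getExtensionValue("2.5.29.14");   // id-ce-subjectKeyIdentifier
        return ext == null ? null : value(ext, tlv(ext, tlv(ext, 0)[1]));
    }
    public static void main(String[] args) throws Exception {
        Collection<? extends Certificate> certs;          // assumed: args[0] is a PEM bundle (EE, cross, root)
        try (FileInputStream in = new FileInputStream(args[0])) { certs = CertificateFactory.getInstance("X.509").generateCertificates(in); }
        for (Certificate a : certs) for (Certificate b : certs) {   // every (subject, candidate issuer) pair
            X509Certificate subj = (X509Certificate) a, cand = (X509Certificate) b;
            Akid akid = parseAkid(subj);
            if (akid == null || !cand.getSubjectX500Principal().equals(subj.getIssuerX500Principal())) continue;
            boolean kidOk = akid.keyId() == null || Arrays.equals(akid.keyId(), skid(cand));
            boolean serialOk = akid.serial() == null || akid.serial().equals(cand.getSerialNumber());
            System.out.printf("%s -> issuer cert serial %s: keyId %s, serial %s%n", subj.getSubjectX500Principal(),
                cand.getSerialNumber().toString(16), kidOk ? "matches" : "differs", serialOk ? "matches" : "DIFFERS (hint-only mismatch)");
        }
    }
}
```

For a chain like the one in this report, the root candidate shows both fields matching while the cross certificate shows the key identifier matching and the serial differing, which is exactly the hint-only mismatch that RFC 4158 says must not eliminate a certificate.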
REGRESSION. Last worked in version 6u45
ERROR MESSAGES/STACK TRACES THAT OCCUR :
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
Test case is available at bug
---------- END SOURCE ----------
- backported by
JDK-8142944 Remove requirement that AKID and SKID have to match when building certificate chain
JDK-8156372 Remove requirement that AKID and SKID have to match when building certificate chain
JDK-8162209 Remove requirement that AKID and SKID have to match when building certificate chain
JDK-8142945 Remove requirement that AKID and SKID have to match when building certificate chain
JDK-8155040 Remove requirement that AKID and SKID have to match when building certificate chain
- relates to
JDK-6852744 PIT b61: PKI test suite fails because self signed certificates are being rejected
JDK-8027249 JDK 7 Certpathbuilder.build throws SunCertPathBuilderException when JDK 6 works