Duplicate checks in AlgorithmChecker


    • Type: Bug
    • Resolution: Duplicate
    • Priority: P4
    • Affects Version/s: None
    • Component/s: security-libs

      There are some duplicate checks in sun.security.provider.certpath.AlgorithmChecker.check():

      Consider 2 certs in a chain, intCA, and EE.

      The 2nd time AlgorithmChecker.check is called and it is passed the EE cert in the chain, it checks the signature algorithm on
      the certificate twice, first here:

              // Check the current signature algorithm
              if (!constraints.permits(
                      SIGNATURE_PRIMITIVE_SET,
                      currSigAlg, currSigAlgParams)) {
                  throw new CertPathValidatorException(
                      "Algorithm constraints check failed: " + currSigAlg,
                      null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
              }

      Then again here:

              if (prevPubKey != null) {
                  if (currSigAlg != null) {
                      if (!constraints.permits(
                              SIGNATURE_PRIMITIVE_SET,
                              currSigAlg, prevPubKey, currSigAlgParams)) {
                          throw new CertPathValidatorException(
                              "Algorithm constraints check failed: " + currSigAlg,
                              null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
                      }
                  }

      The call to constraints.permits above also checks the key algorithm and size of the intCA cert's key (prevPubKey) twice. It was already checked the first time AlgorithmChecker.check was called with the intCA cert, and now it checks it again. I don't see anything that it does that hasn't already been done, but a careful review should be done to make sure.
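One way to confirm the duplicate checks from outside the JDK internals, as an added example that is not part of this report or of the JDK sources: a delegating java.security.AlgorithmConstraints that counts how often each signature algorithm name and each key instance is presented to permits(). Handed to SSLParameters.setAlgorithmConstraints(), such constraints are (this example assumes) passed by JSSE's trust manager into AlgorithmChecker, so a count above 1 for the intermediate CA key during a single chain validation is the redundancy described above. The main() method does not run a TLS handshake; it replays the call sequence the report describes against a freshly generated RSA key standing in for the intCA key. The class name CountingConstraints and the ALLOW_ALL base policy are choices made for this example.

```java
import java.security.AlgorithmConstraints;
import java.security.AlgorithmParameters;
import java.security.CryptoPrimitive;
import java.security.Key;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.EnumSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

/**
 * Delegating AlgorithmConstraints that counts permits() calls per
 * algorithm name and per key instance. Added example, not JDK code.
 */
public final class CountingConstraints implements AlgorithmConstraints {
    private final AlgorithmConstraints delegate;
    private final Map<String, Integer> algCalls = new LinkedHashMap<>();
    // Keys are tracked by instance identity, so a re-check of the same
    // PublicKey object shows up as a repeat even if equals() is not overridden.
    private final Map<String, Integer> keyCalls = new LinkedHashMap<>();

    public CountingConstraints(AlgorithmConstraints delegate) {
        this.delegate = delegate;
    }

    private static String keyId(Key key) {
        return key.getAlgorithm() + "@" + Integer.toHexString(System.identityHashCode(key));
    }

    @Override
    public boolean permits(Set<CryptoPrimitive> primitives, String algorithm,
                           AlgorithmParameters parameters) {
        algCalls.merge(algorithm, 1, Integer::sum);
        return delegate.permits(primitives, algorithm, parameters);
    }

    @Override
    public boolean permits(Set<CryptoPrimitive> primitives, Key key) {
        keyCalls.merge(keyId(key), 1, Integer::sum);
        return delegate.permits(primitives, key);
    }

    @Override
    public boolean permits(Set<CryptoPrimitive> primitives, String algorithm,
                           Key key, AlgorithmParameters parameters) {
        // The 4-argument form vets both the algorithm and the key, so count both.
        algCalls.merge(algorithm, 1, Integer::sum);
        keyCalls.merge(keyId(key), 1, Integer::sum);
        return delegate.permits(primitives, algorithm, key, parameters);
    }

    /** Algorithms and keys that were checked more than once. */
    public Map<String, Integer> repeats() {
        Map<String, Integer> out = new LinkedHashMap<>();
        algCalls.forEach((k, v) -> { if (v > 1) out.put("alg " + k, v); });
        keyCalls.forEach((k, v) -> { if (v > 1) out.put("key " + k, v); });
        return out;
    }

    /** Permissive base policy (assumption for the demo) so only the counting matters. */
    private static final AlgorithmConstraints ALLOW_ALL = new AlgorithmConstraints() {
        public boolean permits(Set<CryptoPrimitive> p, String a, AlgorithmParameters ap) { return true; }
        public boolean permits(Set<CryptoPrimitive> p, Key k) { return true; }
        public boolean permits(Set<CryptoPrimitive> p, String a, Key k, AlgorithmParameters ap) { return true; }
    };

    /**
     * Replays the sequence described in the report with constructed data:
     * check(intCA) vets the intCA key; check(EE) then vets the EE signature
     * algorithm with the 3-argument permits and once more, together with
     * the intCA key (prevPubKey), with the 4-argument permits.
     */
    public static void main(String[] args) throws Exception {
        CountingConstraints cc = new CountingConstraints(ALLOW_ALL);
        Set<CryptoPrimitive> sigSet = EnumSet.of(CryptoPrimitive.SIGNATURE);
        PublicKey intCaKey = KeyPairGenerator.getInstance("RSA").generateKeyPair().getPublic();

        cc.permits(sigSet, intCaKey);                         // first check(): intCA key
        cc.permits(sigSet, "SHA256withRSA", null);            // second check(): EE sig alg
        cc.permits(sigSet, "SHA256withRSA", intCaKey, null);  // second check(): sig alg and intCA key again

        System.out.println("repeated checks: " + cc.repeats());
    }
}
```

Against a real chain, wrap the constraints you would normally set on SSLParameters in CountingConstraints and read repeats() after the handshake; any key entry with a count of 2 for one validation corresponds to the prevPubKey re-check quoted above.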

            Assignee:
            Unassigned
            Reporter:
            Sean Mullan
            Votes:
            0
            Watchers:
            1
