Details
-
Bug
-
Resolution: Unresolved
-
P4
-
8, 11, 16
-
generic
-
generic
Description
A DESCRIPTION OF THE PROBLEM :
when I connect to a TLS server presenting a self-signed certificate, and the certificate is a trust anchor, TLS connection succeeds even if the certificate declares extensions that do not allow it to be used as a TLS server certificate.
The code responsible for this behavior can be found here:
http://hg.openjdk.java.net/jdk/jdk/file/ee1d592a9f53/src/java.base/share/classes/sun/security/validator/Validator.java#l267
The code wasn't changed since the initial import; I couldn't find any arguments explaining why it was implemented that way, so I'm filing this issue to evaluate if it still makes sense.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
- Create a self-signed certificate with key usage that does not allow it to be used during key exchange
- Start a server with that certificate
- Connect to that server.
Example command that creates a self-signed certificate that cannot be used for handshaking:
keytool -genkeypair -alias ec -keyalg EC -keysize 256 -sigalg SHA256withECDSA -validity 365 -dname "CN=localhost,OU=Unknown,O=Unknown,L=Unknown,S=Unknown,C=Unknown" -storetype JKS -keystore ectest.jks -storepass 123456 -ext KeyUsage:c=keyCertSign
Example code to set up a server and connect to it:
https://gist.github.com/djelinski/b4543a3eb7ea66306044c08b41bba00f
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
TLS handshake should fail
ACTUAL -
TLS handshake succeeds
FREQUENCY : always
when I connect to a TLS server presenting a self-signed certificate, and the certificate is a trust anchor, TLS connection succeeds even if the certificate declares extensions that do not allow it to be used as a TLS server certificate.
The code responsible for this behavior can be found here:
http://hg.openjdk.java.net/jdk/jdk/file/ee1d592a9f53/src/java.base/share/classes/sun/security/validator/Validator.java#l267
The code wasn't changed since the initial import; I couldn't find any arguments explaining why it was implemented that way, so I'm filing this issue to evaluate if it still makes sense.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
- Create a self-signed certificate with key usage that does not allow it to be used during key exchange
- Start a server with that certificate
- Connect to that server.
Example command that creates a self-signed certificate that cannot be used for handshaking:
keytool -genkeypair -alias ec -keyalg EC -keysize 256 -sigalg SHA256withECDSA -validity 365 -dname "CN=localhost,OU=Unknown,O=Unknown,L=Unknown,S=Unknown,C=Unknown" -storetype JKS -keystore ectest.jks -storepass 123456 -ext KeyUsage:c=keyCertSign
Example code to set up a server and connect to it:
https://gist.github.com/djelinski/b4543a3eb7ea66306044c08b41bba00f
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
TLS handshake should fail
ACTUAL -
TLS handshake succeeds
FREQUENCY : always