-
Bug
-
Resolution: Fixed
-
P4
-
8, 11, 17
-
b27
-
Verified
ADDITIONAL SYSTEM INFORMATION :
Ubuntu 18.04.5 LTS
jdk1.8.0_191 / jdk1.8.0_291 / jdk-11.0.11
A DESCRIPTION OF THE PROBLEM :
Server chain certificate with MORE THAN ONE intermediate CA whose certificates have x509v3 Name Constraints extension of IP type (one for ipv4 and ohter one for ipv6):
X509v3 Name Constraints:
Excluded:
IP:0.0.0.0/0.0.0.0
IP:0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0
raises "java.lang.ArrayIndexOutOfBoundsException: 8" when Java HTTP Client is trying to verify server certificate by using truststore.jks which contains only root CA, because of java.security libraries are trying to minimize/merge the constraints to apply, matching ipv4 name constraint of one intermediate CA with ipv6 name constraint of another intermediate CA, in a bad way.
In essence, it finishes executing code similar to "Source code for an executable test case" attached.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Create server chain certificate with at least two intermediate CA's having x509v3 Name Constraints extensions of both IPv4 and IPv6 type.
2. Boot web server using certificate created in previous step
3. Create truststore.jks including only root CA of server certificate.
4. Send secure https request from java client using truststore created in previous step
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Server Response --> 200 OK
ACTUAL -
Caused by: java.lang.ArrayIndexOutOfBoundsException: 8
at sun.security.x509.IPAddressName.constrains(IPAddressName.java:452) ~[?:1.8.0_275]
at sun.security.x509.GeneralSubtrees.minimize(GeneralSubtrees.java:201) ~[?:1.8.0_275]
at sun.security.x509.GeneralSubtrees.union(GeneralSubtrees.java:484) ~[?:1.8.0_275]
at sun.security.x509.NameConstraintsExtension.merge(NameConstraintsExtension.java:357) ~[?:1.8.0_275]
at sun.security.provider.certpath.ConstraintsChecker.mergeNameConstraints(ConstraintsChecker.java:208) ~[?:1.8.0_275]
---------- BEGIN SOURCE ----------
byte[] ipv4 = new byte[8];
for (int i=0;i<8;i++) ipv4[i]=0;
IPAddressName ip1 = new IPAddressName(ipv4);
byte[] ipv6 = new byte[32];
for (int i=0;i<32;i++) ipv6[i]=0;
IPAddressName ip2 = new IPAddressName(ipv6);
ip1.constrains(ip2);
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
Insert intermediate CA's into truststore.jks
FREQUENCY : always
Ubuntu 18.04.5 LTS
jdk1.8.0_191 / jdk1.8.0_291 / jdk-11.0.11
A DESCRIPTION OF THE PROBLEM :
Server chain certificate with MORE THAN ONE intermediate CA whose certificates have x509v3 Name Constraints extension of IP type (one for ipv4 and ohter one for ipv6):
X509v3 Name Constraints:
Excluded:
IP:0.0.0.0/0.0.0.0
IP:0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0
raises "java.lang.ArrayIndexOutOfBoundsException: 8" when Java HTTP Client is trying to verify server certificate by using truststore.jks which contains only root CA, because of java.security libraries are trying to minimize/merge the constraints to apply, matching ipv4 name constraint of one intermediate CA with ipv6 name constraint of another intermediate CA, in a bad way.
In essence, it finishes executing code similar to "Source code for an executable test case" attached.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Create server chain certificate with at least two intermediate CA's having x509v3 Name Constraints extensions of both IPv4 and IPv6 type.
2. Boot web server using certificate created in previous step
3. Create truststore.jks including only root CA of server certificate.
4. Send secure https request from java client using truststore created in previous step
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Server Response --> 200 OK
ACTUAL -
Caused by: java.lang.ArrayIndexOutOfBoundsException: 8
at sun.security.x509.IPAddressName.constrains(IPAddressName.java:452) ~[?:1.8.0_275]
at sun.security.x509.GeneralSubtrees.minimize(GeneralSubtrees.java:201) ~[?:1.8.0_275]
at sun.security.x509.GeneralSubtrees.union(GeneralSubtrees.java:484) ~[?:1.8.0_275]
at sun.security.x509.NameConstraintsExtension.merge(NameConstraintsExtension.java:357) ~[?:1.8.0_275]
at sun.security.provider.certpath.ConstraintsChecker.mergeNameConstraints(ConstraintsChecker.java:208) ~[?:1.8.0_275]
---------- BEGIN SOURCE ----------
byte[] ipv4 = new byte[8];
for (int i=0;i<8;i++) ipv4[i]=0;
IPAddressName ip1 = new IPAddressName(ipv4);
byte[] ipv6 = new byte[32];
for (int i=0;i<32;i++) ipv6[i]=0;
IPAddressName ip2 = new IPAddressName(ipv6);
ip1.constrains(ip2);
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
Insert intermediate CA's into truststore.jks
FREQUENCY : always
