Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8267617

Certificate's IP x509 NameConstraints raises ArrayIndexOutOfBoundsException

    XMLWordPrintable

Details

    • b27
    • Verified

    Description

      ADDITIONAL SYSTEM INFORMATION :
      Ubuntu 18.04.5 LTS
      jdk1.8.0_191 / jdk1.8.0_291 / jdk-11.0.11

      A DESCRIPTION OF THE PROBLEM :
      Server chain certificate with MORE THAN ONE intermediate CA whose certificates have x509v3 Name Constraints extension of IP type (one for ipv4 and ohter one for ipv6):

      X509v3 Name Constraints:
        Excluded:
          IP:0.0.0.0/0.0.0.0
          IP:0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0

      raises "java.lang.ArrayIndexOutOfBoundsException: 8" when Java HTTP Client is trying to verify server certificate by using truststore.jks which contains only root CA, because of java.security libraries are trying to minimize/merge the constraints to apply, matching ipv4 name constraint of one intermediate CA with ipv6 name constraint of another intermediate CA, in a bad way.

      In essence, it finishes executing code similar to "Source code for an executable test case" attached.

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      1. Create server chain certificate with at least two intermediate CA's having x509v3 Name Constraints extensions of both IPv4 and IPv6 type.
      2. Boot web server using certificate created in previous step
      3. Create truststore.jks including only root CA of server certificate.
      4. Send secure https request from java client using truststore created in previous step

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      Server Response --> 200 OK
      ACTUAL -
      Caused by: java.lang.ArrayIndexOutOfBoundsException: 8
      at sun.security.x509.IPAddressName.constrains(IPAddressName.java:452) ~[?:1.8.0_275]
      at sun.security.x509.GeneralSubtrees.minimize(GeneralSubtrees.java:201) ~[?:1.8.0_275]
      at sun.security.x509.GeneralSubtrees.union(GeneralSubtrees.java:484) ~[?:1.8.0_275]
      at sun.security.x509.NameConstraintsExtension.merge(NameConstraintsExtension.java:357) ~[?:1.8.0_275]
      at sun.security.provider.certpath.ConstraintsChecker.mergeNameConstraints(ConstraintsChecker.java:208) ~[?:1.8.0_275]

      ---------- BEGIN SOURCE ----------
      byte[] ipv4 = new byte[8];
      for (int i=0;i<8;i++) ipv4[i]=0;
      IPAddressName ip1 = new IPAddressName(ipv4);

      byte[] ipv6 = new byte[32];
      for (int i=0;i<32;i++) ipv6[i]=0;
      IPAddressName ip2 = new IPAddressName(ipv6);

      ip1.constrains(ip2);
      ---------- END SOURCE ----------

      CUSTOMER SUBMITTED WORKAROUND :
      Insert intermediate CA's into truststore.jks

      FREQUENCY : always


      Attachments

        1. truststoreRootCA.jks
          1 kB
        2. server.pem
          7 kB
        3. server.key
          2 kB
        4. server.crt
          7 kB
        5. rootca.crt
          2 kB
        6. nginx.conf
          1 kB
        7. NameConstraints.java
          1 kB
        8. ca-bundle.pem
          2 kB

        Issue Links

          Activity

            People

              djelinski Daniel Jelinski
              webbuggrp Webbug Group
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: