-
Bug
-
Resolution: Fixed
-
P3
-
8, 11, 17, 20, 21
-
b23
-
generic
-
generic
-
Verified
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8350054 | 21.0.8-oracle | Konanki Sreenath | P3 | Open | Unresolved | |
JDK-8348065 | 21.0.7 | Aleksey Shipilev | P3 | Resolved | Fixed | b01 |
JDK-8350055 | 17.0.16-oracle | Konanki Sreenath | P3 | Open | Unresolved | |
JDK-8348062 | 17.0.15 | Aleksey Shipilev | P3 | Resolved | Fixed | b01 |
When a CA certificate contains a name constraint that begins with a period, `.`, an end entity certificate will be improperly rejected with `java.security.cert.CertPathValidatorException: name constraints check failed`.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Create a CA certificate with `nameConstraints = critical,permitted;DNS:.example.com`
Sign a certificate for `demo.example.com` with the CA
Load CA certificate into keystore / as a TrustAnchor directly
Attempt to validate end entity certificate
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Certificate validates successfully
ACTUAL -
`java.security.cert.CertPathValidatorException: name constraints check failed` is thrown
---------- BEGIN SOURCE ----------
See attached zip file.
---------- END SOURCE ----------
FREQUENCY : always
- backported by
-
JDK-8350054 Certificate name constraints improperly validated with leading period
-
- Open
-
-
JDK-8350055 Certificate name constraints improperly validated with leading period
-
- Open
-
-
JDK-8348062 Certificate name constraints improperly validated with leading period
-
- Resolved
-
-
JDK-8348065 Certificate name constraints improperly validated with leading period
-
- Resolved
-
- duplicates
-
JDK-8317848 Check "name constraint" returns false for valid sub-domain
-
- Closed
-
-
JDK-8315975 Adopt de-facto standards on x509 Name Constraints with leading dot
-
- Closed
-
- relates to
-
JDK-8347424 Fix and rewrite sun/security/x509/DNSName/LeadingPeriod.java test
-
- Resolved
-
-
JDK-8320372 test/jdk/sun/security/x509/DNSName/LeadingPeriod.java validity check failed
-
- Resolved
-
- links to
-
Commit openjdk/jdk/bfaf5704
-
Commit(master) openjdk/jdk17u-dev/d2fb8c27
-
Commit(master) openjdk/jdk21u-dev/99a92991
-
Review openjdk/jdk/16295
-
Review(master) openjdk/jdk17u-dev/3149
-
Review(master) openjdk/jdk21u-dev/1268