JDK-8311546

Certificate name constraints improperly validated with leading period

Details

    • b23
    • generic
    • generic
    • Verified

    Description

      A DESCRIPTION OF THE PROBLEM :
      When a CA certificate contains a name constraint that begins with a period, `.`, an end entity certificate will be improperly rejected with `java.security.cert.CertPathValidatorException: name constraints check failed`.

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      Create a CA certificate with `nameConstraints = critical,permitted;DNS:.example.com`
      Sign a certificate for `demo.example.com` with the CA
      Load CA certificate into keystore / as a TrustAnchor directly
      Attempt to validate end entity certificate

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      Certificate validates successfully
      ACTUAL -
      `java.security.cert.CertPathValidatorException: name constraints check failed` is thrown

      ---------- BEGIN SOURCE ----------
      See attached zip file.
      ---------- END SOURCE ----------

      FREQUENCY : always
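
Steps 1 and 2 above as a script, added here as an example (it is not the reporter's attached zip and not JDK code). It assumes OpenSSL is on the PATH; the file names and the CA subject are constructed. The resulting `ca.pem` and `leaf.pem` are the inputs for steps 3 and 4 on the JDK side.

```shell
#!/bin/sh
# Constructed fixtures for the reproduction: a CA with the leading-period
# name constraint and a leaf for demo.example.com signed by it.
set -e

make_fixtures() {
    dir=$1
    cat > "$dir/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Constructed Test CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
nameConstraints = critical,permitted;DNS:.example.com
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:demo.example.com
EOF
    # Step 1: self-signed CA carrying the name constraint from the report.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -config "$dir/pki.cnf" -extensions ca_ext \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    # Step 2: end-entity certificate for demo.example.com, signed by that CA.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/pki.cnf" \
        -subj "/CN=demo.example.com" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -days 2 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/pki.cnf" -extensions leaf_ext \
        -out "$dir/leaf.pem" 2>/dev/null
}

# Show the name constraint exactly as it was encoded in the CA certificate.
ca_constraint() {
    openssl x509 -in "$1/ca.pem" -noout -text | grep -A2 'Name Constraints'
}

# Cross-check the pair with OpenSSL's own path validation (status 0 = valid).
openssl_accepts() {
    openssl verify -CAfile "$1/ca.pem" "$1/leaf.pem" >/dev/null 2>&1
}

work=$(mktemp -d)
make_fixtures "$work"
ca_constraint "$work"
openssl_accepts "$work" && echo "openssl verify: leaf accepted"
echo "fixtures written to $work"
```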


            People

              bperez Ben Perez
              webbuggrp Webbug Group