JDK-8311546

Certificate name constraints improperly validated with leading period


    • b23
    • generic
    • generic
    • Verified

        A DESCRIPTION OF THE PROBLEM :
        When a CA certificate contains a name constraint that begins with a period, `.`, an end entity certificate will be improperly rejected with `java.security.cert.CertPathValidatorException: name constraints check failed`.

        STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
        Create a CA certificate with `nameConstraints = critical,permitted;DNS:.example.com`
        Sign a certificate for `demo.example.com` with the CA
        Load CA certificate into keystore / as a TrustAnchor directly
        Attempt to validate end entity certificate

        EXPECTED VERSUS ACTUAL BEHAVIOR :
        EXPECTED -
        Certificate validates successfully
        ACTUAL -
        `java.security.cert.CertPathValidatorException: name constraints check failed` is thrown

        ---------- BEGIN SOURCE ----------
        See attached zip file.
        ---------- END SOURCE ----------

        FREQUENCY : always
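
A minimal harness for the last two reproduction steps (load the CA as a `TrustAnchor`, validate the end entity certificate), added here as an example; it is not the attachment referenced in the report and not JDK test code. It assumes the certificates from the first two steps are passed as file paths (hypothetical names `ca.pem` and `leaf.pem`); the class name is also made up.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Set;

public class NameConstraintCheck {
    // Reads one X.509 certificate (PEM or DER) from the given file.
    static X509Certificate load(CertificateFactory cf, String file) throws Exception {
        try (InputStream in = Files.newInputStream(Path.of(file))) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed inputs: args[0] = CA certificate, args[1] = end entity certificate.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate ca = load(cf, args[0]);
        X509Certificate leaf = load(cf, args[1]);

        // 2.5.29.30 is the nameConstraints extension OID; confirm the inputs are the intended pair.
        System.out.println("CA has nameConstraints: " + (ca.getExtensionValue("2.5.29.30") != null));
        System.out.println("Leaf SANs: " + leaf.getSubjectAlternativeNames());

        // The CA certificate is the trust anchor; the path holds only the end entity certificate.
        TrustAnchor anchor = new TrustAnchor(ca, null);
        PKIXParameters params = new PKIXParameters(Set.of(anchor));
        params.setRevocationEnabled(false); // a throwaway test CA publishes no CRL or OCSP

        CertPath path = cf.generateCertPath(List.of(leaf));
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            System.out.println("PASS: certification path validated");
        } catch (CertPathValidatorException e) {
            // Print the failing position and reason so the two CA variants can be compared.
            System.out.println("FAIL: " + e.getMessage()
                    + " (reason=" + e.getReason() + ", index=" + e.getIndex() + ")");
            System.exit(1);
        }
    }
}
```

Run it with `java NameConstraintCheck.java ca.pem leaf.pem` on Java 11 or later. Repeating the run with a CA whose constraint is `DNS:example.com` (no leading period) isolates the leading period as the variable.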


              bperez Ben Perez
              webbuggrp Webbug Group