JDK-8315975

Adopt de-facto standards on x509 Name Constraints with leading dot


A DESCRIPTION OF THE PROBLEM:
A CA certificate may include name constraints as per RFC 5280, section 4.2.1.10. The RFC does, however, leave the subject of leading dots undefined, which has led major browsers, OpenSSL, testssl and other X.509 implementations to extend/adopt a de-facto standard that allows constraints with leading dots. This way a CA can be more specific in being valid for *.example.com subdomains yet still not match example.com itself.

I believe Java would need to adjust
https://github.com/openjdk/jdk/blob/master/src/java.base/share/classes/sun/security/x509/DNSName.java#L245
to check either, and only either, charAt(ndx-1) or charAt(ndx) to be a '.'.

Similar fix and good discussion:
https://github.com/golang/go/issues/16347 (this links to the OpenSSL fix too)

Leading-dot examples, good comments by Adam and Vadim @2022-06-22:
https://www.sysadmins.lv/blog-en/x509-name-constraints-certificate-extension-all-you-should-know.aspx

I'm able to assist with testing or provide signed test certs + CAs, if you find that convenient.
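The leading-dot rule described above, written out as an added example in Go. This is not JDK code, not the proposed change to DNSName.java, and not the patch from the linked Go issue: DNSNameConstrains is a stand-alone implementation of the de-facto semantics (it also normalises case and a trailing dot, which goes slightly beyond the report), and VerifyUnderConstraint builds a throw-away constrained CA with Go's crypto/x509 to show that Go's verifier already accepts www.example.com but rejects example.com under a ".example.com" permittedSubtree. The CA name, serial numbers, Ed25519 keys and the example.com hostnames are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// DNSNameConstrains applies the de-facto rule for a dNSName subtree: "example.com"
// matches example.com and all of its subdomains, while ".example.com" matches the
// subdomains only, never example.com itself. Label-aligned, case-insensitive.
func DNSNameConstrains(constraint, name string) bool {
	c := strings.ToLower(strings.TrimSuffix(constraint, "."))
	n := strings.ToLower(strings.TrimSuffix(name, "."))
	if strings.HasPrefix(c, ".") {
		// Leading dot: name must be strictly longer than the constraint and end
		// with it; the constraint's own dot is the label boundary.
		return len(n) > len(c) && strings.HasSuffix(n, c)
	}
	// No leading dot: the apex itself, or a subdomain separated by a dot.
	return n == c || strings.HasSuffix(n, "."+c)
}

func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyUnderConstraint builds a throw-away Ed25519 CA whose permittedSubtrees
// hold only the given dNSName, issues a leaf for leafName under it, and returns
// the outcome of Go's crypto/x509 chain verification (nil means accepted).
func VerifyUnderConstraint(constraint, leafName string) error {
	caPub, caKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	leafPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constrained Test CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
		PermittedDNSDomains:   []string{constraint},
	}
	ca, err := issue(caTmpl, caTmpl, caPub, caKey) // self-signed root
	if err != nil {
		return err
	}
	leaf, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: leafName},
		DNSNames:     []string{leafName},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, leafPub, caKey)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots})
	return err
}

// IsNameConstraintViolation reports whether err is specifically a name-constraints rejection.
func IsNameConstraintViolation(err error) bool {
	var inv x509.CertificateInvalidError
	return errors.As(err, &inv) && inv.Reason == x509.CANotAuthorizedForThisName
}

func main() {
	for _, tc := range []struct{ constraint, name string }{
		{".example.com", "www.example.com"}, // subdomain: permitted
		{".example.com", "example.com"},     // apex: rejected under the de-facto rule
		{"example.com", "example.com"},      // no leading dot: apex permitted
		{"example.com", "notexample.com"},   // shares a suffix but not a label boundary
	} {
		err := VerifyUnderConstraint(tc.constraint, tc.name)
		fmt.Printf("constraint %-14q name %-18q rule=%-5t x509.Verify=%-5t %v\n",
			tc.constraint, tc.name, DNSNameConstrains(tc.constraint, tc.name), err == nil, err)
	}
}
```

The fourth case is the one that matters for the proposed charAt check: "notexample.com" ends with "example.com" as a string, so a suffix comparison that does not anchor on a dot (either the constraint's own leading dot or a dot in the name immediately before the suffix) would wrongly accept it.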


Assignee: Unassigned
Reporter: Webbug Group (webbuggrp)