Type: Enhancement
Resolution: Unresolved
Priority: P4
None
None
generic
generic
A DESCRIPTION OF THE PROBLEM :
The library allows an empty DirectoryString (e.g., " ") in the distinguished name structures of the Issuer and Subject names (not RFC 5280 compliant).
It should not allow 0 (zero) as a certificate serial number. RFC 5280 says, "The serial number MUST be a positive integer assigned by the CA to each certificate... CAs MUST force the serialNumber to be a non-negative integer... Non-conforming CAs may issue certificates with serial numbers that are negative or zero. Certificate users SHOULD be prepared to gracefully handle such certificates."
When the input list of certificates does not contain the trust anchor's certificate, this library fails to find a trusted path. However, in such scenarios we expect chain building to prioritize finding a certificate for the issuing CA in the trusted root store.
It permits random bytes for certain extensions (e.g., certificate policies, subject alternative name).
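The checks a caller can layer on top of the JDK's own parsing, as an added example that is not part of this report or of the JDK: a positive-serial check, a scan of the issuer and subject RDNs for blank DirectoryString values, forcing the typed extension accessors to decode, and a CertPathBuilder run whose anchor is resolved from a trust store rather than from the supplied certificate list. The class name, the command-line layout (chain file, trust store, optional password) and the use of "Collection" CertStore for the peer-supplied intermediates are assumptions; the java.security.cert and javax.naming.ldap calls are standard JDK API.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.math.BigInteger;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

/**
 * Added illustration, not JDK code. Re-checks the points raised in the
 * description after CertificateFactory has accepted a certificate.
 */
public class X509Lint {

    /** RFC 5280 4.1.2.2: serialNumber MUST be a positive integer (and at most 20 octets). */
    static void checkSerial(X509Certificate c) throws CertificateException {
        BigInteger sn = c.getSerialNumber();
        if (sn.signum() <= 0) {
            throw new CertificateException("serial number is not positive: " + sn);
        }
        if (sn.toByteArray().length > 20) {
            throw new CertificateException("serial number longer than 20 octets");
        }
    }

    /** Reject RDN attribute values that are empty or whitespace-only (empty DirectoryString). */
    static void checkName(X500Principal p, String label) throws CertificateException {
        try {
            // RFC 2253 form escapes leading/trailing spaces; Rdn.getValue() unescapes them again.
            for (Rdn rdn : new LdapName(p.getName(X500Principal.RFC2253)).getRdns()) {
                Object v = rdn.getValue();
                if (v instanceof String && ((String) v).trim().isEmpty()) {
                    throw new CertificateException(label + " DN has an empty " + rdn.getType() + " value");
                }
            }
        } catch (InvalidNameException e) {
            throw new CertificateException(label + " DN is not parsable", e);
        }
    }

    /**
     * The typed accessors decode their extension lazily and throw
     * CertificateParsingException on malformed contents, so call them eagerly.
     * certificatePolicies (2.5.29.32) has no typed accessor; decode it separately if needed.
     */
    static void checkExtensions(X509Certificate c) throws CertificateException {
        try {
            c.getSubjectAlternativeNames();   // 2.5.29.17
            c.getIssuerAlternativeNames();    // 2.5.29.18
            c.getExtendedKeyUsage();          // 2.5.29.37
        } catch (CertificateParsingException e) {
            throw new CertificateException("malformed extension: " + e.getMessage(), e);
        }
        if (c.hasUnsupportedCriticalExtension()) {
            throw new CertificateException("unrecognized critical extension present");
        }
    }

    /**
     * Build a path to an anchor taken from the trust store. The anchor does not
     * have to be in 'supplied'; only the intermediates are expected there.
     */
    static CertPath buildPath(X509Certificate leaf, List<X509Certificate> supplied,
                              KeyStore trustStore) throws Exception {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(leaf);
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, target);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(supplied)));
        params.setRevocationEnabled(false); // revocation checking is out of scope here
        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
        PKIXCertPathBuilderResult r = (PKIXCertPathBuilderResult) builder.build(params);
        return r.getCertPath();
    }

    /** Assumed usage: java X509Lint chain.pem cacerts [password] */
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[0])) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[1])) {
            ts.load(in, args.length > 2 ? args[2].toCharArray() : null);
        }
        for (X509Certificate c : chain) {
            checkSerial(c);
            checkName(c.getSubjectX500Principal(), "subject");
            checkName(c.getIssuerX500Principal(), "issuer");
            checkExtensions(c);
        }
        CertPath path = buildPath(chain.get(0), chain, ts);
        System.out.println("built path of length " + path.getCertificates().size());
    }
}
```

The chain file is expected to hold the end-entity certificate first, followed by any intermediates; the root is deliberately left out so that the builder has to take it from the trust store, which is the scenario the third point above describes.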
relates to: JDK-8054537 sun.security.x509.SerialNumber constructor should not accept negative numbers (Closed)