JDK-4081564

can't parse Verisign, Nortel X509v3 certificates

Details

    • 1.2beta2
    • sparc
    • solaris_2.5.1
    • Not verified

    Description

      Due to several problems with extended attributes, sun.security.x509.X509CertImpl and its helper classes cannot parse Verisign certificates, which occur in Netscape signed jar signatures. There are similar problems parsing Nortel certificates.

      The problems are:

      1. Constructor BasicConstraints(Boolean, Object) throws an exception when
          both (optional) fields of a BasicConstraints extended attribute are missing.
          (Field val.data of DerValue val is unexpectedly null.)

      2. KeyUsageExtension(Boolean, Object) rejects a KeyUsage extension if it is
         marked noncritical. Similarly for one case of a BasicConstraints
         extended attribute. (The latest PKIX draft recommends that KeyUsage be
         marked critical and requires that BasicConstraints be marked critical.)

      3. A number of noncritical extended attributes with unrecognized OIDs are
         rejected. Some of these are Netscape or Microsoft

      4. Parsing a KeyUsage extended attribute containing a BIT
         STRING whose length is not a multiple of 8 returns an unexpected null.
         (See bug 4081538).

      The Nortel certificate also failed to parse because it contained several extended attributes with unrecognized OIDs, one of them marked critical. These OIDs were all in the id-ce (2.5.29.xxx) OID class used in X.509 revision documents, so probably we should recognize them.
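
An added example, not code from the JDK or from this bug report: a minimal Java decoder for the extension payloads behind items 1 and 4, showing that an empty BasicConstraints SEQUENCE and a KeyUsage BIT STRING whose bit count is not a multiple of 8 are both valid DER. The class and method names are hypothetical, the sample bytes are constructed, and only short-form DER lengths are handled.

```java
import java.util.Arrays;

public class ExtensionEdgeCases {
    /** BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }.
     *  Returns { cA as 0 or 1, pathLen or -1 when absent }. */
    static int[] parseBasicConstraints(byte[] der) {
        if (der.length < 2 || der[0] != 0x30 || (der[1] & 0xff) != der.length - 2)
            throw new IllegalArgumentException("not a short-form SEQUENCE");
        int pos = 2, ca = 0, pathLen = -1;           // defaults apply when a field is absent
        if (pos + 2 < der.length && der[pos] == 0x01 && der[pos + 1] == 1) {  // optional BOOLEAN
            ca = der[pos + 2] != 0 ? 1 : 0;
            pos += 3;
        }
        if (pos + 2 < der.length && der[pos] == 0x02) {                      // optional INTEGER
            int len = der[pos + 1];
            if (len < 1 || len > 3 || pos + 2 + len > der.length || der[pos + 2] < 0)
                throw new IllegalArgumentException("bad pathLenConstraint");
            pathLen = 0;
            for (int i = 0; i < len; i++) pathLen = (pathLen << 8) | (der[pos + 2 + i] & 0xff);
            pos += 2 + len;
        }
        if (pos != der.length) throw new IllegalArgumentException("unexpected data in SEQUENCE");
        return new int[] { ca, pathLen };
    }

    /** KeyUsage ::= BIT STRING. The first content octet counts the unused bits of the last octet. */
    static boolean[] parseKeyUsage(byte[] der) {
        if (der.length < 3 || der[0] != 0x03 || (der[1] & 0xff) != der.length - 2)
            throw new IllegalArgumentException("not a short-form BIT STRING");
        int unused = der[2] & 0xff;
        if (unused > 7 || (unused > 0 && der.length == 3))
            throw new IllegalArgumentException("bad unused-bit count");
        boolean[] bits = new boolean[(der.length - 3) * 8 - unused];
        for (int i = 0; i < bits.length; i++)        // bit 0 is the most significant bit
            bits[i] = (der[3 + i / 8] & (0x80 >> (i % 8))) != 0;
        return bits;
    }

    public static void main(String[] args) {
        // Constructed sample encodings, not taken from any real certificate.
        byte[] emptyBc = { 0x30, 0x00 };             // item 1: both optional fields absent
        byte[] caBc = { 0x30, 0x06, 0x01, 0x01, (byte) 0xff, 0x02, 0x01, 0x03 };
        byte[] ku = { 0x03, 0x02, 0x05, (byte) 0xa0 };  // item 4: 3-bit string, 5 unused bits
        System.out.println(Arrays.toString(parseBasicConstraints(emptyBc)));
        System.out.println(Arrays.toString(parseBasicConstraints(caBc)));
        System.out.println(Arrays.toString(parseKeyUsage(ku)));
    }
}
```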

          People

            hprafullsunw Hemlata Prafullchandra (Inactive)
            duke J. Duke