Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8025708

Certificate Path Building problem with AKI serial number

    XMLWordPrintable

    Details

    • Subcomponent:
    • Resolved In Build:
      b04
    • OS:
      generic
    • Verification:
      Verified

      Backports

        Description

        FULL PRODUCT VERSION :
        java version " 1.7.0_17 "
        Java(TM) SE Runtime Environment (build 1.7.0_17-b02)
        Java HotSpot(TM) Client VM (build 23.7-b01, mixed mode)


        ADDITIONAL OS VERSION INFORMATION :
        Microsoft Windows [Version 6.1.7601]

        A DESCRIPTION OF THE PROBLEM :
        If an end entity certificate has an AKI extension with a key identifier and serial number and the issuing (subordinate, untrusted) certificate does not have a serial number in its AKI extension, just the key identifier, then the default cert path builder cannot build a path to the trusted root certificate.

        STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
        Create a 3 tier PKI Hierarchy (Root, Subordinate, EndEntity). Give the EndEntity certificates a AKI extension with a key identifier and the Serial number of the Subordinate. Give the subordinate an AKI extension with a key identifier but do not include the serial number (of the root) in it. Place the Root in a KeyStore (therefore trusted). Place the Subordinate in a cert store. Try and build a certfication path for the EndEntity using CertPathBuilder (with default provider type).

        EXPECTED VERSUS ACTUAL BEHAVIOR :
        EXPECTED -
        A certification Path should be built.
        ACTUAL -
         It will fail. Enabling debugging seems to indicate that the reason that the path is not built is that the serial number on the subordinate does not match what is expected.

        ERROR MESSAGES/STACK TRACES THAT OCCUR :
        Failure case:

        certpath: ForwardBuilder.getMatchingCerts()...
        certpath: ForwardBuilder.getMatchingCACerts()...
        certpath: X509CertSelector.match(SN: 1
          Issuer: CN=Test Root Certification Authority, O=GOV, C=AU
          Subject: CN=Test Root Certification Authority, O=GOV, C=AU)
        certpath: X509CertSelector.match: serial numbers don't match

        Using an End Entity cert that does not have the serial number is its AKI:
        certpath: SunCertPathBuilder.depthFirstSearchForward(CN=Test Root Certification Authority, O=GOV, C=AU, State [
          issuerDN of last cert: CN=Test Root Certification Authority, O=GOV, C=AU
          traversedCACerts: 1
          init: false
          keyParamsNeeded: false
          subjectNamesTraversed:

        certpath: ForwardBuilder.getMatchingCerts()...
        certpath: ForwardBuilder.getMatchingCACerts()...
        certpath: X509CertSelector.match(SN: 1
          Issuer: CN=Test Root Certification Authority, O=GOV, C=AU
          Subject: CN=Test Root Certification Authority, O=GOV, C=AU)
        certpath: X509CertSelector.match returning: true

        REPRODUCIBILITY :
        This bug can be reproduced always.

        CUSTOMER SUBMITTED WORKAROUND :
        If the subordinate is put into the keystore (i.e. trusted) then the problem does not occur

          Attachments

            Issue Links

              Activity

                People

                Assignee:
                mullan Sean Mullan
                Reporter:
                coffeys Sean Coffey
                Votes:
                1 Vote for this issue
                Watchers:
                5 Start watching this issue

                  Dates

                  Created:
                  Updated:
                  Resolved: