JDK-7018897 : CertPath validation cannot handle self-signed cert with bad KeyUsage
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 7
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2011-02-11
  • Updated: 2014-10-03
  • Resolved: 2011-06-07
Fix version: JDK 7 (7 b132, Fixed)
Description
b130 JCG PIT test failure.

In this build, we change the code about how to find the proper certificate issuer and the trust anchor. Yes, the update does impact the test.

The cause for the failure is that the keyUsage of the self-signed cert exists but does not contain keyCertSign. This was allowed before but rejected now.

The test should be updated to accommodate this behavior change.

>
> The case looks like this:
>
> 1. A self-signed cert with keyUsage Crl_Sign. It's added as a trust anchor.
>
> 2. It is also, by itself, a single-length CertPath.
>
> 3. This CertPath cannot be validated now.
>
> Exception in thread "main" java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
>     at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:208)
>     at java.security.cert.CertPathValidator.validate(CertPathValidator.java:279)
>     at A5.main(A5.java:32)
>
> It could be validated in jdk7b128.
>
> Test program and cert included below.
>
> --------------------------------------------------------------------------------
>
>
> import java.io.FileInputStream;
> import java.io.InputStream;
> import java.security.cert.*;
> import java.util.*;
>
> public class A5 {
>
>     public static void main(String[] args) throws Exception {
>         CertificateFactory cf = CertificateFactory.getInstance("X509");
>         CertPathValidator validator = CertPathValidator.getInstance("PKIX");
>         List<Certificate> certs = new ArrayList<>();
>         // /tmp/badku holds the self-signed cert whose keyUsage is cRLSign only
>         try (InputStream in = new FileInputStream("/tmp/badku")) {
>             for (Certificate c : cf.generateCertificates(in)) {
>                 certs.add(c);
>             }
>         }
>         // The path consists of that single cert ...
>         CertPath cp = cf.generateCertPath(certs);
>         // ... and the same cert is the only trust anchor.
>         Set<TrustAnchor> tas = new HashSet<>();
>         tas.add(new TrustAnchor((X509Certificate) certs.get(0), null));
>         PKIXParameters pkixParameters = new PKIXParameters(tas);
>         pkixParameters.setRevocationEnabled(false);
>         // Fails on b130 with "Path does not chain with any of the trust anchors"
>         validator.validate(cp, pkixParameters);
>     }
> }

Comments
SUGGESTED FIX: Remove the KeyUsage check on the trust anchor.
13-02-2011

EVALUATION: The keyUsage does not have keyCertSign because it's not a CA cert and is not used to sign another cert. Is it illegal to put an end-entity cert into trust anchors directly?
11-02-2011
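To make the issuer-selection rule concrete, the following is an added Python model of the check that b130 applied to trust anchors and that the suggested fix removes; it is not the JDK's code and not the reporter's test program. Signature verification, validity dates and name constraints are omitted, and the certificates are constructed stand-ins that mirror the badku cert (self-signed, KeyUsage = cRLSign only).

```python
# Model of the PKIX issuer-selection rule behind JDK-7018897 (not the JDK's code).
# Only "may this certificate act as issuer of the next one" is modelled.
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional

KEY_CERT_SIGN = "keyCertSign"
CRL_SIGN = "cRLSign"


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key_usage: Optional[FrozenSet[str]] = None  # None = no KeyUsage extension


def can_sign_certs(cert: Cert) -> bool:
    # RFC 5280 4.2.1.3 / 6.1.4 (n): if KeyUsage is present, keyCertSign must be set
    # for the certificate to be accepted as the signer of another certificate.
    return cert.key_usage is None or KEY_CERT_SIGN in cert.key_usage


def find_anchor(cert: Cert, anchors: Iterable[Cert], strict_anchor: bool) -> Optional[Cert]:
    for anchor in anchors:
        if anchor.subject != cert.issuer:
            continue
        # b130 behaviour: an anchor whose KeyUsage lacks keyCertSign was refused as issuer.
        # The fix drops this for anchors; anchor data is trusted input, not validated.
        if strict_anchor and not can_sign_certs(anchor):
            continue
        return anchor
    return None


def validate(path: List[Cert], anchors: Iterable[Cert], strict_anchor: bool = False) -> str:
    # path is ordered end-entity first, as in a Java PKIX CertPath; returns "ok" or the reason.
    for i, cert in enumerate(path):
        if i + 1 < len(path):
            issuer = path[i + 1]
            if issuer.subject != cert.issuer:
                return f"{cert.subject}: issuer {cert.issuer!r} is not {issuer.subject!r}"
            if not can_sign_certs(issuer):  # still enforced for every CA inside the path
                return f"{issuer.subject}: KeyUsage present without keyCertSign"
        elif find_anchor(cert, anchors, strict_anchor) is None:
            return "Path does not chain with any of the trust anchors"
    return "ok"


# Constructed sample data mirroring the report (hypothetical names, not the real cert).
BADKU = Cert("CN=badku", "CN=badku", frozenset({CRL_SIGN}))
LEAF = Cert("CN=leaf", "CN=badku", None)
```

Running validate([BADKU], [BADKU]) with strict_anchor=True reproduces the b130 rejection, while the same call without it accepts the single-element path; placing BADKU inside the path as LEAF's issuer is still rejected, because the in-path keyCertSign check is unchanged by the fix.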