JDK-6238093 : Converting a certificate chain in PKCS7 format to an Ordered CertPath of X509
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 5.0
  • Priority: P2
  • Status: Closed
  • Resolution: Not an Issue
  • OS: windows_xp
  • CPU: x86
  • Submitted: 2005-03-09
  • Updated: 2010-04-02
  • Resolved: 2005-04-15
Description
Java Version:
java version "1.5.0"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0-b64)
Java HotSpot(TM) Client VM (build 1.5.0-b64, mixed mode)

Operating SYSTEM:
Windows XP
-------------------------------------------------------------------------
The customer is trying to use the JDK CertPath API to convert a certificate chain
in PKCS7 format to an ordered CertPath of X509 certificates.
 
We used the SUN X509 CertificateFactory implementation and noticed that
the certificates in the generated CertPath are not ordered.  However,
the JDK CertPath programmer's guide indicates that the SUN X509
CertificateFactory should return an ordered CertPath.
###@###.### 2005-03-09 11:13:37 GMT

Comments
EVALUATION

PKCS7 format is not guaranteed to be ordered, and the X509Factory only reads from an InputStream or a list of Certificates and never does the sorting work. I think this is because the CertPath class accepts an unordered (even unorderable) certificate list as a valid object. Maybe we need to add a method like: public CertPath sortAs() throws UnsortableException, or do some simple sort inside the constructor.
###@###.### 2005-03-09 15:03:34 GMT
###@###.### 2005-03-10 01:09:13 GMT

This is not a bug. PKCS7 does not preserve the ordering of certificates (it is a SET OF). See the warning under CertPath Encodings at:
http://java.sun.com/j2se/1.5.0/docs/guide/security/certpath/CertPathProgGuide.html#AppA
See the workaround section for a workaround.
###@###.### 2005-03-11 22:47:19 GMT
09-03-2005

WORK AROUND

Use the "PkiPath" format, which preserves the order.
###@###.### 2005-03-11 22:47:19 GMT

Here is another workaround if the "PkiPath" format cannot be used: Use a "PKIX" CertPathBuilder to reorder and validate the collection of certs contained in the PKCS7 encoded data:

    // Re-read the (unordered) PKCS7 bag as a plain collection of certificates
    byte[] pkcs7 = certPathFromCerts.getEncoded("PKCS7");
    Collection<? extends Certificate> certs =
        factory.generateCertificates(new ByteArrayInputStream(pkcs7));

    // Expose the collection to the builder as a "Collection" CertStore
    CollectionCertStoreParameters ccs = new CollectionCertStoreParameters(certs);
    CertStore cs = CertStore.getInstance("Collection", ccs);

    // Build a path from the signer's certificate up to a trust anchor in keyStore
    CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
    X509CertSelector targetConstraints = new X509CertSelector();
    targetConstraints.setCertificate(signerCert);
    PKIXBuilderParameters params = new PKIXBuilderParameters(keyStore, targetConstraints);
    params.addCertStore(cs);
    params.setRevocationEnabled(false); // set to true to check revocation

    // The resulting CertPath is ordered (target first) and has been validated
    CertPathBuilderResult res = cpb.build(params);
    CertPath cp = res.getCertPath();

###@###.### 2005-04-15 13:02:10 GMT
09-03-2005
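The complete version of the second workaround, as an added example that is not part of the original report or of the JDK: it reads a PKCS7 certificate bag and a trust-anchor certificate from two file paths given on the command line (both paths are assumptions), picks the end-entity certificate by finding the one no other certificate in the bag issued, lets the PKIX CertPathBuilder produce the ordered and validated path, and then round-trips the result through the "PkiPath" encoding to show that encoding keeps the order. It assumes a current JDK (generics, try-with-resources); the class and helper names are illustrative.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.*;
import java.util.*;
import javax.security.auth.x500.X500Principal;

public class OrderedChainFromPkcs7 {

    /** Pick the end-entity certificate: the one whose subject issued no other cert in the bag. */
    static X509Certificate findLeaf(Collection<X509Certificate> certs) {
        Set<X500Principal> issuers = new HashSet<>();
        for (X509Certificate c : certs) {
            issuers.add(c.getIssuerX500Principal());
        }
        X509Certificate leaf = null;
        for (X509Certificate c : certs) {
            if (!issuers.contains(c.getSubjectX500Principal())) {
                if (leaf != null) {
                    throw new IllegalArgumentException("more than one end-entity certificate in the bag");
                }
                leaf = c;
            }
        }
        if (leaf == null) {
            throw new IllegalArgumentException("no end-entity certificate found (only self-signed certs or a loop)");
        }
        return leaf;
    }

    /**
     * Turn an unordered PKCS7 bag into an ordered, validated CertPath
     * (target first, trust anchor excluded) chaining to the given root.
     */
    static CertPath orderedPath(byte[] pkcs7, X509Certificate root, boolean checkRevocation) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");

        // generateCertificates accepts a PKCS7 SignedData "cert bag"; order is not guaranteed
        List<X509Certificate> certs = new ArrayList<>();
        for (Certificate c : cf.generateCertificates(new ByteArrayInputStream(pkcs7))) {
            certs.add((X509Certificate) c);
        }

        // Target = the leaf; the builder walks issuer links from here up to a trust anchor
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(findLeaf(certs));

        // Trust only the explicitly supplied root, not the bag's own self-signed certificates
        Set<TrustAnchor> anchors = Collections.singleton(new TrustAnchor(root, null));
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(certs)));
        params.setRevocationEnabled(checkRevocation); // false matches the report; use true in production

        CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
        PKIXCertPathBuilderResult res = (PKIXCertPathBuilderResult) cpb.build(params);
        return res.getCertPath();
    }

    public static void main(String[] args) throws Exception {
        // args[0]: PKCS7 file (DER or PEM), args[1]: DER/PEM trust-anchor certificate (assumed inputs)
        byte[] pkcs7 = Files.readAllBytes(Paths.get(args[0]));
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate root;
        try (InputStream in = new FileInputStream(args[1])) {
            root = (X509Certificate) cf.generateCertificate(in);
        }

        CertPath cp = orderedPath(pkcs7, root, false);
        for (Certificate c : cp.getCertificates()) {
            System.out.println(((X509Certificate) c).getSubjectX500Principal());
        }

        // PkiPath is a SEQUENCE OF, so encoding and re-parsing keeps the order; PKCS7 (a SET OF) need not
        byte[] pkiPath = cp.getEncoded("PkiPath");
        CertPath again = cf.generateCertPath(new ByteArrayInputStream(pkiPath), "PkiPath");
        System.out.println("PkiPath round-trip preserved order: "
                + cp.getCertificates().equals(again.getCertificates()));
    }
}
```

Because the builder validates as it orders, a bag that contains an expired intermediate, a certificate that does not chain to the supplied root, or no usable leaf fails with a CertPathBuilderException (or the IllegalArgumentException from findLeaf) rather than silently yielding a misordered path. Passing the trust anchor explicitly, instead of trusting whichever self-signed certificate happens to be in the PKCS7 data, is what makes the result meaningful.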