JDK-6668231 : Presence of a critical subjectAltName causes JSSE's SunX509 to fail trusted checks
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 7
  • Priority: P2
  • Status: Closed
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2008-02-27
  • Updated: 2011-03-07
  • Resolved: 2011-03-07
  • Fixed in: 5.0u17, 6u10, 7 b26, OpenJDK6
Description
We should probably do something more intelligent with the presence of critical subjectAltNames. Although if the subject is really empty, we may not be able to do chaining correctly anyway. Need to check and see what we're really doing here.

The email thread is below:


Brad, what about using the PKIX TrustManagerFactory?

--Sean

V B Kumar Jayanti wrote:
> Hi Brad,
>
>    While interacting more with the Forum user he finally said "I worked around it", and so I asked him what the workaround was, and the reply was not so pleasing:
>
> "I succeeded trying certificate authentication on IBM WebSphere AS Community Edition using IBM Java5, so the bug I suppose is in Sun JSSE provider"
>
> http://forums.java.net/jive/thread.jspa?messageID=260939
>
> thanks.
>
> Brad Wetmore wrote:
>
>> cc'ing current JSSE team.
>>
>> I'm not 100% sure what our current behaviour on this is, but a quick glance at the code sure looks like even though we do understand/parse the subjectAltName in the X509 code, we just don't allow for critical subjectAltNames for TLS client authentications.  I don't recall why offhand, nor see a bug (open or closed).  If the subject field is empty and there is a subjectAltName, the extension does need to be marked critical.
>>
>> Gang, do you offhand remember why it was done this way?
>>
>> If this is indeed the current behaviour, then the best workaround is to provide your own X509TrustManager as was discussed in the thread you referenced, although I would suggest providing some actual code in the X509TrustManager, and not just returning on any input!  ;)
>>
>> brad
>>
>>
>>> V B Kumar Jayanti wrote:
>>>
>>>> Hi Sean,
>>>>
>>>>   It appears the X509TrustManager in the JDK does not support the SubjectAlternativeName extension? I have seen mailing list threads dating back to 2003 where this issue was reported by some user. Do we have some plan of supporting this, or is this really a low-priority item? Is there any workaround we can suggest to this user?
>>>>
>>>> regards,
>>>> kumar
>>>>
>>>>
>>>> ------------------------------------------------------------------------
>>>>
>>>> Subject:
>>>> Re: Client Certificate authentication
>>>> From:
>>>> ###@###.###
>>>> Date:
>>>> Wed, 13 Feb 2008 01:20:40 -0800 (PST)
>>>> To:
>>>> ###@###.###
>>>>
>>>>
>>>> Hi,
>>>>  Your reply seems to have the root cause info:
>>>>
>>>> java.security.cert.CertificateException: Certificate contains unsupported critical extensions : [2.5.29.17]
>>>>
>>>> I checked out that extension 2.5.29.17 stands for: SubjectAlternativeName.
>>>>
>>>> Now the JavaDoc for X509Extension (http://java.sun.com/j2se/1.4.2/docs/api/java/security/cert/X509Extension.html) says:
>>>>
>>>> "Each extension in a certificate/CRL may be designated as critical or non-critical. A certificate/CRL-using system (an application validating a certificate/CRL) must reject the certificate/CRL if it encounters a critical extension it does not recognize. A non-critical extension may be ignored if it is not recognized."
>>>>
>>>> Since the extension in your cert is marked critical and since it does not understand the extension, it rejected the cert.
>>>>
>>>> When I googled around, I found the following link where the person is talking about downloading the CA cert from a different location in order to obtain the CA cert without the extension.
>>>>
>>>> http://forum.springframework.org/showthread.php?t=42510
>>>>
>>>> Can you try this workaround?
>>>>
>>>> In the meantime I will investigate why the particular extension is unrecognized.
>>>> [Message sent by forum member 'kumarjayanti' (kumarjayanti)]
>>>>
>>>> http://forums.java.net/jive/thread.jspa?messageID=258670
>>>>
>>>>
>>>
>
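As an added example (not code from the bug report or from the JDK), the following Java class puts Sean's and Brad's suggestions together: it asks for the PKIX TrustManagerFactory instead of SunX509, and wraps the resulting trust manager in an X509TrustManager that delegates every decision and only adds diagnostics about a critical SubjectAltName (OID 2.5.29.17) on a rejected chain, rather than "just returning on any input". The class and method names are this example's own.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Wraps the PKIX trust manager: every decision is delegated, only diagnostics are added. */
public final class SanAwareTrustManager implements X509TrustManager {
    // OID of SubjectAlternativeName, the extension named in the exception quoted above.
    static final String SUBJECT_ALT_NAME_OID = "2.5.29.17";
    private final X509TrustManager delegate;

    private SanAwareTrustManager(X509TrustManager delegate) { this.delegate = delegate; }

    /** Builds the wrapper over PKIX for the given trust store (null = the JDK default cacerts). */
    static SanAwareTrustManager forTrustStore(KeyStore trustStore) throws Exception {
        // "PKIX" instead of "SunX509": the PKIX validator understands a critical SAN.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return new SanAwareTrustManager((X509TrustManager) tm);
            }
        }
        throw new IllegalStateException("no X509TrustManager from PKIX factory");
    }

    /** True when the certificate carries SubjectAltName marked critical. */
    static boolean hasCriticalSan(X509Certificate cert) {
        Set<String> critical = cert.getCriticalExtensionOIDs();
        return critical != null && critical.contains(SUBJECT_ALT_NAME_OID);
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        try {
            delegate.checkClientTrusted(chain, authType); // never a bare return: PKIX decides
        } catch (CertificateException e) {
            // Say whether a critical SAN was present so the real cause shows up in logs.
            throw new CertificateException("client chain rejected; critical SAN on leaf = "
                    + (chain.length > 0 && hasCriticalSan(chain[0])), e);
        }
    }

    @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { delegate.checkServerTrusted(chain, authType); }
    @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
}
```

Pass `new TrustManager[] { SanAwareTrustManager.forTrustStore(null) }` to `SSLContext.init` on the server side that requests client certificates.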

Comments
EVALUATION: The SubjectAltName critical extension should be supported by the validator.
28-03-2008