JDK-7113275 : compatibility issue with MD2 trust anchor and old X509TrustManager
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 7
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2011-11-18
  • Updated: 2016-04-29
  • Resolved: 2011-11-29
The Version table provides details about the release in which this issue/RFE will be addressed.

Unresolved: Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed: Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

Version table:
  • 6u115: Fixed
  • 7u4: Fixed
  • 8 b15: Fixed
In JDK 7, we have two types of trust managers, X509TrustManager and X509ExtendedTrustManager. X509ExtendedTrustManager was introduced in JDK 7 in order to support TLS 1.2. The Oracle provider uses X509ExtendedTrustManager in JDK 7. Applications may still use X509TrustManager as the superclass of their customized trust managers. For compatibility, we have to wrap these trust managers in an X509ExtendedTrustManager so that they can work with TLS 1.2.

Additional constraints checks may be performed by the customized trust manager. But some other customized trust managers may not perform the constraints check in their implementation. So we may need the additional checking to ensure that the wrapped trust manager also does the constraints checking properly, even though it may already have been done in the customized trust manager.

The issue here is that for a customized trust manager, we also check the constraints for trust anchors. So when a trust anchor is signed with the MD2 algorithm, it will be denied by the wrapped trust manager.

Passed verification based on the 8 promoted test results:
  • sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/MD2InTrustAnchor.java: passed in all builds
  • sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/TrustTrustedCert.java: failed in B14 and before, passed in B15 and after

EVALUATION This error message will now be seen under these conditions: "Certificates does not conform to algorithm constraints". In practice you may see something like this:

javax.script.ScriptException: sun.org.mozilla.javascript.internal.WrappedException: Wrapped javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints (*******#89) in ******* at line number 89

EVALUATION Do not check the constraints for trust anchors.
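As an added illustration (not the JDK's own wrapper and not code from this report), the following class has the shape the description discusses: it adapts a legacy X509TrustManager to the TLS 1.2 X509ExtendedTrustManager API, delegates to it, and then applies a signature-algorithm policy that exempts a trailing chain element matching one of the accepted issuers, which is the trust-anchor exemption the evaluation calls for. The class name and the DISALLOWED_SIG_ALGS policy are constructed for the example.

```java
import java.net.Socket;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509TrustManager;

/** Illustrative wrapper, not the JDK's own: adapts a legacy X509TrustManager to the
 *  TLS 1.2 trust-manager API and adds an algorithm-constraints check that skips the anchor. */
public final class ConstrainedTrustManagerWrapper extends X509ExtendedTrustManager {
    // Constructed example policy: signature algorithms that must not appear on a verified certificate.
    static final Set<String> DISALLOWED_SIG_ALGS = new HashSet<>(Arrays.asList("MD2withRSA", "MD5withRSA"));
    private final X509TrustManager tm;

    public ConstrainedTrustManagerWrapper(X509TrustManager tm) { this.tm = tm; }

    /** Checks every chain element except a trailing trust anchor. The anchor is trusted by configuration
     *  and its (usually self-signed) signature is never verified, so constraining it only causes the spurious rejection. */
    static void checkAlgorithmConstraints(X509Certificate[] chain, X509Certificate[] anchors) throws CertificateException {
        int checkedLength = chain.length;
        if (checkedLength > 0 && isTrustAnchor(chain[checkedLength - 1], anchors)) {
            checkedLength--;   // the step the unfixed wrapper was missing
        }
        for (int i = 0; i < checkedLength; i++) {
            String alg = chain[i].getSigAlgName();
            if (DISALLOWED_SIG_ALGS.contains(alg)) {
                throw new CertificateException("Certificates does not conform to algorithm constraints: " + alg);
            }
        }
    }
    private static boolean isTrustAnchor(X509Certificate cert, X509Certificate[] anchors) {
        return anchors != null && Arrays.asList(anchors).contains(cert);   // Certificate.equals() compares DER encodings
    }
    // Legacy entry points: delegate to the wrapped manager, then apply the wrapper's own check.
    @Override public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException {
        tm.checkClientTrusted(c, a); checkAlgorithmConstraints(c, tm.getAcceptedIssuers());
    }
    @Override public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
        tm.checkServerTrusted(c, a); checkAlgorithmConstraints(c, tm.getAcceptedIssuers());
    }
    // TLS 1.2 entry points: a legacy manager cannot use the socket or engine, so route to the forms above.
    @Override public void checkClientTrusted(X509Certificate[] c, String a, Socket s) throws CertificateException { checkClientTrusted(c, a); }
    @Override public void checkServerTrusted(X509Certificate[] c, String a, Socket s) throws CertificateException { checkServerTrusted(c, a); }
    @Override public void checkClientTrusted(X509Certificate[] c, String a, SSLEngine e) throws CertificateException { checkClientTrusted(c, a); }
    @Override public void checkServerTrusted(X509Certificate[] c, String a, SSLEngine e) throws CertificateException { checkServerTrusted(c, a); }
    @Override public X509Certificate[] getAcceptedIssuers() { return tm.getAcceptedIssuers(); }
}
```

With the `checkedLength--` line removed, an MD2-signed root that is itself in the accepted-issuer set is rejected even though only the leaf and intermediates' signatures are ever verified, which is the symptom this report describes.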