JDK-4395895 : Cannot import certain X.509 certificates with the Sun JCA implementation. Again.
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 1.0.2,1.3.0
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2000-12-07
  • Updated: 2001-02-22
  • Resolved: 2001-02-22
Other
1.4.0 beta: Fixed
Related Reports
Duplicate :  
Description

Name: boT120536			Date: 12/07/2000


C:\out>java -version
java version "1.3.0_01"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.3.0_01)
Java HotSpot(TM) Client VM (build 1.3.0_01, mixed mode)

This is the second time. It wasn't accepted last time, although one of you guys
(###@###.###) told me to report it. What was missing the last time
was the certificate that failed. Since I can't send it through this bug report
mechanism, please email me to get a copy of it. The guy I emailed with on the
sec_faq (Sean Mullan [###@###.###]) also still has a copy of it I
think.

When importing certain X.509 certificates using the default Sun implementation
an exception is thrown. But when I use another vendor's implementation (e.g.
Baltimore's JCrypt, IAIK) it works fine. Also Windows recognizes it as a valid
certificate. (I have an idea what it might be. Comparing the certs that don't
work with the ones that do, I could see the difference that the non-functioning ones had
the extensions 'Subject Alternative Name' and 'Issuer Alternative Name', and
they are set to 'No alternative name'. At least Windows says that. Since it is
a nullpointerExc. in the error message, it might be that "name" isn't
checked for null.)

[Source]
  // Read the whole certificate file into memory
  java.io.FileInputStream fi = new java.io.FileInputStream("c://out//certs//cert.crt");
  java.io.DataInputStream dis = new java.io.DataInputStream(fi);

  byte[] cert = new byte[dis.available()];
  dis.readFully(cert);
  java.io.ByteArrayInputStream bais = new java.io.ByteArrayInputStream(cert);

  // Parse the bytes with the default X.509 CertificateFactory
  java.security.cert.CertificateFactory cf =
      java.security.cert.CertificateFactory.getInstance("X.509");
  java.security.cert.Certificate c = cf.generateCertificate(bais);

[Error message and trace]
java.security.cert.CertificateParsingException: java.io.IOException: java.lang.NullPointerException:
	at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:161)
	at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1039)
	at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:150)
	at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:93)
	at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:290)
(Review ID: 113307) 
======================================================================

Comments
CONVERTED DATA
BugTraq+ Release Management Values
COMMIT TO FIX: merlin-beta
FIXED IN: merlin-beta
INTEGRATED IN: merlin-beta
14-06-2004

EVALUATION
seema.malkani@Eng 2001-02-20
Fixed implementation to allow null values for X.509 V3 certificate extensions, namely SubjectAlternativeName and IssuerAlternativeName. Also added sanity checks to verify if X.509 certificate was compliant with RFC 2459.
11-06-2004

WORK AROUND
Name: boT120536 Date: 12/07/2000
Change implementation.
======================================================================
11-06-2004

SUGGESTED FIX
seema.malkani@Eng 2001-02-20
Files updated:
File name (sccs revision)
-------------------------
src/share/classes/sun/security/x509/IssuerAlternativeNameExtension.java (1.13)
src/share/classes/sun/security/x509/SubjectAlternativeNameExtension.java (1.16)
src/share/classes/sun/security/x509/SubjectKeyIdentifierExtension.java (1.13)
src/share/classes/sun/security/x509/X509CertInfo.java (1.24)
src/share/classes/sun/security/provider/X509Factory.java (1.14)
src/share/classes/sun/security/tools/KeyTool.java (1.61)
11-06-2004
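
The evaluation above ties the failure to SubjectAlternativeName / IssuerAlternativeName extensions that carry no names. As an added example (not code from the JDK or from this report), the check below counts the entries in such an extension value; RFC 2459 defines GeneralNames as SEQUENCE SIZE (1..MAX), so a count of 0 is the non-compliant case. The class and method names are hypothetical, the sample bytes are constructed, and the assumption that the failing certificate held an empty SEQUENCE follows the reporter's guess.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
// Added example: hypothetical class and method names, not JDK code.
public class AltNameCheck {
    // Consumes one tag byte (any tag if tag < 0), then a definite DER length.
    static int readHeader(byte[] b, int[] pos, int tag) throws IOException {
        if (pos[0] + 2 > b.length) throw new IOException("truncated header");
        int t = b[pos[0]++] & 0xff;
        if (tag >= 0 && t != tag) throw new IOException("unexpected tag 0x" + Integer.toHexString(t));
        int len = b[pos[0]++] & 0xff;
        if (len >= 0x80) {                 // long form: low 7 bits count the length bytes
            int n = len & 0x7f;
            if (n == 0 || n > 3 || pos[0] + n > b.length) throw new IOException("bad length");
            len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (b[pos[0]++] & 0xff);
        }
        if (len > b.length - pos[0]) throw new IOException("length exceeds data");
        return len;
    }

    // extnValue: DER OCTET STRING wrapping GeneralNames, as X509Certificate.getExtensionValue(oid) returns it.
    static int countGeneralNames(byte[] extnValue) throws IOException {
        int[] pos = {0};
        readHeader(extnValue, pos, 0x04);               // OCTET STRING wrapper
        int seqLen = readHeader(extnValue, pos, 0x30);  // GeneralNames SEQUENCE
        int end = pos[0] + seqLen;
        int count = 0;
        while (pos[0] < end) {
            int len = readHeader(extnValue, pos, -1);   // one GeneralName, tags [0]..[8]
            pos[0] += len;
            count++;
        }
        if (pos[0] != end) throw new IOException("entry overruns SEQUENCE");
        return count;
    }

    public static void main(String[] args) throws IOException {
        // Constructed samples, not taken from the reporter's certificate.
        byte[] empty = {0x04, 0x02, 0x30, 0x00};        // zero entries
        byte[] dns = "example.test".getBytes(StandardCharsets.US_ASCII);
        byte[] one = new byte[6 + dns.length];
        one[0] = 0x04; one[1] = (byte) (4 + dns.length);
        one[2] = 0x30; one[3] = (byte) (2 + dns.length);
        one[4] = (byte) 0x82; one[5] = (byte) dns.length;  // [2] dNSName
        System.arraycopy(dns, 0, one, 6, dns.length);
        for (byte[] v : new byte[][] {empty, one})
            System.out.println(countGeneralNames(v) == 0 ? "empty GeneralNames" : "has names");
    }
}
```

For a parsed certificate, pass `cert.getExtensionValue("2.5.29.17")` (subjectAltName) or `"2.5.29.18"` (issuerAltName) after checking the result for null, which means the extension is absent.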