JDK-4414036 : X509 V3 Certificate Implementation missing
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 1.0.2
  • Priority: P3
  • Status: Closed
  • Resolution: Duplicate
  • OS: generic
  • CPU: generic
  • Submitted: 2001-02-10
  • Updated: 2001-03-22
  • Resolved: 2001-03-22
Related Reports
Duplicate :  
Description

Name: krC82822			Date: 02/09/2001


9 Feb 2001, eval1127@eng -- there are several bugs this
could be a duplicate of, but am filing a new one for reference
(see Comments section)
-----------
java version "1.2.2"
Classic VM (build JDK-1.2.2-001, native threads, symcjit)

The JSSE1.0.2 implementation is not able to use a CA certificate created by
iPlanet/Netscape Certificate Management System (CMS). I think the problem is
that there is only an implementation for V1 certificates (with no extensions),
and the certificate that I have is a CA's V3 certificate with extensions. It is
necessary to create my own TrustManager from a KeyStore that contains my CA's
root certificate (that was generated by the Netscape CMS), but I am unable to
create an X509 Certificate object from the certificate file. I get the error
"unsupported encoding" from this code:

   InputStream inStream = new FileInputStream(caCertsFilename);
   java.security.cert.CertificateFactory cf =
       java.security.cert.CertificateFactory.getInstance("X.509");
   java.security.cert.X509Certificate serverCACertProd =
     (java.security.cert.X509Certificate)cf.generateCertificate(inStream);
   inStream.close();

Where caCertsFilename is the filename of the CA certificate that signed the web
server certificate that I want to trust (in the correct base-64 format).

Again, I think this error is caused by the fact that there is no implementation
for the V3 X509 Certificate (I could only find the class that implements V1,
X509V1CertImpl.class). The CA certificate that was created by the Netscape CMS
has 4 X509V3 extensions: Netscape Cert Type, X509V3 Basic Constraints, X509v3
Authority Key identifier, and Subject Key Identifier. I'm guessing that the X509
class is choking on these extensions instead of just ignoring them.

Please let me know if this is the problem and when a V3 X509 Cert implementation
will be available.
(Review ID: 111101) 
======================================================================

Comments
WORK AROUND

Name: krC82822			Date: 02/09/2001

none.
======================================================================
02-09-2004

EVALUATION

JSSE 1.0.2 depends on the X.509 certificate support from the underlying JDK, so any problems parsing certificates are likely due to either application error, misunderstanding of the JDK certificate API, or bugs in the basic JDK certificate support. This is supported by the description source code example using the JDK CertificateFactory API, which is reported to throw an exception reporting "unsupported encoding". I can't make any further progress on evaluating this bug report unless the customer can send us the "caCertsFilename" file mentioned in the description source code example. If this is added as an attachment to the bug report then we can try running the sample code and understand why the generateCertificate() call on CertificateFactory is failing.

jeff.nisewanger@Eng 2001-02-09

I have verified that this bug is not present in Merlin. I suspect it might be due to some bug fixes related to parsing base64 encoded certificates. If true, there may be workarounds on older releases. I will update again with more info.

jeff.nisewanger@Eng 2001-03-22

I have verified that the customer-supplied base64 encoded CA certificate can be read by 1.3 as well as 1.2.2. I suspect this bug report is really a duplicate of 4322643. As such there should be a workaround in 1.2.2 and 1.3 as documented in that bug and in 4416807.

jeff.nisewanger@Eng 2001-03-22
22-03-2001
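
The following is an added example, not code from this bug report or from the JDK team, and it is not the workaround documented in 4322643. It strips the PEM armor itself, hands plain DER to CertificateFactory, and prints the certificate version and extension OIDs, which separates an encoding failure from a V3/extension parsing problem. It assumes a current JDK (8 or later, for java.util.Base64); the class name CaCertCheck and the sample bytes are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example; CaCertCheck is a hypothetical name, not a JDK or JSSE class.
public class CaCertCheck {
    private static final Pattern PEM = Pattern.compile(
        "-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", Pattern.DOTALL);

    /** Returns the DER bytes of the first PEM block, or the input unchanged if there is none. */
    static byte[] toDer(byte[] raw) {
        Matcher m = PEM.matcher(new String(raw, StandardCharsets.ISO_8859_1));
        if (!m.find()) {
            return raw; // no armor: assume the file is already binary DER
        }
        // The MIME decoder skips CR/LF, spaces and other non-base64 characters.
        return Base64.getMimeDecoder().decode(m.group(1));
    }

    static X509Certificate parse(byte[] raw) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(toDer(raw)));
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 1) {
            X509Certificate c = parse(Files.readAllBytes(Paths.get(args[0])));
            System.out.println("version: V" + c.getVersion());
            System.out.println("basicConstraints (pathLen, -1 = not a CA): " + c.getBasicConstraints());
            System.out.println("critical extension OIDs: " + c.getCriticalExtensionOIDs());
            System.out.println("non-critical extension OIDs: " + c.getNonCriticalExtensionOIDs());
            return;
        }
        // Constructed input: arbitrary bytes (not a real certificate) wrapped in PEM armor
        // with leading text, CRLF line ends and trailing blanks.
        byte[] der = {0x30, 0x03, 0x02, 0x01, 0x02};
        String pem = "subject=constructed example\r\n-----BEGIN CERTIFICATE-----\r\n"
            + Base64.getEncoder().encodeToString(der) + "  \r\n-----END CERTIFICATE-----\r\n\r\n";
        byte[] out = toDer(pem.getBytes(StandardCharsets.ISO_8859_1));
        System.out.println("armor stripped correctly: " + Arrays.equals(der, out));
    }
}
```

Run with the CA certificate path as the only argument to inspect a real file; with no argument it only exercises the armor-stripping step on the constructed bytes.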