JDK-8072463 : Remove requirement that AKID and SKID have to match when building certificate chain
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 7,8,9
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2015-01-30
  • Updated: 2018-12-14
  • Resolved: 2015-11-13
Fixed in: JDK 7 (7u121), JDK 8 (8u102), JDK 9 (9 b94)
Sub Tasks: JDK-8155743
Description
FULL PRODUCT VERSION :
All 7.x and 8.x version

ADDITIONAL OS VERSION INFORMATION :
Generic OS

A DESCRIPTION OF THE PROBLEM :
This bug is heavily related to JDK-8027249 (JDK 7 Certpathbuilder.build throws SunCertPathBuilderException when JDK 6 works ).
Since JDK 7, the serial number and Key Identifier from the Authority Key Identifier extension have been checked as part of the certificate chain building process.

Sean Mullan said:

"In JDK 7 we enhanced our PKIX CertPathBuilder implementation to discover certificate chains using the Authority Key Identifier extension (as specified in section 4.2.1.1 of RFC 5280), which allows you to find the correct certificate when a CA has more than one certificate with different keypairs. This is quite common, for example when you rollover the key of a CA but you want to keep the same subject name. 

The certificates that are used in this test case do not have a correct AKID that allow a path to be found. In particular, the authorityCertSerialNumber field of the end entity certificate is set to 3130323032353433323531. The key identifier and issuer are correct, but not the serial number. We match on all fields when looking for a matching CA. This should match the serial number of the issuing CA certificate."

According to RFC 5280 (Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile):

"The authority key identifier extension provides a means of identifying the public key corresponding to the private key used to sign a certificate. This extension is used where an issuer has multiple signing keys (either due to multiple concurrent key pairs or due to changeover). The identification MAY be based on either the key identifier (the subject key identifier in the issuer's certificate) or the issuer name and serial number."

this check looks correct: if the fields from the Authority Key Identifier do not match the fields from the Subject Key Identifier, we may not accept this certificate for chain building.

But RFC 4158 (Internet X.509 Public Key Infrastructure: Certification Path Building), in section 3.5.12, Matching Key Identifiers (KIDs), states:

"NOTE:  Although required to be present by [RFC3280], it is extremely
   important that KIDs be used only as sorting criteria or as hints
   during certification path building.  KIDs are not required to match
   during certification path validation and cannot be used to eliminate
   certificates.  This is of critical importance for interoperating
   across domains and multi-vendor implementations where the KIDs may
   not be calculated in the same fashion."

That is, RFC 4158 explicitly notes that matching Key Identifiers must be used only as hints in the chain building process and not to reject certificates.
With this check, the JDK is unable to build certificate chains using "CROSS certificates" when a certificate has an Authority KID with a serial number: in that case the serial number matches the ROOT certificate and not the CROSS certificate.

REGRESSION.  Last worked in version 6u45


ERROR MESSAGES/STACK TRACES THAT OCCUR :
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
...

REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
Test case is available at bug JDK-8027249 (JDK 7 Certpathbuilder.build throws SunCertPathBuilderException when JDK 6 works ).
---------- END SOURCE ----------


Comments
I will be removing the requirement that the AKID and SKID have to match when building a certificate chain. The PKIX CertPathBuilder implementation uses a Comparator to decide which certificate should be tried first when building a path. I will enhance that so that if the AKID/SKID match, it will try that certificate first. However, it will try other certificates even if the AKID/SKID do not match. This seems to be the right balance and is more aligned with the RFC 4158 text mentioned in the description above.
05-11-2015
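To make the cross-certificate failure from the description and the comparator-based fix in the comment above concrete, here is an added Python model (not JDK code and not the bug's test case) of the two builder policies: strict AKID matching as in JDK 7, where a candidate issuer whose serial number differs from the AKID is eliminated, versus AKID agreement used only to order candidates, as RFC 4158 recommends. All certificate names, serial numbers and key identifiers are constructed sample values.

```python
from collections import namedtuple

# Constructed model of the fields the bug is about (not JDK code). AKID = authorityKeyIdentifier
# (keyIdentifier, authorityCertIssuer, authorityCertSerialNumber); skid = subjectKeyIdentifier.
AKID = namedtuple("AKID", "key_id issuer serial")
Cert = namedtuple("Cert", "subject issuer serial skid akid", defaults=[None])

def akid_agreement(cert, cand):
    """Return (present, matched): AKID fields set in cert and how many agree with candidate issuer cand."""
    if cert.akid is None:
        return (0, 0)
    pairs = [(cert.akid.key_id, cand.skid), (cert.akid.issuer, cand.issuer), (cert.akid.serial, cand.serial)]
    present = [(a, b) for a, b in pairs if a is not None]
    return (len(present), sum(1 for a, b in present if a == b))

def build_path(target, store, anchors, strict):
    """Depth-first forward builder. strict=True mimics JDK 7: a candidate issuer whose fields do not
    all match the AKID is eliminated. strict=False follows RFC 4158: AKID agreement only orders candidates."""
    def dfs(path):
        cur = path[-1]
        for anchor in anchors:
            if anchor.subject == cur.issuer:
                return path + [anchor]
        ranked = []
        for cand in store:
            if cand.subject != cur.issuer or any((p.subject, p.skid) == (cand.subject, cand.skid) for p in path):
                continue  # wrong name, or the same name+key is already on the path (loop guard)
            present, matched = akid_agreement(cur, cand)
            if strict and matched != present:
                continue  # JDK 7 behaviour: the serial-number mismatch rejects the cross certificate
            ranked.append((present - matched, cand))
        for _, cand in sorted(ranked, key=lambda t: t[0]):  # best AKID agreement is tried first
            found = dfs(path + [cand])
            if found:
                return found
        return None
    return dfs([target])

# Constructed sample PKI: the CA key is cross-certified by the only trust anchor, but the end-entity
# certificate's AKID carries the serial number (100) of the CA's self-signed root certificate.
K_CA, K_OTHER = "kid-ca", "kid-other"
OTHER_ROOT = Cert("Other Root", "Other Root", 1, K_OTHER)                       # trust anchor
ROOT_CA = Cert("CA", "CA", 100, K_CA)                                           # self-signed, not trusted here
CROSS_CA = Cert("CA", "Other Root", 200, K_CA, AKID(K_OTHER, "Other Root", 1))  # cross certificate
LEAF = Cert("leaf", "CA", 7, "kid-leaf", AKID(K_CA, "CA", 100))

def chain_subjects(strict):
    path = build_path(LEAF, [ROOT_CA, CROSS_CA], [OTHER_ROOT], strict)
    return None if path is None else [c.subject for c in path]
```

With strict matching the builder tries only the untrusted self-signed root and fails; with the hint policy it tries the root first, backtracks, and then finds the path through the cross certificate to the trust anchor.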

The regression was introduced by the fix for JDK-6852744. In that fix, a check was made to require the AKID and SKID to match when building a certificate chain.
05-11-2015

Triaging for now, but needs more investigation to see if we should make any changes. We have never claimed to support RFC 4158.
13-02-2015