Certificate Path Length Verification bug in client authentication ?

Scott Battaglia scott.battaglia at gmail.com
Tue Jun 12 12:32:26 EDT 2007


Velpi,

Can you take a look at this and file a JIRA issue if it's a bug?

Thanks!
-Scott

On 6/12/07, Cyril <cgrosjean at janua.fr> wrote:
>
>
> I noticed what looks like a bug in the X509CredentialsAuthenticationHandler.java
> source file: the pathLength extracted from the CA certificate is just checked
> against the maxPathLength parameter of the deployerConfigContext.xml file.
>
> Instead, I think it should also be checked against "Integer.MAX_VALUE"
> according to the Java 1.5 spec, since this value may be returned in case the CA
> certificate doesn't have any pathLenConstraint mentioned:
>
>
> http://java.sun.com/j2se/1.5.0/docs/api/java/security/cert/X509Certificate.html#getBasicConstraints()
>
> So, I would suggest the following change in
> X509CredentialsAuthenticationHandler.java:
>
> Replacing:
>
>   // check pathLength when CA cert
>   if (pathLength > this.maxPathLength) {
>
> By:
>
>   // check pathLength when CA cert
>   if (pathLength > this.maxPathLength && pathLength < Integer.MAX_VALUE) {
>
>
> Also, if it's a confirmed bug and an accepted solution to it, what's the
> process to make it part of the next CAS release? Should I have posted elsewhere?
>
> I've been able to "hack" the cas-server-x509-3.XXX.jar to check this fix, but I
> suppose we're not supposed to proceed this way. The build.xml file doesn't have
> any special target in case of changes in the sources of the CAS distribution.
> So, building the cas.war with "ant war" also builds a localPlugins.jar file with
> the modified class (X509CredentialsAuthenticationHandler), but (the original
> version of) this class is also present in the cas-server-x509-3.XXX.jar, and
> precedes localPlugins.jar in the classpath.
>
> So, I've had to update the cas-server-x509-3.XXX.jar with the modified class by
> hand and then deploy it in my app. server. (??)...
>
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>



-- 
-Scott Battaglia

LinkedIn: http://www.linkedin.com/in/scottbattaglia
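The pathLength check discussed in the quoted message, as an added example that is not CAS code and not from either poster. It relies on the JDK contract for X509Certificate.getBasicConstraints(): -1 for a non-CA certificate, Integer.MAX_VALUE for a CA certificate whose BasicConstraints extension carries no pathLenConstraint, and the constraint value otherwise. The class name, the method names, the allowUnlimited flag and the maxPathLength value of 1 are my own assumptions, not anything from the thread or from deployerConfigContext.xml.

```java
import java.security.cert.X509Certificate;

/**
 * Added example (not CAS code): compares the original check, the amended
 * check from the thread, and a variant that makes the policy for an
 * unconstrained CA explicit instead of silently accepting it.
 */
public final class PathLengthCheck {

    /** Sentinel the JDK returns for a CA certificate with no pathLenConstraint. */
    private static final int UNLIMITED = Integer.MAX_VALUE;

    /**
     * The check as originally quoted: a CA certificate with no pathLenConstraint
     * is always rejected, because Integer.MAX_VALUE exceeds any configured limit.
     */
    static boolean acceptedByOriginalCheck(int pathLength, int maxPathLength) {
        return !(pathLength > maxPathLength);
    }

    /**
     * The check as amended in the thread: an unconstrained CA is never rejected,
     * whatever maxPathLength says.
     */
    static boolean acceptedByProposedCheck(int pathLength, int maxPathLength) {
        return !(pathLength > maxPathLength && pathLength < UNLIMITED);
    }

    /**
     * Assumed variant, not from the thread: the deployer decides whether a CA
     * that states no pathLenConstraint is acceptable under a maxPathLength policy.
     */
    static boolean acceptedWithPolicy(int pathLength, int maxPathLength, boolean allowUnlimited) {
        if (pathLength == UNLIMITED) {
            return allowUnlimited;
        }
        return pathLength <= maxPathLength;
    }

    /** Applies the explicit policy to a real certificate object. */
    static boolean acceptCa(X509Certificate ca, int maxPathLength, boolean allowUnlimited) {
        int pathLength = ca.getBasicConstraints();
        if (pathLength < 0) {
            return false; // not a CA certificate, so it cannot be accepted as one
        }
        return acceptedWithPolicy(pathLength, maxPathLength, allowUnlimited);
    }

    public static void main(String[] args) {
        int maxPathLength = 1; // assumed deployer setting for this demonstration
        // Values getBasicConstraints() would return for four constructed CA certificates
        int[] samples = { 0, 1, 2, Integer.MAX_VALUE };
        for (int pathLength : samples) {
            String label = pathLength == UNLIMITED
                ? "no pathLenConstraint"
                : "pathLenConstraint=" + pathLength;
            System.out.printf("%-22s original=%b proposed=%b policy(allowUnlimited=false)=%b%n",
                label,
                acceptedByOriginalCheck(pathLength, maxPathLength),
                acceptedByProposedCheck(pathLength, maxPathLength),
                acceptedWithPolicy(pathLength, maxPathLength, false));
        }
    }
}
```

The point the table of results makes: the original condition rejects every CA that omits pathLenConstraint, while the amended condition exempts such a CA from the limit entirely. Whether an unbounded CA should pass a deployment that configured maxPathLength is a policy question, so the explicit variant leaves it to a flag rather than to the sentinel value.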