Certificate Path Length Verification bug in client authentication?
Scott Battaglia
scott.battaglia at gmail.com
Tue Jun 12 12:32:52 EDT 2007
I won't complain if you attach a patch to it too ;-)
Thanks
-Scott
On 6/12/07, Scott Battaglia <scott.battaglia at gmail.com> wrote:
>
> Velpi,
>
> Can you take a look at this and file a JIRA issue if its a bug?
>
> Thanks!
> -Scott
>
> On 6/12/07, Cyril <cgrosjean at janua.fr> wrote:
> >
> >
> > I noticed what looks like a bug in the X509CredentialsAuthenticationHandler.java
> > source file: the pathLength extracted from the CA certificate is just checked
> > against the maxPathLength parameter of the deployerConfigContext.xml file.
> >
> > Instead, I think it should also be checked against "Integer.MAX_VALUE" according
> > to the Java 1.5 spec, since this value may be returned in case the CA
> > certificate doesn't have any pathLenConstraint mentioned:
> >
> > http://java.sun.com/j2se/1.5.0/docs/api/java/security/cert/X509Certificate.html#getBasicConstraints()
> >
> > So, I would suggest the following change in
> > X509CredentialsAuthenticationHandler.java:
> >
> > Replacing:
> >
> > // check pathLength when CA cert
> > if (pathLength > this.maxPathLength) {
> >
> > By:
> >
> > // check pathLength when CA cert
> > if (pathLength > this.maxPathLength && pathLength < Integer.MAX_VALUE) {
> >
> > Also, if it's a confirmed bug and an accepted solution to it, what's the
> > process to make it part of the next CAS release? Should I have posted elsewhere?
> >
> > I've been able to "hack" the cas-server-x509-3.XXX.jar to check this fix, but I
> > suppose we're not supposed to proceed this way. The build.xml file doesn't have
> > any special target in case of changes in the sources of the CAS distribution.
> > So, building the cas.war with "ant war" also builds a localPlugins.jar file with
> > the modified class (X509CredentialsAuthenticationHandler), but (the original
> > version of) this class is also present in the cas-server-x509-3.XXX.jar, and
> > precedes localPlugins.jar in the classpath.
> >
> > So, I've had to update the cas-server-x509-3.XXX.jar with the modified class by
> > hand and then deploy it in my app. server. (??)...
> >
> >
> > _______________________________________________
> > Yale CAS mailing list
> > cas at tp.its.yale.edu
> > http://tp.its.yale.edu/mailman/listinfo/cas
> >
>
>
>
> --
> -Scott Battaglia
>
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
--
-Scott Battaglia
LinkedIn: http://www.linkedin.com/in/scottbattaglia
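As an added illustration of the sentinel problem discussed in the thread (this is not code from the thread or from CAS itself), the class below reads getBasicConstraints() from a certificate and applies the three-way interpretation the proposed fix relies on; the class name, the maxPathLength value and the certificate-file argument are assumptions.

```java
import java.io.FileInputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Added example, not CAS code: shows why a handler must treat
// Integer.MAX_VALUE from getBasicConstraints() as "no pathLenConstraint".
public class PathLengthCheck {

    /**
     * Decides whether a certificate's basic constraints satisfy maxPathLength.
     * getBasicConstraints() returns:
     *   -1                -> not a CA certificate (extension absent or cA=false)
     *   Integer.MAX_VALUE -> CA certificate with no pathLenConstraint (unlimited)
     *   n >= 0            -> CA certificate allowing at most n CAs below it
     */
    static boolean pathLengthAllowed(int basicConstraints, int maxPathLength) {
        if (basicConstraints == -1) {
            return true; // end-entity cert: the "CA cert" check does not apply
        }
        if (basicConstraints == Integer.MAX_VALUE) {
            // Without this sentinel test, the original comparison rejected every
            // CA certificate that omitted pathLenConstraint (MAX_VALUE > maxPathLength).
            // Note the consequence: maxPathLength only caps explicitly constrained CAs.
            return true;
        }
        // Same comparison as the handler, now reached only for an explicit constraint.
        return basicConstraints <= maxPathLength;
    }

    static String describe(int basicConstraints) {
        if (basicConstraints == -1) return "not a CA";
        if (basicConstraints == Integer.MAX_VALUE) return "CA, no pathLenConstraint";
        return "CA, pathLenConstraint=" + basicConstraints;
    }

    public static void main(String[] args) throws Exception {
        int maxPathLength = 1; // assumed deployer setting (deployerConfigContext.xml)
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (FileInputStream in = new FileInputStream(args[0])) { // PEM or DER file
            X509Certificate cert = (X509Certificate) cf.generateCertificate(in);
            int bc = cert.getBasicConstraints();
            System.out.println(cert.getSubjectX500Principal() + ": " + describe(bc)
                    + " -> " + (pathLengthAllowed(bc, maxPathLength) ? "accepted" : "rejected"));
        }
    }
}
```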