2nd try: certificat path length verification bug ?
Cyril
cgrosjean at janua.fr
Thu Jun 14 10:30:04 EDT 2007
I noticed what looks like a bug in the X509CredentialsAuthenticationHandler.java
source file: the pathLength extracted from the CA certificate is just checked
against the maxPathLength parameter of the deployerConfigContext.xml file .
Instead, I think it should also be checked against "Integer.MAX_VALUE" according
to the Java 1.5 spec. since this value may be returned in case the CA
certificate doesn't have any pathLenConstraint mentioned:
http://java.sun.com/j2se/1.5.0/docs/api/java/security/cert/X509Certificate.html#getBasicConstraints()
So, I would suggest the following change in
X509CredentialsAuthenticationHandler.java :
Replacing:
// check pathLength when CA cert
if (pathLength > this.maxPathLength) {
By:
// check pathLength when CA cert
if (pathLength > this.maxPathLength && pathLength < Integer.MAX_VALUE) {
Also, if it's a confirmed bug and a accepted solution to it, what's the process
to make it part of the next CAS release ? Should have I posted elsewhere ?
I've been able to "hack" the cas-server-x509-3.XXX.jar to check this fix, but I
suppose we're not supposed to proceed this way. The build.xml file doesn't have
any special target in case of changes in the sources of the CAS distribution.
So, building the cas.war with "ant war" also builds a localPlugins.jar file with
the modified class (X509CredentialsAuthenticationHandler), but (the original
version of) this class is also present in the cas-server-x509-3.XXX.jar, and
preceeds localPlugins.jar in the classpath.
So, I've had to update the cas-server-x509-3.XXX.jar with the modified class by
hand and then deploy it in my app. server. (??)...
More information about the cas
mailing list