
RFC3280CertPathUtilities: Handling of relative names buggy

Open jarnbjo opened this issue 3 years ago • 0 comments

I believe that the handling of relative names in the implementation of RFC 3280/5280 6.3.3(b)(2)(i) in RFC3280CertPathUtilities is incorrect, both when getting the names from the CRL-IDP (line 126) and from the DP itself (line 166).

If for example the CRL is issued by C=A,ST=B and its IDP has a relative name O=C,OU=D, the implementation:

  • initializes an ASN1EncodableVector vec
  • adds C=A to the vec
  • adds ST=B to the vec
  • adds O=C,OU=D as a single element to the vec: vec.add(dpName.getName())
  • creates a GeneralName from these 3 segments with a printable form C=A,ST=B,O=C+OU=D

If the DP has a name C=A,ST=B,O=C,OU=D, comparing the expanded name from the IDP and the DP's name will not consider them to be equal and the validation will fail.

If the relative name contains multiple segments, wouldn't it be necessary to add these segments one by one to obtain a properly expanded full name instead of adding them in one operation as it is implemented now?

jarnbjo, Sep 28 '22 09:09
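To make the two candidate expansions concrete, here is an added example (not code from the issue or from bc-java itself) that builds the issuer DN and the relative name from the report with the Bouncy Castle ASN.1 classes, expands them both ways, and compares each result against the DP's full name. The method names `expandAsSingleRdn` and `expandAsSeparateRdns` are mine; note that a multi-valued RDN (`O=C+OU=D`) and two single-valued RDNs (`O=C,OU=D`) are distinct names at the DER level, which is why `X500Name.equals` distinguishes them.

```java
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.DERPrintableString;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.x500.AttributeTypeAndValue;
import org.bouncycastle.asn1.x500.RDN;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x509.DistributionPointName;

public class RelativeDpNameDemo {

    // Expansion as described in the issue: the relative name is appended
    // to the issuer DN as ONE element (one RDN) of the Name SEQUENCE.
    static X500Name expandAsSingleRdn(X500Name issuer, RDN relative) {
        ASN1EncodableVector vec = new ASN1EncodableVector();
        for (RDN rdn : issuer.getRDNs()) {
            vec.add(rdn);
        }
        vec.add(relative);
        return X500Name.getInstance(new DERSequence(vec));
    }

    // Alternative the issue asks about: each attribute of the relative
    // name becomes its own single-valued RDN in the expanded Name.
    static X500Name expandAsSeparateRdns(X500Name issuer, RDN relative) {
        ASN1EncodableVector vec = new ASN1EncodableVector();
        for (RDN rdn : issuer.getRDNs()) {
            vec.add(rdn);
        }
        for (AttributeTypeAndValue atv : relative.getTypesAndValues()) {
            vec.add(new RDN(atv));
        }
        return X500Name.getInstance(new DERSequence(vec));
    }

    public static void main(String[] args) {
        X500Name crlIssuer = new X500Name("C=A,ST=B");
        // Constructed IDP relative name: one RDN carrying O=C and OU=D
        RDN relative = new RDN(new AttributeTypeAndValue[] {
            new AttributeTypeAndValue(BCStyle.O, new DERPrintableString("C")),
            new AttributeTypeAndValue(BCStyle.OU, new DERPrintableString("D")) });
        DistributionPointName idp = new DistributionPointName(
            DistributionPointName.NAME_RELATIVE_TO_CRL_ISSUER, relative);
        RDN fromIdp = RDN.getInstance(idp.getName());

        X500Name dpFullName = new X500Name("C=A,ST=B,O=C,OU=D");
        X500Name single = expandAsSingleRdn(crlIssuer, fromIdp);
        X500Name separate = expandAsSeparateRdns(crlIssuer, fromIdp);
        System.out.println(single + " equals DP name: " + single.equals(dpFullName));
        System.out.println(separate + " equals DP name: " + separate.equals(dpFullName));
    }
}
```

Running it with bcprov on the classpath prints the two printable forms side by side, so a reviewer can see which expansion the DP name in a given deployment actually matches.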