authorKenny Root <kroot@google.com>2015-06-10 15:51:41 -0700
committerKenny Root <kroot@google.com>2015-06-10 16:12:17 -0700
commit1c380ab9c5d55b5ace5ebefe6969e64d8259c970 (patch)
tree183b77cabf6e4ddefd819f855d3413cba2646628
parent0d5d3541c94c2fc81d1668bb6b0f4e2d3a666746 (diff)
Do not blacklist serial numbers that are too short
Baseline Requirements say the serial number must have 20 bits of entropy, but some certificates are issued that do not comply. This causes such certificates to be falsely marked as blacklisted. Until there is issuer + serial number matching, we can just use the pubkey matching for the certificates that are blacklisted with non-compliant serial numbers. Bug: 21736046 Change-Id: I66b1e94f2c67ddd3b6fe690331f8fb12e16a8bc0
-rw-r--r--bcprov/src/main/java/org/bouncycastle/jce/provider/CertBlacklist.java15
-rw-r--r--patches/bcprov.patch19
2 files changed, 22 insertions, 12 deletions
diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/CertBlacklist.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/CertBlacklist.java
index c62966d..1094b3b 100644
--- a/bcprov/src/main/java/org/bouncycastle/jce/provider/CertBlacklist.java
+++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/CertBlacklist.java
@@ -122,7 +122,15 @@ public class CertBlacklist {
private static final Set<BigInteger> readSerialBlackList(String path) {
- // start out with a base set of known bad values
+ /* Start out with a base set of known bad values.
+ *
+ * WARNING: Do not add short serials to this list!
+ *
+ * Since this currently doesn't compare the serial + issuer, you
+ * should only add serials that have enough entropy here. Short
+ * serials may inadvertently match a certificate that was issued
+ * not in compliance with the Baseline Requirements.
+ */
Set<BigInteger> bl = new HashSet<BigInteger>(Arrays.asList(
// From http://src.chromium.org/viewvc/chrome/trunk/src/net/base/x509_certificate.cc?revision=78748&view=markup
// Not a real certificate. For testing only.
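Review bot: The new WARNING comment tells contributors to add only serials with "enough entropy" but never says how much, so there is no threshold to check a future entry against; every entry that remains in the list is 32 hex digits (128 bits), and the comment should state that concretely, e.g. `* Only add serials at least as wide as the existing entries (128-bit, 32 hex digits).` The guard is also comment-only: nothing rejects a short value at runtime, and the gservices-loaded values mentioned in the following hunk presumably bypass this comment entirely, so a `bitLength()` check when the set is built would make the rule enforceable — confirm how the gservices values are parsed, as that code is outside this hunk. readSerialBlackList's body continues past the end of the hunk.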
@@ -135,10 +143,7 @@ public class CertBlacklist {
new BigInteger("d7558fdaf5f1105bb213282b707729a3", 16),
new BigInteger("f5c86af36162f13a64f54f6dc9587c06", 16),
new BigInteger("392a434f0e07df1f8aa305de34e0c229", 16),
- new BigInteger("3e75ced46b693021218830ae86a82a71", 16),
- new BigInteger("864", 16),
- new BigInteger("827", 16),
- new BigInteger("31da7", 16)
+ new BigInteger("3e75ced46b693021218830ae86a82a71", 16)
));
// attempt to augment it with values taken from gservices
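Review bot: Dropping `864`, `827` and `31da7` silently removes three blacklist entries, and nothing in the file records that the corresponding certificates are now expected to be caught by the pubkey blacklist instead; that dependency lives only in the commit message. A one-line comment after the last entry would keep it from being lost, e.g. `// Short serials (864, 827, 31da7) were removed in favor of pubkey matching.` Whether the pubkey blacklist actually contains the keys of those certificates is not visible here and should be confirmed before this lands, since otherwise the removal is a coverage regression rather than a neutral move. readSerialBlackList continues past the hunk with the gservices augmentation.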
diff --git a/patches/bcprov.patch b/patches/bcprov.patch
index 2d1560c..33940ee 100644
--- a/patches/bcprov.patch
+++ b/patches/bcprov.patch
@@ -7831,8 +7831,8 @@ diff -Naur bcprov-jdk15on-152.orig/org/bouncycastle/jce/provider/BouncyCastlePro
private void loadAlgorithms(String packageName, String[] names)
diff -Naur bcprov-jdk15on-152.orig/org/bouncycastle/jce/provider/CertBlacklist.java bcprov-jdk15on-152/org/bouncycastle/jce/provider/CertBlacklist.java
--- bcprov-jdk15on-152.orig/org/bouncycastle/jce/provider/CertBlacklist.java 1970-01-01 00:00:00.000000000 +0000
-+++ bcprov-jdk15on-152/org/bouncycastle/jce/provider/CertBlacklist.java 2014-05-05 17:28:58.000000000 +0000
-@@ -0,0 +1,228 @@
++++ bcprov-jdk15on-152/org/bouncycastle/jce/provider/CertBlacklist.java 2015-06-10 22:51:41.000000000 +0000
+@@ -0,0 +1,233 @@
+/*
+ * Copyright (C) 2012 The Android Open Source Project
+ *
@@ -7957,7 +7957,15 @@ diff -Naur bcprov-jdk15on-152.orig/org/bouncycastle/jce/provider/CertBlacklist.j
+
+ private static final Set<BigInteger> readSerialBlackList(String path) {
+
-+ // start out with a base set of known bad values
++ /* Start out with a base set of known bad values.
++ *
++ * WARNING: Do not add short serials to this list!
++ *
++ * Since this currently doesn't compare the serial + issuer, you
++ * should only add serials that have enough entropy here. Short
++ * serials may inadvertently match a certificate that was issued
++ * not in compliance with the Baseline Requirements.
++ */
+ Set<BigInteger> bl = new HashSet<BigInteger>(Arrays.asList(
+ // From http://src.chromium.org/viewvc/chrome/trunk/src/net/base/x509_certificate.cc?revision=78748&view=markup
+ // Not a real certificate. For testing only.
@@ -7970,10 +7978,7 @@ diff -Naur bcprov-jdk15on-152.orig/org/bouncycastle/jce/provider/CertBlacklist.j
+ new BigInteger("d7558fdaf5f1105bb213282b707729a3", 16),
+ new BigInteger("f5c86af36162f13a64f54f6dc9587c06", 16),
+ new BigInteger("392a434f0e07df1f8aa305de34e0c229", 16),
-+ new BigInteger("3e75ced46b693021218830ae86a82a71", 16),
-+ new BigInteger("864", 16),
-+ new BigInteger("827", 16),
-+ new BigInteger("31da7", 16)
++ new BigInteger("3e75ced46b693021218830ae86a82a71", 16)
+ ));
+
+ // attempt to augment it with values taken from gservices