authorKenny Root <kroot@google.com>2015-06-10 15:51:41 -0700
committerKenny Root <kroot@google.com>2015-06-10 16:12:17 -0700
commit1c380ab9c5d55b5ace5ebefe6969e64d8259c970 (patch)
tree183b77cabf6e4ddefd819f855d3413cba2646628 /bcprov/src/main
parent0d5d3541c94c2fc81d1668bb6b0f4e2d3a666746 (diff)
Do not blacklist serial numbers that are too short
Baseline Requirements say the serial number must have 20-bits of entropy, but some certificates are issued not in compliance. This causes issues where they are falsely marked as blacklisted. Until there is issuer + serial number matching, we can just use the pubkey matching for the certificates that are blacklisted with non-compliant serial numbers. Bug: 21736046 Change-Id: I66b1e94f2c67ddd3b6fe690331f8fb12e16a8bc0
Diffstat (limited to 'bcprov/src/main')
-rw-r--r--bcprov/src/main/java/org/bouncycastle/jce/provider/CertBlacklist.java15
1 files changed, 10 insertions, 5 deletions
diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/CertBlacklist.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/CertBlacklist.java
index c62966d..1094b3b 100644
--- a/bcprov/src/main/java/org/bouncycastle/jce/provider/CertBlacklist.java
+++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/CertBlacklist.java
@@ -122,7 +122,15 @@ public class CertBlacklist {
private static final Set<BigInteger> readSerialBlackList(String path) {
- // start out with a base set of known bad values
+ /* Start out with a base set of known bad values.
+ *
+ * WARNING: Do not add short serials to this list!
+ *
+ * Since this currently doesn't compare the serial + issuer, you
+ * should only add serials that have enough entropy here. Short
+ * serials may inadvertently match a certificate that was issued
+ * not in compliance with the Baseline Requirements.
+ */
Set<BigInteger> bl = new HashSet<BigInteger>(Arrays.asList(
// From http://src.chromium.org/viewvc/chrome/trunk/src/net/base/x509_certificate.cc?revision=78748&view=markup
// Not a real certificate. For testing only.
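Review bot: The new warning in `readSerialBlackList` is enforced only by convention: nothing in the visible lines stops a short serial from entering the set again. That could happen through a later edit of the hardcoded list or, presumably, through the values the method goes on to read from `path`; that part of the body is outside the hunk. A guard at the point where entries are added, skipping and logging any value whose `BigInteger.bitLength()` is below a chosen minimum, would turn the comment into a check. The comment could also point to the alternative, for example `Use the public-key blacklist for such certificates instead.`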
@@ -135,10 +143,7 @@ public class CertBlacklist {
new BigInteger("d7558fdaf5f1105bb213282b707729a3", 16),
new BigInteger("f5c86af36162f13a64f54f6dc9587c06", 16),
new BigInteger("392a434f0e07df1f8aa305de34e0c229", 16),
- new BigInteger("3e75ced46b693021218830ae86a82a71", 16),
- new BigInteger("864", 16),
- new BigInteger("827", 16),
- new BigInteger("31da7", 16)
+ new BigInteger("3e75ced46b693021218830ae86a82a71", 16)
));
// attempt to augment it with values taken from gservices
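Review bot: Dropping `864`, `827` and `31da7` is safe only if the certificates they targeted are still rejected by the public-key blacklist, and this diff does not show those keys. The commit message implies they are already listed, which is worth confirming before merge. A comment after the last remaining entry, such as `// Short serials 864, 827, 31da7 removed; matched via the pubkey blacklist instead.`, would keep a later maintainer from re-adding them. A regression test asserting that the affected certificates are still reported as blacklisted would guard against a silent gap.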