
Handle incorrectly versioned certificates in system truststore #178

Merged
merged 2 commits into from
Mar 28, 2023

Conversation

CRogers
Contributor

@CRogers CRogers commented Mar 28, 2023

Before this PR

Similar to #168. Someone internally has this x509 cert in their system truststore issued by StrongLoop. The cert uses v3 extensions but only lists itself as being v1. Java is very strict on this:

Caused by: java.security.cert.CertificateParsingException: no more data allowed for version 1 certificate
	at java.base/sun.security.x509.X509CertInfo.parse(X509CertInfo.java:679)

The printed form of the cert:

$ openssl x509 -in gradle-jdks/src/test/resources/strongloop-cert-with-v3-extensions-but-v1-version.pem -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 6606 (0x19ce)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=CA, L=San Francisco, O=StrongLoop, Inc., OU=StrongOps, CN=ca.strongloop.com
        Validity
            Not Before: Dec  8 23:35:33 2015 GMT
            Not After : Apr 24 23:35:33 2043 GMT
        Subject: CN=strongloop.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    // snip
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                IP Address:0.0.0.0, IP Address:127.0.0.1

After this PR

==COMMIT_MSG==
Fix errors of the form no more data allowed for version 1 certificate when the system truststore has incorrectly versioned X.509 certs in it.
==COMMIT_MSG==

We just ignore these ones - they are not going to be the Palantir CA.

Possible downsides?
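An added example (not the gradle-jdks project's own code) of the skip-on-parse-error approach this PR describes: each PEM block in a bundle is parsed separately so one incorrectly versioned cert cannot abort the whole truststore load, and the JDK's "version 1" error is matched null-safely along the cause chain, since the stack trace above shows it arriving as a "Caused by" CertificateParsingException. The class name, regex splitting and the cause-chain walk are assumptions of this example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical helper: parse every PEM certificate in a bundle, skipping entries the JDK rejects for the version mismatch. */
public final class LenientPemParser {
    // Each PEM block is extracted on its own so a single bad entry does not fail the whole bundle.
    private static final Pattern PEM_BLOCK = Pattern.compile(
            "-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", Pattern.DOTALL);
    // Message emitted by sun.security.x509.X509CertInfo for v3 extensions in a v1 cert (JDK-specific text).
    private static final String VERSION_1_ERROR = "no more data allowed for version 1 certificate";

    static List<Certificate> parseCerts(byte[] multipleCertificateBytes) throws CertificateException {
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        String pem = new String(multipleCertificateBytes, StandardCharsets.US_ASCII);
        Matcher matcher = PEM_BLOCK.matcher(pem);
        List<Certificate> certs = new ArrayList<>();
        while (matcher.find()) {
            byte[] single = matcher.group().getBytes(StandardCharsets.US_ASCII);
            try {
                certs.add(factory.generateCertificate(new ByteArrayInputStream(single)));
            } catch (CertificateException e) {
                if (isIncorrectlyVersioned(e)) {
                    // Skip it: a cert the JDK cannot parse can never be the CA we are looking for,
                    // and failing the entire truststore load over it would be worse.
                    continue;
                }
                throw e; // any other parse failure is still surfaced
            }
        }
        return certs;
    }

    /** Null-safe check that also inspects wrapped causes, as the JDK reports the error via getCause(). */
    static boolean isIncorrectlyVersioned(Throwable e) {
        for (Throwable t = e; t != null; t = t.getCause()) {
            String message = t.getMessage();
            if (message != null && message.contains(VERSION_1_ERROR)) {
                return true;
            }
        }
        return false;
    }
}
```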

@changelog-app

changelog-app bot commented Mar 28, 2023

Generate changelog in changelog/@unreleased

Type

  • Feature
  • Improvement
  • Fix
  • Break
  • Deprecation
  • Manual task
  • Migration

Description

Fix errors of the form no more data allowed for version 1 certificate when the system truststore has incorrectly versioned X.509 certs in it.

Check the box to generate changelog(s)

  • Generate changelog entry

@bulldozer-bot bulldozer-bot bot merged commit 37c98d9 into develop Mar 28, 2023
@bulldozer-bot bulldozer-bot bot deleted the callumr/fix-another-truststore-issue branch March 28, 2023 15:57
@svc-autorelease
Collaborator

Released 0.32.0

@@ -173,6 +173,10 @@ static List<Certificate> parseCerts(byte[] multipleCertificateBytes) {
continue;
}

if (e.getMessage().contains("no more data allowed for version 1 certificate")) {
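Review bot: the check `e.getMessage().contains("no more data allowed for version 1 certificate")` on the last line of this hunk throws NullPointerException when the caught exception carries no message, and it keys the skip decision on a JDK-internal message string that is not part of any API contract; the stack trace in the description also shows the error arriving as a "Caused by: CertificateParsingException", so a wrapped instance would not match here. Suggest `String msg = e.getMessage(); if (msg != null && msg.contains(...))`, and walking `getCause()` so the wrapped CertificateParsingException is recognised as well.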
Contributor


we may want to check that e.getMessage() doesn't return null prior to the .contains invocation
