Bug 1818881

Summary: Add security property (i.e. java.security file) version of jdk.security.allowNonCaAnchor
Product: Red Hat Enterprise Linux 8
Reporter: Chris Dolphy <cdolphy>
Component: java-1.8.0-openjdk
Assignee: Martin Balao <mbalao>
Status: CLOSED ERRATA
QA Contact: OpenJDK QA <java-qa>
Severity: unspecified
Priority: unspecified
Version: 8.4
CC: ahughes, jvanek
Target Milestone: rc
Flags: pm-rhel: mirror+
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Fixed In Version: java-1.8.0-openjdk-1.8.0.272.b10-4.el8
Doc Type: If docs needed, set a value
Last Closed: 2021-05-18 15:31:11 UTC
Type: Bug

Description Chris Dolphy 2020-03-30 15:31:31 UTC
Description of problem:
In OpenJDK 8u241/242, JSSE implemented new checks on Trust Anchor Certificates.  Root CA certificates now must have BasicConstraints CA extensions.  A system property jdk.security.allowNonCaAnchor was added to restore old behavior.

However, the customer would like it to be set as a security property instead of a system property.

Version-Release number of selected component (if applicable):
java-1.8.0-openjdk

How reproducible:
Predictable

Steps to Reproduce:
1. Connect to server using Java client.  Server should have a Root certificate signing the server certificate.  Here are the commands to create it:

keytool -genkeypair -keystore ca.jks -alias ca -dname cn=ca,dc=redhat,dc=com -storepass secret -keypass secret -validity 365 -keysize 2048 -keyalg RSA
keytool -exportcert -alias ca -keystore ca.jks -storepass secret -file ca.cer
keytool -genkeypair  -keystore jboss.keystore.jks -storepass secret -keypass secret -dname "cn=jboss.usersys.redhat.com, ou=GSS,dc=redhat,dc=com" -alias jboss -keysize 2048 -keyalg RSA
keytool -certreq -keystore jboss.keystore.jks -storepass secret -alias jboss -file jboss.csr
keytool -gencert -infile jboss.csr -outfile jboss.cer -keystore ca.jks -alias ca -storepass secret -keypass secret -validity 365
keytool -importcert -keystore jboss.keystore.jks -storepass secret -trustcacerts -alias ca -file ca.cer -noprompt
keytool -importcert -keystore jboss.keystore.jks -storepass secret -alias jboss -file jboss.cer -noprompt

2. Client should get error:
sun.security.validator.ValidatorException: TrustAnchor with subject "CN=..." is not a CA certificate

3. Set the new security property and no error should be produced.


Actual results:
No errors.

Expected results:
sun.security.validator.ValidatorException: TrustAnchor with subject "CN=..." is not a CA certificate
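An added example (not part of this report or of the OpenJDK sources): a small Java program that loads a truststore such as the ca.jks created by the keytool commands above and reports which trust anchors lack the BasicConstraints cA=true extension that the 8u241+ check requires, then prints the current value of jdk.security.allowNonCaAnchor as both a system property and a security property. The default truststore path and password are taken from the keytool commands; the class name is made up.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

// Added example, not part of this bug report. Lists the certificates in a
// keystore and flags those that the 8u241+ trust-anchor check rejects.
public class NonCaAnchorCheck {

    // getBasicConstraints() returns -1 when the BasicConstraints extension is
    // absent or cA is false; anything else means the cert asserts it is a CA.
    static boolean isCaCert(X509Certificate cert) {
        return cert.getBasicConstraints() != -1;
    }

    public static void main(String[] args) throws Exception {
        // Defaults match the reproduction steps (assumed path and password).
        String path = args.length > 0 ? args[0] : "ca.jks";
        char[] pass = (args.length > 1 ? args[1] : "secret").toCharArray();

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }

        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate cert = (X509Certificate) c;
            System.out.printf("%s: %s -> %s%n", alias, cert.getSubjectX500Principal(),
                    isCaCert(cert) ? "CA (accepted as trust anchor)"
                                   : "NOT a CA (rejected unless jdk.security.allowNonCaAnchor=true)");
        }

        // The two places the override can live. The system property form is
        // -Djdk.security.allowNonCaAnchor=true; the security property form is a
        // jdk.security.allowNonCaAnchor=true line in java.security (or
        // Security.setProperty before the first validation), which is what this
        // bug asks for and which only builds carrying the fix honour.
        System.out.println("system property:   "
                + System.getProperty("jdk.security.allowNonCaAnchor"));
        System.out.println("security property: "
                + Security.getProperty("jdk.security.allowNonCaAnchor"));
    }
}
```

Run against ca.jks from the steps above, the "ca" alias is reported as NOT a CA, because keytool -genkeypair does not add a BasicConstraints extension by default; that is exactly why the client sees the ValidatorException.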

Comment 2 Martin Balao 2020-04-08 15:17:38 UTC
Status update:

 * Change pushed to JDK baseline (will be available in JDK-15)
  * http://hg.openjdk.java.net/jdk/jdk/rev/c1ea616a7965

JDK-11 and JDK-8 backports still pending.

Comment 4 Andrew John Hughes 2020-10-26 15:37:21 UTC
Only just seen this bug. The fix is in the latest 8u272 release, packages of which are on their way out.

Comment 5 jiri vanek 2020-10-26 15:40:10 UTC
Is explicit regression test for this requested?

Comment 6 Andrew John Hughes 2020-10-26 15:43:31 UTC
It'd be good to have if easily feasible. The change does get flagged as a modification to java.security so it's definitely in the latest builds.

Comment 7 Andrew John Hughes 2020-10-28 15:50:22 UTC
Looks like this will have to be listed as a RHEL 8.4 bug at this stage, but this issue is fixed across all the new OpenJDK 8 packages that just went out.

Comment 16 errata-xmlrpc 2021-05-18 15:31:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (java-1.8.0-openjdk bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1795