From 9957083a77da8e80b016b43a2579320232492947 Mon Sep 17 00:00:00 2001 From: J2ObjC Team Date: Fri, 19 Jun 2026 22:15:42 -0700 Subject: [PATCH] Remove permitted.reduce(excluded) optimization in X.509 NameConstraints. A logic flaw in the Sun PKIX CertPathValidator X.509 NameConstraints validation allows an attacker with a constrained intermediate CA to craft unauthorized certificates for arbitrary domains and perform TLS Man-in-the-Middle (MITM) attacks. Specifically, an optional optimization using permitted.reduce(excluded) could remove the last permitted subtree of a specific type. This caused the verify() method to incorrectly short-circuit and approve the certificate, effectively dropping the name constraint. To resolve this issue, this commit removes the permitted.reduce(excluded) optimization from NameConstraintsExtension.java and Builder.java. Because this step was strictly an optimization and not required for algorithmic correctness, removing it ensures that constraints are properly retained and correctly enforced during certificate path validation. Test: built and verified locally FEATURE: N/A RELNOTES: Remove permitted.reduce(excluded) optimization in X.509 NameConstraints path validation to prevent constraint bypass. PiperOrigin-RevId: 935167126 --- .../security/provider/certpath/Builder.java | 10 +++---- .../x509/NameConstraintsExtension.java | 28 +++++++++---------- 2 files changed, 18 insertions(+), 20 deletions(-) diff --git a/jre_emul/android/platform/libcore/ojluni/src/main/java/sun/security/provider/certpath/Builder.java b/jre_emul/android/platform/libcore/ojluni/src/main/java/sun/security/provider/certpath/Builder.java index b4a225dbd2..5bf4fd6150 100644 --- a/jre_emul/android/platform/libcore/ojluni/src/main/java/sun/security/provider/certpath/Builder.java +++ b/jre_emul/android/platform/libcore/ojluni/src/main/java/sun/security/provider/certpath/Builder.java @@ -26,15 +26,13 @@ package sun.security.provider.certpath; import java.io.IOException; -import java.security.AccessController; import java.security.GeneralSecurityException; import java.security.cert.*; import java.util.*; - import sun.security.provider.certpath.PKIX.BuilderParams; import sun.security.util.Debug; -import sun.security.x509.GeneralNames; import sun.security.x509.GeneralNameInterface; +import sun.security.x509.GeneralNames; import sun.security.x509.GeneralSubtrees; import sun.security.x509.NameConstraintsExtension; import sun.security.x509.SubjectAlternativeNameExtension; @@ -344,9 +342,9 @@ static int targetDistance(NameConstraintsExtension constraints, constraints.get(NameConstraintsExtension.PERMITTED_SUBTREES); GeneralSubtrees excluded = constraints.get(NameConstraintsExtension.EXCLUDED_SUBTREES); - if (permitted != null) { - permitted.reduce(excluded); - } + if (permitted != null) { + // permitted.reduce(excluded); // VULNERABILITY FIX: b/514770851 + } if (debug != null) { debug.println("Builder.targetDistance() reduced constraints: " + permitted); diff --git a/jre_emul/android/platform/libcore/ojluni/src/main/java/sun/security/x509/NameConstraintsExtension.java b/jre_emul/android/platform/libcore/ojluni/src/main/java/sun/security/x509/NameConstraintsExtension.java index f043183b95..d3b97c0e2e 100644 --- a/jre_emul/android/platform/libcore/ojluni/src/main/java/sun/security/x509/NameConstraintsExtension.java +++ b/jre_emul/android/platform/libcore/ojluni/src/main/java/sun/security/x509/NameConstraintsExtension.java @@ -30,11 +30,9 @@ import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import java.util.*; - import javax.security.auth.x500.X500Principal; - -import sun.security.util.*; import sun.security.pkcs.PKCS9Attribute; +import sun.security.util.*; /** * This class defines the Name Constraints Extension. @@ -383,18 +381,20 @@ public void merge(NameConstraintsExtension newConstraints) } } - // Optional optimization: remove permitted subtrees that are excluded. - // This is not necessary for algorithm correctness, but it makes - // subsequent operations on the NameConstraints faster and require - // less space. - if (permitted != null) { - permitted.reduce(excluded); - } - - // The NameConstraints have been changed, so re-encode them. Methods in - // this class assume that the encodings have already been done. - encodeThis(); + // Optional optimization: remove permitted subtrees that are excluded. + // This is not necessary for algorithm correctness, but it makes + // subsequent operations on the NameConstraints faster and require + // less space. + // VULNERABILITY FIX: b/514770851 + /* + if (permitted != null) { + permitted.reduce(excluded); + } + */ + // The NameConstraints have been changed, so re-encode them. Methods in + // this class assume that the encodings have already been done. + encodeThis(); } /**