How to whitelist certificate extension in java


During the SSL handshake, I get the following error:

Certificate contains unsupported critical extensions.

This exception is thrown by sun.security.validator.EndEntityChecker class

    private void checkRemainingExtensions(Set<String> exts)
            throws CertificateException {
        // basic constraints irrelevant in EE certs
        exts.remove(SimpleValidator.OID_BASIC_CONSTRAINTS);

        // If the subject field contains an empty sequence, the subjectAltName
        // extension MUST be marked critical.
        // We do not check the validity of the critical extension, just mark
        // it recognizable here.
        exts.remove(OID_SUBJECT_ALT_NAME);

        if (!exts.isEmpty()) {
            throw new CertificateException("Certificate contains unsupported "
                + "critical extensions: " + exts);
        }
    }

It turns out that the extension which causes the error is the only one not removed during the validation process. Removing this extension from the CA is not an option. How can I whitelist this extension?


Answer by Sean Mullan

You can write a PKIXCertPathChecker that processes and removes this extension, and then add that as a checker using the PKIXParameters.addCertPathChecker method, and then set those parameters using the TrustManagerFactory.init method.
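The approach the answer describes, as an added example that is neither the answer's nor the JDK's own code: a PKIXCertPathChecker that resolves one assumed extension OID (the placeholder 1.2.3.4.5.6.7 stands in for the CA's real OID), registered through PKIXBuilderParameters.addCertPathChecker (the SunJSSE PKIX TrustManagerFactory expects the builder subclass of PKIXParameters) and passed to TrustManagerFactory.init wrapped in CertPathTrustManagerParameters.

```java
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Collection;
import java.util.Collections;
import java.util.Set;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Resolves one known critical extension so the PKIX validator stops rejecting it. */
public final class ExtensionWhitelistChecker extends PKIXCertPathChecker {
    // Placeholder OID (hypothetical): replace with the OID your CA actually emits.
    private static final String WHITELISTED_OID = "1.2.3.4.5.6.7";

    @Override
    public void init(boolean forward) throws CertPathValidatorException {
        if (forward) throw new CertPathValidatorException("forward checking unsupported");
    }

    @Override
    public boolean isForwardCheckingSupported() { return false; }

    @Override
    public Set<String> getSupportedExtensions() { return Collections.singleton(WHITELISTED_OID); }

    @Override
    public void check(Certificate cert, Collection<String> unresolvedCritExts)
            throws CertPathValidatorException {
        if (!unresolvedCritExts.contains(WHITELISTED_OID)) return;
        byte[] der = ((X509Certificate) cert).getExtensionValue(WHITELISTED_OID);
        if (der == null) throw new CertPathValidatorException("extension value missing");
        // A production checker would parse `der` and reject unexpected contents;
        // removing the OID tells the validator the extension has been handled.
        unresolvedCritExts.remove(WHITELISTED_OID);
    }

    /** SSLContext whose trust manager tolerates the whitelisted extension. */
    public static SSLContext buildContext(KeyStore trustStore) throws Exception {
        PKIXBuilderParameters params =
            new PKIXBuilderParameters(trustStore, new X509CertSelector());
        params.setRevocationEnabled(false); // off only for this example; set per your policy
        params.addCertPathChecker(new ExtensionWhitelistChecker());
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(params));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }
}
```

The checker only acknowledges the extension; whatever semantics the CA attaches to it are not enforced unless `check` actually validates the DER value before removing the OID from the unresolved set.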