8 Replies Latest reply: Dec 5, 2012 5:27 AM by 910220

Unrecognized critical extension (1.3.6.1.5.5.7.1.3) in client certificate

910220 Newbie
Hi all,

I have created a web application that establishes a 2-way SSL communication channel. Numerous client certificates have been tested, belonging to various CAs, and no problem occurred. These days I'm testing a new certificate managed by a Turkish CA and unfortunately it cannot be validated due to the following error:

<Dec 3, 2012 9:55:18 PM EET> <Warning> <Security> <BEA-090566> <The certificate chain received from XXX contained a V3 certificate with unrecognized critical extension: 1.3.6.1.5.5.7.1.3>
<Dec 3, 2012 9:55:18 PM EET> <Debug> <SecuritySSL> <BEA-000000> <NEW ALERT with Severity: FATAL, Type: 42
java.lang.Exception: New alert stack
at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
at com.certicom.tls.record.handshake.ServerStateSentHelloDone.handle(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
at javax.net.ssl.impl.SSLSocketImpl.startHandshake(Unknown Source)
at weblogic.server.channels.DynamicSSLListenThread$1.run(DynamicSSLListenThread.java:130)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:207)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:176)

This is a qcStatement extension (1.3.6.1.5.5.7.1.3) and is defined in the IETF RFC 3739 (http://www.faqs.org/rfcs/rfc3739.html). Unfortunately Weblogic seems not to support this RFC and the CertValidators fail to validate this certificate. I've tried many bypasses but nothing really worked, except if I add the certificate to the truststore which is completely out of the question. I can (and do) only add the issuing CA as a trustcacert.

Has anyone faced this problem? Is there any solution to this?

Any assistance will be really appreciated.

Thank you in advance,
Paul.
  • 1. Re: Unrecognized critical extension (1.3.6.1.5.5.7.1.3) in client certificate
    Jeets Journeyer
    Hello Paul,

    I did some quick research on this, and observed that this happens to be a bug in weblogic version 9.x and patches are available for the same version.

    Are you on the same version of weblogic?

    Hope this answers your question.

    Regards,
    Jetendra.
  • 2. Re: Unrecognized critical extension (1.3.6.1.5.5.7.1.3) in client certificate
    910220 Newbie
    Hi Jetendra,

    We're using weblogic 10.3.4, but I couldn't find anything on the internet regarding this error (and I did a looong search for it). Could you give me some directions?

    Thank you in advance.

    Cheers,
    Paul.
  • 3. Re: Unrecognized critical extension (1.3.6.1.5.5.7.1.3) in client certificate
    Olaf Heimburger Pro
    This is easy to fix:

    1. Update the JRE jurisdiction files of the JDK to use the strong jurisdiction.
    2. In WLS turn on JSSE.
    3. Start WLS with these system property settings: -Dweblogic.ssl.JSSEEnabled=true -Dweblogic.security.SSL.enableJSSE=true

    HTH,
    --olaf
    PS: In WLS 12c JSSE is used by default.
    PPS: I need to blog this one.
  • 4. Re: Unrecognized critical extension (1.3.6.1.5.5.7.1.3) in client certificate
    910220 Newbie
    I'm afraid that the problem persists (I used JSSE previously without the two system properties, but it didn't work). Again, I get an error message on the unrecognized critical extension.

    ...
    <Dec 4, 2012 3:29:18 PM EET> <Notice> <Stdout> <BEA-000000> <ExecuteThread: '2' for queue: 'weblogic.socket.Muxer', fatal error: 46: General SSLEngine problem
    sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: unrecognized critical extension(s)>
    <Dec 4, 2012 3:29:18 PM EET> <Notice> <Stdout> <BEA-000000> <ExecuteThread: '2' for queue: 'weblogic.socket.Muxer', SEND TLSv1 ALERT: fatal, description = certificate_unknown>
    <Dec 4, 2012 3:29:18 PM EET> <Notice> <Stdout> <BEA-000000> <ExecuteThread: '2' for queue: 'weblogic.socket.Muxer', WRITE: TLSv1 Alert, length = 2>
    <Dec 4, 2012 3:29:18 PM EET> <Notice> <Stdout> <BEA-000000> <ExecuteThread: '2' for queue: 'weblogic.socket.Muxer', fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: General SSLEngine problem>
    <Dec 4, 2012 3:29:18 PM EET> <Debug> <SecuritySSL> <BEA-000000> <[Thread[ExecuteThread: '2' for queue: 'weblogic.socket.Muxer',5,Thread Group for Queue: 'weblogic.socket.Muxer']]weblogic.security.SSL.jsseadapter: SSLENGINE: Exception occurred during SSLEngine.wrap(ByteBuffer,ByteBuffer).
    javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:1015)
    ...

    Anyway, I appreciate your assistance.

    Best Regards,
    Paul.
  • 5. Re: Unrecognized critical extension (1.3.6.1.5.5.7.1.3) in client certificate
    Olaf Heimburger Pro
    Sorry for being persistent, but did you update your JDK with the "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6" (this is the correct wording)?

    You can find it here http://www.oracle.com/technetwork/java/javase/downloads/index.html (at the very end).

    --olaf
  • 6. Re: Unrecognized critical extension (1.3.6.1.5.5.7.1.3) in client certificate
    910220 Newbie
    Yes, I have installed the jurisdiction policy files. Actually, I've been working on security issues for some time now, but I've never encountered a certificate with a V3 extension with OID 1.3.6.1.5.5.7.1.3 (which causes the problem).


    Update:
    I've tried switching JSSE on/off, using Bouncy Castle as the security provider, JDK 6 (_37) and JDK 7, but still nothing.

    Edited by: PaulP on Dec 4, 2012 6:59 AM
  • 7. Re: Unrecognized critical extension (1.3.6.1.5.5.7.1.3) in client certificate
    Mohammed Rayan-Oracle Journeyer
    Paul,

    I checked the RFC and it states QC as an OPTIONAL extension only.
    So why not try to update the certificate extension from critical to non-critical and check it?


    *3.2.6. Qualified Certificate Statements*

    This section defines an OPTIONAL extension for the inclusion of
    statements defining explicit properties of the certificate.

    Each statement SHALL include an object identifier for the statement
    and MAY also include optional qualifying data contained in the
    statementInfo parameter.

    If the statementInfo parameter is included, then the object
    identifier of the statement SHALL define the syntax and SHOULD define
    the semantics of this parameter.  If the object identifier does not
    define the semantics, a relying party may have to consult a relevant
    certificate policy or CPS to determine the exact semantics.

    This extension may be critical or non-critical.  If the extension is
    critical, this means that all statements included in the extension
    are regarded as critical.

    *qcStatements  EXTENSION ::= {*
    SYNTAX             QCStatements
    IDENTIFIED BY      id-pe-qcStatements }




    The -ext option is available in keytool starting from JDK 7.

    It is only possible with JDK 7.

    -ext {name{:critical}{=value}}
    Denotes an X.509 certificate extension. The option can be used in -genkeypair and -gencert to embed extensions into the certificate generated, or in -certreq to show what extensions are requested in the certificate request. The option can appear multiple times. name can be a supported extension name (see below) or an arbitrary OID number. value, if provided, denotes the parameter for the extension; if omitted, denotes the default value (if defined) of the extension or the extension requires no parameter. The :critical modifier, if provided, means the extension's isCritical attribute is true; otherwise, false. You may use :c in place of :critical.

    Reference:
    http://docs.oracle.com/javase/7/docs/technotes/tools/solaris/keytool.html



    Regards,
    MR
  • 8. Re: Unrecognized critical extension (1.3.6.1.5.5.7.1.3) in client certificate
    910220 Newbie
    Hello there,

    First of all, I deeply appreciate your contribution.

    Your comment is 100% correct. This statement should be optional, but it is critical instead. The problem is that this is not a certificate that I control, but instead an official qualified personal certificate (actually it refers to a dummy person, but the structure is the same) placed in a Gemalto-based smart card and managed by a Turkish CA.

    In any case, I realize that this may not be the correct forum to send my question since it has to do with Java security and not WebLogic.

    Nevertheless, I'll keep the post in case someone has faced and solved this problem.

    Thank you all again for your assistance,

    Best Regards,
    Paul.
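Since the certificate is issued by a third-party CA and cannot be re-issued with the extension marked non-critical, the remaining option is on the relying-party side: teach the validator what id-pe-qcStatements (1.3.6.1.5.5.7.1.3) means. The JDK PKIX validator reports "unrecognized critical extension(s)" (the message in the JSSE log in reply 4) whenever a critical extension OID is still in the unresolved set after all registered PKIXCertPathChecker instances have run. The following added example, which is not code from this thread, from Oracle or from WebLogic, shows a checker that parses the QCStatements SEQUENCE with a small DER walker, accepts the extension only when every statementId is on a deployment-defined allow-list (following RFC 3739 3.2.6, which makes every statement critical when the extension is critical), and registers itself with standard PKIXParameters. The class name, the allow-list contents (id-qcs-pkixQCSyntax-v2 from RFC 3739 and id-etsi-qcs-QcCompliance from ETSI TS 101 862) and the demo bytes are assumptions for illustration; how to plug such a checker into WebLogic's own certificate validators is product-specific and not shown.

```java
import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.util.*;

/** Relying-party handling of the critical qcStatements extension (id-pe-qcStatements,
 *  1.3.6.1.5.5.7.1.3) for the JDK PKIX validator. The extension is accepted only when every
 *  statement it carries is on an allow-list: RFC 3739 3.2.6 makes each statement critical
 *  when the extension is critical, so an unknown statement must still fail validation. */
public final class QcStatementsChecker extends PKIXCertPathChecker {

    static final String ID_PE_QCSTATEMENTS = "1.3.6.1.5.5.7.1.3";

    // Deployment policy (assumption): statement OIDs this relying party understands.
    // 1.3.6.1.5.5.7.11.2 = id-qcs-pkixQCSyntax-v2 (RFC 3739), 0.4.0.1862.1.1 = id-etsi-qcs-QcCompliance.
    static final Set<String> ACCEPTED_STATEMENTS = new HashSet<String>(
            Arrays.asList("1.3.6.1.5.5.7.11.2", "0.4.0.1862.1.1"));

    @Override public void init(boolean forward) { }
    @Override public boolean isForwardCheckingSupported() { return true; }
    @Override public Set<String> getSupportedExtensions() { return Collections.singleton(ID_PE_QCSTATEMENTS); }

    @Override
    public void check(Certificate cert, Collection<String> unresolvedCritExts) throws CertPathValidatorException {
        if (!(cert instanceof X509Certificate) || !unresolvedCritExts.contains(ID_PE_QCSTATEMENTS)) {
            return;                                  // absent or non-critical: nothing to resolve
        }
        List<String> statements;
        try {
            statements = statementOids(((X509Certificate) cert).getExtensionValue(ID_PE_QCSTATEMENTS));
        } catch (RuntimeException e) {
            throw new CertPathValidatorException("malformed qcStatements extension", e);
        }
        for (String oid : statements) {
            if (!ACCEPTED_STATEMENTS.contains(oid)) {
                throw new CertPathValidatorException("unsupported critical qcStatement " + oid);
            }
        }
        // Every statement is understood, so report the extension as handled. Any OID still in this
        // collection after all checkers ran is what the validator reports as
        // "unrecognized critical extension(s)", the message seen in the JSSE log above.
        unresolvedCritExts.remove(ID_PE_QCSTATEMENTS);
    }

    /** Plain JDK PKIX validation with the checker registered (wiring it into WebLogic's own
     *  certificate validators is a separate, product-specific step not shown here). */
    static PKIXCertPathValidatorResult validate(CertPath path, Set<TrustAnchor> anchors)
            throws GeneralSecurityException {
        PKIXParameters params = new PKIXParameters(anchors);
        params.addCertPathChecker(new QcStatementsChecker());
        return (PKIXCertPathValidatorResult) CertPathValidator.getInstance("PKIX").validate(path, params);
    }

    // --- minimal DER walker for OCTET STRING { SEQUENCE OF SEQUENCE { OID, ANY OPTIONAL } } ---

    /** Extracts the statementId OIDs from the raw bytes X509Certificate.getExtensionValue() returns. */
    static List<String> statementOids(byte[] ext) {
        int[] pos = {0};
        expectTag(ext, pos, 0x04);                   // OCTET STRING wrapper (extnValue)
        readLength(ext, pos);
        expectTag(ext, pos, 0x30);                   // QCStatements ::= SEQUENCE OF QCStatement
        int end = pos[0] + readLength(ext, pos);
        List<String> oids = new ArrayList<String>();
        while (pos[0] < end) {
            expectTag(ext, pos, 0x30);               // QCStatement ::= SEQUENCE {
            int stEnd = pos[0] + readLength(ext, pos);
            expectTag(ext, pos, 0x06);               //   statementId   OBJECT IDENTIFIER,
            int oidLen = readLength(ext, pos);
            oids.add(decodeOid(ext, pos[0], oidLen));
            pos[0] = stEnd;                          //   statementInfo ANY OPTIONAL } -- skipped
        }
        return oids;
    }

    static void expectTag(byte[] b, int[] pos, int tag) {
        int t = b[pos[0]++] & 0xFF;
        if (t != tag) throw new IllegalArgumentException("expected tag 0x" + Integer.toHexString(tag)
                + ", got 0x" + Integer.toHexString(t));
    }

    static int readLength(byte[] b, int[] pos) {
        int first = b[pos[0]++] & 0xFF;
        if (first < 0x80) return first;              // short form
        int n = first & 0x7F, len = 0;               // long form: n further length bytes
        for (int i = 0; i < n; i++) len = (len << 8) | (b[pos[0]++] & 0xFF);
        return len;
    }

    static String decodeOid(byte[] b, int off, int len) {
        StringBuilder sb = new StringBuilder();
        long value = 0;
        boolean first = true;
        for (int i = off; i < off + len; i++) {
            value = (value << 7) | (b[i] & 0x7F);
            if ((b[i] & 0x80) != 0) continue;        // continuation byte of this sub-identifier
            if (first) {                             // first sub-identifier packs arcs 1 and 2
                long arc1 = value < 80 ? value / 40 : 2;
                sb.append(arc1).append('.').append(value - arc1 * 40);
                first = false;
            } else {
                sb.append('.').append(value);
            }
            value = 0;
        }
        return sb.toString();
    }

    /** Stand-alone demo on a constructed extnValue (not taken from any real certificate). */
    public static void main(String[] args) {
        byte[] constructed = {
            0x04, 0x18, 0x30, 0x16,                                                    // OCTET STRING(24) { SEQUENCE(22)
            0x30, 0x0A, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x0B, 0x02,    //   { OID 1.3.6.1.5.5.7.11.2 }
            0x30, 0x08, 0x06, 0x06, 0x04, 0x00, (byte) 0x8E, 0x46, 0x01, 0x01 };      //   { OID 0.4.0.1862.1.1 } }
        for (String oid : statementOids(constructed)) {
            System.out.println(oid + (ACCEPTED_STATEMENTS.contains(oid) ? " accepted" : " rejected"));
        }
    }
}
```

The design point is that the checker never removes the OID from the unresolved set unconditionally: a statement the relying party has not reviewed (for example one that limits the transaction value or declares a retention period) fails the path exactly as the critical flag demands, while the statements the deployment has decided it understands let the handshake complete without adding the end-entity certificate to the trust store.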
