[7u] code review request: 8014805: NPE is thrown during certpath validation if certificate does not have AuthorityKeyIdentifier extension

Vincent Ryan Vincent.X.Ryan at Oracle.Com
Mon Jun 24 11:33:39 PDT 2013


I've updated the webrev to address your comments:
  http://cr.openjdk.java.net/~vinnie/8014805/webrev.02/

Thanks.


On 24 Jun 2013, at 16:24, Sean Mullan wrote:

> On 06/24/2013 10:38 AM, Vincent Ryan wrote:
>> Hello all,
>> 
>> The fix to handle Authority Key IDs also applies to Subject Key IDs so I've duplicated the changes:
>>   http://cr.openjdk.java.net/~vinnie/8014805/webrev.01
> 
> 
> 1211                         subjectKeyId = id.getIdentifier();
> 
> Should "id" be "ki"?

Yes. 


> 
> Also, these 2 methods are not thread-safe, which could cause issues if the same certificates are used in multiple threads. This is an existing issue with the methods, but unless this is a demonstrable performance issue, I think you should change them to not cache the subject/authKeyIds and just generate them each time the methods are invoked.

Agreed. 


> 
> --Sean
> 
>> 
>> Thanks.
>> 
>> 
>> On 24 Jun 2013, at 12:42, Vincent Ryan wrote:
>> 
>>> Thanks.
>>> 
>>> On 22 Jun 2013, at 01:19, Xuelei Fan wrote:
>>> 
>>>> Looks fine to me.
>>>> 
>>>> Xuelei
>>>> 
>>>> On 6/21/2013 11:46 PM, Vincent Ryan wrote:
>>>>> Please review this fix for 7u:
>>>>> 
>>>>> http://cr.openjdk.java.net/~vinnie/8014805/webrev.00/
>>>>> http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=8014805
>>>>> 
>>>>> It corrects the NPE that occurs when verifying an X.509 cert that has an Authority Key ID extension
>>>>> present but it is not in the hash-based format.
>>>>> 
>>>>> This problem does not occur in JDK 8.
>>>>> 
>>>>> Thanks.
>>>>> 
>>>> 
>>> 
>> 
> 
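The case discussed in this thread, as an added example that is not code from the webrev or the JDK: an Authority Key Identifier extension that carries only issuer and serial number has no keyIdentifier field, so a lookup must return null and the caller must check for it. The class and method names are hypothetical, the sample bytes are constructed, and the input is assumed to be what `X509Certificate.getExtensionValue("2.5.29.35")` returns.

```java
import java.util.Arrays;

public class AkidKeyId {
    // Reads one DER TLV starting at off; returns {tag, contentStart, contentEnd}.
    static int[] tlv(byte[] b, int off, int end) {
        if (off + 2 > end) throw new IllegalArgumentException("truncated DER");
        int tag = b[off] & 0xff, len = b[off + 1] & 0xff, p = off + 2;
        if (len >= 0x80) {                       // long-form length
            int n = len & 0x7f;
            if (n == 0 || n > 3 || p + n > end) throw new IllegalArgumentException("bad length");
            len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (b[p++] & 0xff);
        }
        if (len > end - p) throw new IllegalArgumentException("value overruns parent");
        return new int[] { tag, p, p + len };
    }

    // Returns the keyIdentifier bytes, or null when the extension is absent or
    // carries only authorityCertIssuer/authorityCertSerialNumber. Stateless:
    // nothing is cached, so concurrent callers cannot observe a half-set field.
    static byte[] keyIdentifier(byte[] extValue) {
        if (extValue == null) return null;
        int[] oct = tlv(extValue, 0, extValue.length);   // OCTET STRING wrapper
        int[] seq = tlv(extValue, oct[1], oct[2]);       // AuthorityKeyIdentifier
        if (oct[0] != 0x04 || seq[0] != 0x30) throw new IllegalArgumentException("not an AKID");
        for (int p = seq[1]; p < seq[2]; ) {
            int[] field = tlv(extValue, p, seq[2]);
            if (field[0] == 0x80) return Arrays.copyOfRange(extValue, field[1], field[2]);
            p = field[2];                        // skip [1] issuer, [2] serial
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed samples, not taken from a real certificate.
        byte[] hashForm = {0x04, 0x06, 0x30, 0x04, (byte) 0x80, 0x02, 0x0a, 0x0b};
        byte[] issuerSerialForm = {0x04, 0x0b, 0x30, 0x09,
            (byte) 0xa1, 0x04, (byte) 0x82, 0x02, 'c', 'a',  // issuer: dNSName "ca"
            (byte) 0x82, 0x01, 0x01};                        // serial number: 1
        for (byte[] ext : new byte[][] { hashForm, issuerSerialForm, null }) {
            byte[] kid = keyIdentifier(ext);
            System.out.println(kid == null ? "no keyIdentifier: skip key-ID matching"
                                           : "keyIdentifier length " + kid.length);
        }
    }
}
```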


