[7u] code review request: 8014805: NPE is thrown during certpath validation if certificate does not have AuthorityKeyIdentifier extension

Sean Mullan sean.mullan at oracle.com
Mon Jun 24 12:28:05 PDT 2013


Looks good.

--Sean

On 06/24/2013 02:33 PM, Vincent Ryan wrote:
> I've updated the webrev to address your comments:
>    http://cr.openjdk.java.net/~vinnie/8014805/webrev.02/
>
> Thanks.
>
>
> On 24 Jun 2013, at 16:24, Sean Mullan wrote:
>
>> On 06/24/2013 10:38 AM, Vincent Ryan wrote:
>>> Hello all,
>>>
>>> The fix to handle Authority Key IDs also applies to Subject Key IDs so I've duplicated the changes:
>>>    http://cr.openjdk.java.net/~vinnie/8014805/webrev.01
>>
>>
>> 1211                         subjectKeyId = id.getIdentifier();
>>
>> Should "id" be "ki"?
>
> Yes.
>
>
>>
>> Also, these 2 methods are not thread-safe, which could cause issues if the same certificates are used in multiple threads. This is an existing issue with the methods, but unless this is a demonstrable performance issue, I think you should change them to not cache the subject/authKeyIds and just generate them each time the methods are invoked.
>
> Agreed.
>
>
>>
>> --Sean
>>
>>>
>>> Thanks.
>>>
>>>
>>> On 24 Jun 2013, at 12:42, Vincent Ryan wrote:
>>>
>>>> Thanks.
>>>>
>>>> On 22 Jun 2013, at 01:19, Xuelei Fan wrote:
>>>>
>>>>> Looks fine to me.
>>>>>
>>>>> Xuelei
>>>>>
>>>>> On 6/21/2013 11:46 PM, Vincent Ryan wrote:
>>>>>> Please review this fix for 7u:
>>>>>>
>>>>>> http://cr.openjdk.java.net/~vinnie/8014805/webrev.00/
>>>>>> http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=8014805
>>>>>>
>>>>>> It corrects the NPE that occurs when verifying an X.509 cert that has an Authority Key ID extension
>>>>>> present but it is not in the hash-based format.
>>>>>>
>>>>>> This problem does not occur in JDK 8.
>>>>>>
>>>>>> Thanks.
>>>>>>
>>>>>
>>>>
>>>
>>
>
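The failure mode discussed in this thread, as an added example that is not the webrev's code or JDK code: extract the Authority Key Identifier from a certificate extension value and return null instead of dereferencing a missing field, computing the result on every call with no cached state. It assumes that "not in the hash-based format" means the optional keyIdentifier field is absent and the issuer/serial form is used instead; the class name, method names and sample bytes are constructed for illustration.

```java
import java.util.Arrays;

public class AkidKeyId {                       // hypothetical class, not JDK code
    // Read one DER TLV at off, bounded by end; returns {tag, valueStart, valueEnd}.
    static int[] tlv(byte[] d, int off, int end) {
        if (end - off < 2) throw new IllegalArgumentException("truncated DER");
        int tag = d[off] & 0xff, len = d[off + 1] & 0xff, p = off + 2;
        if (len >= 0x80) {                     // long-form length
            int n = len & 0x7f;
            if (n == 0 || n > 3 || n > end - p) throw new IllegalArgumentException("bad length");
            for (len = 0; n > 0; n--) len = (len << 8) | (d[p++] & 0xff);
        }
        if (len > end - p) throw new IllegalArgumentException("truncated DER");
        return new int[] { tag, p, p + len };
    }

    // ext: the value of X509Certificate.getExtensionValue("2.5.29.35").
    // Returns the keyIdentifier bytes, or null when the extension is absent or
    // carries no keyIdentifier. Stateless: nothing is cached between calls.
    static byte[] authorityKeyId(byte[] ext) {
        if (ext == null) return null;          // extension not present
        int[] oct = tlv(ext, 0, ext.length);   // outer OCTET STRING wrapper
        if (oct[0] != 0x04) throw new IllegalArgumentException("expected OCTET STRING");
        int[] seq = tlv(ext, oct[1], oct[2]);  // AuthorityKeyIdentifier SEQUENCE
        if (seq[0] != 0x30) throw new IllegalArgumentException("expected SEQUENCE");
        if (seq[1] == seq[2]) return null;     // every field is OPTIONAL
        int[] first = tlv(ext, seq[1], seq[2]);
        if (first[0] != 0x80) return null;     // [0] keyIdentifier absent
        return Arrays.copyOfRange(ext, first[1], first[2]);
    }

    public static void main(String[] args) {
        // Constructed sample: keyIdentifier [0] = 0a 0b
        byte[] hashForm = { 0x04, 0x06, 0x30, 0x04, (byte) 0x80, 0x02, 0x0a, 0x0b };
        // Constructed sample: authorityCertIssuer [1] (empty directoryName) + serial [2] = 1
        byte[] issuerSerialForm = { 0x04, 0x0b, 0x30, 0x09, (byte) 0xa1, 0x04,
                (byte) 0xa4, 0x02, 0x30, 0x00, (byte) 0x82, 0x01, 0x01 };
        for (byte[] ext : new byte[][] { hashForm, issuerSerialForm, null }) {
            byte[] kid = authorityKeyId(ext);  // callers must handle null
            System.out.println(kid == null ? "no keyIdentifier: skip key-id matching"
                                           : "keyIdentifier " + Arrays.toString(kid));
        }
    }
}
```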



More information about the security-dev mailing list