RFR 8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions

Sean Mullan sean.mullan at oracle.com
Tue Apr 12 19:39:55 UTC 2016

On 04/11/2016 11:59 AM, Anthony Scarpino wrote:
> I believe I have addressed all previous comments and some changes were
> made to rename cacerts to jdkCA and how it works AnchorCertificates.java
> http://cr.openjdk.java.net/~ascarpino/8140422/webrev.03/

* CertConstraintParameters

   31  * This class is a wrapper for keeping state and passing objects 

s/betweenPKIX/between PKIX/

* AnchorCertificates

The comments on lines 40-44 need to be updated now that you have changed 
the implementation. Also you don't really need the surrounding double 


> Tony
> On 02/29/2016 08:55 AM, Anthony Scarpino wrote:
>> I need a code review of this change:
>> http://cr.openjdk.java.net/~ascarpino/8140422/webrev/
>> Currently CertPath algorithm restrictions allow or deny all
>> certificates.  This change adds the ability to reject certificate chains
>> that contain a restricted algorithm and the chain terminates at a root
>> CA; therefore, allowing a self-signed or chain that does not terminate
>> at a root CA.
>> https://bugs.openjdk.java.net/browse/JDK-8140422
>> Thanks
>> Tony
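
An added example, not part of this thread or of the webrev: a simplified Java model of the rule described in the original request, where a restricted algorithm rejects a chain only when the chain terminates at one of the JDK's default root CAs. The class, the policy sets and the certificate names are hypothetical and constructed for illustration, and the split into unconditional and default-root-only restrictions is an assumption about how such a policy would be combined.

```java
import java.util.List;
import java.util.Set;

// Model only (Java 16+ for records); this is not the JDK's AnchorCertificates code.
public class JdkCaConstraintModel {
    // Hypothetical stand-in for a certificate: only the fields the decision needs.
    record Cert(String subject, String sigAlg) {}

    // Constructed policy: MD5 is refused for every chain, SHA1 only under a default root.
    static final Set<String> ALWAYS_DISABLED = Set.of("MD5");
    static final Set<String> DISABLED_UNDER_DEFAULT_ROOT = Set.of("SHA1");
    // Constructed stand-in for the root CAs shipped with the JDK.
    static final Set<String> DEFAULT_ROOTS = Set.of("CN=Public Root CA");

    /** chain holds the certificates being validated; anchor is the trusted cert it ends at. */
    static boolean permits(List<Cert> chain, Cert anchor) {
        // The condition is a property of the whole chain, decided once from its anchor.
        boolean underDefaultRoot = DEFAULT_ROOTS.contains(anchor.subject());
        for (Cert c : chain) {
            String digest = c.sigAlg().split("with")[0]; // "SHA1withRSA" -> "SHA1"
            if (ALWAYS_DISABLED.contains(digest)) return false;
            if (underDefaultRoot && DISABLED_UNDER_DEFAULT_ROOT.contains(digest)) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        Cert publicRoot = new Cert("CN=Public Root CA", "SHA256withRSA");
        Cert corpRoot = new Cert("CN=Corp Root CA", "SHA1withRSA");
        Cert selfSigned = new Cert("CN=dev.example", "SHA1withRSA");
        Cert sha1Leaf = new Cert("CN=www.example", "SHA1withRSA");
        Cert md5Leaf = new Cert("CN=old.example", "MD5withRSA");

        System.out.println("SHA1 leaf, default root anchor:  "
                + permits(List.of(sha1Leaf), publicRoot));
        System.out.println("SHA1 leaf, private root anchor:  "
                + permits(List.of(sha1Leaf), corpRoot));
        // A directly trusted self-signed cert, treated as a one-cert chain anchored at itself.
        System.out.println("SHA1 self-signed, trusted as is: "
                + permits(List.of(selfSigned), selfSigned));
        System.out.println("MD5 leaf, private root anchor:   "
                + permits(List.of(md5Leaf), corpRoot));
    }
}
```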
