RFR 8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions

Anthony Scarpino anthony.scarpino at oracle.com
Mon Apr 18 19:15:00 UTC 2016


Comments addressed in:

http://cr.openjdk.java.net/~ascarpino/webrev.04/

Tony

On 04/12/2016 12:39 PM, Sean Mullan wrote:
> On 04/11/2016 11:59 AM, Anthony Scarpino wrote:
>> I believe I have addressed all previous comments and some changes were
>> made to rename cacerts to jdkCA and how it works in AnchorCertificates.java
>>
>> http://cr.openjdk.java.net/~ascarpino/8140422/webrev.03/
>
> * CertConstraintParameters
>
>    31  * This class is a wrapper for keeping state and passing objects
> betweenPKIX,
>
> s/betweenPKIX/between PKIX/
>
> * AnchorCertificates
>
> The comments on lines 40-44 need to be updated now that you have changed
> the implementation. Also you don't really need the surrounding double
> quotes.
>
> --Sean
>
>
>>
>> Tony
>>
>> On 02/29/2016 08:55 AM, Anthony Scarpino wrote:
>>> I need a code review of this change:
>>>
>>> http://cr.openjdk.java.net/~ascarpino/8140422/webrev/
>>>
>>> Currently CertPath algorithm restrictions allow or deny all
>>> certificates.  This change adds the ability to reject certificate chains
>>> that contain a restricted algorithm and the chain terminates at a root
>>> CA; therefore, allowing a self-signed or chain that does not terminate
>>> at a root CA.
>>>
>>> https://bugs.openjdk.java.net/browse/JDK-8140422
>>>
>>> Thanks
>>>
>>> Tony
>>>
>>
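
The decision described in the original request, as an added sketch that is not code from the webrev or from the JDK: a restricted algorithm is rejected unconditionally unless its entry carries the `jdkCA` constraint, in which case it is rejected only when the chain terminates at a default root CA. The property value is constructed, the algorithm-name matching is a simplification, and `anchorIsDefaultRoot` is a hypothetical flag standing in for the check of whether the trust anchor is one of the JDK's bundled roots.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

public class JdkCaConstraintDemo {
    // Constructed sample in the style of the jdk.certpath.disabledAlgorithms
    // security property; not copied from any shipped java.security file.
    static final String SAMPLE = "MD2, MD5, SHA1 jdkCA";

    // Maps each disabled algorithm to true when its entry carries the jdkCA constraint.
    static Map<String, Boolean> parse(String property) {
        Map<String, Boolean> rules = new LinkedHashMap<>();
        for (String entry : property.split(",")) {
            String[] tokens = entry.trim().split("\\s+");
            String name = tokens[0].toUpperCase(Locale.ROOT);
            if (tokens.length == 1 && !name.isEmpty()) {
                rules.put(name, false);               // disabled for every chain
            } else if (tokens.length == 2 && tokens[1].equalsIgnoreCase("jdkCA")) {
                rules.put(name, true);                // disabled only under default roots
            }
            // Entries with any other constraint are outside this sketch and are ignored.
        }
        return rules;
    }

    // Simplified matching: "SHA1withRSA" is split into SHA1 and RSA, and each
    // component is looked up by exact name (assumption, not the JDK's decomposer).
    static boolean permits(Map<String, Boolean> rules, String sigAlg, boolean anchorIsDefaultRoot) {
        for (String part : sigAlg.toUpperCase(Locale.ROOT).split("WITH|AND|/")) {
            Boolean jdkCaOnly = rules.get(part.replace("-", ""));
            if (jdkCaOnly == null) continue;          // component is not restricted
            if (!jdkCaOnly || anchorIsDefaultRoot) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        Map<String, Boolean> rules = parse(SAMPLE);
        for (String alg : new String[] {"SHA1withRSA", "SHA256withRSA", "MD5withRSA"}) {
            for (boolean defaultRoot : new boolean[] {true, false}) {
                System.out.printf("%-14s anchor=%-12s -> %s%n", alg,
                        defaultRoot ? "default root" : "private root",
                        permits(rules, alg, defaultRoot) ? "allowed" : "rejected");
            }
        }
    }
}
```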


