[9] RFR: 8076117: EndEntityChecker should not process custom extensions after PKIX validation

Jason Uh jason.uh at oracle.com
Fri Apr 10 19:39:37 UTC 2015

Please review this fix, which prevents redundant extension checking in 

When checking extensions in an end entity certificate, if 
sun.security.validator.EndEntityChecker comes across any extensions that 
are critical and unknown, it throws an exception, even if those 
extensions had already been checked by custom PKIXCertPathCheckers 
(specified in the PKIXParameters) earlier in the validation by 
PKIXValidator. This checking is not necessary when path validation is 
performed by a PKIXValidator.

However, if the validation is performed by a SimpleValidator, 
EndEntityChecker should continue to check extensions.

webrev: http://cr.openjdk.java.net/~juh/8076117/00/
bug: https://bugs.openjdk.java.net/browse/JDK-8076117


More information about the security-dev mailing list