[9] RFR: 8076117: EndEntityChecker should not process custom extensions after PKIX validation

Xuelei Fan xuelei.fan at oracle.com
Fri Apr 10 22:41:54 UTC 2015

Looks fine to me except a few minor comments.

Would you mind add a comment about why only check extension for TYPE_SIMPLE?

line 26-28:
We normally use bug tag before other tags.

line 52-55, and similar places:
Normally, a "*" character is expected for each comment line.  As is
easier to read.

Binary file is not preferred in Mercurial.  Would you mind use string
key store as what you did for CA and EE certs in


On 4/11/2015 3:39 AM, Jason Uh wrote:
> Please review this fix, which prevents redundant extension checking in
> EndEntityChecker.
> When checking extensions in an end entity certificate, if
> sun.security.validator.EndEntityChecker comes across any extensions that
> are critical and unknown, it throws an exception, even if those
> extensions had already been checked by custom PKIXCertPathCheckers
> (specified in the PKIXParameters) earlier in the validation by
> PKIXValidator. This checking is not necessary when path validation is
> performed by a PKIXValidator.
> However, if the validation is performed by a SimpleValidator,
> EndEntityChecker should continue to check extensions.
> webrev: http://cr.openjdk.java.net/~juh/8076117/00/
> bug: https://bugs.openjdk.java.net/browse/JDK-8076117
> Thanks,
> Jason

More information about the security-dev mailing list