RFR: 8076117: EndEntityChecker should not process custom extensions after PKIX validation
xuelei.fan at oracle.com
Fri Apr 10 23:34:24 UTC 2015
Looks fine to me.
> I'm not aware of a way to export an entire keystore as an
> encoded string. (Is there a way?)
A keystore can be defined as a BASE64-encoded string, and then the keystore
loaded from a stream. More generally, declare the private key and cert
strings, and then add them to a KeyStore instance.
On 4/11/2015 7:18 AM, Jason Uh wrote:
> Thanks, Xuelei.
> On 04/10/2015 03:41 PM, Xuelei Fan wrote:
>> Looks fine to me except a few minor comments.
>> Would you mind adding a comment about why only check extension for
>> line 26-28:
>> We normally use bug tag before other tags.
> Moved @bug before @summary. @test still needs to be first for jtreg.
>> line 52-55, and similar places:
>> Normally, a "*" character is expected for each comment line. It is
>> easier to read.
>> Binary file is not preferred in Mercurial. Would you mind using a string
>> key store, as you did for CA and EE certs in
> Just changed it to setCertificateEntry from the already constructed CA
> cert, which is definitely better than using the binary. I'm not aware of
> a way to export an entire keystore as an encoded string. (Is there a way?)
> Revised webrev: http://cr.openjdk.java.net/~juh/8076117/01/
>> On 4/11/2015 3:39 AM, Jason Uh wrote:
>>> Please review this fix, which prevents redundant extension checking in
>>> When checking extensions in an end entity certificate, if
>>> sun.security.validator.EndEntityChecker comes across any extensions that
>>> are critical and unknown, it throws an exception, even if those
>>> extensions had already been checked by custom PKIXCertPathCheckers
>>> (specified in the PKIXParameters) earlier in the validation by
>>> PKIXValidator. This checking is not necessary when path validation is
>>> performed by a PKIXValidator.
>>> However, if the validation is performed by a SimpleValidator,
>>> EndEntityChecker should continue to check extensions.
>>> webrev: http://cr.openjdk.java.net/~juh/8076117/00/
>>> bug: https://bugs.openjdk.java.net/browse/JDK-8076117
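A custom PKIXCertPathChecker of the kind the thread describes, as an added example (not code from the webrev or the JDK): it resolves one critical extension so PKIX path validation accepts it, and registers itself through PKIXParameters using the public CertPathValidator API. The extension OID is a placeholder, and the trust store and chain are supplied by the caller.

```java
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

/** Resolves one critical extension during PKIX validation so the path is not rejected. */
public class CustomExtChecker extends PKIXCertPathChecker {
    // Placeholder OID for illustration only; a real checker uses the extension's registered OID.
    static final String EXT_OID = "1.3.6.1.4.1.99999.1";

    @Override public void init(boolean forward) throws CertPathValidatorException {
        if (forward) throw new CertPathValidatorException("forward checking not supported");
    }
    @Override public boolean isForwardCheckingSupported() { return false; }
    @Override public Set<String> getSupportedExtensions() { return Collections.singleton(EXT_OID); }

    @Override
    public void check(Certificate cert, Collection<String> unresolvedCritExts)
            throws CertPathValidatorException {
        X509Certificate x = (X509Certificate) cert;
        byte[] der = x.getExtensionValue(EXT_OID);   // DER of the OCTET STRING wrapper, or null
        if (der != null) {
            // Validation of the extension payload belongs here; rejecting it is a
            // CertPathValidatorException. Removing the OID marks it as handled, which is
            // what stops PKIXCertPathValidator from failing on an unknown critical extension.
            unresolvedCritExts.remove(EXT_OID);
        }
    }

    /** Validates chain (end entity first) against the trust anchors in trustStore. */
    public static PKIXCertPathValidatorResult validate(List<X509Certificate> chain, KeyStore trustStore)
            throws Exception {
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        PKIXParameters params = new PKIXParameters(trustStore);  // anchors = trusted certs in the store
        params.setRevocationEnabled(false);                        // keep the example offline
        params.addCertPathChecker(new CustomExtChecker());
        CertPathValidator v = CertPathValidator.getInstance("PKIX");
        return (PKIXCertPathValidatorResult) v.validate(path, params);
    }
}
```

The internal sun.security.validator path discussed in the thread (PKIXValidator followed by EndEntityChecker) is what the JDK trust managers use; with this public API only the PKIX validation runs, so the checker alone decides the fate of the critical extension.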