[9] RFR: 8076117: EndEntityChecker should not process custom extensions after PKIX validation

Xuelei Fan xuelei.fan at oracle.com
Fri Apr 10 23:34:24 UTC 2015


Looks fine to me.

> I'm not aware of a way to export an entire keystore as an
> encoded string. (Is there a way?)
>
A keystore can be defined as BASE64 code string, and then load keystore
from a stream.  More generally, declare the private key and cert string,
and then add them to a KeyStore instance.

Xuelei

On 4/11/2015 7:18 AM, Jason Uh wrote:
> Thanks, Xuelei.
> 
> On 04/10/2015 03:41 PM, Xuelei Fan wrote:
>> Looks fine to me except a few minor comments.
>>
>> Validator.java
>> --------------
>> Would you mind add a comment about why only check extension for
>> TYPE_SIMPLE?
> 
> Added.
> 
>> EndEntityExtensionCheck.java
>> ----------------------------
>> line 26-28:
>> We normally use bug tag before other tags.
> 
> Moved @bug before @summary. @test still needs to be first for jtreg.
> 
>> line 52-55, and similar places:
>> Normally, a "*" character is expected for each comment line.  As is
>> easier to read.
>>
>> eeextensioncheck.jks
>> --------------------
>> Binary file is not preferred in Mercurial.  Would you mind use string
>> key store as what you did for CA and EE certs in
>> EndEntityExtensionCheck.java?
> 
> Just changed it to setCertificateEntry from the already constructed CA
> cert, which is definitely better than using the binary. I'm not aware of
> a way to export an entire keystore as an encoded string. (Is there a way?)
> 
> Revised webrev: http://cr.openjdk.java.net/~juh/8076117/01/
> 
> Thanks,
> Jason
> 
>> Xuelei
>>
>> On 4/11/2015 3:39 AM, Jason Uh wrote:
>>> Please review this fix, which prevents redundant extension checking in
>>> EndEntityChecker.
>>>
>>> When checking extensions in an end entity certificate, if
>>> sun.security.validator.EndEntityChecker comes across any extensions that
>>> are critical and unknown, it throws an exception, even if those
>>> extensions had already been checked by custom PKIXCertPathCheckers
>>> (specified in the PKIXParameters) earlier in the validation by
>>> PKIXValidator. This checking is not necessary when path validation is
>>> performed by a PKIXValidator.
>>>
>>> However, if the validation is performed by a SimpleValidator,
>>> EndEntityChecker should continue to check extensions.
>>>
>>> webrev: http://cr.openjdk.java.net/~juh/8076117/00/
>>> bug: https://bugs.openjdk.java.net/browse/JDK-8076117
>>>
>>> Thanks,
>>> Jason
>>



More information about the security-dev mailing list