[9] RFR: 8076117: EndEntityChecker should not process custom extensions after PKIX validation

Thomas Lußnig openjdk at suche.org
Mon Apr 13 14:57:52 UTC 2015


even if i am new in this list i looked at the solution and have an question.
Why there is an switch to turn off check for unknown critical extensions ?
>From my point of view as an developer i would say an more secure solution
would be instead of an boolean switch, make an Set<String> checkedOids as
new parameter, so it is possible to tell what is already been checked.
That mean if the "non SimpleValidator" checks only part of the critical
the EndEntityChecker  would still throw an Exception.

Gruß Thomas

On 10.04.2015 21:39, Jason Uh wrote:
> Please review this fix, which prevents redundant extension checking in
> EndEntityChecker.
> When checking extensions in an end entity certificate, if
> sun.security.validator.EndEntityChecker comes across any extensions
> that are critical and unknown, it throws an exception, even if those
> extensions had already been checked by custom PKIXCertPathCheckers
> (specified in the PKIXParameters) earlier in the validation by
> PKIXValidator. This checking is not necessary when path validation is
> performed by a PKIXValidator.
> However, if the validation is performed by a SimpleValidator,
> EndEntityChecker should continue to check extensions.
> webrev: http://cr.openjdk.java.net/~juh/8076117/00/
> bug: https://bugs.openjdk.java.net/browse/JDK-8076117
> Thanks,
> Jason

More information about the security-dev mailing list