[9] RFR: 8076117: EndEntityChecker should not process custom extensions after PKIX validation

Sean Mullan sean.mullan at oracle.com
Mon Apr 13 19:59:18 UTC 2015

On 04/10/2015 07:18 PM, Jason Uh wrote:
> Revised webrev: http://cr.openjdk.java.net/~juh/8076117/01/

Hi Jason,

Just a few comments:

* Validator

272: I would name this flag checkUnresolvedCritExts, since we only care 
about them if they are critical and unresolved.

273: You should only ignore the extensions if the type is PKIX, so line 
273 should be "(type == TYPE_PKIX) ? false : true;" This way if we ever 
add another type in the JDK implementation, we won't accidentally ignore 
extensions when we shouldn't have.

* EndEntityChecker

127: don't make this a field of the class, as this can cause concurrency 
issues if EndEntityChecker is shared by threads and used with different 
certificates. Just create and pass in the extensions, ex line 163:


and change the other check methods to have a 2nd parameter for the 
extensions, ex:

     checkTLSClient(X509Certificate cert, Set<String> exts)

* EndEntityExtensionCheck

Set the validity date using PKIXParameters.setDate to a time within the 
certificate's validity so the test won't start failing when the 
certificates expire. See other chain validation tests for examples.


More information about the security-dev mailing list