RFR 8165274: SHA1 certpath constraint check fails with OCSP certificate

Anthony Scarpino anthony.scarpino at oracle.com
Wed Oct 12 17:47:04 UTC 2016


New webrev: http://cr.openjdk.java.net/~ascarpino/8165274/webrev.02/

On 10/12/2016 07:55 AM, Sean Mullan wrote:
> * AlgorithmChecker
>
> Not sure why these changes are necessary or why the check method has
> been made non-static. Isn't the previous code sufficient?
>

Yeah, that change doesn't appear to be necessary anymore..

> * OCSP
>
> 129             responderURI, new OCSPResponse.IssuerInfo(null,
> issuerCert), null,
>
> Passing null to OCSPResponse.IssuerInfo will throw an NPE. (but see
> comment below)
>

You must have loaded the page just before I refreshed the webrev.  I fixed.

I also added some changes in the exception messages to 
DisabledAlgorithmConstraints to give the cert subject, algorithm and/or 
keysize if used..


> * OCSPResponse
>
> For IssuerInfo, you don't always have/know the TrustAnchor, so shouldn't
> it be optional?

RevocationChecker always has a TrustAnchor as PKIXCertPathValidator 
passes it. AlgorithmChecker always needs a TrustAnchor, which 
PKIXCertPathValidator call.  So I don't see a situation where we don't 
always have an TrustAnchor.

>
> 1061                 return anchor;
>
> should be indented 4 spaces
>
> --Sean
>
> On 10/10/2016 02:53 PM, Anthony Scarpino wrote:
>> Hi,
>>
>> I need a review of a fix to JEP 288 were certpath algorithm checking
>> wasn't checking OCSP certs against the jdkCA keyword.
>>
>> http://cr.openjdk.java.net/~ascarpino/8165274/webrev/
>>
>> thanks
>>
>> Tony



More information about the security-dev mailing list