RFR 8165274: SHA1 certpath constraint check fails with OCSP certificate
sean.mullan at oracle.com
Thu Oct 13 15:27:39 UTC 2016
On 10/13/2016 01:29 AM, Anthony Scarpino wrote:
> On 10/12/2016 01:41 PM, Sean Mullan wrote:
>> On 10/12/2016 04:06 PM, Anthony Scarpino wrote:
>>> Later in the verify(), AlgorithmChecker needs a TrustAnchor object. In
>>> this case, because it's the old method that deploy is using, I have to
>>> manufacture a TrustAnchor until they can use the new method with the
>>> real TrustAnchor. Either way, if I pass null for the trust anchor,
>>> IssuerInfo will need to create a TrustAnchor from the same data. Do you
>>> want me to add a comment what the TrustAnchor object is?
>> So, I think what you should do is skip the constraints check if it
>> contains the jdkCA constraint and the trust anchor is null, because you
>> need the trust anchor in order to do the check. I would also log a
>> warning with a debug message in this case.
> I believe this is what you're looking for. I changed AlgorithmChecker
> to allow a null TrustAnchor and undid much of the other code to protect
> against nulls.
> webrev: http://cr.openjdk.java.net/~ascarpino/8165274/webrev.03/
Right, that's more along the lines I was thinking.
More information about the security-dev