Fwd: CR 6958869/6u21 Updated, P2 java/classes_secu regression: PKIXValidator fails when multiple trust anchors have same dn

Joe Darcy joe.darcy at oracle.com
Fri Jun 11 13:22:27 PDT 2010


Hello Max.

Weijun Wang wrote:
> Hi Joe
>
> This is a last minute fix to 6948803. You've already approved 6948803 to be included in openjdk-6. Now I request 6958869 to be included as well. I've been busy recently so have no time to really push 6948803, I plan to push a combined changeset with both bug IDs in the description.
>
> The webrev is here (the changeset for 6u21, I'll add copyright info to test):
>
>    http://cr.openjdk.java.net/~weijun/6958869/6/webrev.00/
>
> Basically the Map<Subject,Certificate> is changed to Map<Subject,List<PublicKey>> so that no one is missing even if there are duplicated subject names. The Certificate->PublicKey change makes coding easy, since we only compares public keys, and a keyList.contains(key) is simpler than
>
>     for (c in certList)
>       if (c.getPublicKey().equals(key)) return true;
>       else continue;
>     return false
>  
> Thanks
> Max
>
>   

On

  90             } else {
  91                 keys = new ArrayList<PublicKey>();
  92                 trustedSubjects.put(dn, keys);

If you need an unmodifiable empty list, you could use 
Collections.emptyList().

Your two bugs are approved for OpenJDK 6 with the following caveats, 
make sure the license on PKIXValidator.java in OpenJDK 6 is the GPL + CP 
rather than the TLDA and that, as you're already noted, the test file 
has a proper Oracle GPL copyright.

Please get this back by COB Monday June 13.

Cheers,

-Joe





More information about the jdk6-dev mailing list