CR 6958869/6u21 Updated, P2 java/classes_secu regression: PKIXValidator fails when multiple trust anchors have same dn
Weijun Wang
Weijun.Wang at Sun.COM
Fri Jun 11 17:00:55 PDT 2010
On Jun 12, 2010, at 4:22 AM, Joe Darcy wrote:
> Hello Max.
>
> Weijun Wang wrote:
>> Hi Joe
>>
>> This is a last-minute fix to 6948803. You've already approved 6948803 to be included in openjdk-6. Now I request 6958869 to be included as well. I've been busy recently so have had no time to really push 6948803; I plan to push a combined changeset with both bug IDs in the description.
>>
>> The webrev is here (the changeset for 6u21, I'll add copyright info to test):
>>
>> http://cr.openjdk.java.net/~weijun/6958869/6/webrev.00/
>>
>> Basically the Map<Subject,Certificate> is changed to Map<Subject,List<PublicKey>> so that no one is missing even if there are duplicated subject names. The Certificate->PublicKey change makes coding easy, since we only compare public keys, and a keyList.contains(key) is simpler than
>>
>>     for (Certificate c : certList) {
>>         if (c.getPublicKey().equals(key)) return true;
>>         else continue;
>>     }
>>     return false;
>>
>> Thanks
>> Max
>>
>>
>
> On
>
> 90 } else {
> 91 keys = new ArrayList<PublicKey>();
> 92 trustedSubjects.put(dn, keys);
>
> If you need an unmodifiable empty list, you could use Collections.emptyList().
It cannot be unmodifiable. On line 94, an element is added into it. Line 91 just makes sure the value for key dn in the map is not null.

  88 if (trustedSubjects.containsKey(dn)) {
  89     keys = trustedSubjects.get(dn);
  90 } else {
  91     keys = new ArrayList<PublicKey>();
  92     trustedSubjects.put(dn, keys);
  93 }
  94 keys.add(cert.getPublicKey());

>
> Your two bugs are approved for OpenJDK 6 with the following caveats: make sure the license on PKIXValidator.java in OpenJDK 6 is the GPL + CP rather than the TLDA and that, as you've already noted, the test file has a proper Oracle GPL copyright.
>
> Please get this back by COB Monday June 13.
OK.
Thanks
Max
>
> Cheers,
>
> -Joe
>
>
>
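
The effect of the Map<Subject,Certificate> to Map<Subject,List<PublicKey>> change described above, as an added example that is not part of the original message or of PKIXValidator.java. The Anchor class, the method names and the DN are assumptions made for illustration, and the "before" index is simplified to hold a PublicKey rather than a Certificate.

```java
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.security.auth.x500.X500Principal;

class DuplicateSubjectAnchors {
    // Hypothetical stand-in for a trusted certificate: subject DN and public key only.
    static final class Anchor {
        final X500Principal subject;
        final PublicKey key;
        Anchor(X500Principal subject, PublicKey key) { this.subject = subject; this.key = key; }
    }

    // One value per DN: a later anchor with the same subject replaces the earlier one.
    static Map<X500Principal, PublicKey> indexSingle(List<Anchor> anchors) {
        Map<X500Principal, PublicKey> m = new HashMap<X500Principal, PublicKey>();
        for (Anchor a : anchors) m.put(a.subject, a.key);
        return m;
    }

    // A key list per DN, the shape the message describes: every key for a subject is kept.
    static Map<X500Principal, List<PublicKey>> indexMulti(List<Anchor> anchors) {
        Map<X500Principal, List<PublicKey>> m = new HashMap<X500Principal, List<PublicKey>>();
        for (Anchor a : anchors) {
            List<PublicKey> keys = m.get(a.subject);
            if (keys == null) {
                keys = new ArrayList<PublicKey>();
                m.put(a.subject, keys);
            }
            keys.add(a.key);
        }
        return m;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        PublicKey oldKey = gen.generateKeyPair().getPublic();
        PublicKey newKey = gen.generateKeyPair().getPublic();
        X500Principal dn = new X500Principal("CN=Example Root CA, O=Example"); // constructed DN
        List<Anchor> anchors = Arrays.asList(new Anchor(dn, oldKey), new Anchor(dn, newKey));
        // Look up the key of a chain's last certificate (oldKey here) in each index.
        System.out.println("single entry per DN: " + oldKey.equals(indexSingle(anchors).get(dn)));
        System.out.println("key list per DN:     " + indexMulti(anchors).get(dn).contains(oldKey));
    }
}
```

The two anchors share a subject DN but hold different keys, which is the situation in the bug title; only the list-valued index still recognises the first key once the second anchor has been added.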