[7u40] Request for Phase 2 approval for 8014805: NPE is thrown during certpath validation if certificate does not have AuthorityKeyIdentifier extension

Seán Coffey sean.coffey at oracle.com
Tue Jun 25 14:53:54 PDT 2013


Thanks for verifying. Approved for jdk7u40-dev.

regards,
Sean.

On 25/06/2013 11:29, Vincent Ryan wrote:
> The testcase to verify the fix:
>    jdk/test/closed/java/security/cert/CertPathValidator/OCSP/ValidateUsingOCSPCache.java
>
> I've added a link to a recent JPRT test run to my justification comment:
>
> https://jbs.oracle.com/bugs/browse/JDK-8014805?focusedCommentId=13343010&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13343010
>
>
> On 24 Jun 2013, at 21:50, Seán Coffey wrote:
>
>> Vinnie,
>>
>> likewise - what testing was performed?
>>
>> regards,
>> Sean.
>>
>> On 24/06/13 12:41, Vincent Ryan wrote:
>>> Hello all,
>>>
>>> Please approve the following fix for 7u40:
>>>
>>> Bug: http://bugs.sun.com/view_bug.do?bug_id=8014805
>>> Webrev: http://cr.openjdk.java.net/~vinnie/8014805/webrev.00/
>>> Code review: http://mail.openjdk.java.net/pipermail/security-dev/2013-June/007886.html
>>>
>>> This simple fix corrects the way an Authority Key Identifier (AKID) X.509 certificate extension is
>>> handled during OCSP certificate validation. Two forms of AKID are permitted: hash-based and
>>> name/serial number based. The fix for 7168191 (7u6) added a check to match AKIDs when
>>> distinguishing certificates with the same subject name. This fix corrects that check to handle the
>>> rare case when a certificate contains a non-hash-based AKID.
>>>
>>> This problem does not occur in JDK 8 (because a different code path is used).
>>>
>>> Thanks.
>>>
>>>
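
The two AKID forms named in the quoted fix summary, as an added Python illustration that is not part of this thread and is not the JDK fix. It decodes the extension value and matches it against a candidate issuer certificate without assuming the key identifier is present. The function names, the sample bytes and the fallback when no field is usable are assumptions made for the example.

```python
# Added illustration (not JDK code). RFC 5280, section 4.2.1.1:
# AuthorityKeyIdentifier ::= SEQUENCE {
#   keyIdentifier             [0] IMPLICIT OCTET STRING OPTIONAL,   -- tag 0x80
#   authorityCertIssuer       [1] IMPLICIT GeneralNames OPTIONAL,   -- tag 0xA1
#   authorityCertSerialNumber [2] IMPLICIT INTEGER OPTIONAL }       -- tag 0x82

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits count the length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def elements(buf):
    """Yield (tag, value) for each element packed in buf."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value

def parse_akid(der):
    """Decode the extension value; every field may legitimately be None."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    fields = dict(elements(body))
    serial = fields.get(0x82)
    return {"key_id": fields.get(0x80), "issuer": fields.get(0xA1),
            "serial": None if serial is None else int.from_bytes(serial, "big", signed=True)}

def akid_matches(akid, cand_ski, cand_issuer_dn, cand_serial):
    """True if the AKID points at the candidate issuer certificate."""
    if akid["key_id"] is not None:          # hash-based form
        return akid["key_id"] == cand_ski
    if akid["issuer"] is not None and akid["serial"] is not None:
        # name/serial form: directoryName is [4] EXPLICIT (0xA4) around a Name.
        # Byte-wise DN comparison is a simplification of real name matching.
        dns = [v for t, v in elements(akid["issuer"]) if t == 0xA4]
        return cand_issuer_dn in dns and akid["serial"] == cand_serial
    return False                            # nothing to compare; caller must decide

# Constructed sample values: DN is "CN=CA", serial 5, key id de ad be ef.
DN = bytes.fromhex("300d310b300906035504030c024341")
HASH_AKID = bytes.fromhex("30068004deadbeef")
NAME_SERIAL_AKID = b"\x30\x16\xa1\x11\xa4\x0f" + DN + b"\x82\x01\x05"
```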



