[security-dev 00971]: Re: code review request 6852744: PIT b61: PKI test suite fails because self signed certificates are being rejected
Xuelei Fan
Xuelei.Fan at Sun.COM
Wed Jul 8 22:37:09 UTC 2009
Sean Mullan wrote:
> Some additional comments in the new tests describing what path
> building scenarios are being tested would be very useful.
>
OK, I will add some comments on the certification path structure.
> A few comments below. Everything else looks good.
>
> Xuelei Fan wrote:
>> new webrev: http://cr.openjdk.java.net/~xuelei/6852744/webrev.01/
>>
>> Sean Mullan wrote:
>>> Hi Andrew,
>>>
>>> Here are some comments -
>>>
>>> ForwardBuilder:
>>>
>>> line 864:
>>>
>>> typo: s/abchor/anchor
>>>
>> yes, a typo.
>>> In this block of code:
>>>
>>> 858 if (principal != null && publicKey != null &&
>>> 859
>>> principal.equals(cert.getSubjectX500Principal())) {
>>> 860 if (publicKey.equals(cert.getPublicKey())) {
>>> 861 this.trustAnchor = anchor;
>>> 862 return true;
>>> 863 }
>>> 864 // else, it is a self-issued certificate of
>>> the abchor
>>> 865 }
>>>
>>> you never check if the trust anchor name is equal to the issuer of
>>> the cert before returning true. That seems to violate RFC 5280.
>>>
>> At line 859, when the cert's "subject" equals to the trust anchor
>
> Why not match it with the cert's issuer? That would then be compliant
> with 5280.
>
Above codes are used to check whether the target cert is a trust anchor,
so we need to compare the "subject" of both. If the cert is not a trust
anchor, we need to check its issuer.
The follows codes are used to check whether the target cert is issued by
the trust anchor:
-------------
868 // Check subject/issuer name chaining
869 if (principal == null ||
870
!principal.equals(cert.getIssuerX500Principal())) {
871 continue;
872 }
------------
If it is a cert issued by a trust anchor, the method will then check the
revocation and signature. I think that is your expected behaviors, right?
Thanks,
Andrew
More information about the security-dev
mailing list