[security-dev 00975]: Re: code review request 6852744: PIT b61: PKI test suite fails because self signed certificates are being rejected

Sean Mullan Sean.Mullan at Sun.COM
Thu Jul 9 19:46:41 UTC 2009


Xuelei Fan wrote:
> webrev updated, adding comments to tests:  
> http://cr.openjdk.java.net/~xuelei/6852744/webrev.02/

In DisableRevocation.java, why do you add CRLs to the CertStore if revocation is 
disabled?


> I think I understand what your concerns are now. If I'm right, you think 
> that the target cert of the method is expected to be the first 
> certificate in a certificate chain, which should be directly issued by a 
> trust anchor. By my understanding of the method, 
> ForwardBuilder.isPathCompleted(X509Certificate cert), it would return 
> true if the "cert" parameter is a trust anchor, which means we have got 
> the first certificate in the certification path, now we are working on 
> the cert that issues the first certificate in the path, the issuer could 
> be a trust anchor.

You're right, though now I'm kind of wondering if that's a bug because it 
requires the CertStores passed to CertPathBuilder to include the trust anchor. 
That shouldn't really be required, since you have already specified them in the 
TrustAnchors parameter. OK, if it's been that way for a long time and nobody has 
complained, let's leave it for now.

> For example, the expected path is EE->subca->trust anchor, and the 
> previous step has verified "subca", and got the path EE->subca, here we 
> don't know whether it is a complete path or not, we need one more step. We need 
> to look for the issuer of "subca" now, get the "trust anchor cert", then 
> we call ForwardBuilder.isPathCompleted("trust anchor cert"). In the 
> method, we first check whether the "trust anchor cert" is a trust 
> anchor or not, if it is itself a trust anchor, return true immediately, and 
> the cert will not be added to the path by the builder. Then we get the 
> conclusion that the path EE->subca is a complete certification path.
> 
> Do I make myself understood?

Yes, the fix looks good.

--Sean

> 
> Thanks,
> Andrew
> 
>> Thanks,
>> Sean
>>>
>>> The following code is used to check whether the target cert is issued 
>>> by the trust anchor:
>>> -------------
>>>                 // Check subject/issuer name chaining
>>>                 if (principal == null ||
>>>                         !principal.equals(cert.getIssuerX500Principal())) {
>>>                     continue;
>>>                 }
>>> ------------
>>>
>>> If it is a cert issued by a trust anchor, the method will then check 
>>> the revocation and signature. I think that is your expected 
>>> behavior, right?
>>>
>>> Thanks,
>>> Andrew
>>
> 
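
The EE->subca->trust anchor walk-through above as a simplified Java model, added here as an illustration and not code from the JDK or from either poster. `Cert`, `build` and this `isPathCompleted` are hypothetical stand-ins; the model assumes trust anchors given as certificates, omits the name-chaining, signature and revocation checks, and needs Java 16 or later for `record`.

```java
import java.util.*;

// Simplified model, not JDK code. Cert, build and this isPathCompleted are
// hypothetical; anchors are given as certificates, and the name-chaining,
// signature and revocation checks are left out.
public class ForwardBuildModel {
    record Cert(String subject, String issuer) {}

    // The branch discussed in the thread: a candidate that is itself a
    // trust anchor completes the path.
    static boolean isPathCompleted(Cert cert, Set<Cert> anchors) {
        return anchors.contains(cert);
    }

    // Forward build: start at the target and repeatedly look up the issuer
    // of the last cert in the store. Returns the path without the anchor,
    // or null when no issuer can be found.
    static List<Cert> build(Cert target, List<Cert> store, Set<Cert> anchors) {
        List<Cert> path = new ArrayList<>(List.of(target));
        Cert current = target;
        while (true) {
            Cert issuer = null;
            for (Cert c : store) {
                // path.contains(c) guards against issuer loops
                if (c.subject().equals(current.issuer()) && !path.contains(c)) {
                    issuer = c;
                    break;
                }
            }
            if (issuer == null) return null;
            if (isPathCompleted(issuer, anchors)) return path; // anchor not appended
            path.add(issuer);
            current = issuer;
        }
    }

    public static void main(String[] args) {
        // Constructed sample chain: EE -> subca -> trust anchor
        Cert root = new Cert("CN=Root", "CN=Root");
        Cert subca = new Cert("CN=SubCA", "CN=Root");
        Cert ee = new Cert("CN=EE", "CN=SubCA");
        Set<Cert> anchors = Set.of(root);

        // Store holds the anchor cert: the lookup for subca's issuer finds it
        System.out.println(build(ee, List.of(subca, root), anchors));
        // Store omits the anchor cert (the requirement Sean questions)
        System.out.println(build(ee, List.of(subca), anchors));
    }
}
```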
