[security-dev 00683]: Re: keytool: -import reply different when length is different
Xuelei Fan
Xuelei.Fan at Sun.COM
Tue Mar 10 17:16:24 UTC 2009
Weijun Wang wrote:
> Hi
>
> In keytool's installReply(), there is:
>
> if (replyCerts.length == 1) {
>     // single-cert reply
>     newChain = establishCertChain(userCert, replyCerts[0]);
> } else {
>     // cert-chain reply (e.g., PKCS#7)
>     newChain = validateReply(alias, userCert, replyCerts);
> }
>
> If the trust cannot be set up with a known trust anchor, in
> establishCertChain(), the import simply fails; in validateReply(), a
> prompt is displayed, and if you type yes, it's imported.
>
> This means the user experience is different between directly applying
> for a cert from a root CA (in which the reply is a single cert) and from
> an intermediate CA (in which the reply includes the user's cert and the
> CA's cert), when the root CA is not in the user's cacerts.
>
> Is this rational? Why isn't validateReply() always called?
>
>
I don't know why, but the behaviors of establishCertChain() and
validateReply() for trust differ. establishCertChain() will try to
build a *full* cert chain from the key store or the trusted CA cert store;
validateReply() would only try to find "ONE" cert that could verify the
last cert in the chain. I don't know the underlying stories.
Andrew
> Thanks
> Max
>
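The two trust strategies described in this thread, as an added illustration by the editor (not code from Weijun, Xuelei, or the JDK's keytool source, which lives in internal packages): a small stand-alone Java program that, given the user's current certificate, the CA reply (single cert or PKCS#7 chain) and a cacerts-style keystore, reports whether a *full* validated path to a trust anchor can be built (the establishCertChain() style) and, separately, whether any trusted cert merely verifies the signature on the last reply cert (the validateReply() style). The class name ReplyTrustCheck, the file arguments and the default "changeit" store password are assumptions; the PKIX CertPathBuilder is used here as an approximation of what keytool does, not as its actual code.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

/** Added example: compares "full chain to anchor" with "one trusted cert verifies last cert". */
public class ReplyTrustCheck {

    /** Load every X.509 certificate in a PEM, DER or PKCS#7 file (reply order is preserved). */
    static List<X509Certificate> loadCerts(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            List<X509Certificate> out = new ArrayList<>();
            for (Certificate c : cf.generateCertificates(in)) {
                out.add((X509Certificate) c);
            }
            return out;
        }
    }

    /** Collect the trusted-certificate entries from a keystore such as cacerts. */
    static Set<X509Certificate> loadTrusted(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        Set<X509Certificate> trusted = new HashSet<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isCertificateEntry(alias)) {
                trusted.add((X509Certificate) ks.getCertificate(alias));
            }
        }
        return trusted;
    }

    /**
     * Strategy 1 (establishCertChain() style): demand a complete, PKIX-validated
     * path from the reply cert up to a trust anchor. Returns the path including
     * the anchor, or null when no such chain exists (keytool would fail the import).
     */
    static List<X509Certificate> buildFullChain(Collection<X509Certificate> replyCerts,
            Set<X509Certificate> trusted) throws Exception {
        if (trusted.isEmpty()) {
            return null;                       // PKIXBuilderParameters rejects an empty anchor set
        }
        Set<TrustAnchor> anchors = new HashSet<>();
        for (X509Certificate t : trusted) {
            anchors.add(new TrustAnchor(t, null));
        }
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(replyCerts.iterator().next());   // end-entity cert is first in the reply
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        params.setRevocationEnabled(false);    // offline check; revocation is out of scope here
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(new ArrayList<>(replyCerts))));
        try {
            PKIXCertPathBuilderResult r = (PKIXCertPathBuilderResult)
                    CertPathBuilder.getInstance("PKIX").build(params);
            List<X509Certificate> chain = new ArrayList<>();
            for (Certificate c : r.getCertPath().getCertificates()) {
                chain.add((X509Certificate) c);
            }
            chain.add(r.getTrustAnchor().getTrustedCert());
            return chain;
        } catch (CertPathBuilderException e) {
            return null;
        }
    }

    /**
     * Strategy 2 (validateReply() style): only look for ONE trusted cert whose key
     * verifies the signature on the LAST cert of the reply. No path validation,
     * so an untrusted intermediate is accepted as long as its own issuer is known.
     */
    static X509Certificate findVerifierOfLastCert(List<X509Certificate> replyChain,
            Set<X509Certificate> trusted) {
        X509Certificate last = replyChain.get(replyChain.size() - 1);
        for (X509Certificate t : trusted) {
            try {
                last.verify(t.getPublicKey());
                return t;
            } catch (Exception e) {
                // not signed by this trusted cert; keep looking
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: ReplyTrustCheck <user-cert> <reply.pem|.p7b> <cacerts> [storepass]");
            return;
        }
        X509Certificate userCert = loadCerts(args[0]).get(0);
        List<X509Certificate> reply = loadCerts(args[1]);
        char[] pw = (args.length > 3 ? args[3] : "changeit").toCharArray();   // assumed default
        Set<X509Certificate> trusted = loadTrusted(args[2], pw);

        // Sanity check: the reply must certify the key we already hold.
        System.out.println("reply[0] matches user's public key: "
                + reply.get(0).getPublicKey().equals(userCert.getPublicKey()));
        List<X509Certificate> full = buildFullChain(reply, trusted);
        System.out.println("full chain to a trust anchor: "
                + (full == null ? "NOT FOUND (import would fail)" : full.size() + " certs"));
        X509Certificate v = findVerifierOfLastCert(reply, trusted);
        System.out.println("trusted cert verifying last reply cert: "
                + (v == null ? "NONE (would prompt)" : v.getSubjectX500Principal()));
    }
}
```

Run it against a single-cert reply and a PKCS#7 reply from the same CA while the root is absent from the keystore: strategy 1 reports no chain in both cases, while strategy 2 answers differently depending on what the last cert in the reply happens to be, which is exactly the inconsistency the question points out.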