CR 6939248/7 Created, P4 java/classes_secu Jarsigner can't extract Extended Key Usage from Timestamp Reply currectly

Weijun Wang Weijun.Wang at Sun.COM
Mon Apr 12 19:47:24 PDT 2010


Hi Xuelei and Sean

Please take a review on the fix for OpenJDK:

   http://cr.openjdk.java.net/~weijun/6939248/webrev.00

Note that I've added some check:

1. response cert null check
2. extension isCritical check

About the test:

1. Since keytool can now generate extensions, binary keystore is changed to scripts and now moved from closed test to open
2. -J-Djava.security.egd=file:/dev/./urandom is added to jarsigner so that it does not hang on linux

Thanks
Max

> *Synopsis*: Jarsigner can't extract Extended Key Usage from Timestamp Reply currectly
> 
> *Change Request ID*: 6939248/7
> 
> === *Description* ============================================================
> PKCS #7 block includes a set of certificates and several signerinfos. To locate the certificate for a given signer, one should first look for a reference in the signerinfo, and then try to locate one in the certificates set.
> 
> Currently, jarsigner, when validating certificate for a timestamping service, simply looks for a non-CA cert inside the certificate set. This is not correct.
> 
> *** (#1 of 1): 2010-04-12 07:04:14 GMT+00:00 weijun.wang at sun.com




More information about the security-dev mailing list