CR 6939248/7 Created, P4 java/classes_secu Jarsigner can't extract Extended Key Usage from Timestamp Reply currectly

Xuelei Fan Xuelei.Fan at Sun.COM
Mon Apr 12 20:13:54 PDT 2010


Looks fine to me.

Xuelei

On 4/13/2010 10:47 AM, Weijun Wang wrote:
> Hi Xuelei and Sean
> 
> Please take a review on the fix for OpenJDK:
> 
>    http://cr.openjdk.java.net/~weijun/6939248/webrev.00
> 
> Note that I've added some check:
> 
> 1. response cert null check
> 2. extension isCritical check
> 
> About the test:
> 
> 1. Since keytool can now generate extensions, binary keystore is changed to scripts and now moved from closed test to open
> 2. -J-Djava.security.egd=file:/dev/./urandom is added to jarsigner so that it does not hang on linux
> 
> Thanks
> Max
> 
>> *Synopsis*: Jarsigner can't extract Extended Key Usage from Timestamp Reply currectly
>>
>> *Change Request ID*: 6939248/7
>>
>> === *Description* ============================================================
>> PKCS #7 block includes a set of certificates and several signerinfos. To locate the certificate for a given signer, one should first look for a reference in the signerinfo, and then try to locate one in the certificates set.
>>
>> Currently, jarsigner, when validating certificate for a timestamping service, simply looks for a non-CA cert inside the certificate set. This is not correct.
>>
>> *** (#1 of 1): 2010-04-12 07:04:14 GMT+00:00 weijun.wang at sun.com
> 




More information about the security-dev mailing list