code review request: 6968542: keytool -importcert cannot deal with duplicate certs

Weijun Wang Weijun.Wang at Sun.COM
Tue Jul 13 19:20:52 PDT 2010


Hi All

6968542: keytool -importcert cannot deal with duplicate certs

Webrev:
   http://cr.openjdk.java.net/~weijun/6968542/webrev.00/

*Description* ============================================================
keytool does not eliminate duplicate certs when importing a reply. It 
may or may not report an error and the cert chain in keystore is invalid 
after import.

This is a small regression since we decided to generate the whole chain 
in 6937978. Before 6937978, after generate a cert using keytool 
-gencert, we cat the output and all CA certs into keytool -importcert, 
now that the output already contains CA certs, dup entries should be 
removed.

For example, if CA signs INT and INT signs ME. The -gencert output for 
ME now includes certs for ME and INT. If we cat this output and certs 
for INT and CA into "keytool -importcert -alias ME". The final imported 
cert chain will look like (ME, INT, CA, INT, CA).

Thanks
Max



More information about the security-dev mailing list