code review request: 6968542: keytool -importcert cannot deal with duplicate certs
Weijun Wang
Weijun.Wang at Sun.COM
Wed Jul 14 02:20:52 UTC 2010
Hi All
6968542: keytool -importcert cannot deal with duplicate certs
Webrev:
http://cr.openjdk.java.net/~weijun/6968542/webrev.00/
*Description*
============================================================
keytool does not eliminate duplicate certs when importing a reply. It
may or may not report an error, and the cert chain in the keystore is invalid
after import.
This is a small regression since we decided to generate the whole chain
in 6937978. Before 6937978, after generating a cert using keytool
-gencert, we cat the output and all CA certs into keytool -importcert;
now that the output already contains CA certs, dup entries should be
removed.
For example, suppose CA signs INT and INT signs ME. The -gencert output for
ME now includes certs for ME and INT. If we cat this output and the certs
for INT and CA into "keytool -importcert -alias ME", the final imported
cert chain will look like (ME, INT, CA, INT, CA).
Thanks
Max
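As an added example (not part of the webrev or of keytool itself), the filter below drops duplicate PEM certificate blocks from a concatenated reply before it is handed to keytool -importcert, keeping the first occurrence of each block so the (ME, INT, CA, INT, CA) input from the report becomes (ME, INT, CA). The sample reply and its base64 bodies are constructed placeholders, not real certificates; the keytool invocation is shown in a comment only.

```shell
#!/bin/sh
# dedup_pem: read concatenated PEM certificates on stdin, emit each distinct
# block once, in first-seen order. Blocks are compared by their full text.
dedup_pem() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { block = ""; inblock = 1 }
        inblock { block = block $0 "\n" }
        /-----END CERTIFICATE-----/ {
            inblock = 0
            if (!(block in seen)) { seen[block] = 1; printf "%s", block }
        }
    '
}

# count_certs: number of PEM certificate blocks on stdin.
count_certs() {
    grep -c -e '-----END CERTIFICATE-----'
}

# Constructed sample (NOT real certificates): the -gencert reply for ME
# (ME, INT) followed by the separately cat-ed INT and CA certs, i.e.
# the (ME, INT, CA, INT, CA) sequence from the report.
SAMPLE_REPLY='-----BEGIN CERTIFICATE-----
TUU=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
SU5U
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q0E=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
SU5U
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q0E=
-----END CERTIFICATE-----'

# Intended use in the scenario from the report (keytool not run here):
#   cat me.cer int.cer ca.cer | dedup_pem | keytool -importcert -alias ME -keystore ks
printf '%s\n' "$SAMPLE_REPLY" | dedup_pem
```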