code review 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
Xuelei Fan
xuelei.fan at oracle.com
Thu Jan 13 16:27:51 UTC 2011
On 1/14/2011 12:05 AM, Sean Mullan wrote:
> On 1/13/11 6:38 AM, Xuelei Fan wrote:
>> Hi Sean,
>>
>> Would you please review the fix for CR 7011497?
>>
>> http://cr.openjdk.java.net/~xuelei/7011497/webrev/
>>
>> Thanks,
>> Xuelei
>
> CPValidatorEndEntity.java:
>
> 307 /* coment out useless trust anchor
> 308 is = new
> ByteArrayInputStream(trustAnchor_SHA1withRSA_512.getBytes());
> 309 cert = cf.generateCertificate(is);
> 310 anchor = new TrustAnchor((X509Certificate)cert, null);
> 311 anchors.add(anchor);
> 312 */
>
> Why do you leave this code in with this comment?
>
If I have this block. The cert path validation cannot find the proper
trust anchor. As there are two trusted certificates, they are almost the
same except the key size (one key size is 1024, another one is 512).
In cert path validation, once a trust anchor found, if the signature is
not valid, I think no more effort to test more trust anchors.
I was wondering whether it is worthy to try more trust anchors. It's
expensive!
Thanks for the review.
Xuelei
> Otherwise, looks good.
>
> --Sean
More information about the security-dev
mailing list