code review 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
Xuelei Fan
xuelei.fan at oracle.com
Fri Jan 14 03:10:49 UTC 2011
We don't check the SKID and AKID while searching for the trust anchor.
I have filed a new CR for the issue, 7012357, Improve trust anchor
searching method during cert path validation.
I will have this commented out block in CPValidatorEndEntity.java. I
will use this test case for CR 7012357.
Thanks,
Xuelei
On 1/14/2011 12:44 AM, Xuelei Fan wrote:
> I just realized, if subject KID and issuer KID work, the cert path
> validation should be able to find the proper trust anchor. I will look
> into the issue tomorrow.
>
> Xuelei
>
> On 1/14/2011 12:27 AM, Xuelei Fan wrote:
>> On 1/14/2011 12:05 AM, Sean Mullan wrote:
>>> On 1/13/11 6:38 AM, Xuelei Fan wrote:
>>>> Hi Sean,
>>>>
>>>> Would you please review the fix for CR 7011497?
>>>>
>>>> http://cr.openjdk.java.net/~xuelei/7011497/webrev/
>>>>
>>>> Thanks,
>>>> Xuelei
>>>
>>> CPValidatorEndEntity.java:
>>>
>>> 307 /* comment out useless trust anchor
>>> 308 is = new ByteArrayInputStream(trustAnchor_SHA1withRSA_512.getBytes());
>>> 309 cert = cf.generateCertificate(is);
>>> 310 anchor = new TrustAnchor((X509Certificate)cert, null);
>>> 311 anchors.add(anchor);
>>> 312 */
>>>
>>> Why do you leave this code in with this comment?
>>>
>> If I have this block, the cert path validation cannot find the proper
>> trust anchor, as there are two trusted certificates; they are almost the
>> same except the key size (one key size is 1024, another one is 512).
>>
>> In cert path validation, once a trust anchor is found, if the signature is
>> not valid, I think no more effort is made to test more trust anchors.
>>
>> I was wondering whether it is worth trying more trust anchors. It's
>> expensive!
>>
>> Thanks for the review.
>>
>> Xuelei
>>
>>> Otherwise, looks good.
>>>
>>> --Sean
>>
>
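The trust anchor search discussed in this thread, as an added example (not code from the webrev or from the JDK): when several trusted certificates share the target's issuer name, order them so that the one whose subject key identifier (SKID) equals the target's authority key identifier (AKID) is tried first, and fall back to a signature check against the remaining same-name anchors. The class and method names are hypothetical, and the DER reader handles only the short and one- or two-byte long length forms that these two extensions use in practice.

```java
import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.util.*;

public class AnchorByKeyId {
    // Content bounds {start, end} of the DER TLV at off with the expected tag, or null.
    static int[] tlv(byte[] b, int off, int end, int tag) {
        if (off + 2 > end || (b[off] & 0xff) != tag) return null;
        int len = b[off + 1] & 0xff, p = off + 2;
        if (len > 0x7f) {                          // long-form length, 1 or 2 length bytes
            int n = len & 0x7f;
            if (n == 0 || n > 2 || p + n > end) return null;
            for (len = 0; n > 0; n--) len = (len << 8) | (b[p++] & 0xff);
        }
        return p + len <= end ? new int[] {p, p + len} : null;
    }

    // Key identifier from AKID (2.5.29.35) or SKID (2.5.29.14), or null if absent.
    static byte[] keyId(X509Certificate c, boolean authority) {
        byte[] ext = c.getExtensionValue(authority ? "2.5.29.35" : "2.5.29.14");
        if (ext == null) return null;
        int[] v = tlv(ext, 0, ext.length, 0x04);                      // encapsulating OCTET STRING
        if (v != null && authority) v = tlv(ext, v[0], v[1], 0x30);   // AKID is a SEQUENCE
        // AKID: [0] IMPLICIT keyIdentifier; SKID: plain OCTET STRING
        if (v != null) v = tlv(ext, v[0], v[1], authority ? 0x80 : 0x04);
        return v == null ? null : Arrays.copyOfRange(ext, v[0], v[1]);
    }

    // Anchors whose subject equals the target's issuer, key-identifier matches first.
    static List<TrustAnchor> candidates(X509Certificate target, Collection<TrustAnchor> anchors) {
        byte[] akid = keyId(target, true);
        List<TrustAnchor> byKeyId = new ArrayList<>(), byName = new ArrayList<>();
        for (TrustAnchor a : anchors) {
            X509Certificate ca = a.getTrustedCert();   // name/key-only anchors are skipped here
            if (ca == null || !ca.getSubjectX500Principal().equals(target.getIssuerX500Principal()))
                continue;
            byte[] skid = keyId(ca, false);
            (akid != null && Arrays.equals(akid, skid) ? byKeyId : byName).add(a);
        }
        byKeyId.addAll(byName);                        // name-only matches remain as fallback
        return byKeyId;
    }

    // First candidate whose public key verifies the target's signature, or null.
    static TrustAnchor findAnchor(X509Certificate target, Collection<TrustAnchor> anchors) {
        for (TrustAnchor a : candidates(target, anchors)) {
            try { target.verify(a.getTrustedCert().getPublicKey()); return a; }
            catch (GeneralSecurityException e) { /* same name, different key: try the next one */ }
        }
        return null;
    }
}
```

With the two same-name anchors from the test (1024-bit and 512-bit keys), a key-identifier match puts the correct anchor first, so the fallback signature check normally runs only once.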