code review 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm

Xuelei Fan xuelei.fan at oracle.com
Fri Jan 14 17:30:27 UTC 2011 

Hi Sean,

webrev:
Would you please review the update again. I integrate the fix for
7011497 and 7012357 together.

Comparing with previous webrev, the following updates are unchanged:
src/share/classes/java/security/cert/CertPathValidatorException.java
src/share/classes/sun/security/provider/certpath/AlgorithmChecker.java
src/share/classes/sun/security/validator/SimpleValidator.java
other test files.


The following are new changes for CR 7012357:
src/share/classes/sun/security/provider/certpath/ForwardBuilder.java
src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java
test/sun/security/provider/certpath/DisabledAlgorithms/CPValidatorEndEntity.java


Thanks,
Xuelei

On 1/14/2011 11:10 AM, Xuelei Fan wrote:
> We don't checking the SKID and AKID during searching for the trust anchor.
> 
> I have filled a new CR for the issue, 7012357, Improve trust anchor
> searching method during cert path validation.
> 
> I will have this commented out block in CPValidatorEndEntity.java. I
> will use this test case for CR 7012357.
> 
> Thanks,
> Xuelei
> 
> On 1/14/2011 12:44 AM, Xuelei Fan wrote:
>> I just realized, if subject KID and issuer KID works, the cert path
>> validation should be able to find the proper trust anchor.  I will look
>> into the issue tomorrow.
>>
>> Xuelei
>>
>> On 1/14/2011 12:27 AM, Xuelei Fan wrote:
>>> On 1/14/2011 12:05 AM, Sean Mullan wrote:
>>>> On 1/13/11 6:38 AM, Xuelei Fan wrote:
>>>>> Hi Sean,
>>>>>
>>>>> Would you please review the fix for CR 7011497?
>>>>>
>>>>> http://cr.openjdk.java.net/~xuelei/7011497/webrev/
>>>>>
>>>>> Thanks,
>>>>> Xuelei
>>>>
>>>> CPValidatorEndEntity.java:
>>>>
>>>>  307         /* coment out useless trust anchor
>>>>  308         is = new
>>>> ByteArrayInputStream(trustAnchor_SHA1withRSA_512.getBytes());
>>>>  309         cert = cf.generateCertificate(is);
>>>>  310         anchor = new TrustAnchor((X509Certificate)cert, null);
>>>>  311         anchors.add(anchor);
>>>>  312         */
>>>>
>>>> Why do you leave this code in with this comment?
>>>>
>>> If I have this block. The cert path validation cannot find the proper
>>> trust anchor. As there are two trusted certificates, they are almost the
>>> same except the key size (one key size is 1024, another one is 512).
>>>
>>> In cert path validation, once a trust anchor found, if the signature is
>>> not valid, I think no more effort to test more trust anchors.
>>>
>>> I was wondering whether it is worthy to try more trust anchors. It's
>>> expensive!
>>>
>>> Thanks for the review.
>>>
>>> Xuelei
>>>
>>>> Otherwise, looks good.
>>>>
>>>> --Sean
>>>
>>
>

More information about the security-dev mailing list