code review 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm
Xuelei Fan
xuelei.fan at oracle.com
Fri Jan 14 17:32:41 UTC 2011
On 1/15/2011 1:30 AM, Xuelei Fan wrote:
> Hi Sean,
>
> webrev:
http://cr.openjdk.java.net/~xuelei/7011497/webrev/
> Would you please review the update again. I integrate the fix for
> 7011497 and 7012357 together.
>
> Comparing with previous webrev, the following updates are unchanged:
> src/share/classes/java/security/cert/CertPathValidatorException.java
> src/share/classes/sun/security/provider/certpath/AlgorithmChecker.java
> src/share/classes/sun/security/validator/SimpleValidator.java
> other test files.
>
>
> The following are new changes for CR 7012357:
> src/share/classes/sun/security/provider/certpath/ForwardBuilder.java
> src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java
> test/sun/security/provider/certpath/DisabledAlgorithms/CPValidatorEndEntity.java
>
>
> Thanks,
> Xuelei
>
> On 1/14/2011 11:10 AM, Xuelei Fan wrote:
>> We don't checking the SKID and AKID during searching for the trust anchor.
>>
>> I have filled a new CR for the issue, 7012357, Improve trust anchor
>> searching method during cert path validation.
>>
>> I will have this commented out block in CPValidatorEndEntity.java. I
>> will use this test case for CR 7012357.
>>
>> Thanks,
>> Xuelei
>>
>> On 1/14/2011 12:44 AM, Xuelei Fan wrote:
>>> I just realized, if subject KID and issuer KID works, the cert path
>>> validation should be able to find the proper trust anchor. I will look
>>> into the issue tomorrow.
>>>
>>> Xuelei
>>>
>>> On 1/14/2011 12:27 AM, Xuelei Fan wrote:
>>>> On 1/14/2011 12:05 AM, Sean Mullan wrote:
>>>>> On 1/13/11 6:38 AM, Xuelei Fan wrote:
>>>>>> Hi Sean,
>>>>>>
>>>>>> Would you please review the fix for CR 7011497?
>>>>>>
>>>>>> http://cr.openjdk.java.net/~xuelei/7011497/webrev/
>>>>>>
>>>>>> Thanks,
>>>>>> Xuelei
>>>>>
>>>>> CPValidatorEndEntity.java:
>>>>>
>>>>> 307 /* coment out useless trust anchor
>>>>> 308 is = new
>>>>> ByteArrayInputStream(trustAnchor_SHA1withRSA_512.getBytes());
>>>>> 309 cert = cf.generateCertificate(is);
>>>>> 310 anchor = new TrustAnchor((X509Certificate)cert, null);
>>>>> 311 anchors.add(anchor);
>>>>> 312 */
>>>>>
>>>>> Why do you leave this code in with this comment?
>>>>>
>>>> If I have this block. The cert path validation cannot find the proper
>>>> trust anchor. As there are two trusted certificates, they are almost the
>>>> same except the key size (one key size is 1024, another one is 512).
>>>>
>>>> In cert path validation, once a trust anchor found, if the signature is
>>>> not valid, I think no more effort to test more trust anchors.
>>>>
>>>> I was wondering whether it is worthy to try more trust anchors. It's
>>>> expensive!
>>>>
>>>> Thanks for the review.
>>>>
>>>> Xuelei
>>>>
>>>>> Otherwise, looks good.
>>>>>
>>>>> --Sean
>>>>
>>>
>>
>
More information about the security-dev
mailing list