code review 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm

[Xuelei Fan]

webrev: http://cr.openjdk.java.net/~xuelei/7011497/webrev/

Changed to use X509CertSelector to select the trust certificate.
Comparing with the previous webrev, the following files are updated to
use X509CertSelector:
DistributionPointFetcher.java
ForwardBuilder.java
PKIXCertPathValidator.java
AdaptableX509CertSelector.java

You can only review the above updates.

Thanks,
Xuelei

On 1/15/2011 5:37 AM, Sean Mullan wrote:
> Hi Andrew,
> 
> Did you consider using the existing X509CertSelector class to match on
> the authority key identifier? I actually think this should work, and it
> will avoid having to create the AKIDMatchState class. Take a look at the
> ForwardBuilder.getMatchingCACerts method towards the end, where it gets
> the AuthorityKeyIdentifierExtension. Can you create a similar
> X509CertSelector to select the proper trust anchor?
> 
> --Sean
> 
> 
> On 1/14/11 12:32 PM, Xuelei Fan wrote:
>> On 1/15/2011 1:30 AM, Xuelei Fan wrote:
>>> Hi Sean,
>>>
>>> webrev:
>> http://cr.openjdk.java.net/~xuelei/7011497/webrev/
>>
>>> Would you please review the update again. I integrate the fix for
>>> 7011497 and 7012357 together.
>>>
>>> Comparing with previous webrev, the following updates are unchanged:
>>> src/share/classes/java/security/cert/CertPathValidatorException.java
>>> src/share/classes/sun/security/provider/certpath/AlgorithmChecker.java
>>> src/share/classes/sun/security/validator/SimpleValidator.java
>>> other test files.
>>>
>>>
>>> The following are new changes for CR 7012357:
>>> src/share/classes/sun/security/provider/certpath/ForwardBuilder.java
>>> src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java
>>>
>>> test/sun/security/provider/certpath/DisabledAlgorithms/CPValidatorEndEntity.java
>>>
>>>
>>>
>>> Thanks,
>>> Xuelei
>>>
>>> On 1/14/2011 11:10 AM, Xuelei Fan wrote:
>>>> We don't checking the SKID and AKID during searching for the trust
>>>> anchor.
>>>>
>>>> I have filled a new CR for the issue, 7012357, Improve trust anchor
>>>> searching method during cert path validation.
>>>>
>>>> I will have this commented out block in CPValidatorEndEntity.java. I
>>>> will use this test case for CR 7012357.
>>>>
>>>> Thanks,
>>>> Xuelei
>>>>
>>>> On 1/14/2011 12:44 AM, Xuelei Fan wrote:
>>>>> I just realized, if subject KID and issuer KID works, the cert path
>>>>> validation should be able to find the proper trust anchor.  I will
>>>>> look
>>>>> into the issue tomorrow.
>>>>>
>>>>> Xuelei
>>>>>
>>>>> On 1/14/2011 12:27 AM, Xuelei Fan wrote:
>>>>>> On 1/14/2011 12:05 AM, Sean Mullan wrote:
>>>>>>> On 1/13/11 6:38 AM, Xuelei Fan wrote:
>>>>>>>> Hi Sean,
>>>>>>>>
>>>>>>>> Would you please review the fix for CR 7011497?
>>>>>>>>
>>>>>>>> http://cr.openjdk.java.net/~xuelei/7011497/webrev/
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Xuelei
>>>>>>>
>>>>>>> CPValidatorEndEntity.java:
>>>>>>>
>>>>>>>   307         /* coment out useless trust anchor
>>>>>>>   308         is = new
>>>>>>> ByteArrayInputStream(trustAnchor_SHA1withRSA_512.getBytes());
>>>>>>>   309         cert = cf.generateCertificate(is);
>>>>>>>   310         anchor = new TrustAnchor((X509Certificate)cert, null);
>>>>>>>   311         anchors.add(anchor);
>>>>>>>   312         */
>>>>>>>
>>>>>>> Why do you leave this code in with this comment?
>>>>>>>
>>>>>> If I have this block. The cert path validation cannot find the proper
>>>>>> trust anchor. As there are two trusted certificates, they are
>>>>>> almost the
>>>>>> same except the key size (one key size is 1024, another one is 512).
>>>>>>
>>>>>> In cert path validation, once a trust anchor found, if the
>>>>>> signature is
>>>>>> not valid, I think no more effort to test more trust anchors.
>>>>>>
>>>>>> I was wondering whether it is worthy to try more trust anchors. It's
>>>>>> expensive!
>>>>>>
>>>>>> Thanks for the review.
>>>>>>
>>>>>> Xuelei
>>>>>>
>>>>>>> Otherwise, looks good.
>>>>>>>
>>>>>>> --Sean
>>>>>>
>>>>>
>>>>
>>>
>>