Code review request: 7113275, compatibility issue with MD2 trust anchor and old X509TrustManager
Xuelei Fan
xuelei.fan at oracle.com
Mon Nov 21 03:06:00 UTC 2011
webrev: http://cr.openjdk.java.net/~xuelei/7113275/webrev.00/
Bug: http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7113275

Test MD2InTrustAnchor.java is used to test that MD2 in a trust anchor is
able to work with the default trust manager (X509ExtendedTrustManager).
Test TrustTrustedCert.java is used to test that MD2 in a trust anchor is
able to work with the un-extended trust manager (X509TrustManager).

Some customized trust managers developed in JDK 6 did not know the
features in JDK 7, and may not check algorithm constraints. I think we
need the additional algorithm constraint check for the un-extended trust
manager in order to ensure that the TM complies with the security
constraints defined by the security property,
jdk.certpath.disabledAlgorithms.

The algorithm check of the certification chain is lightweight, so even
if the customized trust manager has already managed to check the
algorithm constraints during certification path validation, the
performance hit is very limited.

Thanks,
Xuelei
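
The additional check described in this message, sketched as an added example (it is not the webrev's code or JDK source): a hypothetical wrapper class, ConstraintCheckingTrustManager, lets a JDK 6-style X509TrustManager validate the chain and then rejects any non-anchor certificate signed with an algorithm named in jdk.certpath.disabledAlgorithms. The helper names parseDisabled, permits and checkAlgorithms are assumptions, and the property parsing is deliberately simplified to bare algorithm names.

```java
import java.security.Security;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.net.ssl.X509TrustManager;

// Hypothetical wrapper: delegate to an un-extended trust manager, then re-check algorithms.
public class ConstraintCheckingTrustManager implements X509TrustManager {
    private final X509TrustManager delegate;
    private final Set<String> disabled =
        parseDisabled(Security.getProperty("jdk.certpath.disabledAlgorithms"));
    public ConstraintCheckingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }
    // Simplification: only bare names ("MD2") are honoured; entries with extra
    // clauses such as "RSA keySize < 1024" are skipped.
    static Set<String> parseDisabled(String property) {
        Set<String> names = new HashSet<String>();
        for (String entry : (property == null ? "" : property).split(",")) {
            String e = entry.trim().toLowerCase(Locale.ROOT);
            if (!e.isEmpty() && e.indexOf(' ') < 0) names.add(e);
        }
        return names;
    }
    // "MD2withRSA" decomposes into md2 and rsa; one disabled part rejects the name.
    static boolean permits(Set<String> disabled, String sigAlg) {
        for (String part : sigAlg.toLowerCase(Locale.ROOT).split("with|and"))
            if (disabled.contains(part)) return false;
        return true;
    }
    // Certificates the delegate lists as trusted are skipped, so an MD2-signed anchor still works.
    private void checkAlgorithms(X509Certificate[] chain) throws CertificateException {
        Set<X509Certificate> anchors = new HashSet<X509Certificate>();
        X509Certificate[] accepted = delegate.getAcceptedIssuers();
        if (accepted != null) anchors.addAll(Arrays.asList(accepted));
        for (X509Certificate cert : chain)
            if (!anchors.contains(cert) && !permits(disabled, cert.getSigAlgName()))
                throw new CertificateException("Disabled algorithm: " + cert.getSigAlgName());
    }
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkClientTrusted(chain, authType); checkAlgorithms(chain);
    }
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkServerTrusted(chain, authType); checkAlgorithms(chain);
    }
    public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    public static void main(String[] args) { // constructed property value, not a JDK default
        Set<String> d = parseDisabled("MD2, RSA keySize < 1024");
        System.out.println(permits(d, "MD2withRSA") + " " + permits(d, "SHA256withRSA"));
    }
}
```

The check runs after the delegate on every handshake, which is the redundancy the message accepts as cheap when the custom manager already enforces the constraints itself.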