Code review request: 7113275, compatibility issue with MD2 trust anchor and old X509TrustManager - approved
Dennis Gu
dennis.gu at oracle.com
Mon Nov 21 14:49:02 UTC 2011
Xuelei Fan wrote:
>webrev: http://cr.openjdk.java.net/~xuelei/7113275/webrev.00/
>Bug: http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7113275
>
>Test MD2InTrustAnchor.java is used to test that MD2 in trust anchor is
>able to work with the default trust manager (X509ExtendedTrustManager).
>
>Test TrustTrustedCert.java is used to test that MD2 in trust anchor is
>able to work with the un-extended trust manager (X509TrustManager).
>
>Some customized trust managers developed in JDK 6 did not know the
>features in JDK 7, and may not check algorithm constraints. I think we
>need the additional algorithm constraint check for un-extended trust
>manager in order to ensure that the TM complies with security constraints
>defined by security property, jdk.certpath.disabledAlgorithms.
>
>The algorithm check of certification chain is lightweight, so even if the
>customized trust manager has already managed to check the algorithm
>constraints during certification path validation, the performance hurt
>is very limited.
>
>Thanks,
>Xuelei
>
>
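
The extra check discussed in the message above, as an added example that is not part of the original mail or of the JDK change under review: a hypothetical `ConstraintCheckingTrustManager` wraps an un-extended `X509TrustManager`, re-checks the chain's signature algorithms against `jdk.certpath.disabledAlgorithms`, and skips certificates that are themselves trust anchors. Assumptions: only bare algorithm names in the property (such as `MD2`) are honoured, entries carrying extra conditions are ignored, and a certificate counts as a trust anchor when it appears in `getAcceptedIssuers()`.

```java
import java.security.Security;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.net.ssl.X509TrustManager;

// Hypothetical wrapper (added example, not JDK code): delegates to a legacy
// X509TrustManager, then checks the chain against jdk.certpath.disabledAlgorithms.
public final class ConstraintCheckingTrustManager implements X509TrustManager {
    private final X509TrustManager legacy;

    public ConstraintCheckingTrustManager(X509TrustManager legacy) { this.legacy = legacy; }

    // Assumption: only bare names such as "MD2" are used; entries with extra
    // conditions (for example a keySize bound) are skipped by this example.
    static Set<String> disabledNames() {
        Set<String> names = new HashSet<>();
        String prop = Security.getProperty("jdk.certpath.disabledAlgorithms");
        if (prop == null) return names;
        for (String entry : prop.split(",")) {
            String e = entry.trim();
            if (!e.isEmpty() && !e.contains(" ")) names.add(e.toUpperCase(Locale.ROOT));
        }
        return names;
    }

    private void checkChain(X509Certificate[] chain) throws CertificateException {
        Set<String> disabled = disabledNames();
        Set<X509Certificate> anchors = new HashSet<>(Arrays.asList(legacy.getAcceptedIssuers()));
        for (X509Certificate cert : chain) {
            if (anchors.contains(cert)) continue; // trust anchor: trusted by configuration
            // Decompose the signature algorithm name: "MD2withRSA" -> "MD2", "RSA"
            for (String part : cert.getSigAlgName().toUpperCase(Locale.ROOT).split("WITH|AND")) {
                if (disabled.contains(part)) throw new CertificateException(
                    "Disabled algorithm " + part + " in " + cert.getSubjectX500Principal());
            }
        }
    }

    @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        legacy.checkClientTrusted(chain, authType); // legacy decision first
        checkChain(chain);                          // then the algorithm constraints
    }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        legacy.checkServerTrusted(chain, authType);
        checkChain(chain);
    }
    @Override public X509Certificate[] getAcceptedIssuers() { return legacy.getAcceptedIssuers(); }
}
```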