JDK 8 Review Request for 6854712 (JEP 124), 6637288 and 7126011

Xuelei Fan xuelei.fan at oracle.com
Fri May 25 01:05:44 UTC 2012 

On 5/24/2012 3:26 AM, Sean Mullan wrote:
>> I will try to look into other update tomorrow.
A. Can I extend a PKIXRevocationChecker?
   Both the cert path builder and validator depends on CertPathParameters.
   CertPathBuilder.build(CertPathParameters params)
   CertPathValidator.validate(CertPath, CertPathParameters params)

   However, the checker is independent from CertPathParameters. The
check method only has one parameter, the certificate to be checked.
   CertPathChecker.check(Certificate)

   When I want to implement a customized checker by extending
PKIXRevocationChecker, the impl of check() may need to access the CRLs
in the cert store specified by CertPathParameters.  I was wondering we
may need to add a new method to have the checker know the
CertPathParameters.
   CertPathChecker.check(Certificate, CertPathParameters)

B. Can I extend a PKIXRevocationChecker (another aspect)?

   In the implementation of PKIXCertPathValidator, when the revocation
checker in CertPathParameters is instance of *PKIXRevocationChecker*,
the checker will be cast to RevocationChecker, and the default
revocation checking mechanisms will not be used any more.

   if (checker instanceof PKIXRevocationChecker) {
       // initialize it
      ((RevocationChecker)checker).init(anchor, params);
      revCheckerAdded = true;
   }

   In the implementation of SunCertPathBuilder, when the revocation
checker in CertPathParameters is instance of *RevocationChecker*, the
checker will be used to replace of the default revocation checking
mechanisms.

   if (ckr instanceof RevocationChecker) {
       // initialize it
       ((RevocationChecker)ckr).init(builder.trustAnchor, buildParams);
       revCheckerAdded = true;
   }

   I don't see the reason why one checks the instance of
PKIXRevocationChecker, while another one of RevocationChecker. Maybe a typo.

   I think the user may extend PKIXRevocationChecker as:
   public class MyPKIXRevocationChecker extends PKIXRevocationChecker {
       ...
   }

   I think there may be two problems here. The 1st one is that the
object of the extended class cannot be cast to RevocationChecker. The
2nd problem is the question whether the extended checker should override
the default revocation checking mechanisms, or not.

C. PKIXRevocationChecker.java
   //@@@ FIXME need to deep-copy the extensions
   I think you may want to fix it before integration the code.

That's my comment on specification.  I may look into the implementation
update next Monday.

Thanks,
Xuelei

More information about the security-dev mailing list