Review Request for JDK-8025708 : Certificate Path Building problem with AKI serial number

Jason Uh jason.uh at
Thu Feb 13 19:04:41 PST 2014

Hi Sean,

Looks good to me, but I'm not an official Reviewer.

I have a couple of questions, though.

1. This isn't a part of your change, but shouldn't the comment on line 
200 of read "As for version 3,..." and 
not "As for version 2,..."?

2. Just curious, any reason why this wasn't just fixed with

     void parseAuthorityKeyIdentifierExtension(
             AuthorityKeyIdentifierExtension akidext) throws IOException {
       + super.setSubjectKeyIdentifier(null);
       + super.setSerialNumber(null);

         if (akidext != null) { ... }




On 2/13/14 5:04 AM, Sean Mullan wrote:
> See:
> This fixes a problem with the PKIX CertPathBuilder where it wasn't able
> to build a path when the Authority Key Identifier extension of an
> intermediate CA cert did not contain a serial number field, and the end
> entity cert did.
> The problem was in the AdaptableX509CertSelector class. It was reusing
> this selector without re-initializing certain fields. I changed the
> implementation of this class so that it doesn't have this issue anymore.
> Thanks,
> Sean

More information about the security-dev mailing list