Review Request for JDK-8025708 : Certificate Path Building problem with AKI serial number
Xuelei Fan
xuelei.fan at oracle.com
Sat Feb 15 01:52:46 UTC 2014
AdaptableX509CertSelector.java
==============================
1. for boolean value checking, I normally use
if (boolean-value) or if (!boolean-value)
2. AdaptableX509CertSelector.match(Certificate)
KID can be used to facilitate the path building. I would suggest
check the SKID and SN at first, and then call super.match().
3. AdaptableX509CertSelector.clone()
Also want to clone "serial" variabl?
4. absence of SKID
Per section 4.2.1.2, RFC 5280:
To facilitate certification path construction, this extension MUST
appear in all conforming CA certificates, that is, all certificates
including the basic constraints extension (Section 4.2.1.9) where the
value of cA is TRUE. In conforming CA certificates, the value of the
subject key identifier MUST be the value placed in the key identifier
field of the authority key identifier extension (Section 4.2.1.1) of
certificates issued by the subject of this certificate.
Not a big concerns, I was just wondering we may still want to check
KID although the serial number checking may be optional. This update
allow the absence of subject key ID extension.
Otherwise, looks fine to me.
Xuelei
On 2/13/2014 9:04 PM, Sean Mullan wrote:
> See: http://cr.openjdk.java.net/~mullan/webrevs/8025708/webrev/
>
> This fixes a problem with the PKIX CertPathBuilder where it wasn't able
> to build a path when the Authority Key Identifier extension of an
> intermediate CA cert did not contain a serial number field, and the end
> entity cert did.
>
> The problem was in the AdaptableX509CertSelector class. It was reusing
> this selector without re-initializing certain fields. I changed the
> implementation of this class so that it doesn't have this issue anymore.
>
> Thanks,
> Sean
More information about the security-dev
mailing list