[9] Request for Review: 8021804: Certpath validation fails if validity period of root cert does not include validity period of intermediate cert

Sean Mullan sean.mullan at oracle.com
Mon Mar 10 19:00:41 UTC 2014


Hi Jason,

Sorry for the delay in reviewing this.

On 02/28/2014 02:54 PM, Jason Uh wrote:
> Hi Sean,
>
> Could I please get a review of this change? This fix allows a certpath
> to be validated when a certificate issued by a version 1 trusted cert
> has a validity period that doesn't fall within the validity of the
> issuer. Trust anchors whose validity does contain the issued cert's
> validity period will be prioritized above those that do not.
>
> webrev: http://cr.openjdk.java.net/~juh/8021804/webrev.00/
> bug: http://bugs.openjdk.java.net/browse/JDK-8021804

In PKIXCertPathValidator, I would remove the call to 
X509CertSelector.setValidityPeriod on line 98 and just match on the 
subject and SKID when trying to find a matching trust anchor. Most of 
the other changes are not necessary I think. At this point you are just 
trying to find a matching root. In most cases there will only be one 
possible choice, so unless there are 2 V1 roots with the same subject 
name and a different public key (ex: due to key rollover). Maybe trying 
to match on the validity period would help select the right root in the 
key rollover case, but I'm not sure the extra code is worth it for this 
rare case (and V1 roots are becoming much less common). And even if it 
does select the wrong root the first time, the code should fail quickly 
(when the signature on the cert issued by the root fails), and then 
proceed to try the next one (and then succeed).

--Sean
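
The selection strategy suggested in the reply above, as an added example (not code from the webrev or from the JDK): candidate anchors are matched on subject name only, with no validity-period filter, and a candidate with the right name but the wrong key is rejected by the signature check before the next one is tried. The class and method names are hypothetical, SKID matching is omitted, and the sample input is whatever self-signed root the local JDK's default trust store contains.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.net.ssl.*;
import javax.security.auth.x500.X500Principal;

public class AnchorSearch { // hypothetical class name
    /** Select by issuer name only, then let the signature check reject a wrong root. */
    static Optional<TrustAnchor> findAnchor(X509Certificate cert, Collection<TrustAnchor> anchors) {
        X500Principal issuer = cert.getIssuerX500Principal();
        for (TrustAnchor a : anchors) {
            X509Certificate root = a.getTrustedCert(); // null for name+key anchors
            X500Principal name = (root != null) ? root.getSubjectX500Principal() : a.getCA();
            PublicKey key = (root != null) ? root.getPublicKey() : a.getCAPublicKey();
            if (!issuer.equals(name)) continue; // subject match only, no validity-period filter
            try {
                cert.verify(key); // throws if this anchor's key did not sign the cert
                return Optional.of(a);
            } catch (GeneralSecurityException e) {
                // Same name, different key (e.g. key rollover): fail fast, try the next anchor.
            }
        }
        return Optional.empty();
    }

    public static void main(String[] args) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // load the JDK's default trust store
        List<TrustAnchor> anchors = new ArrayList<>();
        for (TrustManager tm : tmf.getTrustManagers())
            if (tm instanceof X509TrustManager)
                for (X509Certificate c : ((X509TrustManager) tm).getAcceptedIssuers())
                    anchors.add(new TrustAnchor(c, null));
        // Sample input: the first self-signed root in the store, whose issuer is itself.
        for (TrustAnchor a : anchors) {
            X509Certificate c = a.getTrustedCert();
            if (!c.getSubjectX500Principal().equals(c.getIssuerX500Principal())) continue;
            Optional<TrustAnchor> hit = findAnchor(c, anchors);
            System.out.println(c.getSubjectX500Principal().getName()
                + " -> " + (hit.isPresent() ? "anchor found" : "no anchor"));
            break;
        }
    }
}
```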