[9] Request for Review: 8021804: Certpath validation fails if validity period of root cert does not include validity period of intermediate cert
Sean Mullan
sean.mullan at oracle.com
Mon Mar 10 19:00:41 UTC 2014
Hi Jason,
Sorry for the delay in reviewing this.
On 02/28/2014 02:54 PM, Jason Uh wrote:
> Hi Sean,
>
> Could I please get a review of this change? This fix allows a certpath
> to be validated when a certificate issued by a version 1 trusted cert
> has a validity period that doesn't fall within the validity of the
> issuer. Trust anchors whose validity does contain the issued cert's
> validity period will be prioritized above those that do not.
>
> webrev: http://cr.openjdk.java.net/~juh/8021804/webrev.00/
> bug: http://bugs.openjdk.java.net/browse/JDK-8021804
In PKIXCertPathValidator, I would remove the call to
X509CertSelector.setValidityPeriod on line 98 and just match on the
subject and SKID when trying to find a matching trust anchor. Most of
the other changes are not necessary I think. At this point you are just
trying to find a matching root. In most cases there will only be one
possible choice, so unless there are 2 V1 roots with the same subject
name and a different public key (ex: due to key rollover). Maybe trying
to match on the validity period would help select the right root in the
key rollover case, but I'm not sure the extra code is worth it for this
rare case (and V1 roots are becoming much less common). And even if it
does select the wrong root the first time, the code should fail quickly
(when the signature on the cert issued by the root fails), and then
proceed to try the next one (and then succeed).
--Sean
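
The selection strategy described in the reply above, as an added sketch that is not part of the original message and is not the JDK's PKIXCertPathValidator code: candidate roots are filtered on subject name only, with no validity-period criterion, and the signature check decides between same-named roots. The class name, the findAnchor helper and the two PEM file arguments are hypothetical, and SKID matching is omitted.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Set;

public class AnchorSelection {
    // Hypothetical helper: returns the anchor that issued `issued`, or null.
    static TrustAnchor findAnchor(Set<TrustAnchor> anchors, X509Certificate issued) {
        X509CertSelector sel = new X509CertSelector();
        sel.setSubject(issued.getIssuerX500Principal()); // name only, no validity criterion
        for (TrustAnchor anchor : anchors) {
            X509Certificate root = anchor.getTrustedCert();
            if (root == null || !sel.match(root)) {
                continue; // name/key-only anchors are not handled in this sketch
            }
            try {
                issued.verify(root.getPublicKey());
                return anchor;
            } catch (GeneralSecurityException e) {
                // Same subject, different key (e.g. key rollover): try the next root.
            }
        }
        return null;
    }

    // Usage: java AnchorSelection roots.pem issued.pem  (file names are placeholders)
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Set<TrustAnchor> anchors = new HashSet<>();
        try (InputStream in = new FileInputStream(args[0])) {
            for (Certificate c : cf.generateCertificates(in)) {
                anchors.add(new TrustAnchor((X509Certificate) c, null));
            }
        }
        X509Certificate issued;
        try (InputStream in = new FileInputStream(args[1])) {
            issued = (X509Certificate) cf.generateCertificate(in);
        }
        TrustAnchor found = findAnchor(anchors, issued);
        System.out.println(found == null ? "no matching trust anchor"
                : "anchor: " + found.getTrustedCert().getSubjectX500Principal());
    }
}
```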