RFR 8036709: Java 7 jarsigner displays warning about cert policy tree

Wang Weijun weijun.wang at oracle.com
Thu May 22 23:42:07 UTC 2014


On May 23, 2014, at 2:15, Sean Mullan <sean.mullan at oracle.com> wrote:

> Hi Max,
> 
> Did you consider using a CertPathBuilder instead? This should essentially do the same thing (find a matching trust anchor, and build a validated path).

I thought about it but anyway the certchain is still a chain. If I just treat them as an unordered set of certs, it seems too tolerant.

--Max

> 
> --Sean
> 
> On 05/21/2014 08:20 PM, Wang Weijun wrote:
>> Hi All
>> 
>> Please review the code change at
>> 
>>    http://cr.openjdk.java.net/~weijun/8036709/webrev.01/
>> 
>> Before this change, jarsigner simply put a cert chain into a CertPath and validated it. If the CertPath contains a trust anchor inside, the validation could fail even if it should not. This fix searches for a trust anchor in the cert chain and truncates at that position if one is found. If the first certificate is already a trust anchor, we don't do validation at all.
>> 
>> Thanks
>> Max
>> 
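The approach described in the review request (find a trust anchor inside the ordered chain, truncate there, skip validation when the first certificate is itself an anchor), as an added Java sketch that is not the code from the webrev. The class and method names are hypothetical, and two things are assumptions: the anchors come from the JRE default trust store, and revocation checking is disabled. The chain is read signer-first from a PEM file given as the argument.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TruncateAtAnchor {  // hypothetical name, not a JDK class
    /** Returns how many certificates were validated; 0 if the first cert is itself an anchor. */
    static int validate(List<X509Certificate> chain, Set<TrustAnchor> anchors) throws Exception {
        Set<X509Certificate> trusted = new HashSet<>();
        for (TrustAnchor a : anchors)
            if (a.getTrustedCert() != null) trusted.add(a.getTrustedCert());
        // The chain stays ordered (signer first); find the first cert that is a trust anchor.
        int cut = chain.size();
        for (int i = 0; i < chain.size(); i++)
            if (trusted.contains(chain.get(i))) { cut = i; break; }
        if (cut == 0) return 0;  // signer cert is directly trusted: nothing to validate
        // Validate only the certificates below the anchor, so the anchor is not part of the path.
        CertPath path = CertificateFactory.getInstance("X.509")
                .generateCertPath(chain.subList(0, cut));
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false);  // assumption: revocation is out of scope here
        CertPathValidator.getInstance("PKIX").validate(path, params);
        return cut;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) { System.err.println("usage: TruncateAtAnchor chain.pem"); return; }
        // Assumption: use the JRE default trust store as the anchor set.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        Set<TrustAnchor> anchors = new HashSet<>();
        for (X509Certificate c : ((X509TrustManager) tmf.getTrustManagers()[0]).getAcceptedIssuers())
            anchors.add(new TrustAnchor(c, null));
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[0])) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in))
                chain.add((X509Certificate) c);
        }
        try {
            System.out.println("validated " + validate(chain, anchors) + " certificate(s)");
        } catch (CertPathValidatorException e) {
            System.out.println("invalid at index " + e.getIndex() + ": " + e.getMessage());
        }
    }
}
```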




More information about the security-dev mailing list