[9] request for review 8062548: Support duplicate Extended Key Usage certificate extensions

Sean Mullan sean.mullan at oracle.com
Fri Oct 31 19:25:09 UTC 2014

Well, sorry, but this is not a bug so we should not fix it. The 
certificate is not compliant with RFC 5280. See Section 4.2: "A 
certificate MUST NOT include more than one instance of a particular 
extension." The EKU extension is already designed to specify more than 
one key purpose, so it doesn't make any sense to add more than one 

I would report this as a bug to the CA (Apple?) who is issuing 
certificates like this.


On 10/30/2014 11:21 AM, Vincent Ryan wrote:
> Please review this fix that adds support for X.509 certificates that contain more than one Extended Key Usage extension.
> The certificate parser now merges duplicate EKU objects into a single one.
> Webrev: http://cr.openjdk.java.net/~vinnie/8062548/webrev.00/
> Bug: https://bugs.openjdk.java.net/browse/JDK-8062548
> Thanks.

More information about the security-dev mailing list