[9] request for review 8062548: Support duplicate Extended Key Usage certificate extensions
Sean Mullan
sean.mullan at oracle.com
Fri Oct 31 19:25:09 UTC 2014
Well, sorry, but this is not a bug so we should not fix it. The
certificate is not compliant with RFC 5280. See Section 4.2: "A
certificate MUST NOT include more than one instance of a particular
extension." The EKU extension is already designed to specify more than
one key purpose, so it doesn't make any sense to add more than one
extension.
I would report this as a bug to the CA (Apple?) who is issuing
certificates like this.
--Sean
On 10/30/2014 11:21 AM, Vincent Ryan wrote:
> Please review this fix that adds support for X.509 certificates that contain more than one Extended Key Usage extension.
> The certificate parser now merges duplicate EKU objects into a single one.
>
> Webrev: http://cr.openjdk.java.net/~vinnie/8062548/webrev.00/
> Bug: https://bugs.openjdk.java.net/browse/JDK-8062548
>
> Thanks.
>
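Added example, not part of either message or of the JDK change under review: a minimal Python check for the RFC 5280 Section 4.2 rule quoted above. It walks a DER-encoded Extensions SEQUENCE and reports any extension OID that appears more than once. The helper names and the sample byte strings (two EKU extensions versus one EKU extension listing both key purposes) are constructed for illustration.

```python
def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER content")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Decode OBJECT IDENTIFIER content bytes to dotted-decimal form."""
    arcs, value = [], 0
    for byte in content:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear ends this arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first] + arcs[1:])

def duplicate_extensions(extensions_der):
    """Return the sorted extnIDs that appear more than once."""
    tag, body, _ = read_tlv(extensions_der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    seen, dupes, pos = set(), set(), 0
    while pos < len(body):
        tag, ext, pos = read_tlv(body, pos)
        oid_tag, oid, _ = read_tlv(ext, 0)  # extnID is the first field
        if tag != 0x30 or oid_tag != 0x06:
            raise ValueError("malformed Extension")
        name = decode_oid(oid)
        (dupes if name in seen else seen).add(name)
    return sorted(dupes)

def tlv(tag, *parts):  # builder for the constructed samples (short lengths only)
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

EKU = bytes.fromhex("0603551d25")                    # extnID 2.5.29.37
SERVER_AUTH = bytes.fromhex("06082b06010505070301")  # 1.3.6.1.5.5.7.3.1
CLIENT_AUTH = bytes.fromhex("06082b06010505070302")  # 1.3.6.1.5.5.7.3.2
def eku(*purposes):  # Extension { extnID, extnValue OCTET STRING { SEQUENCE OF OID } }
    return tlv(0x30, EKU, tlv(0x04, tlv(0x30, *purposes)))

DUPLICATED = tlv(0x30, eku(SERVER_AUTH), eku(CLIENT_AUTH))  # two EKU extensions
COMPLIANT = tlv(0x30, eku(SERVER_AUTH, CLIENT_AUTH))        # one EKU, two purposes
```

`duplicate_extensions(DUPLICATED)` reports the EKU OID, while `COMPLIANT` carries the same two key purposes inside a single extension and reports nothing.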
More information about the security-dev mailing list