[9] RFR: 8076117: EndEntityChecker should not process custom extensions after PKIX validation
Xuelei Fan
xuelei.fan at oracle.com
Fri Apr 10 22:41:54 UTC 2015
Looks fine to me except a few minor comments.
Validator.java
--------------
Would you mind adding a comment about why extensions are only checked for TYPE_SIMPLE?
EndEntityExtensionCheck.java
----------------------------
line 26-28:
We normally use the bug tag before other tags.
line 52-55, and similar places:
Normally, a "*" character is expected for each comment line, as it is
easier to read.
eeextensioncheck.jks
--------------------
Binary files are not preferred in Mercurial. Would you mind using a string
key store, as you did for the CA and EE certs in
EndEntityExtensionCheck.java?
Xuelei
On 4/11/2015 3:39 AM, Jason Uh wrote:
> Please review this fix, which prevents redundant extension checking in
> EndEntityChecker.
>
> When checking extensions in an end entity certificate, if
> sun.security.validator.EndEntityChecker comes across any extensions that
> are critical and unknown, it throws an exception, even if those
> extensions had already been checked by custom PKIXCertPathCheckers
> (specified in the PKIXParameters) earlier in the validation by
> PKIXValidator. This checking is not necessary when path validation is
> performed by a PKIXValidator.
>
> However, if the validation is performed by a SimpleValidator,
> EndEntityChecker should continue to check extensions.
>
> webrev: http://cr.openjdk.java.net/~juh/8076117/00/
> bug: https://bugs.openjdk.java.net/browse/JDK-8076117
>
> Thanks,
> Jason