[9] RFR: 8076117: EndEntityChecker should not process custom extensions after PKIX validation
Jason Uh
jason.uh at oracle.com
Mon Apr 13 23:52:46 UTC 2015
Hi Thomas,
I am not actually turning off the check for unknown critical extensions.
When validating with TYPE_PKIX, CertPathValidator will already have
verified all extensions (and an exception would already have been thrown
for any violations). This fix is merely to take out what would be a
redundant check in EndEntityChecker that would result in wrong behavior.
With that said, as Sean pointed out in his review, it would make more
sense to disable the checks when validating with a TYPE_PKIX validator
rather than enabling for TYPE_SIMPLE, so I've made that change in my
latest revision. I've sent that out in a separate email.
Also, all of the APIs I've touched in this fix are internal APIs and are
not to be used externally, so there is not a security concern in the way
you've suggested.
Thanks, and I appreciate the feedback.
Jason
On 04/11/2015 01:43 PM, Thomas Lußnig wrote:
> Hi,
>
> Even if I am new to this list, I looked at the solution and have a question.
> Why is there a switch to turn off the check for unknown critical extensions?
> From my point of view as a developer, I would say a more secure solution
> would be, instead of a boolean switch, to make a Set<String> checkedOids a
> new parameter, so it is possible to tell what has already been checked.
> That means if the "non SimpleValidator" checks only part of the critical
> extensions, the EndEntityChecker would still throw an Exception.
>
> Regards, Thomas
>
> On 10.04.2015 21:39, Jason Uh wrote:
>> Please review this fix, which prevents redundant extension checking in
>> EndEntityChecker.
>>
>> When checking extensions in an end entity certificate, if
>> sun.security.validator.EndEntityChecker comes across any extensions
>> that are critical and unknown, it throws an exception, even if those
>> extensions had already been checked by custom PKIXCertPathCheckers
>> (specified in the PKIXParameters) earlier in the validation by
>> PKIXValidator. This checking is not necessary when path validation is
>> performed by a PKIXValidator.
>>
>> However, if the validation is performed by a SimpleValidator,
>> EndEntityChecker should continue to check extensions.
>>
>> webrev: http://cr.openjdk.java.net/~juh/8076117/00/
>> bug: https://bugs.openjdk.java.net/browse/JDK-8076117
>>
>> Thanks,
>> Jason
>
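
For readers following the thread, this is what "checked by custom PKIXCertPathCheckers (specified in the PKIXParameters)" looks like through the public java.security.cert API. It is an added example, not code from the webrev or the JDK sources; the class name, the OID and the file arguments are hypothetical.

```java
import java.io.InputStream;
import java.nio.file.*;
import java.security.cert.*;
import java.util.*;

public class CustomExtChecker extends PKIXCertPathChecker {
    // Hypothetical private OID, constructed for this example.
    static final String CUSTOM_OID = "1.3.6.1.4.1.99999.1.1";

    @Override public void init(boolean forward) throws CertPathValidatorException {
        if (forward) throw new CertPathValidatorException("forward checking not supported");
    }
    @Override public boolean isForwardCheckingSupported() { return false; }
    @Override public Set<String> getSupportedExtensions() {
        return Collections.singleton(CUSTOM_OID);
    }

    @Override public void check(Certificate cert, Collection<String> unresolvedCritExts)
            throws CertPathValidatorException {
        byte[] der = ((X509Certificate) cert).getExtensionValue(CUSTOM_OID);
        if (der == null) return;                       // extension absent: nothing to claim
        // getExtensionValue returns the DER OCTET STRING wrapping the payload.
        if (der.length < 3 || der[0] != 0x04)
            throw new CertPathValidatorException("malformed or empty custom extension");
        // Claim the OID only after it validated; anything left in the
        // collection when all checkers have run fails path validation.
        if (unresolvedCritExts != null) unresolvedCritExts.remove(CUSTOM_OID);
    }

    static X509Certificate load(CertificateFactory cf, String file) throws Exception {
        try (InputStream in = Files.newInputStream(Paths.get(file))) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    // Usage: java CustomExtChecker root.pem leaf.pem [intermediate.pem ...]
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        for (int i = 1; i < args.length; i++) chain.add(load(cf, args[i]));
        PKIXParameters params = new PKIXParameters(
                Collections.singleton(new TrustAnchor(load(cf, args[0]), null)));
        params.setRevocationEnabled(false);            // keep the example offline
        params.addCertPathChecker(new CustomExtChecker());
        CertPathValidator.getInstance("PKIX").validate(cf.generateCertPath(chain), params);
        System.out.println("path valid; custom critical extension was claimed by the checker");
    }
}
```

Without the `addCertPathChecker` call, the same chain is rejected by the PKIX validator because the critical extension stays unresolved.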