custom critical X509v3 extensions

Jan Willem Janssen janwillem.janssen at
Wed Mar 25 08:00:58 UTC 2015

> On 24 Mar 2015, at 14:12, Sean Mullan <sean.mullan at> wrote:
> On 03/24/2015 08:53 AM, Jan Willem Janssen wrote:
>> When a X509TrustManager validates an endpoint certificate containing a
>> critical custom extension the
>> will always fail. While this is correct behaviour, and according to
>> the spec, there appears no way of adding support for custom critical
>> extensions on endpoint certificates?!
> The CertPath API allows you to create your own PKIXCertPathChecker to process custom extensions. This could then be added to the CertPathTrustManagerParameters (via the addCertPathChecker method of PKIXParameters), but it looks like there is no hook in the EndEntityChecker to call the PKIXCertPathCheckers.

Yes, that is also what I was doing, but was a little surprised that EndEntityChecker didn’t take any of those custom PKIXCertPathCheckers into consideration.

> I'll file a bug.

Thanks for the clarification, Sean!

Met vriendelijke groeten | Kind regards

Jan Willem Janssen | Software Architect
+31 631 765 814

My world is revolving around INAETICS and Amdatu

Luminis Technologies B.V.
Churchillplein 1
7314 BZ   Apeldoorn
+31 88 586 46 00

KvK (CoC) 09 16 28 93
BTW (VAT) NL8169.78.566.B.01

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 817 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <>

More information about the security-dev mailing list