custom critical X509v3 extensions
Jan Willem Janssen
janwillem.janssen at luminis.eu
Wed Mar 25 08:00:58 UTC 2015
> On 24 Mar 2015, at 14:12, Sean Mullan <sean.mullan at oracle.com> wrote:
>
> On 03/24/2015 08:53 AM, Jan Willem Janssen wrote:
>>
>> When a X509TrustManager validates an endpoint certificate containing a
>> critical custom extension the sun.security.validator.EndEntityChecker
>> will always fail. While this is correct behaviour, and according to
>> the spec, there appears no way of adding support for custom critical
>> extensions on endpoint certificates?!
>
> The CertPath API allows you to create your own PKIXCertPathChecker to process custom extensions. This could then be added to the CertPathTrustManagerParameters (via the addCertPathChecker method of PKIXParameters), but it looks like there is no hook in the EndEntityChecker to call the PKIXCertPathCheckers.

Yes, that is also what I was doing, but was a little surprised that EndEntityChecker didn’t take any of those custom PKIXCertPathCheckers into consideration.

> I'll file a bug.

Thanks for the clarification, Sean!

--
Met vriendelijke groeten | Kind regards
Jan Willem Janssen | Software Architect
+31 631 765 814
My world is revolving around INAETICS and Amdatu
Luminis Technologies B.V.
Churchillplein 1
7314 BZ Apeldoorn
+31 88 586 46 00
http://www.luminis-technologies.com
http://www.luminis.eu
KvK (CoC) 09 16 28 93
BTW (VAT) NL8169.78.566.B.01