RFR: [JDK-8072463] Remove requirement that AKID and SKID have to match when building certificate chain
Sean Mullan
sean.mullan at oracle.com
Tue Nov 10 14:57:49 UTC 2015
Please review this fix for a regression that removes the requirement
that a certificate's Authority Key Identifier must match the issuing
certificate's Subject Key Identifier when building a certificate chain.
The certificate chain validation algorithm in RFC 5280 does not require
that the AKID/SKID match.
I have moved the AKID/SKID match into the sorting criteria for building
paths. If they match, it will try that certificate first, but it will
also fallback and search other paths.
A new test has been added to the closed area since it depends on
certificates contributed by the submitter.
webrev: http://cr.openjdk.java.net/~mullan/webrevs/8072463/webrev.00/
--Sean
More information about the security-dev
mailing list