RFR: [JDK-8072463] Remove requirement that AKID and SKID have to match when building certificate chain

Sean Mullan sean.mullan at oracle.com
Tue Nov 10 14:57:49 UTC 2015


Please review this fix for a regression that removes the requirement 
that a certificate's Authority Key Identifier must match the issuing 
certificate's Subject Key Identifier when building a certificate chain.

The certificate chain validation algorithm in RFC 5280 does not require 
that the AKID/SKID match.

I have moved the AKID/SKID match into the sorting criteria for building 
paths. If they match, it will try that certificate first, but it will 
also fallback and search other paths.

A new test has been added to the closed area since it depends on 
certificates contributed by the submitter.

webrev: http://cr.openjdk.java.net/~mullan/webrevs/8072463/webrev.00/

--Sean



More information about the security-dev mailing list