RFR: [JDK-8072463] Remove requirement that AKID and SKID have to match when building certificate chain

Xuelei Fan Xuelei.Fan at Oracle.COM
Thu Nov 12 12:35:44 UTC 2015


Looks fine to me.

Xuelei

On 11/10/2015 10:57 PM, Sean Mullan wrote:
> Please review this fix for a regression that removes the requirement
> that a certificate's Authority Key Identifier must match the issuing
> certificate's Subject Key Identifier when building a certificate chain.
>
> The certificate chain validation algorithm in RFC 5280 does not require
> that the AKID/SKID match.
>
> I have moved the AKID/SKID match into the sorting criteria for building
> paths. If they match, it will try that certificate first, but it will
> also fall back and search other paths.
>
> A new test has been added to the closed area since it depends on
> certificates contributed by the submitter.
>
> webrev: http://cr.openjdk.java.net/~mullan/webrevs/8072463/webrev.00/
>
> --Sean
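
The ordering described in the message above, sketched as an added example that is not code from the JDK or from the webrev: a key-identifier match only moves a candidate issuer to the front, and the builder still falls back to the others. The `Cert` record, its `signerKey` field (a stand-in for signature verification) and all sample values are constructed for illustration.

```java
import java.util.*;

public class AkidSkidOrdering {
    // Hypothetical certificate model, not a JDK type. signerKey names the key
    // that produced the signature and stands in for real signature verification.
    record Cert(String subject, String issuer, String key,
                String skid, String akid, String signerKey) {}

    // Candidates are selected by name only. An SKID equal to the child's AKID
    // moves a candidate to the front (false sorts before true); none is dropped.
    static List<Cert> candidates(Cert child, List<Cert> pool) {
        List<Cert> out = new ArrayList<>();
        for (Cert c : pool) {
            if (c.subject().equals(child.issuer())) out.add(c);
        }
        out.sort(Comparator.comparing((Cert c) -> !Objects.equals(c.skid(), child.akid())));
        return out;
    }

    // Depth-first path building with backtracking toward a trust anchor.
    static List<Cert> build(Cert child, List<Cert> pool, Set<Cert> anchors, Deque<Cert> path) {
        path.addLast(child);
        for (Cert issuer : candidates(child, pool)) {
            if (!issuer.key().equals(child.signerKey())) continue; // signature would not verify
            if (anchors.contains(issuer)) {
                List<Cert> done = new ArrayList<>(path);
                done.add(issuer);
                return done;
            }
            if (path.contains(issuer)) continue;                   // loop guard
            List<Cert> rest = build(issuer, pool, anchors, path);
            if (rest != null) return rest;
        }
        path.removeLast();
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample data: the real CA certificate carries SKID "bb",
        // while the leaf's AKID is "aa"; a decoy with SKID "aa" holds another key.
        Cert root  = new Cert("CN=Root", "CN=Root", "KR", "rr", null, "KR");
        Cert ca    = new Cert("CN=CA",   "CN=Root", "K1", "bb", "rr", "KR");
        Cert decoy = new Cert("CN=CA",   "CN=Root", "K2", "aa", "rr", "KR");
        Cert leaf  = new Cert("CN=leaf", "CN=CA",   "KL", "ll", "aa", "K1");
        List<Cert> pool = List.of(ca, decoy, root);
        for (Cert c : candidates(leaf, pool)) System.out.println("try issuer with SKID " + c.skid());
        List<Cert> chain = build(leaf, pool, Set.of(root), new ArrayDeque<>());
        for (Cert c : chain) System.out.println(c.subject() + " (SKID " + c.skid() + ")");
    }
}
```

In this model, a builder that required the identifiers to match would find no path for the leaf. The sorted builder tries the decoy first, rejects it on the signature check, and then completes the chain through the real CA certificate.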



