[9] RFR: 8134708: Certpath validation fails to load certs and CRLs if AIA and CRLDP extensions point to LDAP resources

Seán Coffey sean.coffey at oracle.com
Wed Sep 2 10:23:46 UTC 2015


Hi Artem,

I'll leave the main review to other reviewers, but while we're here, can 
you consider improving the original exception message that was seen in 
this issue?
In the LDAPCertStore constructor:

         } else {
             throw new InvalidAlgorithmParameterException(
                 "parameters must be either LDAPCertStoreParameters or " +
                 "URICertStoreParameters");
         }

Can we print the instance type of the 'params' variable in the exception 
message? params.getClass().getName() should be sufficient.

I see 2-3 other exceptions in LDAPCertStore that could be improved there 
also. If you can change them, that would be great - otherwise we can 
follow up with an enhancement request.

             if (!u.getScheme().equalsIgnoreCase("ldap")) {
                 throw new InvalidAlgorithmParameterException(
                 "Only LDAP URIs are supported for LDAP Certore");

Let's print the scheme received!


         } else if (!(selector instanceof X509CertSelector)) {
             throw new CertStoreException("need X509CertSelector to find certs");

this code occurs twice. Let's print the selector class received.

Regards,
Sean.

On 02/09/15 00:15, Artem Smotrakov wrote:
> Hello,
>
> Please review this fix for 9.
>
> Certpath validation fails to load certs and CRLs if AIA and CRLDP 
> extensions point to LDAP resources. This happens because LDAPCertStore 
> accepts only instances of LDAPCertStoreParameters and 
> URICertStoreParameters classes, but 
> sun.security.provider.certpath.URICertStore uses an inner static 
> URICertStoreParameters class. Please see details in the bug.
>
> This fix removes URICertStore.URICertStoreParameters class, and 
> updates URICertStore and DistributionPointFetcher to use new 
> java.security.cert.URICertStoreParameters class.
>
> A regression test starts a local name service which logs requested 
> host names. The test checks that host names from AIA and CRLDP 
> extensions were loaded and requested to resolve during certpath 
> validation.
>
> Bug: https://bugs.openjdk.java.net/browse/JDK-8134708
> Webrev: http://cr.openjdk.java.net/~asmotrak/8134708/webrev.01/
>
> Artem
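An added illustration of both points above (Artem's description of why an inner URICertStoreParameters class fails the instanceof check, and Seán's request for diagnostics in the messages); this is not code from the webrev or the JDK. `checkLdapParams`, `OtherUriParams`, `tryIt` and the example.test host names are assumed/constructed for the demo.

```java
import java.net.URI;
import java.security.InvalidAlgorithmParameterException;
import java.security.cert.CertStoreParameters;
import java.security.cert.LDAPCertStoreParameters;
import java.security.cert.URICertStoreParameters;

public class LdapParamsCheck {

    // Hypothetical stand-in for the LDAPCertStore constructor check, with the
    // diagnostics requested in the review: the parameter class and the scheme.
    static String checkLdapParams(CertStoreParameters params)
            throws InvalidAlgorithmParameterException {
        if (params instanceof LDAPCertStoreParameters) {
            LDAPCertStoreParameters p = (LDAPCertStoreParameters) params;
            return p.getServerName() + ":" + p.getPort();
        } else if (params instanceof URICertStoreParameters) {
            URI u = ((URICertStoreParameters) params).getURI();
            // Constant-first comparison also tolerates a null scheme (relative URI)
            if (!"ldap".equalsIgnoreCase(u.getScheme())) {
                throw new InvalidAlgorithmParameterException(
                    "Only LDAP URIs are supported for LDAP CertStore, got scheme: "
                    + u.getScheme());
            }
            return u.getHost() + ":" + u.getPort();
        } else {
            throw new InvalidAlgorithmParameterException(
                "parameters must be either LDAPCertStoreParameters or "
                + "URICertStoreParameters, got: "
                + (params == null ? "null" : params.getClass().getName()));
        }
    }

    // A separate CertStoreParameters type, standing in for the old private
    // URICertStore.URICertStoreParameters class: it is not the public
    // java.security.cert class, so the instanceof check rejects it.
    private static class OtherUriParams implements CertStoreParameters {
        public Object clone() { return this; } // immutable demo object
    }

    static void tryIt(CertStoreParameters params) {
        try {
            System.out.println("accepted -> " + checkLdapParams(params));
        } catch (InvalidAlgorithmParameterException e) {
            System.out.println("rejected -> " + e.getMessage());
        }
    }

    public static void main(String[] args) throws Exception {
        tryIt(new LDAPCertStoreParameters("ldap.example.test", 389));   // constructed host
        tryIt(new URICertStoreParameters(new URI("ldap://ldap.example.test:389/cn=crl")));
        tryIt(new URICertStoreParameters(new URI("http://crl.example.test/crl.pem")));
        tryIt(new OtherUriParams()); // the mismatch the bug report describes
    }
}
```

Requires Java 9 or later, where java.security.cert.URICertStoreParameters exists; the last two calls print the class name and the rejected scheme that the original messages omitted.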
