Code Review Request JDK-8170329 New SSLSocket testing template
Xue-Lei Fan
xuelei.fan at oracle.com
Fri Dec 2 19:23:58 UTC 2016
On 11/29/2016 5:22 AM, Sean Mullan wrote:
> On 11/27/16 7:43 AM, Xuelei Fan wrote:
>> On 11/27/2016 6:04 PM, Wang Weijun wrote:
>>> This is not only a test update.
>>>
>> No, I happened to find an implementation issue with the new test, so fix
>> it altogether. The issue is that the simple validator
>> (SimpleValidator.java) does not support SKID/AKID during cert path
>> build. If two trusted certs has the same subject, the simple validator
>> may not be able to find the right one.
>
> We have had issues in the PKIX CertPathBuilder with matching on
> AKID/SKID when building certpaths, so we want to be careful not to
> introduce a similar issue. See this bug for more information:
>
> https://bugs.openjdk.java.net/browse/JDK-8072463
>
> I have not reviewed the fix enough to know if this issue applies here
> but please double-check it.
>
The KID are used for best effort matching in this update. If no KIDs
get matched, the previous behavior is reserved. Should be safe, I think.
Xuelei
> --Sean
>
>>
>> Thanks,
>> Xuelei
>>
>>>> On Nov 27, 2016, at 9:35 AM, Xuelei Fan <xuelei.fan at oracle.com> wrote:
>>>>
>>>> Hi,
>>>>
>>>> Please review this test update:
>>>>
>>>> http://cr.openjdk.java.net/~xuelei/8170329/webrev.00/
>>>>
>>>> The new template (SSLSocketTemplate.java) could be used to avoid the
>>>> anti-free-port issues. By using sub-classes of it, the new one can
>>>> simplify the general SSLSocket test code significantly.
>>>>
>>>> Thanks,
>>>> Xuelei
>>>
More information about the security-dev
mailing list