Code Review Request JDK-8170329 New SSLSocket testing template
Sean Mullan
sean.mullan at oracle.com
Tue Dec 6 22:38:04 UTC 2016
On 12/2/16 2:23 PM, Xue-Lei Fan wrote:
> On 11/29/2016 5:22 AM, Sean Mullan wrote:
>> On 11/27/16 7:43 AM, Xuelei Fan wrote:
>>> On 11/27/2016 6:04 PM, Wang Weijun wrote:
>>>> This is not only a test update.
>>>>
>>> No, I happened to find an implementation issue with the new test, so fix
>>> it altogether. The issue is that the simple validator
>>> (SimpleValidator.java) does not support SKID/AKID during cert path
>>> build. If two trusted certs has the same subject, the simple validator
>>> may not be able to find the right one.
>>
>> We have had issues in the PKIX CertPathBuilder with matching on
>> AKID/SKID when building certpaths, so we want to be careful not to
>> introduce a similar issue. See this bug for more information:
>>
>> https://bugs.openjdk.java.net/browse/JDK-8072463
>>
>> I have not reviewed the fix enough to know if this issue applies here
>> but please double-check it.
>>
> The KID are used for best effort matching in this update. If no KIDs
> get matched, the previous behavior is reserved. Should be safe, I think.
You only have to get the authKeyId once, so I think it would be better
to get the keyids first and then pass them to the isKIDMatched method.
Also I wonder if you should throw an Exception if the cert has an akid
and all of the trusted certs have a skid and none of them match.
Looks ok otherwise.
--Sean
More information about the security-dev
mailing list