Code Review Request JDK-8170329 New SSLSocket testing template

Xuelei Fan xuelei.fan at oracle.com
Wed Dec 7 01:00:34 UTC 2016


new webrev:
    http://cr.openjdk.java.net/~xuelei/8170329/webrev.02/

On 12/6/2016 2:38 PM, Sean Mullan wrote:
> On 12/2/16 2:23 PM, Xue-Lei Fan wrote:
>> On 11/29/2016 5:22 AM, Sean Mullan wrote:
>>> On 11/27/16 7:43 AM, Xuelei Fan wrote:
>>>> On 11/27/2016 6:04 PM, Wang Weijun wrote:
>>>>> This is not only a test update.
>>>>>
>>>> No, I happened to find an implementation issue with the new test, so fix
>>>> it altogether.  The issue is that the simple validator
>>>> (SimpleValidator.java) does not support SKID/AKID during cert path
>>>> build.  If two trusted certs have the same subject, the simple validator
>>>> may not be able to find the right one.
>>>
>>> We have had issues in the PKIX CertPathBuilder with matching on
>>> AKID/SKID when building certpaths, so we want to be careful not to
>>> introduce a similar issue. See this bug for more information:
>>>
>>> https://bugs.openjdk.java.net/browse/JDK-8072463
>>>
>>> I have not reviewed the fix enough to know if this issue applies here
>>> but please double-check it.
>>>
>> The KIDs are used for best effort matching in this update.  If no KIDs
>> get matched, the previous behavior is preserved. Should be safe, I think.
>
> You only have to get the authKeyId once, so I think it would be better
> to get the keyids first and then pass them to the isKIDMatched method.
>
Good!

> Also I wonder if you should throw an Exception if the cert has an akid
> and all of the trusted certs have a skid and none of them match.
>
It can be an exception in general.  I want a safe and no compatibility 
impact update.  The following validation processes will identify the 
problem if the cert path is not correct.

> Looks ok otherwise.
>
> --Sean

Thanks!

Xuelei
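
The best-effort key identifier matching discussed in this thread, as an added example that is not the webrev's or the JDK's own code: the certificate's AKID is parsed once, trusted certs with the issuer's subject are narrowed to those whose SKID equals it, and when nothing matches the subject-only candidates are kept. The `Anchor` record, the `candidates` method and the sample bytes are hypothetical and constructed for illustration; the raw extension values have the shape that `X509Certificate.getExtensionValue` returns for OIDs 2.5.29.14 and 2.5.29.35.

```java
import java.util.*;

public class KidBestEffort {
    // Hypothetical stand-in for a trusted cert; skidExt as from getExtensionValue("2.5.29.14").
    record Anchor(String alias, String subject, byte[] skidExt) {}

    // Content of the DER TLV at the start of b if its tag matches, else null.
    static byte[] content(byte[] b, int tag) {
        if (b == null || b.length < 2 || (b[0] & 0xFF) != tag) return null;
        int len = b[1] & 0xFF, off = 2;
        if (len > 0x7F) {                        // long-form length
            int n = len & 0x7F;
            if (n == 0 || n > 3 || b.length < 2 + n) return null;
            len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (b[off++] & 0xFF);
        }
        return off + len <= b.length ? Arrays.copyOfRange(b, off, off + len) : null;
    }

    // SubjectKeyIdentifier: OCTET STRING wrapping OCTET STRING keyIdentifier
    static byte[] skid(byte[] ext) { return content(content(ext, 0x04), 0x04); }

    // AuthorityKeyIdentifier: OCTET STRING wrapping SEQUENCE { [0] keyIdentifier OPTIONAL, ... }
    static byte[] akid(byte[] ext) { return content(content(content(ext, 0x04), 0x30), 0x80); }

    static List<String> candidates(String issuer, byte[] akidExt, List<Anchor> anchors) {
        byte[] authKeyId = akid(akidExt);        // parsed once, reused for every anchor
        List<String> sameSubject = new ArrayList<>(), kidMatched = new ArrayList<>();
        for (Anchor a : anchors) {
            if (!a.subject().equals(issuer)) continue;
            sameSubject.add(a.alias());
            if (authKeyId != null && Arrays.equals(authKeyId, skid(a.skidExt()))) kidMatched.add(a.alias());
        }
        // Best effort: narrow to KID matches if any, else keep subject-only matching.
        return kidMatched.isEmpty() ? sameSubject : kidMatched;
    }

    public static void main(String[] args) {
        // Constructed sample data: two anchors sharing one subject, different SKIDs.
        List<Anchor> trusted = List.of(
            new Anchor("old-ca", "CN=Example CA", new byte[] {4, 6, 4, 4, 10, 11, 12, 13}),
            new Anchor("new-ca", "CN=Example CA", new byte[] {4, 6, 4, 4, 1, 2, 3, 4}));
        byte[] akidNew = {4, 8, 0x30, 6, (byte) 0x80, 4, 1, 2, 3, 4};   // equals new-ca's SKID
        byte[] akidNone = {4, 8, 0x30, 6, (byte) 0x80, 4, 9, 9, 9, 9};  // equals no SKID
        System.out.println(candidates("CN=Example CA", akidNew, trusted));
        System.out.println(candidates("CN=Example CA", akidNone, trusted));
        System.out.println(candidates("CN=Example CA", null, trusted)); // cert without AKID
    }
}
```

The second call is the case raised in the review: the cert carries an AKID, every same-subject anchor carries a SKID, and none match, so the selection falls back to subject-only candidates and leaves rejection to the later validation steps.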



More information about the security-dev mailing list