Code Review Request, JDK-8166103 Allow certs with unknown critical extension in SunX509 validator
Xuelei Fan
xuelei.fan at oracle.com
Fri Nov 11 05:11:06 UTC 2016
Hi,
Please review this bug fix:
http://cr.openjdk.java.net/~xuelei/8166103/webrev.00/
The current validator implementations only allow white listed critical
certificate extensions, and not all JDK supported extensions are known
to the validator. This may result in some issues that the cert is valid,
but cannot pass the validation because there is a critical extension
that is not white listed in the validator implementation.
This fix will only check the validity of the white listed critical
certificate extensions, and ignore the critical certificate extensions
if they can be parsed with X509Certificate.
Thanks,
Xuelei
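
The behaviour change described in the message above, as an added Java sketch that is not taken from the webrev or the JDK sources. The class name, the two-entry allow-list, the placeholder OID and the stub certificates are assumptions, as is the use of `hasUnsupportedCriticalExtension()` to stand in for "can be parsed with X509Certificate".

```java
import java.security.cert.X509Extension;
import java.util.HashSet;
import java.util.Set;

public class CriticalExtensionPolicy {
    // Hypothetical allow-list for this sketch (keyUsage, basicConstraints); not the JDK's real list.
    static final Set<String> CHECKED = Set.of("2.5.29.15", "2.5.29.19");

    // Critical extension OIDs for which the validator has no dedicated check.
    static Set<String> unchecked(X509Extension cert) {
        Set<String> rest = new HashSet<>();
        Set<String> critical = cert.getCriticalExtensionOIDs(); // null if the cert has no extensions
        if (critical != null) rest.addAll(critical);
        rest.removeAll(CHECKED);
        return rest;
    }

    // Behaviour before the fix: any critical extension off the allow-list fails validation.
    static boolean acceptBefore(X509Extension cert) {
        return unchecked(cert).isEmpty();
    }

    // Behaviour after the fix (assumed mapping): off-list critical extensions are ignored
    // when the certificate class parsed them; allow-listed ones are still validated elsewhere.
    static boolean acceptAfter(X509Extension cert) {
        return !cert.hasUnsupportedCriticalExtension();
    }

    // Constructed stand-in for a parsed certificate; no real certificate is loaded.
    static X509Extension stub(Set<String> critical, boolean unsupported) {
        return new X509Extension() {
            public boolean hasUnsupportedCriticalExtension() { return unsupported; }
            public Set<String> getCriticalExtensionOIDs() { return critical; }
            public Set<String> getNonCriticalExtensionOIDs() { return Set.of(); }
            public byte[] getExtensionValue(String oid) { return null; }
        };
    }

    public static void main(String[] args) {
        String extra = "1.3.6.1.4.1.99999.1"; // constructed placeholder OID
        X509Extension parsed = stub(Set.of("2.5.29.15", extra), false);
        X509Extension unparsed = stub(Set.of("2.5.29.15", extra), true);
        System.out.println("off-list critical: " + unchecked(parsed));
        System.out.println("parsed   before=" + acceptBefore(parsed) + " after=" + acceptAfter(parsed));
        System.out.println("unparsed before=" + acceptBefore(unparsed) + " after=" + acceptAfter(unparsed));
    }
}
```

Under the relaxed rule a critical extension that parses but has no dedicated check is accepted without being enforced, so the set of extensions the certificate class can parse becomes the effective acceptance boundary.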