RFR 8165274: SHA1 certpath constraint check fails with OCSP certificate
Anthony Scarpino
anthony.scarpino at oracle.com
Thu Oct 13 05:29:21 UTC 2016
On 10/12/2016 01:41 PM, Sean Mullan wrote:
> On 10/12/2016 04:06 PM, Anthony Scarpino wrote:
>> Later in the verify(), AlgorithmChecker needs a TrustAnchor object. In
>> this case, because it's the old method that deploy is using, I have to
>> manufacture a TrustAnchor until they can use the new method with the
>> real TrustAnchor. Either way, if I pass null for the trust anchor,
>> IssuerInfo will need to create a TrustAnchor from the same data. Do you
>> want me to add a comment what the TrustAnchor object is?
>
> So, I think what you should do is skip the constraints check if it
> contains the jdkCA constraint and the trust anchor is null, because you
> need the trust anchor in order to do the check. I would also log a
> warning with a debug message in this case.
>
> --Sean
>
I believe this is what you're looking for. I changed AlgorithmChecker
to allow a null TrustAnchor and undid much of the other code to protect
against nulls.
webrev: http://cr.openjdk.java.net/~ascarpino/8165274/webrev.03/
Tony
More information about the security-dev
mailing list