RFR 8215776: Keytool importkeystore may mix up certificate chain entries when DNs conflict

Weijun Wang weijun.wang at oracle.com
Thu Jan 17 03:41:38 UTC 2019


I'll take a look. I thought java.security.cert.X509CertSelector was used by CertPath validators and builders internally and never thought it could be called directly.

Thanks,
Max

> On Jan 17, 2019, at 1:49 AM, Xuelei Fan <xuelei.fan at oracle.com> wrote:
> 
> Hi Max,
> 
> I did not look into the detailed implementation of findIssuer() yet. Have you considered using java.security.cert.X509CertSelector?
> 
> Thanks,
> Xuelei
> 
> On 1/9/2019 6:59 AM, Weijun Wang wrote:
>> Please review
>>   https://cr.openjdk.java.net/~weijun/8215776/webrev.00/
>> PKCS12KeyStore now can find certificate issuers more precisely using SubjectKeyIdentifier and AuthorityKeyIdentifier. I thought about using CertPath builder or checking signatures but those changes are too much.
>> Thanks,
>> Max
