RFR 8215776: Keytool importkeystore may mix up certificate chain entries when DNs conflict

Xuelei Fan xuelei.fan at oracle.com
Mon Jan 21 17:39:55 UTC 2019


 > but it seems it cannot deal with the case where a cert has the 
correct subject but no SKID extension. Or do you think this should never 
happen?

It could happen, especially for self-signed cert.  See also, the 
sun.security.provider.certpath.ForwardBuilder#PKIXCertComparator.

Xuelei

On 1/21/2019 2:05 AM, Weijun Wang wrote:
> I tried something like this:
>
> private X509Certificate findIssuer(X509Certificate input) {
>
>      X509CertSelector selector =new X509CertSelector(); selector.setSubject(input.getIssuerX500Principal()); byte[]issuerIdExtension =input.getExtensionValue("2.5.29.35"); if (issuerIdExtension !=null) {
>          try {
>              byte[]issuerId =new AuthorityKeyIdentifierExtension(
>                          false, new DerValue(issuerIdExtension).getOctetString())
>                      .getEncodedKeyIdentifier(); selector.setSubjectKeyIdentifier(issuerId); }catch (IOException e) {
>              // ignored. issuerId is still null }
>      }
>
>      for (X509Certificate cert :allCerts) {
>          if (selector.match(cert)) {
>              return cert; }
>      }
>      return null; }
> but it seems it cannot deal with the case where a cert has the correct 
> subject but no SKID extension. Or do you think this should never happen?
>
> Thanks
> Max
>
>> On Jan 17, 2019, at 11:41 AM, Weijun Wang <weijun.wang at oracle.com 
>> <mailto:weijun.wang at oracle.com>> wrote:
>>
>> I'll take a look. I thought java.security.cert.X509CertSelector is 
>> used by CertPath validators and builders internally and never thought 
>> it can be called directly.
>>
>> Thanks,
>> Max
>>
>>> On Jan 17, 2019, at 1:49 AM, Xuelei Fan <xuelei.fan at oracle.com 
>>> <mailto:xuelei.fan at oracle.com>> wrote:
>>>
>>> Hi Max,
>>>
>>> I did not look into the detailed implementation of findIssuer() yet. 
>>> Have you considered to use java.security.cert.X509CertSelector?
>>>
>>> Thanks,
>>> Xuelei
>>>
>>> On 1/9/2019 6:59 AM, Weijun Wang wrote:
>>>> Please take a review at
>>>> https://cr.openjdk.java.net/~weijun/8215776/webrev.00/
>>>> PKCS12KeyStore now can find certificate issuers more precisely 
>>>> using SubjectKeyIdentifier and AuthorityKeyIdentifier. I thought 
>>>> about using CertPath builder or checking signatures but those 
>>>> changes are too much.
>>>> Thanks,
>>>> Max
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.java.net/pipermail/security-dev/attachments/20190121/d385e165/attachment-0001.html>


More information about the security-dev mailing list