RFR 8215776: Keytool importkeystore may mix up certificate chain entries when DNs conflict

Weijun Wang weijun.wang at oracle.com
Tue Jan 22 00:38:58 UTC 2019


So what do you think of my original webrev? It only compares KID and subject/issuer, not caring about other extensions (like BC).

Thanks,
Max

> On Jan 22, 2019, at 1:39 AM, Xuelei Fan <xuelei.fan at oracle.com> wrote:
> 
> > but it seems it cannot deal with the case where a cert has the correct subject but no SKID extension. Or do you think this should never happen?
> It could happen, especially for a self-signed cert.  See also sun.security.provider.certpath.ForwardBuilder#PKIXCertComparator.
> Xuelei
> On 1/21/2019 2:05 AM, Weijun Wang wrote:
>> 
>> but it seems it cannot deal with the case where a cert has the correct subject but no SKID extension. Or do you think this should never happen?
>> 
>> Thanks
>> Max
>> 
>>> On Jan 17, 2019, at 11:41 AM, Weijun Wang <weijun.wang at oracle.com> wrote:
>>> 
>>> I'll take a look. I thought java.security.cert.X509CertSelector is used by CertPath validators and builders internally and never thought it can be called directly.
>>> 
>>> Thanks,
>>> Max
>>> 
>>>> On Jan 17, 2019, at 1:49 AM, Xuelei Fan <xuelei.fan at oracle.com> wrote:
>>>> 
>>>> Hi Max,
>>>> 
>>>> I did not look into the detailed implementation of findIssuer() yet. Have you considered using java.security.cert.X509CertSelector?
>>>> 
>>>> Thanks,
>>>> Xuelei
>>>> 
>>>> On 1/9/2019 6:59 AM, Weijun Wang wrote:
>>>>> Please take a review at
>>>>>  https://cr.openjdk.java.net/~weijun/8215776/webrev.00/
>>>>> PKCS12KeyStore can now find certificate issuers more precisely using SubjectKeyIdentifier and AuthorityKeyIdentifier. I thought about using a CertPath builder or checking signatures, but those changes are too much.
>>>>> Thanks,
>>>>> Max
>>> 
>> 
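The issuer lookup the thread is discussing, written out as an added example (this is not the webrev's code and not part of the original thread). It uses java.security.cert.X509CertSelector as Xuelei suggested, matching a candidate issuer on subject DN plus key identifier, and then handles the case Max raised: an issuer with the right subject but no SubjectKeyIdentifier extension, which X509CertSelector's key-identifier criterion would otherwise reject. The class name IssuerMatcher, the method names and the hand-rolled DER helpers are assumptions made for the example; the OIDs 2.5.29.14 (SKID) and 2.5.29.35 (AKID) are the standard ones. The selector expects the key identifier as a DER OCTET STRING, so the raw AKID keyIdentifier bytes are re-wrapped before being handed to it.

```java
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
import java.util.Optional;

// Example class (not from the webrev): finds a certificate's issuer among candidate
// certificates by subject DN and, where both sides carry key identifiers, by AKID == SKID.
public final class IssuerMatcher {
    private static final String OID_SKID = "2.5.29.14";
    private static final String OID_AKID = "2.5.29.35";

    public static Optional<X509Certificate> findIssuer(X509Certificate cert,
                                                       List<X509Certificate> candidates) {
        byte[] akid = authorityKeyId(cert);

        // Pass 1: subject must equal cert's issuer; if cert has an AKID keyIdentifier,
        // the candidate's SKID must equal it byte for byte.
        X509CertSelector strict = new X509CertSelector();
        strict.setSubject(cert.getIssuerX500Principal());
        if (akid != null) {
            strict.setSubjectKeyIdentifier(derOctetString(akid)); // selector wants the DER OCTET STRING
        }
        for (X509Certificate c : candidates) {
            if (strict.match(c)) return Optional.of(c);
        }
        if (akid == null) return Optional.empty(); // pass 1 was already subject-only

        // Pass 2: the issuer may carry no SKID extension at all (seen with self-signed
        // roots). Accept a subject-only match for such candidates, but never for a
        // candidate whose SKID is present and simply differs.
        X509CertSelector bySubject = new X509CertSelector();
        bySubject.setSubject(cert.getIssuerX500Principal());
        for (X509Certificate c : candidates) {
            if (c.getExtensionValue(OID_SKID) == null && bySubject.match(c)) return Optional.of(c);
        }
        return Optional.empty();
    }

    // Returns the keyIdentifier field of cert's AuthorityKeyIdentifier extension, or null
    // when the extension is absent or uses only the issuer/serial form.
    static byte[] authorityKeyId(X509Certificate cert) {
        byte[] ext = cert.getExtensionValue(OID_AKID);
        if (ext == null) return null;
        byte[] seq = unwrap(ext, 0x04);   // extnValue OCTET STRING
        byte[] body = unwrap(seq, 0x30);  // AuthorityKeyIdentifier SEQUENCE
        // keyIdentifier is [0] IMPLICIT OCTET STRING (primitive tag 0x80) and, when present, comes first.
        if (body.length == 0 || (body[0] & 0xFF) != 0x80) return null;
        return unwrap(body, 0x80);
    }

    // Strips one DER TLV with the expected tag and returns its content bytes
    // (short- and long-form lengths); rejects anything that does not fit the buffer.
    static byte[] unwrap(byte[] tlv, int expectedTag) {
        if (tlv.length < 2 || (tlv[0] & 0xFF) != expectedTag) {
            throw new IllegalArgumentException("unexpected DER tag");
        }
        int len = tlv[1] & 0xFF, off = 2;
        if (len >= 0x80) {
            int n = len & 0x7F;
            if (n == 0 || n > 4 || off + n > tlv.length) throw new IllegalArgumentException("bad DER length");
            len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (tlv[off++] & 0xFF);
        }
        if (len < 0 || off + len > tlv.length) throw new IllegalArgumentException("DER length exceeds buffer");
        return Arrays.copyOfRange(tlv, off, off + len);
    }

    // Wraps raw bytes as a DER OCTET STRING. Key identifiers are short (typically 20 bytes),
    // so short-form length is enough; anything longer is refused rather than mis-encoded.
    static byte[] derOctetString(byte[] content) {
        if (content.length >= 0x80) throw new IllegalArgumentException("key id too long for short-form DER");
        byte[] out = new byte[content.length + 2];
        out[0] = 0x04;
        out[1] = (byte) content.length;
        System.arraycopy(content, 0, out, 2, content.length);
        return out;
    }
}
```

The two-pass shape is the point: the strict pass resolves the conflicting-DN case the bug report is about, because two candidates with the same subject but different keys also carry different SKIDs, while the second pass only relaxes the key-identifier check for candidates that have no SKID to compare, so a wrong-key candidate that does carry an SKID is never picked up.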
More information about the security-dev mailing list