RFR 8215776: Keytool importkeystore may mix up certificate chain entries when DNs conflict
Xuelei Fan
xuelei.fan at oracle.com
Tue Jan 22 02:33:01 UTC 2019
On 1/21/2019 4:38 PM, Weijun Wang wrote:
> So what do you think of my original webrev? It only compares KID and subject/issuer, not caring about other extensions (like BC).
The original webrev looks right to me except that I'm not sure if a new
AuthorityKeyIdentifierExtension was needed. Is it sufficient to use the
octet string of the DER value?
It may need two selectors to use the X509CertSelector, for issuers w/o
AKID. I will leave it to you for the final decision.
Xuelei
> Thanks,
> Max
>
>> On Jan 22, 2019, at 1:39 AM, Xuelei Fan <xuelei.fan at oracle.com> wrote:
>>
>>> but it seems it cannot deal with the case where a cert has the correct subject but no SKID extension. Or do you think this should never happen?
>> It could happen, especially for self-signed cert. See also, the sun.security.provider.certpath.ForwardBuilder#PKIXCertComparator.
>> Xuelei
>> On 1/21/2019 2:05 AM, Weijun Wang wrote:
>>> ;
>>>
>>> but it seems it cannot deal with the case where a cert has the correct subject but no SKID extension. Or do you think this should never happen?
>>>
>>> Thanks
>>> Max
>>>
>>>> On Jan 17, 2019, at 11:41 AM, Weijun Wang <weijun.wang at oracle.com> wrote:
>>>>
>>>> I'll take a look. I thought java.security.cert.X509CertSelector is used by CertPath validators and builders internally and never thought it can be called directly.
>>>>
>>>> Thanks,
>>>> Max
>>>>
>>>>> On Jan 17, 2019, at 1:49 AM, Xuelei Fan <xuelei.fan at oracle.com> wrote:
>>>>>
>>>>> Hi Max,
>>>>>
>>>>> I did not look into the detailed implementation of findIssuer() yet. Have you considered to use java.security.cert.X509CertSelector?
>>>>>
>>>>> Thanks,
>>>>> Xuelei
>>>>>
>>>>> On 1/9/2019 6:59 AM, Weijun Wang wrote:
>>>>>> Please take a review at
>>>>>> https://cr.openjdk.java.net/~weijun/8215776/webrev.00/
>>>>>> PKCS12KeyStore now can find certificate issuers more precisely using SubjectKeyIdentifier and AuthorityKeyIdentifier. I thought about using CertPath builder or checking signatures but those changes are too much.
>>>>>> Thanks,
>>>>>> Max
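The issuer lookup debated in this thread, as an added example that is not part of the thread or of the JDK webrev. It is written in Go rather than Java so that the conflicting-DN scenario can be constructed inline without a keystore file: two CAs that share one subject DN but hold different keys, a leaf signed by the second, a DN-only lookup (the behaviour the bug report describes) beside a DN plus AKID/SKID lookup, and the fallback for an issuer that has no SKID, which the thread notes is common for self-signed certificates. Every certificate, name and serial number is constructed for the example; the signature check at the end is an extra step of this example, not something the thread settles on.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// FindIssuerByDN is the lookup the bug report describes: the first candidate
// whose subject DN equals cert's issuer DN wins, whichever key it holds.
func FindIssuerByDN(cert *x509.Certificate, candidates []*x509.Certificate) *x509.Certificate {
	for _, c := range candidates {
		if bytes.Equal(c.RawSubject, cert.RawIssuer) {
			return c
		}
	}
	return nil
}

// FindIssuer adds the key-identifier comparison from the thread: a candidate
// qualifies when its subject DN equals cert's issuer DN and, if cert carries an
// AKID key identifier and the candidate an SKID, the two agree. A candidate
// without an SKID is not rejected on that ground alone; the signature check,
// an addition of this example, then decides.
func FindIssuer(cert *x509.Certificate, candidates []*x509.Certificate) *x509.Certificate {
	for _, c := range candidates {
		if !bytes.Equal(c.RawSubject, cert.RawIssuer) {
			continue
		}
		if len(cert.AuthorityKeyId) > 0 && len(c.SubjectKeyId) > 0 &&
			!bytes.Equal(cert.AuthorityKeyId, c.SubjectKeyId) {
			continue // same DN, different key: a different CA
		}
		if err := cert.CheckSignatureFrom(c); err != nil {
			continue
		}
		return c
	}
	return nil
}

// newCA builds a self-signed CA; Go generates the SKID for CA templates itself.
func newCA(cn string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Scenario holds the constructed certificates: CAA and CAB share a DN, Leaf is
// signed by CAB (so its AKID equals CAB's SKID).
type Scenario struct {
	Leaf, CAA, CAB *x509.Certificate
}

// BuildScenario constructs the conflicting-DN situation from the bug report.
func BuildScenario() (*Scenario, error) {
	caA, _, err := newCA("Example CA", 1)
	if err != nil {
		return nil, err
	}
	caB, keyB, err := newCA("Example CA", 2) // same DN, different key pair
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "leaf.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caB, &leafKey.PublicKey, keyB)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Scenario{Leaf: leaf, CAA: caA, CAB: caB}, nil
}

func main() {
	s, err := BuildScenario()
	if err != nil {
		panic(err)
	}
	cands := []*x509.Certificate{s.CAA, s.CAB} // the wrong CA is listed first
	fmt.Printf("DN-only lookup picks serial %v\n", FindIssuerByDN(s.Leaf, cands).SerialNumber)
	fmt.Printf("DN+AKID/SKID lookup picks serial %v\n", FindIssuer(s.Leaf, cands).SerialNumber)
	// Fallback: simulate a real issuer without SKID by clearing the parsed field.
	noSKID := *s.CAB
	noSKID.SubjectKeyId = nil
	fmt.Printf("issuer without SKID still found: serial %v\n",
		FindIssuer(s.Leaf, []*x509.Certificate{s.CAA, &noSKID}).SerialNumber)
}
```

With the candidates listed in the order above, the DN-only lookup returns the CA with serial 1, which never signed the leaf, while the AKID/SKID lookup returns serial 2; clearing the SKID on the real issuer shows the fallback path that the thread worries about.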