RFR JDK-8206925, Support the certificate_authorities extension

Sean Mullan sean.mullan at oracle.com
Fri May 22 18:17:04 UTC 2020


On 5/22/20 1:55 PM, Xuelei Fan wrote:
>> * test/jdk/sun/security/ssl/X509TrustManagerImpl/TooMuchCAs.java
>>
>> Will this test FAIL if we ever exceed the maximum number of CAs? I 
>> think it is important that it does FAIL, as the extension is 
>> effectively not working anymore and could cause compatibility issues. 
>> I even think we would need to try to think of some way to fix it, 
>> either by seeing if some CAs could be excluded - not really sure, 
>> hopefully it won't ever happen but we would want to know about it in 
>> advance.
>>
> Alexey (from Azul) and I discussed the idea to control the number of 
> CAs.  However, there are still some issues in practice.
> 
> "If the certificate authorities cannot be fully listed, it cannot be 
> used to indicate the peer certificate selection accuracy.  For example, 
> the client supports A, B and C, and is only able to indicate A and B.  If the 
> server supports C, the connection cannot be established with this 
> extension. This is not the expected behavior.  Maybe it is no worse 
> than without this extension."
> 
> It looks safer for the extension not to be used if the size exceeds 
> the limit; at least there ARE fewer compatibility issues.  I have a note 
> in the CSR and release note for the behaviors.
> 
> The test case, TooMuchCAs, is used to make sure the connection can be 
> established when the CAs size exceeds the limit (no extension used).

Sure, I agree that is the best behavior. I guess my point is that if we 
ever really exceed the maximum number of CAs in the cacerts keystore, it 
would be good to have a test that will fail because of that. Minimally, 
this would allow us to publish a release note warning users that the CA 
extension will no longer work unless some roots are removed.

Would the other test fail 
(test/jdk/sun/security/ssl/X509KeyManager/CertificateAuthorities.java) 
if that happens?

--Sean
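
The kind of early-warning check discussed above, as an added example that is not part of this thread, the JDK test suite, or the patch under review. It assumes the limit is the RFC 8446 wire format (extension_data of at most 2^16-1 bytes, each DistinguishedName carrying a 2-byte length); the JDK's internal threshold may differ, and the class name and 80% warning ratio are hypothetical.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example: reports how close the default trust anchors are to the
// certificate_authorities wire-format limit. Hypothetical class name.
public class CertificateAuthoritiesHeadroom {
    // Assumption (RFC 8446): extension_data holds at most 2^16-1 bytes,
    // consisting of a 2-byte vector length followed by the authorities.
    static final int MAX_EXTENSION_DATA = 0xFFFF;
    static final int VECTOR_LENGTH_PREFIX = 2;
    // Hypothetical warning threshold chosen for this example.
    static final double WARN_RATIO = 0.80;

    // Size of the extension body for the given issuers: each entry is a
    // 2-byte length plus the DER-encoded subject distinguished name.
    static int encodedSize(X509Certificate[] issuers) {
        int size = VECTOR_LENGTH_PREFIX;
        for (X509Certificate issuer : issuers) {
            size += 2 + issuer.getSubjectX500Principal().getEncoded().length;
        }
        return size;
    }

    static X509Certificate[] defaultAcceptedIssuers() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return ((X509TrustManager) tm).getAcceptedIssuers();
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    public static void main(String[] args) throws Exception {
        X509Certificate[] issuers = defaultAcceptedIssuers();
        int size = encodedSize(issuers);
        System.out.printf("%d issuers, %d of %d bytes used%n",
                issuers.length, size, MAX_EXTENSION_DATA);
        if (size > MAX_EXTENSION_DATA) {
            throw new AssertionError("trust anchors no longer fit in the extension");
        }
        if (size > MAX_EXTENSION_DATA * WARN_RATIO) {
            System.out.println("WARNING: less than 20% headroom left");
        }
    }
}
```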




