RFR JDK-8206925, Support the certificate_authorities extension

Sean Mullan sean.mullan at oracle.com
Wed May 27 15:24:02 UTC 2020


On 5/22/20 6:38 PM, Xuelei Fan wrote:
> On 5/22/2020 11:17 AM, Sean Mullan wrote:
>> On 5/22/20 1:55 PM, Xuelei Fan wrote:
>>>> * test/jdk/sun/security/ssl/X509TrustManagerImpl/TooMuchCAs.java
>>>>
>>>> Will this test FAIL if we ever exceed the maximum number of CAs? I 
>>>> think it is important that it does FAIL, as the extension is 
>>>> effectively not working anymore and could cause compatibility 
>>>> issues. I even think we would need to try to think of some way to 
>>>> fix it, either by seeing if some CAs could be excluded - not really 
>>>> sure, hopefully it won't ever happen but we would want to know about 
>>>> it in advance.
>>>>
>>> Alexey (from Azul) and I discussed the idea to control the number of 
>>> CAs.  However, there are still some issues in practice.
>>>
>>> "If the certificate authorities cannot be fully listed, it cannot be 
>>> used to indicate the peer certificate selection accuracy.  For 
>>> example, the client supports A, B and C, and is only able to indicate A 
>>> and B.  If the server supports C, the connection cannot be 
>>> established with this extension. This is not the expected behavior.  
>>> Maybe, it is no worse than without this extension."
>>>
>>> It looks safer that the extension is not used if the size exceeds 
>>> the limit, at least there ARE fewer compatibility issues.  I have a 
>>> note in the CSR and release note for the behaviors.
>>>
>>> The test case, TooMuchCAs, is used to make sure the connection can be 
>>> established when the CAs size exceeds the limit (no extension used).
>>
>> Sure, I agree that is the best behavior. I guess my point is that if 
>> we ever really exceed the maximum number of CAs in the cacerts 
>> keystore, it would be good to have a test that will fail because of 
>> that. Minimally, this would allow us to publish a release note warning 
>> users that the CA extension will no longer work unless some roots are 
>> removed.
>>
> Good point.  It is useful to have a test case to check the size limit of 
> the cacert keystore.  A new test case, CacertsLimit.java, is added.  The 
> same webrev URL is used:
>     http://cr.openjdk.java.net/~xuelei/8206925/webrev.05/

   71                         "certificate_authorities extension can be used " +

typo: s/can/cannot/

Looks good otherwise.

--Sean
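
The all-or-nothing size check discussed in this thread, as an added example (not code from the webrev or the JDK tests). It assumes the limit is the `authorities<3..2^16-1>` vector bound from RFC 8446 section 4.2.4 and uses constructed CA names; the class and method names are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;
import javax.security.auth.x500.X500Principal;

public class CaListSizeCheck {
    // Assumption: RFC 8446 section 4.2.4 bound, authorities<3..2^16-1>.
    static final int MAX_AUTHORITIES_BYTES = 0xFFFF;

    // Each DistinguishedName is sent as a 2-byte length followed by its DER bytes.
    static int encodedSize(List<X500Principal> cas) {
        int size = 0;
        for (X500Principal ca : cas) {
            size += 2 + ca.getEncoded().length;
        }
        return size;
    }

    // All or nothing: a truncated list would tell the peer that the
    // omitted CAs are not trusted, so an oversized list means no extension.
    static boolean extensionUsable(List<X500Principal> cas) {
        int size = encodedSize(cas);
        return size >= 3 && size <= MAX_AUTHORITIES_BYTES;
    }

    // Constructed sample names, not real CAs.
    static List<X500Principal> constructed(int n) {
        List<X500Principal> cas = new ArrayList<>();
        for (int i = 0; i < n; i++) {
            cas.add(new X500Principal("CN=Constructed Test CA " + i + ", O=Example"));
        }
        return cas;
    }

    public static void main(String[] args) {
        // A small list fits; a very large one does not and is dropped whole.
        for (int n : new int[] {3, 3000}) {
            List<X500Principal> cas = constructed(n);
            System.out.println(n + " CAs, " + encodedSize(cas)
                    + " bytes, extension usable: " + extensionUsable(cas));
        }
    }
}
```

To run the same check against a real trust store, build the list from `X509Certificate.getSubjectX500Principal()` for each trusted certificate instead of `constructed(n)`.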