RFR: 8277246: No need to check about KeyUsage when validating a TSA certificate
Xue-Lei Andrew Fan
xuelei at openjdk.java.net
Tue Nov 16 19:49:37 UTC 2021
On Tue, 16 Nov 2021 19:36:11 GMT, Weijun Wang <weijun at openjdk.org> wrote:
> There is no need to check for the KeyUsage extension when validating a TSA certificate.
>
> A test is modified where a TSA cert has a KeyUsage but without the DigitalSignature bit.
src/java.base/share/classes/sun/security/validator/EndEntityChecker.java line 364:
> 362: ValidatorException.T_EE_EXTENSIONS, cert);
> 363: }
> 364:
Could you add a comment here just in case someone else adding the checking back? Otherwise, looks nice to me.
-------------
PR: https://git.openjdk.java.net/jdk/pull/6416
More information about the security-dev
mailing list