X509TrustManager check in SSLContextImpl
Sebu Koleth
sebukoleth at gmail.com
Wed Oct 6 03:53:52 UTC 2021
Apologies if this is the wrong mailing list for this question, and if yes,
please point to the right one.
In sun.security.ssl.SSLContextImpl we have the following method:
    private X509TrustManager chooseTrustManager(TrustManager[] tm)
            throws KeyManagementException {
        // We only use the first instance of X509TrustManager passed to us.
        for (int i = 0; tm != null && i < tm.length; i++) {
            if (tm[i] instanceof X509TrustManager) {
                if (SunJSSE.isFIPS() && !(tm[i] instanceof X509TrustManagerImpl)) {
                    throw new KeyManagementException
                        ("FIPS mode: only SunJSSE TrustManagers may be used");
                }
                if (tm[i] instanceof X509ExtendedTrustManager) {
                    return (X509TrustManager)tm[i];
                } else {
                    return new AbstractTrustManagerWrapper(
                        (X509TrustManager)tm[i]);
                }
            }
        }
        // nothing found, return a dummy X509TrustManager.
        return DummyX509TrustManager.INSTANCE;
    }
In the FIPS case why is it required for the TrustManager to be an instance
of X509TrustManagerImpl? Isn't it sufficient for it to be an instance of
X509ExtendedTrustManager?
regards,
Sebu Koleth
--
The most popular software for writing fiction isn't Word. It's Excel.
408 dot 759 dot 1870
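The following is an added example, not part of the original post and not JDK code: it shows what the quoted selection logic means for an application that supplies its own X509ExtendedTrustManager. The custom class here (LoggingTrustManager, a hypothetical name) delegates every check to the provider's default trust manager obtained from TrustManagerFactory, so certificate validation is still done by SunJSSE; it only adds logging. Because it is an X509ExtendedTrustManager, chooseTrustManager() uses it directly without wrapping; because it is not SunJSSE's X509TrustManagerImpl, the quoted FIPS branch would reject it with the KeyManagementException shown above.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509TrustManager;

public final class DelegatingTrustManagerDemo {

    /**
     * Hypothetical wrapper: forwards every trust decision to the platform
     * trust manager and only records which peer certificate was checked.
     * It never accepts a chain the delegate would reject.
     */
    static final class LoggingTrustManager extends X509ExtendedTrustManager {
        private final X509ExtendedTrustManager delegate;

        LoggingTrustManager(X509ExtendedTrustManager delegate) {
            this.delegate = delegate;
        }

        private static void log(String side, X509Certificate[] chain) {
            String subject = (chain != null && chain.length > 0)
                    ? chain[0].getSubjectX500Principal().getName() : "<empty chain>";
            System.out.println("checking " + side + " certificate: " + subject);
        }

        @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            log("client", chain); delegate.checkClientTrusted(chain, authType);
        }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            log("server", chain); delegate.checkServerTrusted(chain, authType);
        }
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket)
                throws CertificateException {
            log("client", chain); delegate.checkClientTrusted(chain, authType, socket);
        }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket)
                throws CertificateException {
            log("server", chain); delegate.checkServerTrusted(chain, authType, socket);
        }
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
                throws CertificateException {
            log("client", chain); delegate.checkClientTrusted(chain, authType, engine);
        }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
                throws CertificateException {
            log("server", chain); delegate.checkServerTrusted(chain, authType, engine);
        }
        @Override public X509Certificate[] getAcceptedIssuers() {
            return delegate.getAcceptedIssuers();
        }
    }

    /** Obtains the default provider's trust manager for the default trust store (cacerts). */
    static X509ExtendedTrustManager platformTrustManager() throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509ExtendedTrustManager) {
                return (X509ExtendedTrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509ExtendedTrustManager from provider " + tmf.getProvider());
    }

    public static void main(String[] args) throws Exception {
        X509ExtendedTrustManager platform = platformTrustManager();
        // With SunJSSE this prints sun.security.ssl.X509TrustManagerImpl, the class the FIPS check requires.
        System.out.println("platform trust manager: " + platform.getClass().getName());

        SSLContext ctx = SSLContext.getInstance("TLS");
        // chooseTrustManager() picks the first X509TrustManager in this array. The wrapper is an
        // X509ExtendedTrustManager, so it is used as-is; in FIPS mode the quoted check would throw
        // KeyManagementException here because the wrapper is not an X509TrustManagerImpl.
        ctx.init(null, new TrustManager[] { new LoggingTrustManager(platform) }, null);
        System.out.println("initialised " + ctx.getProtocol() + " context with delegating trust manager");
    }
}
```

Compile and run with `javac DelegatingTrustManagerDemo.java && java DelegatingTrustManagerDemo` on a non-FIPS JDK; the same program run against a FIPS-configured SunJSSE is expected to fail at `ctx.init(...)` with the message quoted in the post. Delegating to the provider's trust manager rather than reimplementing chain validation is the pattern to keep even outside FIPS mode, since a hand-written checkServerTrusted that returns without validating silently disables server authentication.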