RFR 8165274: SHA1 certpath constraint check fails with OCSP certificate

Sean Mullan sean.mullan at oracle.com
Wed Oct 12 14:55:33 UTC 2016

* AlgorithmChecker

Not sure why these changes are necessary or why the check method has 
been made non-static. Isn't the previous code sufficient?


129             responderURI, new OCSPResponse.IssuerInfo(null, 
issuerCert), null,

Passing null to OCSPResponse.IssuerInfo will throw an NPE. (but see 
comment below)

* OCSPResponse

For IssuerInfo, you don't always have/know the TrustAnchor, so shouldn't 
it be optional?

1061                 return anchor;

should be indented 4 spaces


On 10/10/2016 02:53 PM, Anthony Scarpino wrote:
> Hi,
> I need a review of a fix to JEP 288 were certpath algorithm checking
> wasn't checking OCSP certs against the jdkCA keyword.
> http://cr.openjdk.java.net/~ascarpino/8165274/webrev/
> thanks
> Tony

More information about the security-dev mailing list