RFR 8165274: SHA1 certpath constraint check fails with OCSP certificate

Anthony Scarpino anthony.scarpino at oracle.com
Thu Oct 13 05:29:21 UTC 2016

On 10/12/2016 01:41 PM, Sean Mullan wrote:
> On 10/12/2016 04:06 PM, Anthony Scarpino wrote:
>> Later in the verify(), AlgorithmChecker needs a TrustAnchor object.  In
>> this case, because it's the old method that deploy is using, I have to
>> manufacture a TrustAnchor until they can use the new method with the
>> real TrustAnchor.  Either way, if I pass null for the trust anchor,
>> IssuerInfo will need to create a TrustAnchor from the same data.  Do you
>> want me to add a comment what the TrustAnchor object is?
> So, I think what you should do is skip the constraints check if it
> contains the jdkCA constraint and the trust anchor is null, because you
> need the trust anchor in order to do the check. I would also log a
> warning with a debug message in this case.
> --Sean

I believe this is what you're looking for.  I changed AlgorithmChecker 
to allow a null TrustAnchor and undid much of the other code to protect 
against nulls.

webrev: http://cr.openjdk.java.net/~ascarpino/8165274/webrev.03/


More information about the security-dev mailing list