RFR 8165274: SHA1 certpath constraint check fails with OCSP certificate

Sean Mullan sean.mullan at oracle.com
Thu Oct 13 15:27:39 UTC 2016

On 10/13/2016 01:29 AM, Anthony Scarpino wrote:
> On 10/12/2016 01:41 PM, Sean Mullan wrote:
>> On 10/12/2016 04:06 PM, Anthony Scarpino wrote:
>>> Later in the verify(), AlgorithmChecker needs a TrustAnchor object.  In
>>> this case, because it's the old method that deploy is using, I have to
>>> manufacture a TrustAnchor until they can use the new method with the
>>> real TrustAnchor.  Either way, if I pass null for the trust anchor,
>>> IssuerInfo will need to create a TrustAnchor from the same data.  Do you
>>> want me to add a comment what the TrustAnchor object is?
>> So, I think what you should do is skip the constraints check if it
>> contains the jdkCA constraint and the trust anchor is null, because you
>> need the trust anchor in order to do the check. I would also log a
>> warning with a debug message in this case.
>> --Sean
> I believe this is what you're looking for.  I changed AlgorithmChecker
> to allow a null TrustAnchor and undid much of the other code to protect
> against nulls.
> webrev: http://cr.openjdk.java.net/~ascarpino/8165274/webrev.03/

Right, that's more along the lines I was thinking.


More information about the security-dev mailing list