Thanks for the review.
I have though all certificate should adopt the PKCS#1, i.e, using the
algorithm OID, 1.2.840.113549.1.1.1. But I did find a certificate just a
few minutes ago that still use the OID, 2.5.8.1.1. Windows and Firefox
recognized the certificate.
With the fix, the certificate could be validated. Otherwise, thrown a
exception "java.security.InvalidKeyException: Not an RSA key: 2.5.8.1.1".
But by now, we did not get complains on the above exception, it is
really really a very rare use case.
Thanks,
Xuelei
Sean Mullan wrote:
The fix looks fine to me.
--Sean
Xuelei Fan wrote:
Hi,
The RSA OID from sun.security.x509.AlgorithmId is 1.2.5.8.1.1.
However no such OID seems to exist. The correct one should be 2.5.8.1.1.
ITU-T X.509 defined RSA encryption algorithm as:
id-ea-rsa = {joint-iso-itu-t(2) ds(5) algorithm(8)
encryptionAlgorithm(1) rsa(1)}
rsa ALGORITHM ::= {
KeySize
IDENTIFIED BY id-ea-rsa
}
However, the industry does not use the above specification, a serial
of definitions of PKCS#1 are adopted instead (the PKIX WG of IETF
adopts the PKCS#1 definitions). I think that is also why we did not
get issue report on parsing a certificate with such a OID. BTW there
is a defect report to deprecate the above definition. [1]
Anyway, I think we need to correct "1.2.5.8.1.1" to "2.5.8.1.1" even
no practical certificate issues reported by now.
Webrev: http://cr.openjdk.java.net/~xuelei/6570344/webrev.00/
Bug description: http://cr.openjdk.java.net/~xuelei/6570344/webrev.00/
[1]:
http://www.oid-info.com/cgi-bin/display?oid=2.5.8.1.1&submit=Display&action=display
Thanks,
Xuelei
