On 1/14/2011 12:05 AM, Sean Mullan wrote:
> On 1/13/11 6:38 AM, Xuelei Fan wrote:
>> Hi Sean,
>>
>> Would you please review the fix for CR 7011497?
>>
>> http://cr.openjdk.java.net/~xuelei/7011497/webrev/
>>
>> Thanks,
>> Xuelei
>
> CPValidatorEndEntity.java:
>
> 307 /* coment out useless trust anchor
> 308 is = new ByteArrayInputStream(trustAnchor_SHA1withRSA_512.getBytes());
> 309 cert = cf.generateCertificate(is);
> 310 anchor = new TrustAnchor((X509Certificate)cert, null);
> 311 anchors.add(anchor);
> 312 */
>
> Why do you leave this code in with this comment?
>

If I have this block, the cert path validation cannot find the proper trust anchor, as there are two trusted certificates that are almost the same except for the key size (one key size is 1024, the other is 512).

In cert path validation, once a trust anchor is found, if the signature is not valid, I think no more effort is made to test more trust anchors. I was wondering whether it is worth trying more trust anchors. It's expensive!

Thanks for the review.

Xuelei

> Otherwise, looks good.
>
> --Sean
