We don't check the SKID and AKID when searching for the trust anchor. I have filed a new CR for the issue, 7012357, Improve trust anchor searching method during cert path validation.

I will keep this commented-out block in CPValidatorEndEntity.java. I will use this test case for CR 7012357.

Thanks,
Xuelei

On 1/14/2011 12:44 AM, Xuelei Fan wrote:
> I just realized, if subject KID and issuer KID work, the cert path
> validation should be able to find the proper trust anchor. I will look
> into the issue tomorrow.
>
> Xuelei
>
> On 1/14/2011 12:27 AM, Xuelei Fan wrote:
>> On 1/14/2011 12:05 AM, Sean Mullan wrote:
>>> On 1/13/11 6:38 AM, Xuelei Fan wrote:
>>>> Hi Sean,
>>>>
>>>> Would you please review the fix for CR 7011497?
>>>>
>>>> http://cr.openjdk.java.net/~xuelei/7011497/webrev/
>>>>
>>>> Thanks,
>>>> Xuelei
>>>
>>> CPValidatorEndEntity.java:
>>>
>>> 307 /* coment out useless trust anchor
>>> 308 is = new
>>> ByteArrayInputStream(trustAnchor_SHA1withRSA_512.getBytes());
>>> 309 cert = cf.generateCertificate(is);
>>> 310 anchor = new TrustAnchor((X509Certificate)cert, null);
>>> 311 anchors.add(anchor);
>>> 312 */
>>>
>>> Why do you leave this code in with this comment?
>>>
>> If I have this block, the cert path validation cannot find the proper
>> trust anchor, as there are two trusted certificates that are almost the
>> same except for the key size (one key size is 1024, the other is 512).
>>
>> In cert path validation, once a trust anchor is found, if the signature is
>> not valid, I think no more effort is made to test more trust anchors.
>>
>> I was wondering whether it is worth trying more trust anchors. It's
>> expensive!
>>
>> Thanks for the review.
>>
>> Xuelei
>>
>>> Otherwise, looks good.
>>>
>>> --Sean
>>
>
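The selection problem discussed in the thread (two anchors with the same subject name, differing only in key size, where the validator stops at the first name match) can be illustrated with the public `java.security.cert` API. The following is an added example, not the test code from the webrev and not the JDK's internal anchor search: it narrows a set of `TrustAnchor`s by issuer name, then by matching the certificate's AuthorityKeyIdentifier keyIdentifier against each anchor's SubjectKeyIdentifier, and finally tries the signature against every remaining candidate instead of only the first. The class name `TrustAnchorSelector`, the helper names, and the assumption that certificates are supplied as PEM file paths on the command line are all this example's own; the extension OIDs 2.5.29.14 (SKID) and 2.5.29.35 (AKID) are the standard ones.

```java
import java.io.ByteArrayInputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.util.*;

/** Added example: pick trust anchors by issuer name, AKID/SKID match and signature check. */
public class TrustAnchorSelector {
    private static final String SKID_OID = "2.5.29.14";
    private static final String AKID_OID = "2.5.29.35";

    /** Minimal DER TLV reader for well-formed input: returns {contentOffset, contentLength}. */
    private static int[] tlv(byte[] der, int off) {
        int lenByte = der[off + 1] & 0xff;
        if (lenByte < 0x80) {
            return new int[] { off + 2, lenByte };
        }
        int numBytes = lenByte & 0x7f;            // long form: number of length octets
        int len = 0;
        for (int i = 0; i < numBytes; i++) {
            len = (len << 8) | (der[off + 2 + i] & 0xff);
        }
        return new int[] { off + 2 + numBytes, len };
    }

    /** getExtensionValue() returns the extnValue wrapped in an OCTET STRING; strip that wrapper. */
    private static byte[] extnValue(X509Certificate c, String oid) {
        byte[] wrapped = c.getExtensionValue(oid);
        if (wrapped == null || (wrapped[0] & 0xff) != 0x04) return null;
        int[] tl = tlv(wrapped, 0);
        return Arrays.copyOfRange(wrapped, tl[0], tl[0] + tl[1]);
    }

    /** SubjectKeyIdentifier ::= OCTET STRING, so one more unwrap yields the raw key id. */
    static byte[] subjectKeyId(X509Certificate c) {
        byte[] v = extnValue(c, SKID_OID);
        if (v == null || (v[0] & 0xff) != 0x04) return null;
        int[] tl = tlv(v, 0);
        return Arrays.copyOfRange(v, tl[0], tl[0] + tl[1]);
    }

    /** AuthorityKeyIdentifier ::= SEQUENCE { keyIdentifier [0] IMPLICIT OCTET STRING OPTIONAL, ... }. */
    static byte[] authorityKeyId(X509Certificate c) {
        byte[] v = extnValue(c, AKID_OID);
        if (v == null || (v[0] & 0xff) != 0x30) return null;
        int[] seq = tlv(v, 0);
        int pos = seq[0], end = seq[0] + seq[1];
        while (pos < end) {
            int tag = v[pos] & 0xff;
            int[] tl = tlv(v, pos);
            if (tag == 0x80) {                    // context tag [0]: the keyIdentifier field
                return Arrays.copyOfRange(v, tl[0], tl[0] + tl[1]);
            }
            pos = tl[0] + tl[1];                  // skip authorityCertIssuer / serial if present
        }
        return null;
    }

    /**
     * Keep anchors whose subject is the cert's issuer. If both the cert's AKID key id and the
     * anchor's SKID are present they must match; an anchor without an SKID is not excluded, so
     * a missing extension never hides the real issuer. The signature check then decides among
     * anchors that differ only in key, which is the 512- vs 1024-bit case from the thread.
     */
    static List<TrustAnchor> selectAnchors(X509Certificate cert, Set<TrustAnchor> anchors) {
        byte[] akid = authorityKeyId(cert);
        List<TrustAnchor> result = new ArrayList<>();
        for (TrustAnchor ta : anchors) {
            X509Certificate anchorCert = ta.getTrustedCert();
            if (anchorCert == null) continue;     // name+key anchors are out of scope here
            if (!anchorCert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) continue;
            byte[] skid = subjectKeyId(anchorCert);
            if (akid != null && skid != null && !Arrays.equals(akid, skid)) continue;
            try {
                cert.verify(anchorCert.getPublicKey());  // try every candidate, not just the first
                result.add(ta);
            } catch (GeneralSecurityException e) {
                // wrong key for this issuer name; keep looking at the other candidates
            }
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        // Assumed inputs: args[0] is a PEM end-entity cert, remaining args are PEM anchor certs.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate leaf = (X509Certificate) cf.generateCertificate(
                new ByteArrayInputStream(Files.readAllBytes(Paths.get(args[0]))));
        Set<TrustAnchor> anchors = new HashSet<>();
        for (int i = 1; i < args.length; i++) {
            X509Certificate c = (X509Certificate) cf.generateCertificate(
                    new ByteArrayInputStream(Files.readAllBytes(Paths.get(args[i]))));
            anchors.add(new TrustAnchor(c, null));
        }
        List<TrustAnchor> usable = selectAnchors(leaf, anchors);
        System.out.println(usable.size() + " of " + anchors.size()
                + " anchors match by issuer name, key identifier and signature");

        // Validate against only the narrowed set so the validator cannot stop at the wrong twin.
        PKIXParameters params = new PKIXParameters(new HashSet<>(usable));
        params.setRevocationEnabled(false);       // assumption: no CRL/OCSP data for the samples
        CertPath path = cf.generateCertPath(Collections.singletonList(leaf));
        CertPathValidator.getInstance("PKIX").validate(path, params);
        System.out.println("cert path validated");
    }
}
```

Run it as `java TrustAnchorSelector leaf.pem anchor512.pem anchor1024.pem` (constructed file names). With two anchors that share a subject name but carry different keys, the name filter keeps both, the AKID/SKID filter drops the one whose key identifier differs, and the per-candidate `verify` call is what makes the search tolerate anchors that lack a SubjectKeyIdentifier altogether; that loop over all candidates is the cost the thread calls "expensive", but it is paid once per anchor set rather than per validation if the result is cached.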
