On 1/15/2011 1:30 AM, Xuelei Fan wrote: > Hi Sean, > > webrev: http://cr.openjdk.java.net/~xuelei/7011497/webrev/
> Would you please review the update again. I integrate the fix for > 7011497 and 7012357 together. > > Comparing with previous webrev, the following updates are unchanged: > src/share/classes/java/security/cert/CertPathValidatorException.java > src/share/classes/sun/security/provider/certpath/AlgorithmChecker.java > src/share/classes/sun/security/validator/SimpleValidator.java > other test files. > > > The following are new changes for CR 7012357: > src/share/classes/sun/security/provider/certpath/ForwardBuilder.java > src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java > test/sun/security/provider/certpath/DisabledAlgorithms/CPValidatorEndEntity.java > > > Thanks, > Xuelei > > On 1/14/2011 11:10 AM, Xuelei Fan wrote: >> We don't checking the SKID and AKID during searching for the trust anchor. >> >> I have filled a new CR for the issue, 7012357, Improve trust anchor >> searching method during cert path validation. >> >> I will have this commented out block in CPValidatorEndEntity.java. I >> will use this test case for CR 7012357. >> >> Thanks, >> Xuelei >> >> On 1/14/2011 12:44 AM, Xuelei Fan wrote: >>> I just realized, if subject KID and issuer KID works, the cert path >>> validation should be able to find the proper trust anchor. I will look >>> into the issue tomorrow. >>> >>> Xuelei >>> >>> On 1/14/2011 12:27 AM, Xuelei Fan wrote: >>>> On 1/14/2011 12:05 AM, Sean Mullan wrote: >>>>> On 1/13/11 6:38 AM, Xuelei Fan wrote: >>>>>> Hi Sean, >>>>>> >>>>>> Would you please review the fix for CR 7011497? >>>>>> >>>>>> http://cr.openjdk.java.net/~xuelei/7011497/webrev/ >>>>>> >>>>>> Thanks, >>>>>> Xuelei >>>>> >>>>> CPValidatorEndEntity.java: >>>>> >>>>> 307 /* coment out useless trust anchor >>>>> 308 is = new >>>>> ByteArrayInputStream(trustAnchor_SHA1withRSA_512.getBytes()); >>>>> 309 cert = cf.generateCertificate(is); >>>>> 310 anchor = new TrustAnchor((X509Certificate)cert, null); >>>>> 311 anchors.add(anchor); >>>>> 312 */ >>>>> >>>>> Why do you leave this code in with this comment? >>>>> >>>> If I have this block. The cert path validation cannot find the proper >>>> trust anchor. As there are two trusted certificates, they are almost the >>>> same except the key size (one key size is 1024, another one is 512). >>>> >>>> In cert path validation, once a trust anchor found, if the signature is >>>> not valid, I think no more effort to test more trust anchors. >>>> >>>> I was wondering whether it is worthy to try more trust anchors. It's >>>> expensive! >>>> >>>> Thanks for the review. >>>> >>>> Xuelei >>>> >>>>> Otherwise, looks good. >>>>> >>>>> --Sean >>>> >>> >> >