On May 23, 2014, at 2:15, Sean Mullan <sean.mul...@oracle.com> wrote:
> Hi Max,
>
> Did you consider using a CertPathBuilder instead? This should essentially do
> the same thing (find a matching trust anchor, and build a validated path).

I thought about it, but anyway the cert chain is still a chain. If I just treat them as an unordered set of certs, it seems too tolerant.

--Max

>
> --Sean
>
> On 05/21/2014 08:20 PM, Wang Weijun wrote:
>> Hi All
>>
>> Please review the code change at
>>
>> http://cr.openjdk.java.net/~weijun/8036709/webrev.01/
>>
>> Before this change, jarsigner simply put a cert chain into a CertPath and
>> validated it. If the CertPath contains a trust anchor inside, the validation
>> could fail even if it should not. This fix searches for a trust anchor in
>> the cert chain and truncates at that position if one is found. If the first
>> certificate is already a trust anchor, we don't do validation at all.
>>
>> Thanks
>> Max
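The approach described in the review request (find a trust anchor inside the ordered chain, truncate there, skip validation when the first certificate is itself an anchor), as an added sketch that is not part of the original thread and not the webrev's code. The class and method names are hypothetical, matching anchors by certificate equality and disabling revocation checking are assumptions of this example, and `main` expects a PEM chain file (leaf first) plus a truststore supplied by the reader.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class AnchorTruncation {   // hypothetical name, not a jarsigner class
    // Index of the first chain certificate that is itself a trust anchor, or -1.
    static int anchorIndex(List<Certificate> chain, Set<TrustAnchor> anchors) {
        for (int i = 0; i < chain.size(); i++) {
            for (TrustAnchor ta : anchors) {
                // getTrustedCert() is null for name/key anchors; equals(null) is false.
                if (chain.get(i).equals(ta.getTrustedCert())) return i;
            }
        }
        return -1;
    }

    // Returns normally if the chain is acceptable, throws if PKIX validation fails.
    static void validate(List<Certificate> chain, Set<TrustAnchor> anchors) throws Exception {
        int pos = anchorIndex(chain, anchors);
        if (pos == 0) return;                  // first cert is already trusted: no validation
        // Keep chain order; only drop the anchor and everything after it.
        List<Certificate> path = (pos > 0) ? chain.subList(0, pos) : chain;
        CertPath cp = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false);    // assumption: keeps the example offline
        CertPathValidator.getInstance("PKIX").validate(cp, params);
    }

    // Usage: java AnchorTruncation chain.pem truststore password
    public static void main(String[] args) throws Exception {
        List<Certificate> chain;
        try (InputStream in = new FileInputStream(args[0])) {
            chain = new ArrayList<>(CertificateFactory.getInstance("X.509").generateCertificates(in));
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[1])) {
            ks.load(in, args[2].toCharArray());
        }
        validate(chain, new PKIXParameters(ks).getTrustAnchors());
        System.out.println("chain accepted");
    }
}
```

Because the chain is only truncated and never reordered, a chain whose certificates are out of order still fails validation, which is the strictness Max's reply asks to keep.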