On 05/22/2014 07:42 PM, Wang Weijun wrote:
On May 23, 2014, at 2:15, Sean Mullan <sean.mul...@oracle.com> wrote:
Hi Max,
Did you consider using a CertPathBuilder instead? This should essentially do
the same thing (find a matching trust anchor, and build a validated path).
I thought about it but anyway the certchain is still a chain. If I just treat
them as an unordered set of certs, it seems too tolerant.
Ok. The fix looks fine to me, though it looks like the code in the 2
methods is very similar - could it be refactored into a common method?
--Sean
--Max
--Sean
On 05/21/2014 08:20 PM, Wang Weijun wrote:
Hi All
Please review the code change at
http://cr.openjdk.java.net/~weijun/8036709/webrev.01/
Before this change, jarsigner simply put a cert chain into a CertPath and
validate it. If the CertPath contains a trust anchor inside, the validation
could fail even if it should not. This fix searches for a trust anchor in the
cert chain, if truncate at the position if one is found. If the first
certificate is already a trust anchor, we don't do validation at all.
Thanks
Max
