Looks fine to me except a few minor comments.

Validator.java
--------------
Would you mind adding a comment about why extensions are only checked for TYPE_SIMPLE?

EndEntityExtensionCheck.java
----------------------------
line 26-28: We normally use the bug tag before other tags.

line 52-55, and similar places: Normally, a "*" character is expected for each comment line, as it is easier to read.

eeextensioncheck.jks
--------------------
Binary files are not preferred in Mercurial. Would you mind using a string key store, as you did for the CA and EE certs in EndEntityExtensionCheck.java?

Xuelei

On 4/11/2015 3:39 AM, Jason Uh wrote:
> Please review this fix, which prevents redundant extension checking in
> EndEntityChecker.
>
> When checking extensions in an end entity certificate, if
> sun.security.validator.EndEntityChecker comes across any extensions that
> are critical and unknown, it throws an exception, even if those
> extensions had already been checked by custom PKIXCertPathCheckers
> (specified in the PKIXParameters) earlier in the validation by
> PKIXValidator. This checking is not necessary when path validation is
> performed by a PKIXValidator.
>
> However, if the validation is performed by a SimpleValidator,
> EndEntityChecker should continue to check extensions.
>
> webrev: http://cr.openjdk.java.net/~juh/8076117/00/
> bug: https://bugs.openjdk.java.net/browse/JDK-8076117
>
> Thanks,
> Jason
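
The custom-checker mechanism the quoted message refers to, shown as an added example that is not part of the original thread or of the JDK change: a `PKIXCertPathChecker` that validates a critical private extension and removes its OID from the unresolved set during PKIX path validation. The OID, the class names and the two certificate file arguments are assumptions made for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.*;
import java.util.*;

public class CriticalExtensionCheckerDemo {
    // Constructed placeholder OID for a private critical extension (assumption).
    static final String PRIVATE_EXT_OID = "1.3.6.1.4.1.99999.1.1";

    // Custom checker: inspects the private extension, then marks it as resolved.
    static class PrivateExtensionChecker extends PKIXCertPathChecker {
        @Override public void init(boolean forward) throws CertPathValidatorException {
            if (forward) throw new CertPathValidatorException("forward checking not supported");
        }
        @Override public boolean isForwardCheckingSupported() { return false; }
        @Override public Set<String> getSupportedExtensions() {
            return Collections.singleton(PRIVATE_EXT_OID);
        }
        @Override public void check(Certificate cert, Collection<String> unresolvedCritExts)
                throws CertPathValidatorException {
            // getExtensionValue returns the DER OCTET STRING wrapping the payload.
            byte[] value = ((X509Certificate) cert).getExtensionValue(PRIVATE_EXT_OID);
            if (value == null) return;              // extension absent: nothing to resolve
            // Application-specific validation belongs here; this example only
            // rejects an empty payload (tag + zero length = 2 bytes).
            if (value.length <= 2)
                throw new CertPathValidatorException("empty private extension");
            // Removing the OID tells the PKIX validator the extension was handled.
            if (unresolvedCritExts != null) unresolvedCritExts.remove(PRIVATE_EXT_OID);
        }
    }

    static X509Certificate load(CertificateFactory cf, String file) throws Exception {
        try (InputStream in = new FileInputStream(file)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    // Usage: java CriticalExtensionCheckerDemo <end-entity-cert> <trust-anchor-cert>
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate ee = load(cf, args[0]);
        X509Certificate ca = load(cf, args[1]);
        PKIXParameters params =
            new PKIXParameters(Collections.singleton(new TrustAnchor(ca, null)));
        params.setRevocationEnabled(false);         // keep the example offline
        params.addCertPathChecker(new PrivateExtensionChecker());
        CertPath path = cf.generateCertPath(Collections.singletonList(ee));
        CertPathValidator.getInstance("PKIX").validate(path, params);
        System.out.println("path valid; " + PRIVATE_EXT_OID + " resolved by custom checker");
    }
}
```

Any critical extension OID still left in the unresolved set after all checkers have run causes the PKIX validation to fail, which is why a second, independent critical-extension check after this stage rejects certificates the custom checker already accepted.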
