On 12/2/16 2:23 PM, Xue-Lei Fan wrote:
On 11/29/2016 5:22 AM, Sean Mullan wrote:
On 11/27/16 7:43 AM, Xuelei Fan wrote:
On 11/27/2016 6:04 PM, Wang Weijun wrote:
This is not only a test update.
No, I happened to find an implementation issue with the new test, so fix
it altogether. The issue is that the simple validator
(SimpleValidator.java) does not support SKID/AKID during cert path
build. If two trusted certs has the same subject, the simple validator
may not be able to find the right one.
We have had issues in the PKIX CertPathBuilder with matching on
AKID/SKID when building certpaths, so we want to be careful not to
introduce a similar issue. See this bug for more information:
https://bugs.openjdk.java.net/browse/JDK-8072463
I have not reviewed the fix enough to know if this issue applies here
but please double-check it.
The KID are used for best effort matching in this update. If no KIDs
get matched, the previous behavior is reserved. Should be safe, I think.
You only have to get the authKeyId once, so I think it would be better
to get the keyids first and then pass them to the isKIDMatched method.
Also I wonder if you should throw an Exception if the cert has an akid
and all of the trusted certs have a skid and none of them match.
Looks ok otherwise.
--Sean
