So what do you think of my original webrev? It only compares KID and subject/issuer, not caring about other extensions (like BC).
Thanks,
Max

> On Jan 22, 2019, at 1:39 AM, Xuelei Fan <xuelei....@oracle.com> wrote:
>
> > but it seems it cannot deal with the case where a cert has the correct
> > subject but no SKID extension. Or do you think this should never happen?
> It could happen, especially for a self-signed cert. See also the
> sun.security.provider.certpath.ForwardBuilder#PKIXCertComparator.
>
> Xuelei
>
> On 1/21/2019 2:05 AM, Weijun Wang wrote:
>> ;
>>
>> but it seems it cannot deal with the case where a cert has the correct
>> subject but no SKID extension. Or do you think this should never happen?
>>
>> Thanks
>> Max
>>
>>> On Jan 17, 2019, at 11:41 AM, Weijun Wang <weijun.w...@oracle.com> wrote:
>>>
>>> I'll take a look. I thought java.security.cert.X509CertSelector is used by
>>> CertPath validators and builders internally and never thought it can be
>>> called directly.
>>>
>>> Thanks,
>>> Max
>>>
>>>> On Jan 17, 2019, at 1:49 AM, Xuelei Fan <xuelei....@oracle.com> wrote:
>>>>
>>>> Hi Max,
>>>>
>>>> I did not look into the detailed implementation of findIssuer() yet. Have
>>>> you considered using java.security.cert.X509CertSelector?
>>>>
>>>> Thanks,
>>>> Xuelei
>>>>
>>>> On 1/9/2019 6:59 AM, Weijun Wang wrote:
>>>>> Please take a review at
>>>>> https://cr.openjdk.java.net/~weijun/8215776/webrev.00/
>>>>> PKCS12KeyStore now can find certificate issuers more precisely using
>>>>> SubjectKeyIdentifier and AuthorityKeyIdentifier. I thought about using
>>>>> CertPath builder or checking signatures but those changes are too much.
>>>>> Thanks,
>>>>> Max
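
The following sketch illustrates the kind of issuer matching discussed in this thread: compare issuer/subject names, then the AuthorityKeyIdentifier against the candidate's SubjectKeyIdentifier. It is an added example, not code from the webrev or the JDK. The class and method names are hypothetical, the DER bytes in `main` are constructed, and falling back to a name-only match when a key identifier is missing is an assumption about how the no-SKID case could be handled.

```java
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HexFormat;

public class IssuerMatch {                      // hypothetical class, not JDK code
    // Read one DER TLV at off; returns {contentStart, contentLength}.
    static int[] tlv(byte[] b, int off) {
        int len = b[off + 1] & 0xff, p = off + 2;
        if (len >= 0x80) {                      // long-form length
            int n = len & 0x7f; len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (b[p++] & 0xff);
        }
        return new int[] { p, len };
    }

    // SKID (2.5.29.14): OCTET STRING wrapper around OCTET STRING keyIdentifier.
    static byte[] skid(byte[] ext) {
        if (ext == null) return null;           // extension absent
        int[] outer = tlv(ext, 0), inner = tlv(ext, outer[0]);
        return Arrays.copyOfRange(ext, inner[0], inner[0] + inner[1]);
    }

    // AKID (2.5.29.35): OCTET STRING wrapper around SEQUENCE { [0] keyIdentifier OPTIONAL, ... }.
    static byte[] akid(byte[] ext) {
        if (ext == null) return null;
        int[] outer = tlv(ext, 0), seq = tlv(ext, outer[0]);
        if (seq[1] == 0 || (ext[seq[0]] & 0xff) != 0x80) return null; // no keyIdentifier
        int[] kid = tlv(ext, seq[0]);
        return Arrays.copyOfRange(ext, kid[0], kid[0] + kid[1]);
    }

    // 0 = not an issuer candidate, 1 = name match only, 2 = name and key identifier match.
    static int score(X509Certificate cert, X509Certificate cand) {
        if (!cert.getIssuerX500Principal().equals(cand.getSubjectX500Principal())) return 0;
        return scoreKids(akid(cert.getExtensionValue("2.5.29.35")),
                         skid(cand.getExtensionValue("2.5.29.14")));
    }

    static int scoreKids(byte[] akid, byte[] skid) {
        if (akid == null || skid == null) return 1;   // assumption: missing KID falls back to name
        return Arrays.equals(akid, skid) ? 2 : 0;     // both present: they must agree
    }

    public static void main(String[] args) {
        HexFormat hex = HexFormat.of();
        byte[] a = akid(hex.parseHex("0408300680040a0b0c0d")); // constructed AKID extension value
        byte[] s = skid(hex.parseHex("040604040a0b0c0d"));     // constructed SKID extension value
        System.out.println(scoreKids(a, s) + " " + scoreKids(a, null));
    }
}
```

A caller would pick the candidate with the highest non-zero score, so a certificate with the right subject but no SKID is still considered, only ranked below one whose key identifier matches.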