On 1/21/2019 4:38 PM, Weijun Wang wrote:
So what do you think of my original webrev? It only compares KID and 
subject/issuer, not caring about other extensions (like BC).

The original webrev looks right to me except that I'm not sure if a new AuthorityKeyIdentifierExtension was needed. Is it sufficient to use the octet string of the DER value?

It may need two selectors to use the X509CertSelector, for issuers w/o AKID. I will leave it to you for the final decision.

Xuelei


Thanks,
Max

On Jan 22, 2019, at 1:39 AM, Xuelei Fan <xuelei....@oracle.com> wrote:

but it seems it cannot deal with the case where a cert has the correct subject 
but no SKID extension. Or do you think this should never happen?

It could happen, especially for a self-signed cert. See also the
sun.security.provider.certpath.ForwardBuilder#PKIXCertComparator.

Xuelei

On 1/21/2019 2:05 AM, Weijun Wang wrote:

but it seems it cannot deal with the case where a cert has the correct subject 
but no SKID extension. Or do you think this should never happen?

Thanks
Max

On Jan 17, 2019, at 11:41 AM, Weijun Wang <weijun.w...@oracle.com> wrote:

I'll take a look. I thought java.security.cert.X509CertSelector is used by 
CertPath validators and builders internally and never thought it can be called 
directly.

Thanks,
Max

On Jan 17, 2019, at 1:49 AM, Xuelei Fan <xuelei....@oracle.com> wrote:

Hi Max,

I did not look into the detailed implementation of findIssuer() yet. Have you 
considered using java.security.cert.X509CertSelector?

Thanks,
Xuelei

On 1/9/2019 6:59 AM, Weijun Wang wrote:

Please take a review at

  https://cr.openjdk.java.net/~weijun/8215776/webrev.00/

PKCS12KeyStore now can find certificate issuers more precisely using 
SubjectKeyIdentifier and AuthorityKeyIdentifier. I thought about using CertPath 
builder or checking signatures but those changes are too much.

Thanks,
Max
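
The matching rule discussed in this thread (compare the AuthorityKeyIdentifier key id with a candidate's SubjectKeyIdentifier, and fall back to subject/issuer names when a certificate carries no key id), as an added example that is not the webrev's or the JDK's code. The names `IssuerMatch`, `tlv`, `keyId` and `findIssuer` are hypothetical, and the extension bytes in `main` are constructed.

```java
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;

// Hypothetical helper class for illustration; not PKCS12KeyStore code.
public class IssuerMatch {
    // Read the DER TLV at off: returns {tag, contentStart, contentLength}.
    static int[] tlv(byte[] b, int off) {
        int tag = b[off] & 0xff, len = b[off + 1] & 0xff, start = off + 2;
        if (len >= 0x80) {                       // long-form length
            int n = len & 0x7f;
            for (len = 0; n > 0; n--) len = (len << 8) | (b[start++] & 0xff);
        }
        return new int[] {tag, start, len};
    }

    // Key id from getExtensionValue(): OCTET STRING wrapping OCTET STRING (SKID)
    // or wrapping SEQUENCE { [0] keyIdentifier, ... } (AKID). Null if absent.
    static byte[] keyId(byte[] ext, boolean authority) {
        if (ext == null) return null;
        int[] in = tlv(ext, tlv(ext, 0)[1]);     // value inside the outer OCTET STRING
        if (authority) {
            if (in[2] == 0) return null;         // empty SEQUENCE
            in = tlv(ext, in[1]);                // first field of the SEQUENCE
            if (in[0] != 0x80) return null;      // no [0] keyIdentifier present
        }
        return Arrays.copyOfRange(ext, in[1], in[1] + in[2]);
    }

    // Prefer a key-id match; accept a name-only match when either id is missing.
    static X509Certificate findIssuer(X509Certificate cert, List<X509Certificate> pool) {
        byte[] akid = keyId(cert.getExtensionValue("2.5.29.35"), true);
        X509Certificate byName = null;
        for (X509Certificate c : pool) {
            if (!c.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) continue;
            byte[] skid = keyId(c.getExtensionValue("2.5.29.14"), false);
            if (akid != null && skid != null) {
                if (Arrays.equals(akid, skid)) return c;   // both ids present and equal
            } else if (byName == null) {
                byName = c;                                // e.g. candidate without SKID
            }
        }
        return byName;
    }

    public static void main(String[] args) {
        // Constructed extension values, both carrying key id 01 02 03 04.
        byte[] skid = {0x04, 0x06, 0x04, 0x04, 1, 2, 3, 4};
        byte[] akid = {0x04, 0x08, 0x30, 0x06, (byte) 0x80, 0x04, 1, 2, 3, 4};
        System.out.println(Arrays.equals(keyId(skid, false), keyId(akid, true)));
    }
}
```

The two extensions are encoded differently, so the key id is extracted from each before comparing; a key-id match only selects a candidate and does not verify the signature.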
