Thanks for verifying. Approved for jdk7u40-dev.
regards,
Sean.
On 25/06/2013 11:29, Vincent Ryan wrote:
The testcase to verify the fix:
jdk/test/closed/java/security/cert/CertPathValidator/OCSP/ValidateUsingOCSPCache.java
I've added a link to a recent JPRT test run to my justification comment:
https://jbs.oracle.com/bugs/browse/JDK-8014805?focusedCommentId=13343010&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13343010
On 24 Jun 2013, at 21:50, Seán Coffey wrote:
Vinnie,
likewise - what testing was performed?
regards,
Sean.
On 24/06/13 12:41, Vincent Ryan wrote:
Hello all,
Please approve the following fix for 7u40:
Bug: http://bugs.sun.com/view_bug.do?bug_id=8014805
Webrev: http://cr.openjdk.java.net/~vinnie/8014805/webrev.00/
Code review:
http://mail.openjdk.java.net/pipermail/security-dev/2013-June/007886.html
This simple fix corrects the way an Authority Key Identifier (AKID) X.509
certificate extension is handled during OCSP certificate validation. Two
forms of AKID are permitted: hash-based and name/serial number based. The
fix for 7168191 (7u6) added a check to match AKIDs when distinguishing
certificates with the same subject name. This fix corrects that check to
handle the rare case when a certificate contains a non-hash-based AKID.
This problem does not occur in JDK 8 (because a different code path is used).
Thanks.
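
The two AKID forms named in the original request, as an added Python sketch that is not part of the thread and not the JDK's code: it parses the extension value following RFC 5280 and matches a candidate issuer certificate by key identifier or, when that field is absent, by issuer name and serial number. The function names, the byte-for-byte name comparison, the treatment of an empty AKID and the sample values are assumptions of the example.

```python
# Added illustration, not JDK code. Tags follow RFC 5280, section 4.2.1.1.
def read_tlv(buf, pos=0):
    """Read one DER element; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def parse_akid(ext_value):
    """Split an AuthorityKeyIdentifier SEQUENCE into its optional fields."""
    tag, body, _ = read_tlv(ext_value)
    if tag != 0x30:
        raise ValueError("AKID is not a SEQUENCE")
    akid, pos = {"key_id": None, "issuers": [], "serial": None}, 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        if tag == 0x80:  # [0] keyIdentifier: the hash-based form
            akid["key_id"] = val
        elif tag == 0x82:  # [2] authorityCertSerialNumber
            akid["serial"] = int.from_bytes(val, "big", signed=True)
        elif tag == 0xA1:  # [1] authorityCertIssuer (GeneralNames)
            p = 0
            while p < len(val):
                t, name, p = read_tlv(val, p)
                if t == 0xA4:  # directoryName wrapping an X.501 Name
                    akid["issuers"].append(name)
    return akid

def akid_matches(akid, cand_skid, cand_issuer, cand_serial):
    """True if the candidate issuer certificate is the one the AKID names."""
    # cand_issuer is the candidate's own issuer Name (DER), compared byte for byte.
    if akid["key_id"] is not None:  # hash-based: compare with candidate's SKID
        return akid["key_id"] == cand_skid
    if akid["issuers"] and akid["serial"] is not None:  # name/serial form
        return cand_issuer in akid["issuers"] and akid["serial"] == cand_serial
    return True  # assumption of this sketch: an empty AKID excludes nothing

def tlv(tag, value):
    """Encode one DER element (sample data only, lengths below 128)."""
    return bytes([tag, len(value)]) + value

# Constructed sample values for a hypothetical CA, not from a real certificate.
CA_ISSUER = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, b"Test Root"))))
CA_SKID, CA_SERIAL = bytes(range(20)), 0x1001
HASH_AKID = tlv(0x30, tlv(0x80, CA_SKID))
NAME_AKID = tlv(0x30, tlv(0xA1, tlv(0xA4, CA_ISSUER)) + tlv(0x82, b"\x10\x01"))
```

A matcher that reads only `key_id` gets `None` for `NAME_AKID`, so the name/serial branch is what decides the match for that form.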