Weijun Wang wrote:
Hi

In keytool's installReply(), there is:

        if (replyCerts.length == 1) {
            // single-cert reply
            newChain = establishCertChain(userCert, replyCerts[0]);
        } else {
            // cert-chain reply (e.g., PKCS#7)
            newChain = validateReply(alias, userCert, replyCerts);
        }

If the trust cannot be set up with a known trust anchor, in
establishCertChain() the import simply fails; in validateReply() a
prompt is displayed, and if you type yes, it is imported.

This means the user experience is different between directly applying
for a cert from a root CA (in which case the reply is a single cert) and from
an intermediate CA (in which case the reply includes the user's cert and the
CA's cert), when the root CA is not in the user's cacerts.

Is this rational? Why isn't validateReply() always called?

I don't know why, but the behaviors of establishCertChain() and validateReply() regarding trust differ. establishCertChain() will try to build a *full* cert chain from the key store or the trusted CA cert store; validateReply() would only try to find "ONE" cert that could verify the last cert in the chain. I don't know the underlying stories.

Andrew
Thanks
Max
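A toy model of the two code paths discussed above, added here as an illustration; it is not keytool's source. Certificates are stand-ins whose signatures are checked by key name, `store` plays the role of the keystore plus cacerts, and the root/intermediate/user certs are constructed for the example.

```python
from dataclasses import dataclass
# Constructed toy certificate: `key` names the subject's public key, `sig_key`
# the key that signed it; verify() stands in for X509Certificate.verify().
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key: str
    sig_key: str

    def verify(self, issuer):
        return self.sig_key == issuer.key

class ChainError(Exception):  # keytool: "Failed to establish chain from reply"
    pass

def establish_cert_chain(reply, store):
    """Single-cert path: every hop up to a self-signed root must be found in
    the keystore/cacerts contents (`store`); otherwise the import fails."""
    by_subject = {}
    for c in store:
        by_subject.setdefault(c.subject, []).append(c)
    def build(cert, chain):
        if cert.subject == cert.issuer and cert.verify(cert):  # reached a root
            chain.append(cert)
            return True
        for issuer in by_subject.get(cert.issuer, []):
            if cert.verify(issuer) and build(issuer, chain):
                chain.append(cert)
                return True
        return False
    chain = []
    if not build(reply, chain):
        raise ChainError("Failed to establish chain from reply")
    return chain[::-1]  # user cert first, root last

def validate_reply(reply, store):
    """Chain path (reply ordered user-first): check the links inside the reply,
    then only ask whether ONE store cert is, or signs, the top cert.
    Returns (chain, trusted); trusted=False is where keytool prompts."""
    for lower, upper in zip(reply, reply[1:]):
        if not lower.verify(upper):
            raise ChainError("Certificate chain in reply does not verify")
    top = reply[-1]
    trusted = top in store or any(top.verify(c) for c in store if c.subject == top.issuer)
    return reply, trusted

# Constructed sample PKI: root CA, intermediate CA, Max's cert issued by each.
ROOT = Cert("CN=Root", "CN=Root", "kR", "kR")
INTER = Cert("CN=Inter", "CN=Root", "kI", "kR")
MAX_FROM_ROOT = Cert("CN=Max", "CN=Root", "kU", "kR")     # single-cert reply
MAX_FROM_INTER = Cert("CN=Max", "CN=Inter", "kU", "kI")   # chain reply with INTER
```

With an empty `store` (root not in cacerts), `establish_cert_chain(MAX_FROM_ROOT, [])` raises while `validate_reply([MAX_FROM_INTER, INTER], [])` returns the chain with `trusted=False`, which is the asymmetry the thread describes.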
