Xuelei Fan wrote:

In this block of code:

 858                 if (principal != null && publicKey != null &&
 859                     principal.equals(cert.getSubjectX500Principal())) {
 860                     if (publicKey.equals(cert.getPublicKey())) {
 861                         this.trustAnchor = anchor;
 862                         return true;
 863                     }
 864                     // else, it is a self-issued certificate of the anchor
 865                 }

you never check if the trust anchor name is equal to the issuer of the cert before returning true. That seems to violate RFC 5280.

At line 859, when the cert's "subject" equals the trust anchor

Why not match it with the cert's issuer? That would then be compliant with 5280.

The above code is used to check whether the target cert is a trust anchor, so we need to compare the "subject" of both. If the cert is not a trust anchor, we need to check its issuer.
Ok, but shouldn't the trust anchor name also match the cert issuer in that case? A trust anchor name is supposed to match the issuer of the first certificate in the chain. This is clearly specified in RFC 5280 (search for "working_issuer_name"). I would like to understand why we don't need to check that in this case. Can you describe a chain that doesn't satisfy this case and needs this check?

Thanks,
Sean

The following code is used to check whether the target cert is issued by the trust anchor:
-------------
 868                 // Check subject/issuer name chaining
 869                 if (principal == null ||
 870                     !principal.equals(cert.getIssuerX500Principal())) {
 871                     continue;
 872                 }

------------

If it is a cert issued by a trust anchor, the method will then check the revocation and signature. I think that is the behavior you expected, right?

Thanks,
Andrew
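The two checks discussed in this thread, modelled as an added example that is not part of the JDK code or of any message above: certificates and trust anchors are simple constructed records standing in for X509Certificate and TrustAnchor, `verify_signature` is a stand-in for `cert.verify(publicKey)`, and the names, keys and the `classify` function are all hypothetical. It shows the distinction Xuelei makes (subject match for "this cert is the anchor", issuer match for "this cert is issued by the anchor", which is the RFC 5280 working_issuer_name comparison Sean refers to), including the self-issued-certificate-of-the-anchor edge case from the line 864 comment, where the names match but the keys do not and the cert falls through to issuer chaining plus a signature check.

```python
"""Trust-anchor matching logic modelled after the thread (added example).

Cert and TrustAnchor are constructed stand-ins, not the JDK classes.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str        # stands in for cert.getSubjectX500Principal()
    issuer: str         # stands in for cert.getIssuerX500Principal()
    public_key: str     # stands in for cert.getPublicKey(); an opaque id here
    signed_by_key: str  # key that produced the signature (constructed field,
                        # consumed only by verify_signature below)


@dataclass(frozen=True)
class TrustAnchor:
    name: Optional[str]        # trusted CA name; None for a key-only anchor
    public_key: Optional[str]  # trusted CA public key


def verify_signature(cert: Cert, key: str) -> bool:
    """Stand-in for cert.verify(publicKey): true iff `key` signed the cert."""
    return cert.signed_by_key == key


def classify(cert: Cert, anchors: Iterable[TrustAnchor]) -> Tuple[str, Optional[TrustAnchor]]:
    """Return ("anchor", a) when cert *is* anchor a (subject and key match),
    ("issued", a) when cert chains to anchor a by issuer name and a's key
    verifies its signature, or ("none", None) when no anchor applies."""
    for anchor in anchors:
        principal, key = anchor.name, anchor.public_key

        # Step 1 (quoted lines 858-865): is this cert itself the anchor?
        # Compare the cert's *subject* with the anchor name.
        if principal is not None and key is not None and principal == cert.subject:
            if key == cert.public_key:
                return ("anchor", anchor)
            # else: same name, different key -> a self-issued cert of the
            # anchor (e.g. key rollover). Fall through and treat it like any
            # other cert issued by the anchor.

        # Step 2 (quoted lines 868-872): name chaining. The anchor name must
        # equal the cert's *issuer* (RFC 5280 working_issuer_name).
        if principal is None or principal != cert.issuer:
            continue

        # Only a cert that passes name chaining reaches the signature check.
        if key is not None and verify_signature(cert, key):
            return ("issued", anchor)
    return ("none", None)


# Constructed sample data.
ROOT = TrustAnchor(name="CN=Root CA", public_key="K1")
ANCHORS = [ROOT]

ROOT_CERT = Cert("CN=Root CA", "CN=Root CA", "K1", "K1")      # the anchor itself
ROLLOVER = Cert("CN=Root CA", "CN=Root CA", "K2", "K1")       # self-issued, new key signed by old
END_ENTITY = Cert("CN=server", "CN=Root CA", "K3", "K1")      # issued by the anchor
BAD_SIG = Cert("CN=server", "CN=Root CA", "K4", "K9")         # claims the anchor as issuer, wrong key
OTHER_ISSUER = Cert("CN=server", "CN=Other CA", "K5", "K1")   # name chaining fails


if __name__ == "__main__":
    for label, c in [("root", ROOT_CERT), ("rollover", ROLLOVER),
                     ("end-entity", END_ENTITY), ("bad-sig", BAD_SIG),
                     ("other-issuer", OTHER_ISSUER)]:
        print(f"{label:13s} -> {classify(c, ANCHORS)[0]}")
```

The `BAD_SIG` case is the reason step 2 alone is not sufficient: matching the issuer name only selects the anchor whose key is then used for the signature check, which is where a certificate that merely names the anchor as issuer is rejected. A key-only anchor (`name=None`) never matches either step in this model, mirroring the `principal == null` guards in the quoted code.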
