webrev updated, adding comments to tests:
http://cr.openjdk.java.net/~xuelei/6852744/webrev.02/
Sean Mullan wrote:
Xuelei Fan wrote:
In this block of code:
858 if (principal != null && publicKey != null &&
859
principal.equals(cert.getSubjectX500Principal())) {
860 if (publicKey.equals(cert.getPublicKey())) {
861 this.trustAnchor = anchor;
862 return true;
863 }
864 // else, it is a self-issued certificate
of the abchor
865 }
you never check if the trust anchor name is equal to the issuer of
the cert before returning true. That seems to violate RFC 5280.
At line 859, when the cert's "subject" equals to the trust anchor
Why not match it with the cert's issuer? That would then be
compliant with 5280.
Above codes are used to check whether the target cert is a trust
anchor, so we need to compare the "subject" of both. If the cert is
not a trust anchor, we need to check its issuer.
Ok, but shouldn't the trust anchor name also match the cert issuer in
that case? A trust anchor name is supposed to match the issuer of the
first certificate in the chain. This is clearly specified in RFC 5280
(search for "working_issuer_name"). I would like to understand why we
don't need to check that in this case. Can you describe a chain that
doesn't satisfy this case and needs this check?
I think I understand what are your concerns now. If I'm right, you think
that the target cert of the method is expected to be the first
certificate in a certificate chain, which should be directly issued by a
trust anchor. By my understand of the method,
ForwardBuilder.isPathCompleted(X509Certificate cert), it would return
true if the "cert" parameter is a trust anchor, which means we have got
the first certificate in the certification path, now we are working on
the cert that issues the first certificate in the path, the issuer could
be a trust anchor.
For example, the expected path is EE->subca->trust anchor, and the
previous step has verified "subca", and got the path EE->subca, here we
don't know it is a complete path or not, we need one more step. We need
to look for the issuer of "subca" now, get the "trust anchor cert", then
we call ForwardBuilder.isPathCompleted("trust anchor cert"). In the
method, we firstly check whether the "trust anchor cert" is a trust
anchor or not, if itself is a trust anchor, return true immediately, and
cert will not be added to the path by the builder. Then we get the
conclusion that the path EE->subca is a complete certification path.
Does I make myself understood?
Thanks,
Andrew
Thanks,
Sean
The follows codes are used to check whether the target cert is issued
by the trust anchor:
-------------
868 // Check subject/issuer name chaining
869 if (principal == null ||
870
!principal.equals(cert.getIssuerX500Principal())) {
871 continue;
872 }
------------
If it is a cert issued by a trust anchor, the method will then check
the revocation and signature. I think that is your expected
behaviors, right?
Thanks,
Andrew
