[security-dev 00975]: Re: code review request 6852744: PIT b61: PKI test suite fails because self signed certificates are being rejected

Thu, 09 Jul 2009 12:47:08 -0700 

Xuelei Fan wrote:
webrev updated, adding comments to tests: http://cr.openjdk.java.net/~xuelei/6852744/webrev.02/ 


In DisableRevocation.java, why do you add CRLs to the CertStore if revocation is 
disabled?




I think I understand what are your concerns now. If I'm right, you think 
that the target cert of the method is expected to be the first 
certificate in a certificate chain, which should be directly issued by a 
trust anchor. By my understand of the method, 
ForwardBuilder.isPathCompleted(X509Certificate cert), it would return 
true if the "cert" parameter is a trust anchor, which means we have got 
the first certificate in the certification path, now we are working on 
the cert that issues the first certificate in the path, the issuer could 
be a trust anchor.



You're right, though now I'm kind of wondering if that's a bug because it 
requires the CertStores passed to CertPathBuilder to include the trust anchor. 
That shouldn't really be required, since you have already specified them in the 
TrustAnchors parameter. Ok, if its been that way for a long time and nobody has 
complained, lets leave it for now.



For example, the expected path is EE->subca->trust anchor, and the 
previous step has verified "subca", and got the path EE->subca, here we 
don't know it is a complete path or not, we need one more step. We need 
to look for the issuer of "subca" now, get the "trust anchor cert", then 
we call ForwardBuilder.isPathCompleted("trust anchor cert"). In the 
method, we firstly check whether the "trust anchor cert" is a trust 
anchor or not, if itself is a trust anchor, return true immediately, and 
cert will not be added to the path by the builder. Then we get the 
conclusion that the path EE->subca is a complete certification path.


Does I make myself understood?


Yes, the fix looks good.

--Sean



Thanks,
Andrew


Thanks,
Sean



The follows codes are used to check whether the target cert is issued 
by the trust anchor:

-------------
868                 // Check subject/issuer name chaining
869                 if (principal == null ||

870                         
!principal.equals(cert.getIssuerX500Principal())) {


871                     continue;
872                 }

------------


If it is a cert issued by a trust anchor, the method will then check 
the revocation and signature. I think that is your expected 
behaviors, right?


Thanks,
Andrew




























					Reply via email to