Hello Michael,

Thanks for your review comments.

The cert path implementation in JDK currently doesn't support that AKID
variant. I don't think that it is commonly used, especially since RFC 5280 requires the SKID extension to be present in all CA certs.

Would you like me to file an RFE to add support for it?



On 06/19/12 09:48 PM, Michael StJohns wrote:
Hi - there are two different varieties of authorityKeyIdentifier - you only fixed 
one.

If the child cert has an akid consisting of the value of the parent skid, then 
you're good to go.  But there's also the akid variant which contains 
issuerName/serialNumber of its parent where the parent has no skid.

Mike

Sent from my iPad

On Jun 19, 2012, at 15:52, Vincent Ryan<[email protected]>  wrote:

Hello,

Please review the following changeset for JDK 7u6:
   http://cr.openjdk.java.net/~vinnie/7168191/webrev.01

The bug report is at:
   http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7168191

This fix addresses a bug in the OCSP client when processing key-rollover
certs. Typically such certs have the same subject name but different
keys. Now the OCSP code examines all the matching candidates (not just
the first one) both when preparing the request and when validating the
response.

Thanks.
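
Added example, not part of the thread or of the JDK changeset: a simplified Python model of issuer selection when key-rollover CA certificates share a subject name, covering both AKID forms discussed above. The `Cert` class, its field names and the sample certificates are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Cert:
    """Hypothetical certificate model holding only the fields used for chaining."""
    subject: str
    issuer: str
    serial: int
    skid: Optional[bytes] = None         # subjectKeyIdentifier
    akid_key_id: Optional[bytes] = None  # AKID keyIdentifier
    akid_issuer: Optional[str] = None    # AKID authorityCertIssuer
    akid_serial: Optional[int] = None    # AKID authorityCertSerialNumber

def first_by_name(child: Cert, candidates: List[Cert]) -> Optional[Cert]:
    """Name-only lookup that stops at the first hit; ambiguous after key rollover."""
    return next((c for c in candidates if c.subject == child.issuer), None)

def akid_matches(child: Cert, ca: Cert) -> bool:
    """True unless the child's AKID positively rules this candidate out."""
    # Variant 1: keyIdentifier must equal the candidate's SKID (when it has one).
    if child.akid_key_id is not None and ca.skid is not None:
        if child.akid_key_id != ca.skid:
            return False
    # Variant 2: issuer name and serial number of the candidate's own certificate.
    if child.akid_issuer is not None and child.akid_serial is not None:
        if (ca.issuer, ca.serial) != (child.akid_issuer, child.akid_serial):
            return False
    return True

def select_issuers(child: Cert, candidates: List[Cert]) -> List[Cert]:
    """Examine every same-name candidate; survivors still need signature checks."""
    return [c for c in candidates
            if c.subject == child.issuer and akid_matches(child, c)]

# Constructed sample data: one CA subject name, two keys (key rollover).
OLD_CA = Cert("CN=Example CA", "CN=Example Root", 100, skid=b"\x01" * 20)
NEW_CA = Cert("CN=Example CA", "CN=Example Root", 200, skid=b"\x02" * 20)
NEW_CA_NO_SKID = Cert("CN=Example CA", "CN=Example Root", 200)
LEAF_KEYID = Cert("CN=leaf1", "CN=Example CA", 1, akid_key_id=b"\x02" * 20)
LEAF_NAME_SERIAL = Cert("CN=leaf2", "CN=Example CA", 2,
                        akid_issuer="CN=Example Root", akid_serial=200)
LEAF_NO_AKID = Cert("CN=leaf3", "CN=Example CA", 3)
```

When the child carries no AKID, both same-name candidates remain, so only verifying the child's signature against each candidate's key can decide between them.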
