Hi Jason, Sorry for the delay in reviewing this.
On 02/28/2014 02:54 PM, Jason Uh wrote:
Hi Sean, Could I please get a review of this change? This fix allows a certpath to be validated when a certificate issued by a version 1 trusted cert has a validity period that doesn't fall within the validity of the issuer. Trust anchors whose validity do contain the issued cert's validity period will be prioritized above those that do not. webrev: http://cr.openjdk.java.net/~juh/8021804/webrev.00/ bug: http://bugs.openjdk.java.net/browse/JDK-8021804
In PKIXCertPathValidator, I would remove the call to X509CertSelector.setValidityPeriod on line 98 and just match on the subject and SKID when trying to find a matching trust anchor. Most of the other changes are not necessary I think. At this point you are just trying to find a matching root. In most cases there will only be one possible choice, so unless there are 2 V1 roots with the same subject name and a different public key (ex: due to key rollover). Maybe trying to match on the validity period would help select the right root in the key rollover case, but I'm not sure the extra code is worth it for this rare case (and V1 roots are becoming much less common). And even if it does select the wrong root the first time, the code should fail quickly (when the signature on the cert issued by the root fails), and then proceed to try the next one (and then succeed).
--Sean
