Well, sorry, but this is not a bug so we should not fix it. The
certificate is not compliant with RFC 5280. See Section 4.2: "A
certificate MUST NOT include more than one instance of a particular
extension." The EKU extension is already designed to specify more than
one key purpose, so it doesn't make any sense to add more than one
extension.
I would report this as a bug to the CA (Apple?) who is issuing
certificates like this.
--Sean
On 10/30/2014 11:21 AM, Vincent Ryan wrote:
Please review this fix that adds support for X.509 certificates that contain
more than one Extended Key Usage extension.
The certificate parser now merges duplicate EKU objects into a single one.
Webrev: http://cr.openjdk.java.net/~vinnie/8062548/webrev.00/
Bug: https://bugs.openjdk.java.net/browse/JDK-8062548
Thanks.
