Hi Thomas,

I am not actually turning off the check for unknown critical extensions. When validating with TYPE_PKIX, CertPathValidator will already have verified all extensions (and an exception would already have been thrown for any violations). This fix is merely to take out what would be a redundant check in EndEntityChecker that would result in wrong behavior.

With that said, as Sean pointed out in his review, it would make more sense to disable the checks when validating with a TYPE_PKIX validator rather than enabling for TYPE_SIMPLE, so I've made that change in my latest revision. I've sent that out in a separate email.

Also, all of the APIs I've touched in this fix are internal APIs and are not to be used externally, so there is not a security concern in the way you've suggested.

Thanks, and I appreciate the feedback.

Jason

On 04/11/2015 01:43 PM, Thomas Lußnig wrote:
Hi,

Even if I am new on this list, I looked at the solution and have a question.
Why is there a switch to turn off the check for unknown critical extensions?
From my point of view as a developer, I would say a more secure solution
would be, instead of a boolean switch, to make a Set<String> checkedOids a
new parameter, so it is possible to tell what has already been checked.
That means if the "non SimpleValidator" checks only part of the critical
extensions, the EndEntityChecker would still throw an Exception.

Regards, Thomas

On 10.04.2015 21:39, Jason Uh wrote:
Please review this fix, which prevents redundant extension checking in
EndEntityChecker.

When checking extensions in an end entity certificate, if
sun.security.validator.EndEntityChecker comes across any extensions
that are critical and unknown, it throws an exception, even if those
extensions had already been checked by custom PKIXCertPathCheckers
(specified in the PKIXParameters) earlier in the validation by
PKIXValidator. This checking is not necessary when path validation is
performed by a PKIXValidator.

However, if the validation is performed by a SimpleValidator,
EndEntityChecker should continue to check extensions.

webrev: http://cr.openjdk.java.net/~juh/8076117/00/
bug: https://bugs.openjdk.java.net/browse/JDK-8076117

Thanks,
Jason
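
For reference, an added example (not code from the webrev or from anyone in this thread) of the kind of custom PKIXCertPathChecker the original message refers to, written against the public java.security.cert API. The OID, the expected extension value and the two PEM file arguments are assumptions made for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.*;
import java.util.*;

// Added example: resolves one private critical extension during PKIX validation.
public class CriticalExtChecker extends PKIXCertPathChecker {
    // Constructed placeholder OID and value semantics (assumptions, not from the thread).
    static final String EXT_OID = "1.3.6.1.4.1.99999.1";
    // getExtensionValue() returns a DER OCTET STRING; here it must wrap BOOLEAN TRUE.
    static final byte[] EXPECTED = {0x04, 0x03, 0x01, 0x01, (byte) 0xFF};

    @Override public void init(boolean forward) throws CertPathValidatorException {
        if (forward) throw new CertPathValidatorException("forward checking not supported");
    }
    @Override public boolean isForwardCheckingSupported() { return false; }
    @Override public Set<String> getSupportedExtensions() {
        return Collections.singleton(EXT_OID);
    }
    @Override public void check(Certificate cert, Collection<String> unresolvedCritExts)
            throws CertPathValidatorException {
        byte[] value = ((X509Certificate) cert).getExtensionValue(EXT_OID);
        if (value == null) return;                 // extension absent: nothing to claim
        if (!Arrays.equals(value, EXPECTED))
            throw new CertPathValidatorException("bad value for " + EXT_OID);
        // Claim the OID only after its content passed. Any critical OID still left
        // in the collection makes the PKIX validator reject the path.
        if (unresolvedCritExts != null) unresolvedCritExts.remove(EXT_OID);
    }

    // args[0]: PEM chain, end entity first, without the root; args[1]: PEM trust anchor.
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<Certificate> chain = new ArrayList<>();
        X509Certificate root;
        try (InputStream c = new FileInputStream(args[0]);
             InputStream r = new FileInputStream(args[1])) {
            chain.addAll(cf.generateCertificates(c));
            root = (X509Certificate) cf.generateCertificate(r);
        }
        PKIXParameters params =
            new PKIXParameters(Collections.singleton(new TrustAnchor(root, null)));
        params.setRevocationEnabled(false);        // keeps the example offline
        params.addCertPathChecker(new CriticalExtChecker());
        CertPathValidator.getInstance("PKIX").validate(cf.generateCertPath(chain), params);
        System.out.println("path valid under PKIX with the custom checker installed");
    }
}
```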
