On 10/13/2016 01:29 AM, Anthony Scarpino wrote:
> On 10/12/2016 01:41 PM, Sean Mullan wrote:
>> On 10/12/2016 04:06 PM, Anthony Scarpino wrote:
>>> Later in the verify(), AlgorithmChecker needs a TrustAnchor object.  In
>>> this case, because it's the old method that deploy is using, I have to
>>> manufacture a TrustAnchor until they can use the new method with the
>>> real TrustAnchor.  Either way, if I pass null for the trust anchor,
>>> IssuerInfo will need to create a TrustAnchor from the same data.  Do you
>>> want me to add a comment about what the TrustAnchor object is?
>>
>> So, I think what you should do is skip the constraints check if it
>> contains the jdkCA constraint and the trust anchor is null, because you
>> need the trust anchor in order to do the check. I would also log a
>> warning with a debug message in this case.
>>
>> --Sean
>
> I believe this is what you're looking for.  I changed AlgorithmChecker
> to allow a null TrustAnchor and undid much of the other code to protect
> against nulls.
>
> webrev: http://cr.openjdk.java.net/~ascarpino/8165274/webrev.03/

Right, that's more along the lines I was thinking.

Thanks,
Sean
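
The decision discussed in this thread, sketched as an added example that is not code from the webrev or from the JDK: a constraint scoped to jdkCA cannot be evaluated without a trust anchor, so it is skipped and logged rather than guessed at. The types `Anchor` and `Constraint`, the `check` method and the sample values are hypothetical stand-ins; the skip is a fail-open path, which is why the warning is emitted.

```java
import java.util.List;
import java.util.Locale;
import java.util.logging.Logger;

// Hypothetical model of the null-TrustAnchor handling discussed above; not JDK code.
public class JdkCaConstraintDemo {
    private static final Logger LOG = Logger.getLogger("certpath-demo");

    enum Result { PERMITTED, REJECTED, SKIPPED }

    // Stand-in for a trust anchor: only whether it ships in the JDK cacerts matters here.
    record Anchor(String subject, boolean jdkCa) {}

    // One disabled-algorithm entry, e.g. "SHA1 jdkCA" -> new Constraint("SHA1", true).
    record Constraint(String algorithm, boolean jdkCaOnly) {}

    static Result check(String sigAlg, Anchor anchor, List<Constraint> constraints) {
        Result result = Result.PERMITTED;
        String alg = sigAlg.toUpperCase(Locale.ROOT);
        for (Constraint c : constraints) {
            if (!alg.contains(c.algorithm().toUpperCase(Locale.ROOT))) {
                continue;                      // constraint is for another algorithm
            }
            if (!c.jdkCaOnly()) {
                return Result.REJECTED;        // unconditional ban needs no anchor
            }
            if (anchor == null) {
                // The jdkCA test needs the anchor; without one, skip and leave a trace.
                LOG.warning("jdkCA constraint on " + c.algorithm()
                        + " skipped: no trust anchor available");
                result = Result.SKIPPED;
                continue;
            }
            if (anchor.jdkCa()) {
                return Result.REJECTED;        // chain ends at a JDK-shipped root
            }
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed sample data.
        List<Constraint> cs = List.of(new Constraint("SHA1", true),
                                      new Constraint("MD5", false));
        Anchor jdkRoot = new Anchor("CN=Constructed JDK Root", true);
        Anchor privateRoot = new Anchor("CN=Constructed Private Root", false);
        System.out.println(check("SHA1withRSA", jdkRoot, cs));
        System.out.println(check("SHA1withRSA", privateRoot, cs));
        System.out.println(check("SHA1withRSA", null, cs));
        System.out.println(check("MD5withRSA", null, cs));
    }
}
```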
