On 11/29/2016 5:22 AM, Sean Mullan wrote:
On 11/27/16 7:43 AM, Xuelei Fan wrote:
On 11/27/2016 6:04 PM, Wang Weijun wrote:
This is not only a test update.
No, I happened to find an implementation issue with the new test, so fix
it altogether. The issue is that the simple validator
(SimpleValidator.java) does not support SKID/AKID during cert path
build. If two trusted certs has the same subject, the simple validator
may not be able to find the right one.
We have had issues in the PKIX CertPathBuilder with matching on
AKID/SKID when building certpaths, so we want to be careful not to
introduce a similar issue. See this bug for more information:
https://bugs.openjdk.java.net/browse/JDK-8072463
I have not reviewed the fix enough to know if this issue applies here
but please double-check it.
The KID are used for best effort matching in this update. If no KIDs
get matched, the previous behavior is reserved. Should be safe, I think.
Xuelei
--Sean
Thanks,
Xuelei
On Nov 27, 2016, at 9:35 AM, Xuelei Fan <xuelei....@oracle.com> wrote:
Hi,
Please review this test update:
http://cr.openjdk.java.net/~xuelei/8170329/webrev.00/
The new template (SSLSocketTemplate.java) could be used to avoid the
anti-free-port issues. By using sub-classes of it, the new one can
simplify the general SSLSocket test code significantly.
Thanks,
Xuelei
