The updated fix looks good to me.
--Sean
On 3/29/17 4:38 AM, Weijun Wang wrote:
Webrev updated at
http://cr.openjdk.java.net/~weijun/8177569/webrev.01
Changes since last version:
- Trusted cert entries in the current keystore are also trusted. See the
new isTrusted() method.
- A cert is treated as a root CA cert only if -trustcacerts is specified.
- In the current keytool documentation, -trustcacerts is only designed
for -importcert, and it should have no effect on other commands.
Therefore the internal trustcacerts flag is reset when command is not
IMPORTCERT. We might re-consider this in a future release (JDK-8177760).
- Several checkWeak() calls are moved before keyStore change so the
check is only based on original keystore content. This prevents a new
cert treated trusted while it is being -import'ed.
- Test modifications.
Thanks
Max
On 03/27/2017 09:43 AM, Weijun Wang wrote:
Please take a review at
http://cr.openjdk.java.net/~weijun/8177569/webrev.00/
Since our implementation of CertPath validation does not check for the
signature algorithm of a root CA, keytool should not warn about its
weakness either.
Thanks
Max
