JDK-7113275

compatibility issue with MD2 trust anchor and old X509TrustManager


    • b15
    • generic
    • generic
    • Verified

        In JDK 7, we have two types of trust managers, X509TrustManager and X509ExtendedTrustManager. X509ExtendedTrustManager was introduced in JDK 7 in order to support TLS 1.2. The Oracle provider will use X509ExtendedTrustManager in JDK 7. Applications may still use X509TrustManager as the superclass of their customized trust managers. For compatibility, we have to wrap these trust managers into X509ExtendedTrustManager so that they can work with TLS 1.2.

        Additional constraints checks may be performed by the customized trust manager. But some other customized trust managers may not perform the constraints check in their implementation. So we may need the additional checking to ensure the wrapped trust manager also does the constraints checking properly, although it may have been done in the customized trust manager.

        The issue here is that for a customized trust manager, we also check the constraints for trust anchors. So when a trust anchor is signed with the MD2 algorithm, it will be denied by the wrapped trust manager.
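
One way to wrap a legacy X509TrustManager so that the extra signature-algorithm check covers the presented chain but not the trust anchor. This is an added example, not JDK code and not taken from this report; the class name `ConstraintCheckingTrustManager` and the MD2-only policy are assumptions made for illustration.

```java
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.net.ssl.X509TrustManager;

// Hypothetical wrapper (not JDK code): delegates to a legacy X509TrustManager,
// then applies a signature-algorithm check that leaves the trust anchor out.
public final class ConstraintCheckingTrustManager implements X509TrustManager {
    private static final String DISABLED_PREFIX = "MD2WITH"; // assumed policy: reject MD2 signatures
    private final X509TrustManager delegate;

    public ConstraintCheckingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        delegate.checkServerTrusted(chain, authType); // the application's own decision comes first
        checkSignatureAlgorithms(chain);
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        delegate.checkClientTrusted(chain, authType);
        checkSignatureAlgorithms(chain);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }

    private void checkSignatureAlgorithms(X509Certificate[] chain) throws CertificateException {
        X509Certificate[] issuers = delegate.getAcceptedIssuers();
        Set<X509Certificate> anchors = new HashSet<>();
        if (issuers != null) anchors.addAll(Arrays.asList(issuers)); // tolerate a null return
        int end = chain.length;
        // If the chain ends in one of the delegate's own anchors, that certificate is trusted
        // by configuration, so the algorithm of its self-signature is not examined.
        if (end > 0 && anchors.contains(chain[end - 1])) end--;
        for (int i = 0; i < end; i++) {
            String sigAlg = chain[i].getSigAlgName().toUpperCase(Locale.ROOT);
            if (sigAlg.startsWith(DISABLED_PREFIX)) {
                throw new CertificateException("Disabled signature algorithm: " + sigAlg);
            }
        }
    }
}
```

With this shape, an MD2-signed root that the delegate lists in `getAcceptedIssuers()` no longer fails the handshake, while an MD2-signed end-entity or intermediate certificate is still rejected.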

              xuelei Xuelei Fan