Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8076117

EndEntityChecker should not process custom extensions after PKIX validation

    XMLWordPrintable

Details

    • b61
    • Verified

    Backports

      Description

        When checking extensions in an end entity certificate, if sun.security.validator.EndEntityChecker comes across any extensions that are critical and unknown, it throws an exception, even if those extensions had already been checked by custom PKIXCertPathCheckers (specified in the PKIXParameters) earlier in the validation by PKIXValidator.

        When validating a certification path with sun.security.validator.Validator, if the Validator is a PKIXValidator, the extensions of all certificates are checked with PKIXCertPathCheckers during the path validation. Then, Validator calls EndEntityChecker at the end of the validation, and throws an exception if there are any unresolved critical extensions, even though they were checked previously by PKIXCertPathCheckers. This check by EndEntityChecker is redundant and should not happen after validation with a PKIXValidator.

        On the other hand, if the Validator is a SimpleValidator, the path validation doesn't check for unsupported critical extensions in the end entity certificate, and leaves that up to EndEntityChecker, which *should* continue to check for unresolved critical extensions.

        Attachments

          Issue Links

            backported by

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8084673 EndEntityChecker should not process custom extensions after PKIX validation

            • P4 - Minor loss of function, or other problem where easy workaround is present.
            • Resolved

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8198298 EndEntityChecker should not process custom extensions after PKIX validation

            • P4 - Minor loss of function, or other problem where easy workaround is present.
            • Resolved

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8199821 EndEntityChecker should not process custom extensions after PKIX validation

            • P4 - Minor loss of function, or other problem where easy workaround is present.
            • Resolved

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8199833 EndEntityChecker should not process custom extensions after PKIX validation

            • P4 - Minor loss of function, or other problem where easy workaround is present.
            • Resolved

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8201388 EndEntityChecker should not process custom extensions after PKIX validation

            • P4 - Minor loss of function, or other problem where easy workaround is present.
            • Resolved

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8203146 EndEntityChecker should not process custom extensions after PKIX validation

            • P4 - Minor loss of function, or other problem where easy workaround is present.
            • Resolved

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8208730 EndEntityChecker should not process custom extensions after PKIX validation

            • P4 - Minor loss of function, or other problem where easy workaround is present.
            • Resolved

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8208941 EndEntityChecker should not process custom extensions after PKIX validation

            • P4 - Minor loss of function, or other problem where easy workaround is present.
            • Resolved

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8211531 EndEntityChecker should not process custom extensions after PKIX validation

            • P4 - Minor loss of function, or other problem where easy workaround is present.
            • Resolved

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8212515 EndEntityChecker should not process custom extensions after PKIX validation

            • P4 - Minor loss of function, or other problem where easy workaround is present.
            • Resolved

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8216842 EndEntityChecker should not process custom extensions after PKIX validation

            • P4 - Minor loss of function, or other problem where easy workaround is present.
            • Resolved

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8199038 EndEntityChecker should not process custom extensions after PKIX validation

            • P4 - Minor loss of function, or other problem where easy workaround is present.
            • Closed
            duplicates

            Bug - A problem which impairs or prevents the functions of the product. JDK-8197545 EndEntityChecker should not process custom extensions after PKIX validation

            • P3 - Major loss of function.
            • Closed
            links to

            Web Link Review

            Activity

              People

                juh Jason Uh (Inactive)
                mullan Sean Mullan
                Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                  Created:
                  Updated:
                  Resolved: