Loading...

XML

Word

Printable

Type: Bug
Resolution: Fixed
Priority: P4
Fix Version/s: 9
Affects Version/s: None
Component/s: security-libs
Labels:

Subcomponent:
java.security
Resolved In Build:
b61
Verification:
Verified

Issue	Fix Version	Assignee	Priority	Status	Resolution	Resolved In Build
JDK-8084673	emb-9	Jason Uh	P4	Resolved	Fixed	team
JDK-8212515	8u202	Ivan Gerasimov	P4	Resolved	Fixed	b01
JDK-8208941	8u201	Ivan Gerasimov	P4	Resolved	Fixed	b01
JDK-8198298	8u192	Ivan Gerasimov	P4	Resolved	Fixed	b01
JDK-8199821	8u191	Ivan Gerasimov	P4	Resolved	Fixed	b01
JDK-8201388	8u181	Ivan Gerasimov	P4	Resolved	Fixed	b02
JDK-8199833	8u172	Ivan Gerasimov	P4	Resolved	Fixed	b31
JDK-8199038	8u162	Ivan Gerasimov	P4	Closed	Fixed	b36
JDK-8216842	emb-8u201	Ivan Gerasimov	P4	Resolved	Fixed	master
JDK-8211531	emb-8u191	Ivan Gerasimov	P4	Resolved	Fixed	master
JDK-8203146	emb-8u181	Ivan Gerasimov	P4	Resolved	Fixed	b02
JDK-8208730	openjdk7u	Ivan Gerasimov	P4	Resolved	Fixed	master

When checking extensions in an end entity certificate, if sun.security.validator.EndEntityChecker comes across any extensions that are critical and unknown, it throws an exception, even if those extensions had already been checked by custom PKIXCertPathCheckers (specified in the PKIXParameters) earlier in the validation by PKIXValidator.

When validating a certification path with sun.security.validator.Validator, if the Validator is a PKIXValidator, the extensions of all certificates are checked with PKIXCertPathCheckers during the path validation. Then, Validator calls EndEntityChecker at the end of the validation, and throws an exception if there are any unresolved critical extensions, even though they were checked previously by PKIXCertPathCheckers. This check by EndEntityChecker is redundant and should not happen after validation with a PKIXValidator.

On the other hand, if the Validator is a SimpleValidator, the path validation doesn't check for unsupported critical extensions in the end entity certificate, and leaves that up to EndEntityChecker, which *should* continue to check for unresolved critical extensions.

backported by

JDK-8084673 EndEntityChecker should not process custom extensions after PKIX validation

Resolved

JDK-8198298 EndEntityChecker should not process custom extensions after PKIX validation

Resolved

JDK-8199821 EndEntityChecker should not process custom extensions after PKIX validation

Resolved

JDK-8199833 EndEntityChecker should not process custom extensions after PKIX validation

Resolved

JDK-8201388 EndEntityChecker should not process custom extensions after PKIX validation

Resolved

JDK-8203146 EndEntityChecker should not process custom extensions after PKIX validation

Resolved

JDK-8208730 EndEntityChecker should not process custom extensions after PKIX validation

Resolved

JDK-8208941 EndEntityChecker should not process custom extensions after PKIX validation

Resolved

JDK-8211531 EndEntityChecker should not process custom extensions after PKIX validation

Resolved

JDK-8212515 EndEntityChecker should not process custom extensions after PKIX validation

Resolved

JDK-8216842 EndEntityChecker should not process custom extensions after PKIX validation

Resolved

JDK-8199038 EndEntityChecker should not process custom extensions after PKIX validation

Closed

duplicates

JDK-8197545 EndEntityChecker should not process custom extensions after PKIX validation

Closed

links to

Review

(7 backported by, 1 duplicates, 1 links to)

Assignee:: Jason Uh (Inactive)

Reporter:: Sean Mullan

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2015-03-26 13:53

Updated:: 2019-01-13 22:37

Resolved:: 2015-04-14 13:44

Details

Backports

Description

Attachments

Issue Links

Activity

People

Dates