JDK-8076117

EndEntityChecker should not process custom extensions after PKIX validation


Details

  • b61
  • Verified


Description

When checking the extensions of an end entity certificate, sun.security.validator.EndEntityChecker throws an exception if it encounters any critical extension it does not recognize, even when that extension was already handled by a custom PKIXCertPathChecker (supplied in the PKIXParameters) earlier in the validation performed by PKIXValidator.

When a certification path is validated with sun.security.validator.Validator and the Validator is a PKIXValidator, the extensions of every certificate in the path are checked by the PKIXCertPathCheckers during path validation. The Validator then calls EndEntityChecker at the end of validation, which throws an exception if any critical extensions remain unresolved, even though they were already checked by the PKIXCertPathCheckers. This second check by EndEntityChecker is redundant and should not be performed after validation with a PKIXValidator.

If, on the other hand, the Validator is a SimpleValidator, path validation does not check the end entity certificate for unsupported critical extensions and leaves that to EndEntityChecker, which *should* continue to check for unresolved critical extensions.
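The scenario described above, as an added example that is not code from the issue or from the JDK: a custom PKIXCertPathChecker that handles a critical extension the platform does not know, first used with the public CertPathValidator API and then installed into the "PKIX" TrustManagerFactory through CertPathTrustManagerParameters, which is the route by which an application's checkers reach PKIXValidator and, after it, EndEntityChecker. The extension OID (a private-arc value) and the two PEM files read from the command line (the trust anchor, then the chain with the end entity certificate first) are assumptions made for the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;

/**
 * Added example, not code from JDK-8076117 or the JDK.
 * Assumptions: CUSTOM_EXT_OID is a hypothetical private-arc OID; args[0] is a PEM
 * file holding the trust anchor and args[1] a PEM file holding the chain, end
 * entity certificate first.
 */
public class CustomCriticalExtensionCheck {

    // Hypothetical OID of the application's own critical extension.
    static final String CUSTOM_EXT_OID = "1.3.6.1.4.1.99999.1";

    /** Checker that understands CUSTOM_EXT_OID and marks it resolved for the PKIX engine. */
    static final class CustomExtChecker extends PKIXCertPathChecker {
        @Override public void init(boolean forward) throws CertPathValidatorException {
            if (forward) throw new CertPathValidatorException("forward checking not supported");
        }
        @Override public boolean isForwardCheckingSupported() { return false; }
        @Override public Set<String> getSupportedExtensions() {
            return Collections.singleton(CUSTOM_EXT_OID);
        }
        @Override public void check(Certificate cert, Collection<String> unresolvedCritExts)
                throws CertPathValidatorException {
            X509Certificate x = (X509Certificate) cert;
            byte[] value = x.getExtensionValue(CUSTOM_EXT_OID);
            if (value == null) return;  // extension absent from this certificate: nothing to do
            // Application-specific validation of the DER-encoded value would go here.
            // Removing the OID tells the PKIX engine that this critical extension is handled.
            unresolvedCritExts.remove(CUSTOM_EXT_OID);
        }
    }

    /** Reads every certificate from a PEM file (assumed input, see class comment). */
    static List<X509Certificate> readPem(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            List<X509Certificate> out = new ArrayList<>();
            for (Certificate c : cf.generateCertificates(in)) out.add((X509Certificate) c);
            return out;
        }
    }

    public static void main(String[] args) throws Exception {
        X509Certificate anchor = readPem(args[0]).get(0);
        List<X509Certificate> chain = readPem(args[1]);  // end entity certificate first

        // 1. Public CertPathValidator: the custom checker resolves the extension,
        //    so PKIX path validation succeeds.
        PKIXParameters params =
                new PKIXParameters(Collections.singleton(new TrustAnchor(anchor, null)));
        params.setRevocationEnabled(false);  // keep the example offline
        params.addCertPathChecker(new CustomExtChecker());
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        CertPathValidator.getInstance("PKIX").validate(path, params);
        System.out.println("CertPathValidator: chain accepted");

        // 2. Same checker through the PKIX trust manager, i.e. the sun.security.validator
        //    path the issue discusses. Here EndEntityChecker runs after PKIXValidator; before
        //    the fix it rejects the end entity certificate because it does not recognize
        //    CUSTOM_EXT_OID, even though CustomExtChecker already resolved it.
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(null, null);
        ts.setCertificateEntry("anchor", anchor);
        PKIXBuilderParameters bp = new PKIXBuilderParameters(ts, new X509CertSelector());
        bp.setRevocationEnabled(false);
        bp.addCertPathChecker(new CustomExtChecker());
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(bp));
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        try {
            tm.checkServerTrusted(chain.toArray(new X509Certificate[0]), "RSA");
            System.out.println("X509TrustManager: chain accepted");
        } catch (CertificateException e) {
            System.out.println("X509TrustManager rejected the chain: " + e.getMessage());
        }
    }
}
```

Run it as `java CustomCriticalExtensionCheck anchor.pem chain.pem`. Step 1 shows that, from the PKIX engine's point of view, removing the OID from `unresolvedCritExts` is what makes a critical extension "resolved"; step 2 exercises the Validator path, where the outcome differs between a JDK with and without the fix. The check in step 2 is a real check, not merely a redundant one, on the "SunX509" factory, which accepts no CertPathParameters and so has no way to install the custom checker: there an end entity certificate carrying an unknown critical extension must still be rejected by EndEntityChecker, which is the SimpleValidator case the description asks to keep.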

People

juh Jason Uh (Inactive)
mullan Sean Mullan
