-
Enhancement
-
Resolution: Unresolved
-
P3
-
None
-
None
-
None
The PKIX KeyManagerFactory algorithm is underspecified. It does not provide sufficient information for an independent implementation to be compatible. The standard algorithm document [1] says:
"A factory for X509ExtendedKeyManagers that manage X.509 certificate-based key pairs for local side authentication according to the rules defined by the IETF PKIX working group in RFC 3280 or its successor. The KeyManagerFactory must support initialization using the class javax.net.ssl.KeyStoreBuilderParameters."
The OpenJDK implementation never calls a PKIX CertPathValidator or CertPathBuilder. It needs to be more specific that it is a filtering mechanism, and avoids selecting certificates that would not be PKIX compliant. It also needs to be more specific about how it uses the KeyStoreBuilderParameters.
[1] http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#KeyManagerFactory
"A factory for X509ExtendedKeyManagers that manage X.509 certificate-based key pairs for local side authentication according to the rules defined by the IETF PKIX working group in RFC 3280 or its successor. The KeyManagerFactory must support initialization using the class javax.net.ssl.KeyStoreBuilderParameters."
The OpenJDK implementation never calls a PKIX CertPathValidator or CertPathBuilder. It needs to be more specific that it is a filtering mechanism, and avoids selecting certificates that would not be PKIX compliant. It also needs to be more specific about how it uses the KeyStoreBuilderParameters.
[1] http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#KeyManagerFactory
- is blocked by
-
-
- Open
-