Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8257497

Update keytool to create AKID from the SKID of the issuing certificate as specified by RFC 5280

    XMLWordPrintable

Details

    Backports

      Description

        When using keytool to generate a certificate and have it signed with an
        existing CA, keytool creates the Authority Key Identifier extension based on
        the CA's public key.

        Section "4.2.1.1. Authority Key Identifier" of RFC5280 states the following:
        "Where a key identifier has been previously established, the CA SHOULD use
        the previously established identifier."

        So if the CA certificate was not generated by keytool(in our case, RSA
        Cert-J), its Subject Key Identifier might have been generated slightly
        differently, i.e., not just the public key but with some other pieces of
        data. The end result is that when the new certificate is used in TLS
        communication, the client may throw a certpath validation error(although the
        CA is indeed in the trust store)

        Attachments

          Issue Links

            backported by

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8266549 Update keytool to create AKID from the SKID of the issuing certificate as specified by RFC 5280

            • P3 - Major loss of function.
            • Resolved

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8271847 Update keytool to create AKID from the SKID of the issuing certificate as specified by RFC 5280

            • P3 - Major loss of function.
            • Resolved

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8278054 Update keytool to create AKID from the SKID of the issuing certificate as specified by RFC 5280

            • P3 - Major loss of function.
            • Resolved
            links to

            Commit Commit openjdk/jdk11u-dev/0c783b06

            Commit Commit openjdk/jdk/05301f5f

            Review Review openjdk/jdk11u-dev/167

            Review Review openjdk/jdk/2343

            Activity

              People

                hchao Haimay Chao
                shadowbug Shadow Bug
                Votes:
                0 Vote for this issue
                Watchers:
                6 Start watching this issue

                Dates

                  Created:
                  Updated:
                  Resolved: