JDK-7113275

compatibility issue with MD2 trust anchor and old X509TrustManager

    Details

    • Subcomponent:
    • Resolved In Build: b15
    • CPU: generic
    • OS: generic
    • Verification: Verified

        Description

        In JDK 7, we have two types of trust managers, X509TrustManager and X509ExtendedTrustManager. X509ExtendedTrustManager was introduced in JDK 7 in order to support TLS 1.2. The Oracle provider will use X509ExtendedTrustManager in JDK 7. Applications may still use X509TrustManager as the superclass of their customized trust managers. For compatibility, we have to wrap these trust managers into X509ExtendedTrustManager so that they can work with TLS 1.2.

        Additional constraints checks may be performed by the customized trust manager. But some other customized trust managers may not perform the constraints check in their implementation. So we may need additional checking to ensure that the wrapped trust manager also does the constraints checking properly, although it may already have been done in the customized trust manager.

        The issue here is that for a customized trust manager, we also check the constraints for trust anchors. So when a trust anchor is signed with the MD2 algorithm, it will be denied by the wrapped trust manager.
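
        The wrapping and additional constraints check described above can be modelled as follows. This is an added example, not the JDK's internal code: the class name `WrappedTrustManager`, the `checkAnchor` flag and the hard-coded MD2 rule are assumptions for illustration. With `checkAnchor` set to true, a chain that ends in an MD2-signed trust anchor is denied as this report describes; with false, a final certificate that the wrapped manager lists as an accepted issuer is exempt from the check.

```java
import java.net.Socket;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Locale;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509TrustManager;

// Hypothetical wrapper for illustration; not the JDK's internal class.
public class WrappedTrustManager extends X509ExtendedTrustManager {
    private final X509TrustManager legacy;   // the application's X509TrustManager
    private final boolean checkAnchor;       // true = behaviour described in this report

    public WrappedTrustManager(X509TrustManager legacy, boolean checkAnchor) {
        this.legacy = legacy;
        this.checkAnchor = checkAnchor;
    }

    // Additional constraints check, run after the wrapped manager accepts the chain.
    void checkConstraints(X509Certificate[] chain) throws CertificateException {
        int end = chain.length;
        X509Certificate[] issuers = legacy.getAcceptedIssuers();  // may be null in lax implementations
        // A trust anchor is trusted by configuration, not by its own signature.
        if (!checkAnchor && end > 0 && issuers != null
                && Arrays.asList(issuers).contains(chain[end - 1])) {
            end--;
        }
        for (int i = 0; i < end; i++) {
            String alg = chain[i].getSigAlgName().toUpperCase(Locale.ROOT);
            if (alg.startsWith("MD2")) {     // assumed constraint: MD2 is disabled
                throw new CertificateException("Algorithm constraints check failed: "
                        + alg + " on " + chain[i].getSubjectX500Principal());
            }
        }
    }

    @Override public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException {
        legacy.checkClientTrusted(c, a); checkConstraints(c);
    }
    @Override public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
        legacy.checkServerTrusted(c, a); checkConstraints(c);
    }
    // The wrapped manager has no Socket/SSLEngine overloads, so these use the two-argument forms.
    @Override public void checkClientTrusted(X509Certificate[] c, String a, Socket s) throws CertificateException { checkClientTrusted(c, a); }
    @Override public void checkServerTrusted(X509Certificate[] c, String a, Socket s) throws CertificateException { checkServerTrusted(c, a); }
    @Override public void checkClientTrusted(X509Certificate[] c, String a, SSLEngine e) throws CertificateException { checkClientTrusted(c, a); }
    @Override public void checkServerTrusted(X509Certificate[] c, String a, SSLEngine e) throws CertificateException { checkServerTrusted(c, a); }
    @Override public X509Certificate[] getAcceptedIssuers() { return legacy.getAcceptedIssuers(); }
}
```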

                People

                • Assignee: xuelei Xue-Lei Fan
                • Reporter: xuelei Xue-Lei Fan