JDK-8076117

EndEntityChecker should not process custom extensions after PKIX validation

Details

    • Resolved In Build: b61
    • Verification: Verified


Description

When checking extensions in an end entity certificate, if sun.security.validator.EndEntityChecker comes across any extensions that are critical and unknown, it throws an exception, even if those extensions had already been checked by custom PKIXCertPathCheckers (specified in the PKIXParameters) earlier in the validation by PKIXValidator.

When validating a certification path with sun.security.validator.Validator, if the Validator is a PKIXValidator, the extensions of all certificates are checked with PKIXCertPathCheckers during the path validation. Then, Validator calls EndEntityChecker at the end of the validation, and throws an exception if there are any unresolved critical extensions, even though they were checked previously by PKIXCertPathCheckers. This check by EndEntityChecker is redundant and should not happen after validation with a PKIXValidator.

On the other hand, if the Validator is a SimpleValidator, the path validation doesn't check for unsupported critical extensions in the end entity certificate, and leaves that up to EndEntityChecker, which *should* continue to check for unresolved critical extensions.
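The custom checker the description refers to, as an added example that is not code from the JDK or from the fix for this issue: a PKIXCertPathChecker that validates a hypothetical private critical extension (the OID below is a placeholder) and removes it from the unresolved set, which is what lets PKIX path validation accept the certificate; the trust anchors passed to the helper are assumed to be supplied by the caller.

```java
import java.security.InvalidAlgorithmParameterException;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.Set;

/** Handles a hypothetical private critical extension during PKIX validation. */
public final class PrivateExtensionChecker extends PKIXCertPathChecker {
    // Placeholder OID for this constructed example; not a registered extension.
    private static final String PRIVATE_OID = "1.3.6.1.4.1.99999.1";

    @Override
    public void init(boolean forward) { /* stateless: no per-path setup needed */ }

    @Override
    public boolean isForwardCheckingSupported() { return true; }

    @Override
    public Set<String> getSupportedExtensions() {
        return Collections.singleton(PRIVATE_OID);
    }

    @Override
    public void check(Certificate cert, Collection<String> unresolvedCritExts)
            throws CertPathValidatorException {
        X509Certificate x509 = (X509Certificate) cert;
        byte[] der = x509.getExtensionValue(PRIVATE_OID);   // null if absent
        if (der == null) {
            return;
        }
        // Application-specific validation of the DER-encoded value goes here;
        // an empty value is treated as malformed and fails the path.
        if (der.length == 0) {
            throw new CertPathValidatorException("empty value for " + PRIVATE_OID);
        }
        // Removing the OID marks the critical extension as resolved, so the PKIX
        // validator does not reject it as unknown. In builds affected by this
        // issue, EndEntityChecker still rejected the same extension afterwards.
        unresolvedCritExts.remove(PRIVATE_OID);
    }

    /** Builds PKIXParameters with this checker registered (assumed caller-supplied anchors). */
    public static PKIXParameters paramsWithChecker(Set<TrustAnchor> anchors)
            throws InvalidAlgorithmParameterException {
        PKIXParameters params = new PKIXParameters(anchors);
        params.addCertPathChecker(new PrivateExtensionChecker());
        return params;
    }
}
```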


People

    • Assignee: Jason Uh
    • Reporter: Sean Mullan
