JDK-8169745

Discourage the use of SunX509 trust manager


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 9
    • Component/s: docs
    • CPU: generic
    • OS: generic

      Description

      The SunX509 trust manager is implemented in SimpleValidator.java for compatibility only, and no new features will be added to it. The PKIX trust manager is the default and recommended trust manager.

      The SunX509 validator/trust manager implementation has only ever checked a known set of critical extensions. The supported extensions are whitelisted in sun/security/validator/EndEntityChecker.java; if a certificate carries a critical extension that is not on that list, it cannot pass SunX509 validation. The PKIX validator/trust manager supports a richer set of extensions and features.

      In the Oracle Providers documentation, it currently says:

      "SunX509: A factory for X509ExtendedTrustManager instances that validate certificate chains according to the rules defined by the IETF PKIX working group in RFC 3280 or its successor."

      This is misleading: the SunX509 trust manager does not support all of the required extensions (and probably other requirements) of RFC 3280, so it is not strictly compliant with that RFC. We should also discourage its use, and update the RFC 3280 references to RFC 5280 throughout the document.
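      As an added illustration (not code from the JDK or from this issue), the following Java snippet requests the recommended PKIX algorithm explicitly instead of SunX509, attaches PKIX revocation checking (which the SunX509 SimpleValidator does not perform), and reports if the JVM-wide default factory algorithm still resolves to SunX509. The trust-store path and password are assumed to arrive as command-line arguments.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.util.EnumSet;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class PkixTrustManagerExample {

    // True when the JVM default (security property ssl.TrustManagerFactory.algorithm)
    // still resolves to the legacy SunX509 factory.
    public static boolean defaultIsSunX509() {
        return "SunX509".equalsIgnoreCase(TrustManagerFactory.getDefaultAlgorithm());
    }

    // Builds a PKIX trust manager factory from a trust store and enables revocation
    // checking through the PKIX CertPathBuilder's revocation checker.
    public static TrustManagerFactory pkixFactory(KeyStore trustStore) throws Exception {
        PKIXBuilderParameters params =
                new PKIXBuilderParameters(trustStore, new X509CertSelector());
        PKIXRevocationChecker revocation = (PKIXRevocationChecker)
                CertPathBuilder.getInstance("PKIX").getRevocationChecker();
        // SOFT_FAIL tolerates unreachable CRL/OCSP sources; remove it for strict checking.
        revocation.setOptions(EnumSet.of(PKIXRevocationChecker.Option.SOFT_FAIL));
        params.addCertPathChecker(revocation);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX"); // not "SunX509"
        tmf.init(new CertPathTrustManagerParameters(params));
        return tmf;
    }

    public static void main(String[] args) throws Exception {
        if (defaultIsSunX509()) {
            System.err.println("warning: default TrustManagerFactory algorithm is SunX509");
        }
        // Assumed: args[0] is the trust-store path, args[1] its password.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[0])) {
            trustStore.load(in, args[1].toCharArray());
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, pkixFactory(trustStore).getTrustManagers(), null);
        System.out.println("SSLContext initialised with a PKIX trust manager");
    }
}
```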


              People

              Assignee:
              jgordon Joni Gordon (Inactive)
              Reporter:
              xuelei Xue-Lei Fan
              Votes:
              0
              Watchers:
              2
