[7u40] Request for Phase 2 approval for 8014805: NPE is thrown during certpath validation if certificate does not have AuthorityKeyIdentifier extension (original) (raw)

Vincent Ryan vincent.x.ryan at oracle.com
Tue Jun 25 03:29:38 PDT 2013

The testcase to verify the fix: jdk/test/closed/java/security/cert/CertPathValidator/OCSP/ValidateUsingOCSPCache.java

I've added a link to a recent JPRT test run to my justification comment:

https://jbs.oracle.com/bugs/browse/JDK-8014805?focusedCommentId=13343010&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13343010

On 24 Jun 2013, at 21:50, Seán Coffey wrote:

Vinnie,

likewise - what testing was performed ? regards, Sean. On 24/06/13 12:41, Vincent Ryan wrote: Hello all,

Please approve the following fix for 7u40: Bug: http://bugs.sun.com/viewbug.do?bugid=8014805 Webrev: http://cr.openjdk.java.net/~vinnie/8014805/webrev.00/ Code review: http://mail.openjdk.java.net/pipermail/security-dev/2013-June/007886.html This simple fix corrects the way an Authority Key Identifier (AKID) X.509 certificate extension is handled during OCSP certificate validation. Two forms of AKID are permitted: hash-based and name/serial number based. The fix for 7168191 (7u6) added a check to match AKIDs when distinguishing certificates with the same subject name. This fix corrects that check to handle the rare case when a certificate contains a non-hash-based AKID. This problem does not occur in JDK 8 (because a different code path is used). Thanks.

More information about the jdk7u-dev mailing list