[7u] code review request: 8014805: NPE is thrown during certpath validation if certificate does not have AuthorityKeyIdentifier extension (original) (raw)

Sean Mullan sean.mullan at oracle.com
Mon Jun 24 19:28:05 UTC 2013

Looks good.

--Sean

On 06/24/2013 02:33 PM, Vincent Ryan wrote:

I've updated the webrev to address your comments: http://cr.openjdk.java.net/~vinnie/8014805/webrev.02/

Thanks.

On 24 Jun 2013, at 16:24, Sean Mullan wrote: On 06/24/2013 10:38 AM, Vincent Ryan wrote: Hello all,

The fix to handle Authority Key IDs also applies to Subject Key IDs so I've duplicated the changes: http://cr.openjdk.java.net/~vinnie/8014805/webrev.01 1211 subjectKeyId = id.getIdentifier(); Should "id" be "ki"? Yes. Also, these 2 methods are not thread-safe, which could cause issues if the same certificates are used in multiple threads. This is an existing issue with the methods, but unless this is a demonstrable performance issue, I think you should change them to not cache the subject/authKeyIds and just generate them each time the methods are invoked. Agreed. --Sean

Thanks.

On 24 Jun 2013, at 12:42, Vincent Ryan wrote: Thanks. On 22 Jun 2013, at 01:19, Xuelei Fan wrote: Looks fine to me.

Xuelei On 6/21/2013 11:46 PM, Vincent Ryan wrote: Please review this fix for 7u:

http://cr.openjdk.java.net/~vinnie/8014805/webrev.00/ http://bugs.sun.com/bugdatabase/viewbug.do?bugid=8014805 It corrects the NPE that occurs when verifying an X.509 cert that has an Authority Key ID extension present but it is not in the hash-based format. This problem does not occur in JDK 8. Thanks.

More information about the security-dev mailing list