
List:       openjdk-security-dev
Subject:    Re: Code Review Request JDK-8170329 New SSLSocket testing template
From:       Sean Mullan <sean.mullan () oracle ! com>
Date:       2016-11-29 13:22:49
Message-ID: 632e2e00-591a-542d-cadc-4d8ce45f6742 () oracle ! com

On 11/27/16 7:43 AM, Xuelei Fan wrote:
> On 11/27/2016 6:04 PM, Wang Weijun wrote:
>> This is not only a test update.
>>
> No, I happened to find an implementation issue with the new test, so fix
> it altogether.  The issue is that the simple validator
> (SimpleValidator.java) does not support SKID/AKID during cert path
> build.  If two trusted certs have the same subject, the simple validator
> may not be able to find the right one.

We have had issues in the PKIX CertPathBuilder with matching on 
AKID/SKID when building certpaths, so we want to be careful not to 
introduce a similar issue. See this bug for more information:

https://bugs.openjdk.java.net/browse/JDK-8072463

I have not reviewed the fix enough to know if this issue applies here 
but please double-check it.

--Sean

>
> Thanks,
> Xuelei
>
>>> On Nov 27, 2016, at 9:35 AM, Xuelei Fan <xuelei.fan@oracle.com> wrote:
>>>
>>> Hi,
>>>
>>> Please review this test update:
>>>
>>>   http://cr.openjdk.java.net/~xuelei/8170329/webrev.00/
>>>
>>> The new template (SSLSocketTemplate.java) could be used to avoid the
>>> anti-free-port issues.  By using sub-classes of it, the new one can
>>> simplify the general SSLSocket test code significantly.
>>>
>>> Thanks,
>>> Xuelei
>>