JDK-6958869 : regression: PKIXValidator fails when multiple trust anchors have same dn
  • Type: Bug
  • Status: Closed
  • Resolution: Fixed
  • Component: security-libs
  • Sub-Component: java.security
  • Priority: P2
  • Affected Version: 7
  • OS: generic
  • CPU: generic
  • Submit Date: 2010-06-06
  • Updated Date: 2011-03-07
  • Resolved Date: 2011-03-07
  • JDK 6: 6u21 (Resolved)
  • JDK 7: 7 b100 (Fixed)
Description
The fix for 6948803 breaks PKIXValidator: it checks the head of an input chain using a Map<X500Principal,Cert>. If there are multiple trust anchors with the same DN, this map is not complete. In this case, a trust anchor might be checked as an intermediate CA. Since the check for an intermediate CA is much more restrictive, some valid chains are rejected.

Comments
EVALUATION http://hg.openjdk.java.net/jdk7/tl/jdk/rev/b1ec20722051
2010-06-11

EVALUATION Change Map<X500Principal,Cert> into Map<X500Principal,List<Cert>> so that it's complete.
2010-06-08
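
The following is an added example, not code from the JDK or from this bug report: a simplified model of why a one-certificate-per-DN index loses a trust anchor and how the list-valued map from the evaluation keeps both. The `Cert` record, the method names and the sample DN are hypothetical stand-ins (a real validator works on `X509Certificate` objects), and the model assumes the lookup asks whether the chain head is itself a trust anchor.

```java
import java.util.*;
import javax.security.auth.x500.X500Principal;

public class SameDnAnchors {
    // Hypothetical stand-in for an X509Certificate: subject DN plus a label for its key.
    record Cert(X500Principal subject, String keyLabel) {}

    // Lossy index (the shape named in the description): one certificate per subject DN.
    static Map<X500Principal, Cert> indexSingle(List<Cert> anchors) {
        Map<X500Principal, Cert> m = new HashMap<>();
        for (Cert c : anchors) m.put(c.subject(), c); // a later anchor replaces an earlier one
        return m;
    }

    // Complete index (the shape named in the evaluation): all certificates per subject DN.
    static Map<X500Principal, List<Cert>> indexMulti(List<Cert> anchors) {
        Map<X500Principal, List<Cert>> m = new HashMap<>();
        for (Cert c : anchors) m.computeIfAbsent(c.subject(), k -> new ArrayList<>()).add(c);
        return m;
    }

    // Is the head of the chain one of the trust anchors? (single-valued lookup)
    static boolean headIsAnchorSingle(Map<X500Principal, Cert> idx, Cert head) {
        return head.equals(idx.get(head.subject()));
    }

    // Same question against the list-valued index: every anchor with that DN is compared.
    static boolean headIsAnchorMulti(Map<X500Principal, List<Cert>> idx, Cert head) {
        return idx.getOrDefault(head.subject(), List.of()).contains(head);
    }

    public static void main(String[] args) {
        // Constructed sample: two trust anchors sharing one DN but holding different keys.
        X500Principal dn = new X500Principal("CN=Example Root CA, O=Example, C=US");
        Cert oldRoot = new Cert(dn, "key-2005");
        Cert newRoot = new Cert(dn, "key-2010");
        List<Cert> anchors = List.of(oldRoot, newRoot);

        Map<X500Principal, Cert> single = indexSingle(anchors);
        Map<X500Principal, List<Cert>> multi = indexMulti(anchors);

        // For each anchor used as a chain head, report whether each index recognises it.
        for (Cert head : anchors) {
            System.out.printf("%s: single-valued=%b, list-valued=%b%n", head.keyLabel(),
                    headIsAnchorSingle(single, head), headIsAnchorMulti(multi, head));
        }
    }
}
```

In this model the anchor that was overwritten in the single-valued map is no longer recognised as a trust anchor, which is the condition under which the description says it gets checked as an intermediate CA instead. Records require Java 16 or later.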