JDK-8076117 : EndEntityChecker should not process custom extensions after PKIX validation
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Priority: P4
  • Status: Closed
  • Resolution: Fixed
  • Submitted: 2015-03-26
  • Updated: 2019-01-14
  • Resolved: 2015-04-14
Fix Versions
  • JDK 8: 8u162 (Fixed)
  • JDK 9: 9 b61 (Fixed)
  • Other: openjdk7u (Fixed)
Description
When checking extensions in an end entity certificate, if sun.security.validator.EndEntityChecker comes across any extensions that are critical and unknown, it throws an exception, even if those extensions had already been checked by custom PKIXCertPathCheckers (specified in the PKIXParameters) earlier in the validation by PKIXValidator.

When validating a certification path with sun.security.validator.Validator, if the Validator is a PKIXValidator, the extensions of all certificates are checked by the PKIXCertPathCheckers during path validation. Validator then calls EndEntityChecker at the end of the validation, which throws an exception if any critical extensions remain unresolved, even though the PKIXCertPathCheckers had already resolved them. This second check by EndEntityChecker is redundant and should not happen after validation with a PKIXValidator.

On the other hand, if the Validator is a SimpleValidator, the path validation doesn't check for unsupported critical extensions in the end entity certificate, and leaves that up to EndEntityChecker, which *should* continue to check for unresolved critical extensions.
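The following is an added example (not code from the JDK or from this report) of a custom PKIXCertPathChecker of the kind the description refers to: it resolves one private critical extension during PKIX path validation by removing its OID from the unresolved set. The OID is a constructed placeholder, and the driver assumes a PEM trust anchor and a leaf-first PEM chain passed as file arguments.

```java
import java.io.FileInputStream;
import java.security.cert.*;
import java.util.*;

/** Resolves one private critical extension during PKIX validation (added example). */
public final class PrivateExtensionChecker extends PKIXCertPathChecker {
    // Constructed placeholder OID; a real deployment uses its own registered arc.
    static final String PRIVATE_OID = "1.3.6.1.4.1.99999.1";
    private static final Set<String> SUPPORTED = Collections.singleton(PRIVATE_OID);

    @Override public void init(boolean forward) throws CertPathValidatorException {
        if (forward) throw new CertPathValidatorException("forward checking not supported");
    }
    @Override public boolean isForwardCheckingSupported() { return false; }
    @Override public Set<String> getSupportedExtensions() { return SUPPORTED; }

    @Override
    public void check(Certificate cert, Collection<String> unresolvedCritExts)
            throws CertPathValidatorException {
        X509Certificate x = (X509Certificate) cert;
        byte[] der = x.getExtensionValue(PRIVATE_OID);   // DER OCTET STRING or null
        if (der == null) return;                          // extension absent on this cert
        if (der.length < 4) {
            throw new CertPathValidatorException("malformed " + PRIVATE_OID + " in "
                    + x.getSubjectX500Principal());
        }
        // Removing the OID marks the critical extension as handled for this path.
        unresolvedCritExts.remove(PRIVATE_OID);
    }

    // Usage: java PrivateExtensionChecker anchor.pem chain.pem  (chain is leaf first)
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate anchor;
        try (FileInputStream in = new FileInputStream(args[0])) {
            anchor = (X509Certificate) cf.generateCertificate(in);
        }
        List<X509Certificate> chain = new ArrayList<>();
        try (FileInputStream in = new FileInputStream(args[1])) {
            for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
        }
        PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(anchor, null)));
        params.setRevocationEnabled(false);               // keep the example offline
        params.addCertPathChecker(new PrivateExtensionChecker());
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        cpv.validate(cf.generateCertPath(chain), params); // throws if the path is invalid
        System.out.println("path valid; " + PRIVATE_OID + " resolved by the custom checker");
    }
}
```

Through the public CertPathValidator API this succeeds; the bug above concerns the internal Validator used by the JSSE trust manager, where in unfixed releases EndEntityChecker rejected the same leaf certificate after the checker had already resolved the extension.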
Comments
Related security-dev discussion that prompted the creation of this bug: http://mail.openjdk.java.net/pipermail/security-dev/2015-March/011920.html
26-03-2015