7018897: CertPath validation cannot handle self-signed cert with bad KeyUsage
Summary: Remove KeyUsage checking for trust anchors
Reviewed-by: mullan
--- a/jdk/src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java Mon Feb 14 11:00:02 2011 -0800
+++ b/jdk/src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java Mon Feb 14 13:31:13 2011 -0800
@@ -231,13 +231,6 @@
AdaptableX509CertSelector issuerSelector =
new AdaptableX509CertSelector();
- // check trusted certificate's key usage
- boolean[] usages = trustedCert.getKeyUsage();
- if (usages != null) {
- usages[5] = true; // keyCertSign
- issuerSelector.setKeyUsage(usages);
- }
-
// check trusted certificate's subject
issuerSelector.setSubject(firstCert.getIssuerX500Principal());