[jdk17u-dev] RFR: 8296072: CertAttrSet::encode and DerEncoder::derEncode should write into DerOutputStream

Tue Mar 4 12:07:33 UTC 2025

I backport this for parity with 17.0.16-oracle.

I had to resolve a hand full of files, but the conflicts are all
trivial. Wasn't there the copyright change in SignerOrder.java
I think it would be clean.

src/java.base/share/classes/sun/security/pkcs/SignerInfo.java
src/java.base/share/classes/sun/security/pkcs10/PKCS10Attributes.java
Removed import by hand.

src/java.base/share/classes/sun/security/util/DerEncoder.java
Trivial resolve due to context

src/java.base/share/classes/sun/security/util/DerOutputStream.java
Removed import by hand.

src/java.base/share/classes/sun/security/x509/BasicConstraintsExtension.java
Resolved due to context.

src/java.base/share/classes/sun/security/x509/CRLExtensions.java
Code formatted differently.

src/java.base/share/classes/sun/security/x509/CRLNumberExtension.java
There is a dead variable in the context.

src/java.base/share/classes/sun/security/x509/CertificateIssuerExtension.java
Copyright.

src/java.base/share/classes/sun/security/x509/DeltaCRLIndicatorExtension.java
There is a dead variable in the context.

src/java.base/share/classes/sun/security/x509/Extension.java
A bit more complex, but straight forward to resolve.

src/java.base/share/classes/sun/security/x509/FreshestCRLExtension.java
Resolve imports.

src/java.base/share/classes/sun/security/x509/InvalidityDateExtension.java
src/java.base/share/classes/sun/security/x509/IssuingDistributionPointExtension.java
test/jdk/sun/security/pkcs/pkcs7/SignerOrder.java
Copyright

A follow up is needed: [JDK-8296167](https://bugs.openjdk.org/browse/JDK-8296167). It is included
here.

I ran all of the following tests, and they pass:
test/jdk/sun/security/

I had a look at the related issues.
All of them were pushed after this change.
Some are clear cleanups, marked as enhancements. Others
are labeled as bug, but as I understand they are not
caused by this change, so they aren't required follow ups.
They rather are deficiencies of the previous implementation
and fixing them depended on this change, so they could all
be finished after pushing this.  In detail:

Bug JDK-8297723 asn1Encode methods in Kerberos throw IOException and Asn1Exception
 Cleanup of exceptions. Not yet fixed. No issue for 17, omit.
Bug JDK-8296736 Some PKCS9Attribute can be created but cannot be encoded
  This looks like a useful bugfix, but I don't think it is directly related.
  It was opened and fixed right after this change here.
Bug JDK-8296741 Illegal X400Address and EDIPartyName should not be created
  Another bugfix filed and fixed right after this change here.
Bug JDK-8296742 Illegal X509 Extension should not be created
  A large change, also a bugfix filed and fixed right after this change here.
Bug JDK-8297065 DerOutputStream operations should not throw IOExceptions
  Rather an enhancement coming after this here.  Don't backport.
Enhancement JDK-8296142 CertAttrSet::(getName|getElements|delete) are mostly useless
Enhancement JDK-8296143 CertAttrSet's set/get mechanism is not type-safe
Enhancement JDK-8296612 CertAttrSet is useless
  These three enhancements are cleanups. Huge. Don't backport.
Bug JDK-8296442 EncryptedPrivateKeyInfo can be created with an uninitialized AlgorithmParameters
Bug JDK-8296900 CertificateValidity fields are not optional
Bug JDK-8296901 Do not create unsigned certificate and CRL
  These three also came after this here.

-------------

Commit messages:
 - Backport da0ae5128a250bb7a5c6a7484589528db8220ed2
 - Backport 0d0bd7bd409c0caa5edebe3d1eacf8e5bb48f984

Changes: https://git.openjdk.org/jdk17u-dev/pull/3313/files
  Webrev: https://webrevs.openjdk.org/?repo=jdk17u-dev&pr=3313&range=00
  Issue: https://bugs.openjdk.org/browse/JDK-8296072
  Stats: 345 lines in 51 files changed: 30 ins; 135 del; 180 mod
  Patch: https://git.openjdk.org/jdk17u-dev/pull/3313.diff
  Fetch: git fetch https://git.openjdk.org/jdk17u-dev.git pull/3313/head:pull/3313

PR: https://git.openjdk.org/jdk17u-dev/pull/3313