sun.security.x509.DNSName leading dot in name constraints

Sean Mullan sean.mullan at oracle.com
Tue Jun 9 11:21:48 UTC 2015


-Bcc jdk9-dev

This question is more appropriate for security-dev, so I am copying that 
list for further discussion.

--Sean

On 06/09/2015 02:21 AM, Vyronas Tsingaras wrote:
> Hi all,
>
> I work for the Hellenic Academic and Research Institutions Certification Authority (https://www.harica.gr), a Root Certification Authority included in the NSS, Microsoft and Apple certificate stores. Our RootCA certificate uses the name constraints extension with a small error, instead of just gr, org and edu in the permitted subtrees it has .gr, .edu and .org. As a result certificates issued under our CA fail to verify with Java. We had the same issue with OpenSSL and gnuTLS but fortunately they modified their implementation to accommodate for our situation. I kindly ask if this is something that could also be done with OpenJDK, and if so what would be the best way to implement that. Currently we have a patch against the 'constrains' method of 'DNSName' that just ignores the leading dot in name constraints.
>
> Kind Regards,
> Vyronas Tsingaras,
> Aristotle University of Thessaloniki, IT Center
>


More information about the jdk9-dev mailing list