RFR 8054537: sun.security.x509.SerialNumber constructor should not accept negative numbers

Wang Weijun weijun.wang at oracle.com
Fri Jul 8 00:55:44 UTC 2016


Hi Svetlana

According to http://tools.ietf.org/html/rfc5280#section-4.1.2.2:

   Note: Non-conforming CAs may issue certificates with serial numbers
   that are negative or zero.  Certificate users SHOULD be prepared to
   gracefully handle such certificates.

This means that although a modern library/tool MUST NOT create negative serial numbers, it is required to support an existing certificate with a negative serial number.

At least in jdk/src/java.base/share/classes/sun/security/ssl/StatusResponseManager.java:

257   CertId cid = new CertId(chain[1],
258           new SerialNumber(chain[0].getSerialNumber()));

It is reading an existing serial number.

JDK is mainly about parsing certificates and if I remember correctly the only place it creates one is in keytool, and the tool has already made sure serial numbers are non-negative.

I would close this bug as not-an-issue.

Other suggestions are welcome.

Thanks
Max


> On Jul 8, 2016, at 2:29 AM, Svetlana Nikandrova <svetlana.nikandrova at oracle.com> wrote:
> 
> Hello,
> 
> could you please review this simple fix.
> Issue:
> https://bugs.openjdk.java.net/browse/JDK-8054537
> Webrev:
> http://cr.openjdk.java.net/~snikandrova/8054537/webrev.00/
> 
> Description:
> Added check if SerialNumber constructor's parameter is negative.
> 
> Thank you,
> Svetlana
> 
> 

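The split the thread draws (a consumer parses whatever serial is on the wire, an issuer refuses to create a non-positive one) as an added example. This is not code from the thread or from the JDK; it is a small DER INTEGER encoder/decoder in Python with the issuer-side check placed where RFC 5280 puts the obligation. The helper names (der_encode_integer, decode_serial, is_conforming_serial, new_serial) and the sample byte strings are this example's own and are constructed for illustration.

```python
"""DER INTEGER handling for the X.509 serialNumber field.

Added example, not code from the mailing-list thread or from the JDK. A
certificate consumer decodes the value sign and all, including the zero or
negative serials that RFC 5280 section 4.1.2.2 says non-conforming CAs may
emit; the issuing side is where a negativity check belongs.
"""

MAX_SERIAL_OCTETS = 20  # RFC 5280 4.1.2.2: conforming CAs use at most 20 octets


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def der_encode_integer(value: int) -> bytes:
    """Encode an int as a DER INTEGER: tag 0x02, minimal two's complement."""
    body = value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True)
    # Exact negative powers of two (-128, -32768, ...) get one 0xFF too many.
    if len(body) > 1 and body[0] == 0xFF and body[1] & 0x80:
        body = body[1:]
    return b"\x02" + _der_length(len(body)) + body


def decode_serial(der: bytes) -> int:
    """Consumer side: parse a DER INTEGER and return its value, sign included.

    Structural errors (wrong tag, truncation, non-minimal encoding) are
    rejected because they are not DER at all. A negative or zero value is
    valid DER that merely breaks the CA's obligations, so it is returned
    as-is for the caller to handle gracefully.
    """
    if len(der) < 3 or der[0] != 0x02:
        raise ValueError("not a DER INTEGER")
    first = der[1]
    if first < 0x80:
        length, body_start = first, 2
    else:
        len_octets = first & 0x7F
        if len_octets == 0 or len_octets > 4 or len(der) < 2 + len_octets:
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(der[2:2 + len_octets], "big")
        body_start = 2 + len_octets
    body = der[body_start:body_start + length]
    if length == 0 or len(body) != length:
        raise ValueError("truncated INTEGER")
    if len(body) > 1 and (
        (body[0] == 0x00 and not body[1] & 0x80)
        or (body[0] == 0xFF and body[1] & 0x80)
    ):
        raise ValueError("non-minimal INTEGER encoding is not DER")
    return int.from_bytes(body, "big", signed=True)


def is_conforming_serial(value: int) -> bool:
    """True if a conforming CA could have issued this serial (RFC 5280 4.1.2.2):
    positive, and at most 20 content octets once DER-encoded."""
    return value > 0 and value.bit_length() // 8 + 1 <= MAX_SERIAL_OCTETS


def new_serial(value: int) -> bytes:
    """Issuer side: the only place that should refuse a non-positive serial."""
    if not is_conforming_serial(value):
        raise ValueError("serialNumber MUST be positive and at most 20 octets")
    return der_encode_integer(value)


if __name__ == "__main__":
    # Constructed sample: a CA drew the random serial 0x800001 and forgot the
    # leading 0x00 pad, so the high bit reads as a sign bit on the wire.
    on_the_wire = b"\x02\x03\x80\x00\x01"
    parsed = decode_serial(on_the_wire)
    print("parsed serial:", parsed, "conforming:", is_conforming_serial(parsed))
    print("correct issuer encoding:", new_serial(0x800001).hex())
    try:
        new_serial(parsed)
    except ValueError as err:
        print("issuer refuses:", err)
```

The constructed sample is the usual way negative serials arise in practice: a random serial whose top bit is set, emitted without the 0x00 sign pad. In the JDK, X509Certificate.getSerialNumber() returns a BigInteger, and for such a certificate that BigInteger is negative; it is exactly the value the StatusResponseManager lines quoted above pass to new SerialNumber(...), which is why the constructor cannot reject it.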