RFR 8054537: sun.security.x509.SerialNumber constructor should not accept negative numbers

Svetlana Nikandrova svetlana.nikandrova at oracle.com
Fri Jul 8 14:34:18 UTC 2016


Hi Max,

thank you for pointing this out. Sure, if this change will break 
existing certificates handling we shouldn't add this restriction.
If you don't mind I'll wait a little bit if anyone else wants to share 
his/her opinion on that topic and if not close it as "Not an issue" as 
you suggested.

Thank you,
Svetlana

On 08.07.2016 3:55, Wang Weijun wrote:
> Hi Svetlana
>
> According to http://tools.ietf.org/html/rfc5280#section-4.1.2.2:
>
>     Note: Non-conforming CAs may issue certificates with serial numbers
>     that are negative or zero.  Certificate users SHOULD be prepared to
>     gracefully handle such certificates.
>
> This means although a modern library/tool MUST NOT create negative serial numbers, it is required to support an existing certificate with a negative serial number.
>
> At least in jdk/src/java.base/share/classes/sun/security/ssl/StatusResponseManager.java:
>
> 257   CertId cid = new CertId(chain[1],
> 258           new SerialNumber(chain[0].getSerialNumber()));
>
> It is reading an existing serial number.
>
> JDK is mainly about parsing certificates and if I remember correctly the only place it creates one is in keytool, and the tool has already made sure serial numbers be non-negative.
>
> I would close this bug as not-an-issue.
>
> Other suggestions are welcome.
>
> Thanks
> Max
>
>
>> On Jul 8, 2016, at 2:29 AM, Svetlana Nikandrova <svetlana.nikandrova at oracle.com> wrote:
>>
>> Hello,
>>
>> could you please review this simple fix.
>> Issue:
>> https://bugs.openjdk.java.net/browse/JDK-8054537
>> Webrev:
>> http://cr.openjdk.java.net/~snikandrova/8054537/webrev.00/ <http://cr.openjdk.java.net/%7Esnikandrova/8054537/webrev.00/>
>>
>> Description:
>> Added check if SerialNumber constructor's parameter is negative.
>>
>> Thank you,
>> Svetlana
>>
>>



More information about the security-dev mailing list