Code Review Request, JDK-8146600 AVA Normalizer.Form issue

Wang Weijun weijun.wang at oracle.com
Mon Sep 19 01:46:12 UTC 2016


I am not sure of this change for several reasons:

1. I cannot find anywhere in RFC 2253 (or its new versions) mentioning normalizations. Do you know elsewhere?

2. It's not obvious to say "Hello, world!" and "Hello, world!" should be different if NFKD thinks they are.

3. Why not NFC? Although I didn't find normalization on X500 names in RFC 5280, I do see in several other cases NFV is used.

4. Is it possible to perform normalization before escaping special characters?

5. Why is normalization necessary? At least in RFC 5280 4.1.2.6, it says

           When the subject of the certificate is a CA, the subject
           field MUST be encoded in the same way as it is encoded in the
           issuer field (Section 4.1.2.4) in all certificates issued by
           the subject CA.

which implies comparison should be on encoding instead of toString.

Thanks
Max

> On Sep 15, 2016, at 8:09 AM, Xuelei Fan <xuelei.fan at oracle.com> wrote:
> 
> Hi,
> 
> Please review this fix:
>    http://cr.openjdk.java.net/~xuelei/8146600/webrev.00/
> 
> The Normalizer.Form.NFKD is used to normalize attribute-value assertion in X.509 certificate processing.  The normalizer may convert some UTF-8 character into ASCII code.  For example, ","(two bytes) will be converted to ","(one byte), and "Hello, world!" is normalized to "Hello, world!".  However, "Hello, world!" and "Hello, world!" should be different because of the comma code.  This conversion may result in unexpected weird behaviors for name comparing and conversions.
> 
> This fix will update to use "Normalizer.Form.NFD".
> 
> Thanks,
> Xuelei
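
Added example, not part of the original thread or of the webrev: how `java.text.Normalizer` treats two attribute values under NFKD, NFD and NFC, which is the difference the proposed fix and question 3 turn on. The class and method names are hypothetical, and U+FF0C (FULLWIDTH COMMA) is an assumed stand-in for the non-ASCII comma, since the archived text does not preserve the original character.

```java
import java.text.Normalizer;
import java.text.Normalizer.Form;

public class AvaNormalizationDemo {

    // Render a string as code points so look-alike characters are visible.
    static String codePoints(String s) {
        StringBuilder sb = new StringBuilder();
        s.codePoints().forEach(cp -> sb.append(String.format("U+%04X ", cp)));
        return sb.toString().trim();
    }

    // True when two attribute values become identical after normalization.
    static boolean sameAfter(Form form, String a, String b) {
        return Normalizer.normalize(a, form).equals(Normalizer.normalize(b, form));
    }

    public static void main(String[] args) {
        // Constructed sample values (assumptions, not taken from the bug report).
        String[][] pairs = {
            // ASCII comma vs. U+FF0C: related only by a compatibility mapping.
            {"Hello, world!", "Hello\uFF0C world!"},
            // Precomposed U+00E9 vs. 'e' + U+0301: canonically equivalent.
            {"caf\u00E9", "cafe\u0301"},
        };
        for (String[] p : pairs) {
            System.out.println(codePoints(p[0]));
            System.out.println(codePoints(p[1]));
            for (Form f : new Form[] {Form.NFKD, Form.NFD, Form.NFC}) {
                System.out.printf("  %-4s equal: %b%n", f, sameAfter(f, p[0], p[1]));
            }
        }
    }
}
```

Only NFKD makes the first pair compare equal, because it applies compatibility mappings; NFD and NFC keep the two commas distinct while all three forms still treat the canonically equivalent second pair as equal.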


