RFR: 8213952: Relax DNSName restriction as per RFC 1123

Fri Nov 16 21:27:25 UTC 2018

Hello Sean,

I was only looking at the inspected DNSName class, it still has some variations (but start now with DNSNames which is good already):

  76 throw new IOException("DNSName must not be null or empty");
  78 throw new IOException("DNSNames or NameConstraints with blank components are not permitted");
  80 throw new IOException("DNSNames or NameConstraints may not begin or end with a .");
  92 throw new IOException("DNSName SubjectAltNames with empty components are not permitted");
 96 throw new IOException("DNSName components must begin with a letter or digit");
101 throw new IOException("DNSName components must consist of letters, digits, and hyphens");

I did not check if those exceptions are catched and rethrown with something like „while validating the SubjectAltName Extension <num> of certificate <subject>...“, in my experience it helps if you do not have to find and review the actual certificates (in this case it might not be a problem if SAN is only in the end entity). You can probably remove „or NameConstraints“ and „SubjectAltNames“ from lines 78-92 (this is good if DNsName applies to SAN or NameConstrained context and the validation logic does not know — so it’s not only more unified but also less missleading)

BTW: probably not inthe scope of this fix but a subtype for validation errors which have getters for context/location and maybe error code and getValue() would allow callers to print nicer validation reports without relying on the message or Stacktraces.

Gruss
Bernd
--
http://bernd.eckenfels.net

________________________________
Von: Seán Coffey <sean.coffey at oracle.com>
Gesendet: Freitag, November 16, 2018 5:15 PM
An: Bernd Eckenfels; security-dev at openjdk.java.net
Betreff: Re: RFR: 8213952: Relax DNSName restriction as per RFC 1123

Thanks for the comments Bernd. comments inline..

On 16/11/18 12:40, Bernd Eckenfels wrote:
You could also add (a..b, false) and (.a, false), (a., false) to the testcases.
good point. test updated.

I noticed that there are different types of Exception messages (DNS name, DNSName, DNS Name or name constrained, DNS name and SAN), would be good if all of them have the same keyword?
I cleaned up some other references to DNSName in the sun.security.x509 package. I'm not sure what classes you were referencing the above examples from.

new webrev : http://cr.openjdk.java.net/~coffeys/webrev.8213952.v2/webrev/

regards,
Sean.

Gruss
Bernd
--
http://bernd.eckenfels.net

________________________________
Von: security-dev <security-dev-bounces at openjdk.java.net><mailto:security-dev-bounces at openjdk.java.net> im Auftrag von Seán Coffey <sean.coffey at oracle.com><mailto:sean.coffey at oracle.com>
Gesendet: Freitag, November 16, 2018 12:25 PM
An: OpenJDK Dev list
Betreff: RFR: 8213952: Relax DNSName restriction as per RFC 1123

Looking to make an adjustment to DNSName constructor to help comply with
RFC 1123

https://bugs.openjdk.java.net/browse/JDK-8213952
http://cr.openjdk.java.net/~coffeys/webrev.8213952/webrev/

regards,
Sean.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20181116/6cadd620/attachment.htm>