Re: RFR[15]: 8186143: keytool -ext option doesn’t accept wildcards for DNS subject alternative names
Jamil Nimeh
jamil.j.nimeh at oracle.com
Fri Mar 13 19:24:00 UTC 2020
Hello Hai-May,
The fix overall looks good. One or two comments about the test:
* 103: I think the comment might be more clear saying something like
"partial wildcard disallowed" since it's not the "*" in and of
itself that's the issue, it's that the next character following it
isn't a domain separator (".").
* A similar badSanNames test case (I think) that walks a different
code path would be something like "a*.com". Although the test on
line 95 might walk the same code path... If so, then no need to add
anything else.
--Jamil
On 3/13/2020 9:25 AM, Hai-May Chao wrote:
> Hi,
>
> I need a code review for -
>
> Bug: https://bugs.openjdk.java.net/browse/JDK-8186143
> Webrev: http://cr.openjdk.java.net/~weijun/8186143/webrev.00/
>
> The keytool -ext option doesn’t accept wildcards for DNS subject alternative names in certificates. Certificates with wildcarded domains are useful for allowing domain names under a common subdomain to share the same certificate.
>
> The fix involves adding a new DNSName constructor with an additional boolean flag ‘allowWildcard’.
>
> Thank you,
> Hai-May
>
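
The rule discussed in this thread (a "*" is acceptable only when the next character is the domain separator "."), as an added example that is not code from the webrev or from the JDK. The class `WildcardSanCheck`, the method `isAcceptableDnsSan`, the label character set, and the sample names are assumptions made for illustration; the check also assumes the wildcard must be the entire leftmost label.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class WildcardSanCheck {

    // Hypothetical helper (not the JDK's DNSName): accepts a DNS SAN value
    // where "*" may appear only as the entire leftmost label.
    static boolean isAcceptableDnsSan(String name) {
        if (name == null || name.isEmpty()
                || name.startsWith(".") || name.endsWith(".")) {
            return false;
        }
        String[] labels = name.split("\\.", -1);
        for (int i = 0; i < labels.length; i++) {
            String label = labels[i];
            if (label.isEmpty()) {
                return false;               // empty component, e.g. "a..com"
            }
            if (label.equals("*")) {
                // Wildcard must be the first label and must be followed by
                // at least one ordinary label ("*." + something).
                if (i != 0 || labels.length < 2) {
                    return false;
                }
                continue;
            }
            // Any other label: letters, digits and hyphen only (assumed set),
            // so a "*" mixed into a label ("*a", "a*") is a partial wildcard.
            if (!label.matches("[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?")) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample names; the value is the expected verdict.
        Map<String, Boolean> cases = new LinkedHashMap<>();
        cases.put("*.example.com", true);
        cases.put("www.example.com", true);
        cases.put("*a.example.com", false);    // "*" not followed by "."
        cases.put("a*.com", false);            // name suggested in the review
        cases.put("www.*.example.com", false); // wildcard not in first label
        cases.put("*", false);                 // nothing after the wildcard
        cases.forEach((name, expected) -> {
            boolean got = isAcceptableDnsSan(name);
            System.out.printf("%-20s accepted=%-5b %s%n", name, got,
                    got == expected ? "ok" : "MISMATCH");
        });
    }
}
```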