RFR: 8251468: X509Certificate.get{Subject, Issuer}AlternativeNames does not throw CertificateParsingException if extension is unparseable
Weijun Wang
weijun at openjdk.java.net
Mon Oct 25 14:23:08 UTC 2021
On Mon, 25 Oct 2021 12:53:43 GMT, Sean Mullan <mullan at openjdk.org> wrote:
> The JDK implementation (as supplied by the "SUN" provider) of `X509Certificate::getSubjectAlternativeNames` and `X509Certificate::getIssuerAlternativeNames` returns `null` instead of throwing a `CertificateParsingException` when the extension is unparseable.
>
> This fix changes the behavior to comply with the specification.
>
> CSR: https://bugs.openjdk.java.net/browse/JDK-8275822
How about other `X509Certificate` methods that get info of an extension?
src/java.base/share/classes/sun/security/x509/X509CertImpl.java line 1618:
> 1616: }
> 1617: SubjectAlternativeNameExtension subjectAltNameExt =
> 1618: getSubjectAlternativeNameExtension();
Does it make sense to let the line above throw an exception? I see the method is called in several places (`X509CertSelector`, `Builder`, etc.). What is the correct behavior in those places?
src/java.base/share/classes/sun/security/x509/X509CertImpl.java line 1691:
> 1689: }
> 1690: IssuerAlternativeNameExtension issuerAltNameExt =
> 1691: getIssuerAlternativeNameExtension();
Same comment as above, but this method seems to be only called once in src.
test/jdk/java/security/cert/GetSubjectAlternativeNames/NullRFC822Name.java line 37:
> 35: */
> 36: public class NullRFC822Name {
> 37:
Adding a comment showing the ASN.1 fields would be a relief for the reader. OpenSSL shows:
// 430:d=4 hl=2 l= 11 cons: SEQUENCE
// 432:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name
// 437:d=5 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:30028100
-------------
PR: https://git.openjdk.java.net/jdk/pull/6106
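The behaviour under discussion, as an added Python illustration that is not JDK code and not part of this thread: a small DER decoder for the GeneralNames value of a SAN/IAN extension that returns None when the extension is absent and raises a stand-in for `CertificateParsingException` when the content is malformed. It is run on the `30028100` value from the OpenSSL dump above (a SEQUENCE holding an rfc822Name of length zero) and on a constructed well-formed value, and contrasts the spec-mandated result with the pre-fix "return null" result described in the PR. The class `CertificateParsingError`, the function names, the tag table and the sample inputs are assumptions made for this example.

```python
# Added example (not JDK code): decode a Subject/Issuer Alternative Name extension
# value and distinguish "extension absent" from "extension present but unparseable".
from typing import List, Optional, Tuple


class CertificateParsingError(Exception):
    """Stand-in for java.security.cert.CertificateParsingException (assumption)."""


# Primitive GeneralName CHOICE tags handled here (RFC 5280 section 4.2.1.6).
# Constructed alternatives such as [0] otherName or [4] directoryName are
# treated as unparseable by this illustration, which is a simplification.
GENERAL_NAME_TAGS = {
    0x81: "rfc822Name",                 # [1] IA5String
    0x82: "dNSName",                    # [2] IA5String
    0x86: "uniformResourceIdentifier",  # [6] IA5String
    0x87: "iPAddress",                  # [7] OCTET STRING (4 or 16 octets)
}


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value triple starting at pos; returns (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise CertificateParsingError("truncated DER: expected tag and length")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise CertificateParsingError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise CertificateParsingError("truncated DER: value exceeds buffer")
    return tag, buf[pos:end], end


def parse_general_names(ext_value: Optional[bytes]) -> Optional[List[Tuple[str, str]]]:
    """Decode the OCTET STRING contents of a SAN/IAN extension.

    None in -> None out (extension absent). Malformed content raises
    CertificateParsingError, which is what the X509Certificate spec requires.
    """
    if ext_value is None:
        return None
    tag, seq, end = _read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise CertificateParsingError("GeneralNames must be a single SEQUENCE")
    names: List[Tuple[str, str]] = []
    pos = 0
    while pos < len(seq):
        tag, value, pos = _read_tlv(seq, pos)
        kind = GENERAL_NAME_TAGS.get(tag)
        if kind is None:
            raise CertificateParsingError(f"unsupported GeneralName tag 0x{tag:02x}")
        if kind == "iPAddress":
            if len(value) not in (4, 16):
                raise CertificateParsingError("iPAddress must be 4 or 16 octets")
            text = ".".join(str(b) for b in value) if len(value) == 4 else value.hex()
        else:
            # The value from the review's dump is an rfc822Name of length zero;
            # an empty name is rejected rather than silently accepted.
            if len(value) == 0:
                raise CertificateParsingError(f"{kind} may not be empty")
            try:
                text = value.decode("ascii")
            except UnicodeDecodeError as e:
                raise CertificateParsingError(f"{kind} is not a valid IA5String") from e
        names.append((kind, text))
    return names


def get_san_old_behaviour(ext_value: Optional[bytes]) -> Optional[List[Tuple[str, str]]]:
    """Pre-fix behaviour described in the PR: a parse failure is swallowed and
    reported as None, indistinguishable from an absent extension."""
    try:
        return parse_general_names(ext_value)
    except CertificateParsingError:
        return None


def san_outcome(ext_value: Optional[bytes]) -> str:
    """Summarise the spec-conformant result as a short string for callers/tests."""
    try:
        names = parse_general_names(ext_value)
    except CertificateParsingError as e:
        return f"unparseable: {e}"
    return "absent" if names is None else f"ok: {len(names)} name(s)"


def _tlv(tag: int, value: bytes) -> bytes:
    """Short-form DER encoder used only to construct the sample input."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value


# Constructed sample inputs. MALFORMED_SAN is the extension value from the
# OpenSSL dump in the review: SEQUENCE { [1] rfc822Name, length 0 }.
MALFORMED_SAN = bytes.fromhex("30028100")
WELLFORMED_SAN = _tlv(0x30, _tlv(0x81, b"a@example.org")
                      + _tlv(0x82, b"example.org")
                      + _tlv(0x87, bytes([192, 0, 2, 1])))

if __name__ == "__main__":
    for label, ext in (("absent", None), ("malformed", MALFORMED_SAN), ("well-formed", WELLFORMED_SAN)):
        print(f"{label:12} spec: {san_outcome(ext)!r:45} old: {get_san_old_behaviour(ext)!r}")
```

The point the decoder makes is the one the PR description makes: before the fix, the malformed and absent cases both came back as `null`, so a caller could not tell a certificate with no SAN from one whose SAN it was unable to read.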