RFR: 8251468: X509Certificate.get{Subject, Issuer}AlternativeNames does not throw CertificateParsingException if extension is unparseable

Sean Mullan mullan at openjdk.java.net
Mon Oct 25 15:16:09 UTC 2021


On Mon, 25 Oct 2021 14:17:56 GMT, Weijun Wang <weijun at openjdk.org> wrote:

>> The JDK implementation (as supplied by the "SUN" provider) of `X509Certificate::getSubjectAlternativeNames` and `X509Certificate::getIssuerAlternativeNames` returns `null` instead of throwing a `CertificateParsingException` when the extension is unparseable.
>> 
>> This fix changes the behavior to comply with the specification.
>> 
>> CSR: https://bugs.openjdk.java.net/browse/JDK-8275822
>
> src/java.base/share/classes/sun/security/x509/X509CertImpl.java line 1618:
> 
>> 1616:         }
>> 1617:         SubjectAlternativeNameExtension subjectAltNameExt =
>> 1618:             getSubjectAlternativeNameExtension();
> 
> Does it make sense to let the line above throwing an exception? I see the method is called in several places (`X509CertSelector`, `Builder`, etc). What is the correct behavior in those places?

To clarify, do you mean this code in `getExtension(ObjectIdentifier)` that swallows the exception?


        } catch (IOException ioe) {
            return null;
        }

-------------

PR: https://git.openjdk.java.net/jdk/pull/6106
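The behaviour under discussion matters to callers: before the fix, an unparseable SAN extension and a certificate with no SAN extension both come back as `null` from `getSubjectAlternativeNames`, so a caller cannot tell "nothing to check" from "could not decode". The following caller-side check is an added example written for this thread, not code from the PR or the JDK; `SanCheck` and `hasDnsSan` are hypothetical names, and the constant `2` is the dNSName type tag documented in the `X509Certificate.getSubjectAlternativeNames` Javadoc. It fails closed on both the specified signal (`CertificateParsingException`) and the old one (`null`).

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;

/** Hypothetical helper illustrating a fail-closed SAN hostname check. */
public final class SanCheck {
    /** GeneralName type tag for dNSName, per the getSubjectAlternativeNames Javadoc. */
    private static final int DNS_NAME = 2;

    /**
     * Returns true only if the certificate carries a dNSName SAN entry equal to
     * expectedHost (case-insensitively). Any condition under which the SAN list
     * cannot be produced yields false: a CertificateParsingException (the
     * behaviour the specification requires for an unparseable extension) and a
     * null result (no extension, or an unparseable one on JDKs without this fix).
     */
    public static boolean hasDnsSan(X509Certificate cert, String expectedHost) {
        Collection<List<?>> sans;
        try {
            sans = cert.getSubjectAlternativeNames();
        } catch (CertificateParsingException e) {
            // The extension is present but could not be decoded: refuse to match.
            return false;
        }
        if (sans == null) {
            // No SAN extension, or (pre-fix JDK) an undecodable one; either way no match.
            return false;
        }
        for (List<?> entry : sans) {
            // Each entry is [Integer type, Object value]; dNSName values are Strings.
            Integer type = (Integer) entry.get(0);
            Object value = entry.get(1);
            if (type != null && type == DNS_NAME && value instanceof String) {
                if (((String) value).equalsIgnoreCase(expectedHost)) {
                    return true;
                }
            }
        }
        return false;
    }

    private SanCheck() {
    }
}
```

Usage: `SanCheck.hasDnsSan(cert, "example.test")` after obtaining `cert` from a `CertificateFactory` or an SSL session. Treating the `null` case as "no match" rather than "no constraint" is what keeps the check correct on JDKs that predate the fix.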
