RFR: 8251468: X509Certificate.get{Subject, Issuer}AlternativeNames does not throw CertificateParsingException if extension is unparseable
Sean Mullan
mullan at openjdk.java.net
Mon Oct 25 20:20:04 UTC 2021
On Mon, 25 Oct 2021 18:29:34 GMT, Weijun Wang <weijun at openjdk.org> wrote:
>> To clarify, do you mean this code in `getExtension(ObjectIdentifier)` that swallows the exception?:
>>
>> ```
>> } catch (IOException ioe) {
>>     return null;
>> }
>> ```
>
> That's probably a little deeper and changing it will have a mass effect. What about at the `getIssuerAlternativeNameExtension` level?
Unless I am misunderstanding your comment, I don't think this is an issue in practice. The code inside the `X509CertImpl.getExtension` method only throws an Exception if invalid OIDs or attribute names are passed to the internal `get` methods of `X509CertInfo` and `CertificateExtensions`, which isn't possible when you are passing in known values/attributes. I think this is why the code swallows the exceptions and returns null, but it would be nice to have a comment explaining that.
-------------
PR: https://git.openjdk.java.net/jdk/pull/6106