RFR: 8277976: Break up SEQUENCE in X509Certificate::getSubjectAlternativeNames and X509Certificate::getIssuerAlternativeNames in otherName [v2]
Sean Mullan
mullan at openjdk.java.net
Thu Feb 10 19:29:11 UTC 2022
On Thu, 10 Feb 2022 16:47:55 GMT, Weijun Wang <weijun at openjdk.org> wrote:
>> The enhancement adds two extra items in the `getSubjectAlternativeNames()` output for an OtherName.
>>
>> It also fixes several errors:
>> 1. In `OtherName.java`, `nameValue` should be the value inside `CONTEXT [0]` without the tag and length bytes.
>> 2. The argument in constructor `extClass.getConstructor(Object.class)` is suspicious. Maybe it meant `byte[]`.
>
> Weijun Wang has updated the pull request incrementally with one additional commit since the last revision:
>
> wording, title
One issue with this change is that there is no guarantee when or if a 3rd party provider will support these additional elements for OtherNames. In a worst case scenario, code may get an IOOBException if they assume there will be a 3rd or fourth element and there isn't. There is no perfect solution for this. I would suggest rewording the new text with a "may", and adding an @implNote stating that the SUN provider supports this feature. Something like:
* otherNames are returned as a byte array
* containing the ASN.1 DER encoded form of the name, and
* may also return a third entry in the list containing its {@code type-id} in string
* format, and a fourth entry containing the ASN.1 DER encoding of
* its {@code value} without the context-specific constructed tag
* with number 0.
*
* @implNote The JDK SUN provider supports the third and fourth otherName elements.
-------------
PR: https://git.openjdk.java.net/jdk/pull/7167
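The provider-dependence raised in the review above, shown as an added example that is not code from the PR or the JDK: a consumer of `getSubjectAlternativeNames()` that uses the third and fourth otherName elements when a provider returns them, and otherwise decodes the OtherName DER itself, so it never assumes a third or fourth element exists. The class name, the sample type-id `1.2.3.4.5` and the UTF8String value are constructed for the demo; it assumes Java 17 (records and pattern `instanceof`).

```java
import java.util.Arrays;
import java.util.List;

/** Added example (not JDK code). Handles SAN entries of the shape
 *  [Integer 0, byte[] otherNameDer, (optional) String typeId, (optional) byte[] value]. */
public final class OtherNameSanExample {

    /** type-id as a dotted OID string; value as DER without the context-specific [0] wrapper. */
    public record OtherName(String typeId, byte[] value) {}

    /** Use elements 3 and 4 only if the provider supplied them; never index past the list size. */
    public static OtherName fromSanEntry(List<?> entry) {
        if (entry.size() < 2 || !(entry.get(0) instanceof Integer type) || type != 0
                || !(entry.get(1) instanceof byte[] der)) {
            throw new IllegalArgumentException("not an otherName SAN entry");
        }
        if (entry.size() >= 4 && entry.get(2) instanceof String oid && entry.get(3) instanceof byte[] val) {
            return new OtherName(oid, val);      // provider (e.g. SUN) exposed the broken-up form
        }
        return parseOtherName(der);              // third-party provider: decode the DER ourselves
    }

    /** Decode OtherName ::= SEQUENCE { type-id OBJECT IDENTIFIER, value [0] EXPLICIT ANY }. */
    public static OtherName parseOtherName(byte[] der) {
        int[] seq = readTlv(der, 0);
        if (seq[0] != 0x30) throw new IllegalArgumentException("OtherName is not a SEQUENCE");
        int[] oid = readTlv(der, seq[1]);
        if (oid[0] != 0x06) throw new IllegalArgumentException("type-id is not an OID");
        int[] ctx = readTlv(der, oid[2]);
        if (ctx[0] != 0xA0) throw new IllegalArgumentException("value is not [0] constructed");
        if (ctx[2] != seq[2]) throw new IllegalArgumentException("trailing bytes in OtherName");
        // Return the inner TLV of [0], i.e. the value without the context-specific tag and length.
        return new OtherName(decodeOid(der, oid[1], oid[2]), Arrays.copyOfRange(der, ctx[1], ctx[2]));
    }

    /** Read one TLV header at off; returns {tag, contentStart, contentEnd}. Rejects indefinite length. */
    private static int[] readTlv(byte[] der, int off) {
        if (off + 2 > der.length) throw new IllegalArgumentException("truncated DER");
        int tag = der[off] & 0xFF;
        int len = der[off + 1] & 0xFF;
        int pos = off + 2;
        if (len == 0x80) throw new IllegalArgumentException("indefinite length is not DER");
        if (len > 0x80) {                        // long form: low 7 bits = number of length octets
            int n = len & 0x7F;
            len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (der[pos++] & 0xFF);
        }
        if (pos + len > der.length) throw new IllegalArgumentException("truncated DER");
        return new int[] { tag, pos, pos + len };
    }

    /** Base-128 OID decoding; first octet group encodes the first two arcs together. */
    private static String decodeOid(byte[] b, int start, int end) {
        StringBuilder sb = new StringBuilder();
        long sub = 0;
        boolean first = true;
        for (int i = start; i < end; i++) {
            sub = (sub << 7) | (b[i] & 0x7F);
            if ((b[i] & 0x80) == 0) {
                if (first) {
                    long a = sub < 80 ? sub / 40 : 2;
                    sb.append(a).append('.').append(sub - a * 40);
                    first = false;
                } else {
                    sb.append('.').append(sub);
                }
                sub = 0;
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: SEQUENCE { OID 1.2.3.4.5, [0] { UTF8String "alice" } }
        byte[] otherNameDer = {
            0x30, 0x0F, 0x06, 0x04, 0x2A, 0x03, 0x04, 0x05,
            (byte) 0xA0, 0x07, 0x0C, 0x05, 'a', 'l', 'i', 'c', 'e' };
        byte[] valueDer = Arrays.copyOfRange(otherNameDer, 10, 17);   // the UTF8String TLV alone
        // With a real certificate this would be cert.getSubjectAlternativeNames().
        List<List<?>> sans = List.of(
            List.of(0, otherNameDer, "1.2.3.4.5", valueDer),    // SUN-style four-element entry
            List.of(0, otherNameDer));                          // two-element entry from another provider
        for (List<?> entry : sans) {
            OtherName on = fromSanEntry(entry);
            System.out.println(on.typeId() + " -> " + Arrays.toString(on.value()));
        }
    }
}
```

Both entries print `1.2.3.4.5 -> [12, 5, 97, 108, 105, 99, 101]`: the fallback parser produces exactly the bytes the four-element form carries as its fourth entry, which is the property callers should rely on rather than the list length.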