RFR: 8277976: Break up SEQUENCE in X509Certificate::getSubjectAlternativeNames and X509Certificate::getIssuerAlternativeNames in otherName [v4]
Weijun Wang
weijun at openjdk.java.net
Tue Feb 15 14:40:19 UTC 2022
On Tue, 15 Feb 2022 09:10:22 GMT, Michael Osipov <duke at openjdk.java.net> wrote:
>> Weijun Wang has updated the pull request incrementally with one additional commit since the last revision:
>>
>> specifies the type of the 4th element
>
> src/java.base/share/classes/sun/security/x509/OtherName.java line 93:
>
>> 91: oid = in.getOID();
>> 92: DerValue derValue1 = in.getDerValue();
>> 93: if (!derValue1.isContextSpecific((byte)0)) {
>
> Where do you check for constructed (0x20)?
> E.g.:
>
> byte tag = buf.get();
> if (!(((tag >> CONTEXT_SPECIFIC_BIT) & 1) != 0 && ((tag >> CONSTRUCTED_BIT) & 1) != 0))
> throw new CertificateParsingException("Value must be explicitly encoded");
>
> int tagNumber = tag & 0xFF;
> tagNumber &= ~(1 << CONTEXT_SPECIFIC_BIT);
> tagNumber &= ~(1 << CONSTRUCTED_BIT);
>
> if (tagNumber != 0)
> throw new CertificateParsingException("Value tag number must be 0, but is " + tagNumber);
Oops, I should add an `isConstructed()` check.
> test/jdk/sun/security/x509/OtherName/Parse.java line 86:
>
>> 84: int found = 0;
>> 85: for (var san : x.getSubjectAlternativeNames()) {
>> 86: if (san.get(2).equals("1.2.3.5")
>
> Would it make sense to explicitly test length for at least 4?
Sure.
-------------
PR: https://git.openjdk.java.net/jdk/pull/7167
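The review comment above asks for a constructed (0x20) check on the `[0] EXPLICIT` wrapper around the otherName value, in addition to the context-specific check. The following is an added example written for this page, not code from the OpenJDK PR or from `sun.security.util.DerValue`; the class `OtherNameTagCheck`, its method names and the sample byte arrays are assumptions. It decodes the identifier octet directly and walks a minimal DER `OtherName` so that all three conditions (context-specific class, constructed bit, tag number 0) are visible in one place.

```java
import java.security.cert.CertificateParsingException;

// Added example, not part of the OpenJDK PR. Class and method names are assumptions.
public final class OtherNameTagCheck {

    // Identifier-octet layout (X.690 8.1.2), bit positions counted from 0:
    //   bits 7..6 = class (10 = context-specific), bit 5 = constructed, bits 4..0 = tag number.
    static final int CLASS_MASK = 0xC0;
    static final int CONTEXT_SPECIFIC = 0x80;
    static final int CONSTRUCTED = 0x20;
    static final int TAG_NUMBER_MASK = 0x1F;

    static boolean isContextSpecific(byte tag) {
        // Comparing both class bits rejects universal, application and private classes.
        return (tag & CLASS_MASK) == CONTEXT_SPECIFIC;
    }

    static boolean isConstructed(byte tag) {
        return (tag & CONSTRUCTED) != 0;
    }

    static int tagNumber(byte tag) {
        // 0x1F would mean high-tag-number form; a [0] wrapper never uses it.
        return tag & TAG_NUMBER_MASK;
    }

    /** Accepts only the identifier octet of a [0] EXPLICIT wrapper, i.e. 0xA0. */
    static void requireExplicitZero(byte tag) throws CertificateParsingException {
        if (!isContextSpecific(tag)) {
            throw new CertificateParsingException(
                    String.format("Expected context-specific tag, got 0x%02X", tag & 0xFF));
        }
        if (!isConstructed(tag)) {
            throw new CertificateParsingException(
                    String.format("Value must be explicitly encoded, got 0x%02X", tag & 0xFF));
        }
        int n = tagNumber(tag);
        if (n != 0) {
            throw new CertificateParsingException("Value tag number must be 0, but is " + n);
        }
    }

    /**
     * Minimal walk over a DER-encoded OtherName:
     *   OtherName ::= SEQUENCE { type-id OBJECT IDENTIFIER,
     *                            value [0] EXPLICIT ANY DEFINED BY type-id }
     * Returns the offset of the value's identifier octet after validating the wrapper.
     * Only short-form lengths (below 128) are handled, which suffices for the samples below.
     */
    static int validateOtherName(byte[] der) throws CertificateParsingException {
        int pos = 0;
        if (der[pos++] != 0x30) throw new CertificateParsingException("OtherName must be a SEQUENCE");
        int seqLen = der[pos++] & 0xFF;
        if (seqLen >= 0x80 || pos + seqLen != der.length)
            throw new CertificateParsingException("Bad SEQUENCE length");
        if (der[pos++] != 0x06) throw new CertificateParsingException("type-id must be an OBJECT IDENTIFIER");
        int oidLen = der[pos++] & 0xFF;
        pos += oidLen;
        if (pos >= der.length) throw new CertificateParsingException("Missing otherName value");
        requireExplicitZero(der[pos]);
        return pos;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: type-id 1.2.3.5, value [0] EXPLICIT UTF8String "hi".
        byte[] good = {0x30, 0x0B, 0x06, 0x03, 0x2A, 0x03, 0x05,
                       (byte) 0xA0, 0x04, 0x0C, 0x02, 0x68, 0x69};
        System.out.println("good: value wrapper at offset " + validateOtherName(good));

        // Same bytes but a primitive wrapper (0x80): rejected by the constructed check.
        byte[] primitive = good.clone();
        primitive[7] = (byte) 0x80;
        // Same bytes with tag number 1 (0xA1): rejected by the tag-number check.
        byte[] wrongNumber = good.clone();
        wrongNumber[7] = (byte) 0xA1;

        for (byte[] bad : new byte[][] {primitive, wrongNumber}) {
            try {
                validateOtherName(bad);
                System.out.println("unexpectedly accepted");
            } catch (CertificateParsingException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The class test compares both class bits (`tag & 0xC0`) rather than only bit 7, so a private-class tag (0xE0) is rejected alongside universal and application tags; testing the single context-specific bit would let 0xE0 through. Compile and run with `javac OtherNameTagCheck.java && java OtherNameTagCheck`.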