RFR: 8277976: Break up SEQUENCE in X509Certificate::getSubjectAlternativeNames and X509Certificate::getIssuerAlternativeNames in otherName [v4]

Weijun Wang weijun at openjdk.java.net
Tue Feb 15 14:40:19 UTC 2022


On Tue, 15 Feb 2022 09:10:22 GMT, Michael Osipov <duke at openjdk.java.net> wrote:

>> Weijun Wang has updated the pull request incrementally with one additional commit since the last revision:
>> 
>>   specifies the type of the 4th element
>
> src/java.base/share/classes/sun/security/x509/OtherName.java line 93:
> 
>> 91:         oid = in.getOID();
>> 92:         DerValue derValue1 = in.getDerValue();
>> 93:         if (!derValue1.isContextSpecific((byte)0)) {
> 
> Where do you check for constructed (0x20)?
> E.g.:
> 
> byte tag = buf.get();
> if (!(((tag >> CONTEXT_SPECIFIC_BIT) & 1) != 0 && ((tag >> CONSTRUCTED_BIT) & 1) != 0))
> 	throw new CertificateParsingException("Value must be explicitly encoded");
> 
> int tagNumber = tag & 0xFF;
> tagNumber &= ~(1 << CONTEXT_SPECIFIC_BIT);
> tagNumber &= ~(1 << CONSTRUCTED_BIT);
> 
> if (tagNumber != 0)
> 	throw new CertificateParsingException("Value tag number must be 0, but is " + tagNumber);

Oops, I should add an `isConstructed()` check.

> test/jdk/sun/security/x509/OtherName/Parse.java line 86:
> 
>> 84:         int found = 0;
>> 85:         for (var san : x.getSubjectAlternativeNames()) {
>> 86:             if (san.get(2).equals("1.2.3.5")
> 
> Would it make sense to explicitly test length for at least 4?

Sure.

-------------

PR: https://git.openjdk.java.net/jdk/pull/7167
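The tag check discussed above, as an added Python example rather than code from the JDK or from this PR: it parses the body of an otherName (type-id OID followed by the value) and rejects a value that is not [0] EXPLICIT, using the bit positions and error messages from the reviewer's sketch. The DER samples are constructed for illustration, and only short-form lengths are handled.

```python
CONTEXT_SPECIFIC_BIT = 7   # 0x80: class bits 10 = context-specific
CONSTRUCTED_BIT = 5        # 0x20: constructed (explicit) encoding
TAG_NUMBER_MASK = 0x1F     # low five bits carry the tag number (short form)

class CertificateParsingException(Exception):
    pass

def read_tlv(buf: bytes, pos: int):
    """Read one short-form DER TLV at pos; return (tag, content, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    if length >= 0x80:  # long-form lengths are out of scope for this sample
        raise CertificateParsingException("long-form length not supported")
    start = pos + 2
    return tag, buf[start:start + length], start + length

def check_explicit_zero_tag(tag: int) -> None:
    """Enforce that tag is [0] EXPLICIT: context-specific, constructed, number 0."""
    if not ((tag >> CONTEXT_SPECIFIC_BIT) & 1 and (tag >> CONSTRUCTED_BIT) & 1):
        raise CertificateParsingException("Value must be explicitly encoded")
    tag_number = tag & TAG_NUMBER_MASK
    if tag_number != 0:
        raise CertificateParsingException(
            f"Value tag number must be 0, but is {tag_number}")

def decode_oid(content: bytes) -> str:
    """Decode DER OID content octets (base-128 arcs) into dotted form."""
    arcs, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(map(str, head + arcs[1:]))

def parse_other_name(body: bytes):
    """Parse OtherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY } (contents only)."""
    tag, oid_bytes, pos = read_tlv(body, 0)
    if tag != 0x06:
        raise CertificateParsingException("type-id must be an OBJECT IDENTIFIER")
    tag, value, pos = read_tlv(body, pos)
    check_explicit_zero_tag(tag)   # the check the review asks for
    if pos != len(body):
        raise CertificateParsingException("trailing bytes after otherName")
    return decode_oid(oid_bytes), value   # value = the inner TLV, e.g. a UTF8String

def parse_error(body: bytes):
    """Return the parsing error message for body, or None if it parses."""
    try:
        parse_other_name(body)
    except CertificateParsingException as e:
        return str(e)
    return None

# Constructed samples: type-id 1.2.3.5 with the value encoded correctly
# ([0] EXPLICIT, tag 0xA0) and wrongly (primitive [0], tag 0x80).
GOOD = bytes.fromhex("0603 2A0305 A004 0C02 6869")
BAD_PRIMITIVE = bytes.fromhex("0603 2A0305 8002 6869")
```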
