RFR: 8277976: Break up SEQUENCE in X509Certificate::getSubjectAlternativeNames and X509Certificate::getIssuerAlternativeNames in otherName [v5]
Michael Osipov
duke at openjdk.java.net
Tue Feb 15 15:59:12 UTC 2022
On Tue, 15 Feb 2022 15:16:58 GMT, Weijun Wang <weijun at openjdk.org> wrote:
>> The enhancement adds two extra items in the `getSubjectAlternativeNames()` output for an OtherName.
>>
>> It also fix several errors:
>> 1. In `OtherName.java`, `nameValue` should be the value inside `CONTEXT [0]` without the tag and length bytes.
>> 2. The argument in constructor `extClass.getConstructor(Object.class)` is suspicious. Maybe it meant `byte[]`.
>
> Weijun Wang has updated the pull request incrementally with one additional commit since the last revision:
>
> string at 4th place
src/java.base/share/classes/sun/security/x509/X509CertImpl.java line 1594:
> 1592: String v = new DerValue(nameValue).getAsString();
> 1593: nameEntry.add(v == null ? nameValue : v);
> 1594: } catch (IOException ioe) {
Attention, this catch block will hide invalid ASN.1 encoding of the other name element from:
* sun.security.util.DerValue.init(boolean, InputStream, boolean)
* sun.security.util.DerValue.getIA5String()
Other blocks throw:
throw new CertificateException("Unable to parse DER value of SAN:otherName", ioe);
Do you really intend to hide an encoding error int the cert from the user?
-------------
PR: https://git.openjdk.java.net/jdk/pull/7167
More information about the security-dev
mailing list