RFR: 8277976: Break up SEQUENCE in X509Certificate::getSubjectAlternativeNames and X509Certificate::getIssuerAlternativeNames in otherName [v5]

Michael Osipov duke at openjdk.java.net
Tue Feb 15 16:12:07 UTC 2022


On Tue, 15 Feb 2022 15:55:50 GMT, Weijun Wang <weijun at openjdk.org> wrote:

>> Correct, but they don't swallow at least.
>
> But in this case, we still have a place to provide the raw bytes. Maybe that's better? Or you'd rather be guaranteed that one particular otherName should always have a string there and there's no need to do an `instanceof` check? What if the tag is already wrong and I don't know it should be a string?

I have thought about this actually. Now the parse is free of any semantics, which is naive. Actually, you need a list of well-known OIDs to know the target tag type to perform the conversion. E.g., you know that MS UPN must be UTF8String; if not, this is an error. If you don't know the OID, don't touch it.
OpenSSL knows the semantics and decodes it, otherwise don't touch it and leave it: https://github.com/openssl/openssl/blob/317acac5cc0a2cb31bc4b91353c2b752a3989d8a/crypto/x509/v3_san.c#L113-L120

-------------

PR: https://git.openjdk.java.net/jdk/pull/7167
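The decoding policy argued for in this reply, a table of well-known otherName OIDs that says which inner tag to expect, with unknown OIDs handed back as raw DER and a known OID under the wrong tag treated as an error, as an added example written for this page. It is not code from the JDK pull request or from OpenSSL; the minimal DER helpers, the OID table, the sample otherName values and the use of the 2.999.1 example arc as an "unknown" OID are all constructed for the example.

```python
TAG_OID, TAG_UTF8STRING, TAG_IA5STRING, TAG_SEQUENCE = 0x06, 0x0C, 0x16, 0x30
TAG_CTX0 = 0xA0  # [0] constructed: the IMPLICIT GeneralName tag and the EXPLICIT value wrapper
# Well-known otherName type-ids -> (expected inner tag, decoder); MS UPN is defined as UTF8String.
KNOWN_OTHER_NAMES = {"1.3.6.1.4.1.311.20.2.3": (TAG_UTF8STRING, lambda b: b.decode("utf-8"))}

def der(tag: int, content: bytes) -> bytes:  # one TLV, short-form length is all the samples need
    return bytes([tag, len(content)]) + content

def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, next_pos) for the short-form TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    assert not length & 0x80, "long-form length not handled in this example"
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def decode_oid(content: bytes) -> str:
    """Decode OBJECT IDENTIFIER content octets to dotted form."""
    subids, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(value)
            value = 0
    root = 0 if subids[0] < 40 else 1 if subids[0] < 80 else 2  # first two arcs share one subid
    return ".".join(map(str, [root, subids[0] - 40 * root] + subids[1:]))

def decode_other_name(other_name: bytes):
    """OtherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY }. Known type-id with the
    expected tag -> (oid, str); unknown type-id -> (oid, raw value TLV); wrong tag -> ValueError."""
    tag, body, _ = read_tlv(other_name)
    oid_tag, oid_bytes, pos = read_tlv(body)
    wrapper_tag, value_tlv, _ = read_tlv(body, pos)
    if tag not in (TAG_SEQUENCE, TAG_CTX0) or oid_tag != TAG_OID or wrapper_tag != TAG_CTX0:
        raise ValueError("malformed otherName: expected SEQUENCE { OID, [0] EXPLICIT value }")
    oid = decode_oid(oid_bytes)
    if oid not in KNOWN_OTHER_NAMES:
        return oid, value_tlv  # unknown semantics: leave the DER untouched for the caller
    expected_tag, decoder = KNOWN_OTHER_NAMES[oid]
    inner_tag, inner, _ = read_tlv(value_tlv)
    if inner_tag != expected_tag:
        raise ValueError(f"{oid}: expected tag 0x{expected_tag:02X}, got 0x{inner_tag:02X}")
    return oid, decoder(inner)

def make_other_name(oid_der: bytes, inner_tag: int, payload: bytes) -> bytes:
    """Build a [0] IMPLICIT OtherName as found inside GeneralNames (constructed test data)."""
    return der(TAG_CTX0, der(TAG_OID, oid_der) + der(TAG_CTX0, der(inner_tag, payload)))

MS_UPN_OID = bytes.fromhex("2b060104018237140203")  # 1.3.6.1.4.1.311.20.2.3
EXAMPLE_OID = bytes.fromhex("883701")               # 2.999.1, the ISO example arc, i.e. "unknown"
SAMPLE_UPN = make_other_name(MS_UPN_OID, TAG_UTF8STRING, b"user@example.com")
SAMPLE_UPN_WRONG_TAG = make_other_name(MS_UPN_OID, TAG_IA5STRING, b"user@example.com")
SAMPLE_UNKNOWN = make_other_name(EXAMPLE_OID, TAG_UTF8STRING, b"opaque")
```

Extending the policy to another otherName type is a one-line addition to `KNOWN_OTHER_NAMES`; everything not listed there keeps its original DER so a caller can still inspect the tag itself.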
