RFR: 8277976: Break up SEQUENCE in X509Certificate::getSubjectAlternativeNames and X509Certificate::getIssuerAlternativeNames in otherName [v5]

Michael Osipov duke at openjdk.java.net
Tue Feb 15 16:20:09 UTC 2022


On Tue, 15 Feb 2022 16:09:13 GMT, Michael Osipov <duke at openjdk.java.net> wrote:

>> But in this case, we still have a place to provide the raw bytes. Maybe that's better? Or you'd rather be guaranteed that one particular otherName should always have a string there and there's no need to do an `instanceof` check? What if the tag is already wrong and I don't know it should be a string?
>
> I have thought about this actually. Now the parse is free of any semantics, which is naive. Actually, you need a list of well-known OIDs to know the target tag type to perform the conversion. E.g., you know that MS UPN must be UTF8String, if not this is an error. If you don't know the OID, don't touch it.
> OpenSSL knows the semantics and decodes it, otherwise don't touch it and leave it: https://github.com/openssl/openssl/blob/317acac5cc0a2cb31bc4b91353c2b752a3989d8a/crypto/x509/v3_san.c#L113-L120

Maybe adopt the list of OpenSSL, otherwise return byte array?

-------------

PR: https://git.openjdk.java.net/jdk/pull/7167
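As an added illustration of the decoding policy discussed in this thread (my own sketch, not the JDK's or OpenSSL's code), the following Python decodes a DER-encoded `otherName` (`SEQUENCE { type-id OID, value [0] EXPLICIT ANY }`): a well-known OID whose inner tag matches the expected one is converted to a string, a well-known OID with a different tag is an error, and an unknown OID is handed back as the untouched value bytes. The `WELL_KNOWN` table is a small selection I assumed for the example (MS UPN as named in the thread; XmppAddr and SRVName with the tags their RFCs specify), not a list the thread itself gives, and the `build_other_name` encoder only exists to construct sample input.

```python
"""
otherName decoding policy: decode only well-known OIDs with the expected tag,
fail on a well-known OID with the wrong tag, return raw bytes for unknown OIDs.
"""

# Expected universal tag number per well-known OID (assumed table, see lead-in).
WELL_KNOWN = {
    "1.3.6.1.4.1.311.20.2.3": ("MS UPN", 0x0C),   # UTF8String
    "1.3.6.1.5.5.7.8.5": ("XmppAddr", 0x0C),       # UTF8String (RFC 6120)
    "1.3.6.1.5.5.7.8.7": ("SRVName", 0x16),        # IA5String (RFC 4985)
}


def _read_tlv(buf, pos):
    """Parse one DER TLV starting at pos; return (tag, content, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def _decode_oid(raw):
    """Decode OID content bytes into dotted notation."""
    first = raw[0]
    if first < 40:
        arcs = [0, first]
    elif first < 80:
        arcs = [1, first - 40]
    else:
        arcs = [2, first - 80]
    val = 0
    for b in raw[1:]:                      # base-128, high bit = continuation
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def decode_other_name(der):
    """Return (oid, value): value is a str for a well-known OID with the
    expected tag, the raw value TLV bytes for an unknown OID, and a
    ValueError for a well-known OID carrying an unexpected tag."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("otherName must be a single SEQUENCE")
    tag, oid_raw, pos = _read_tlv(body, 0)
    if tag != 0x06:
        raise ValueError("type-id must be an OBJECT IDENTIFIER")
    oid = _decode_oid(oid_raw)
    tag, inner, pos = _read_tlv(body, pos)
    if tag != 0xA0 or pos != len(body):
        raise ValueError("value must be a single [0] EXPLICIT element")
    inner_tag, inner_val, inner_end = _read_tlv(inner, 0)
    if inner_end != len(inner):
        raise ValueError("trailing data inside [0]")
    known = WELL_KNOWN.get(oid)
    if known is None:
        return oid, bytes(inner)           # unknown OID: don't touch it
    name, expected_tag = known
    if inner_tag != expected_tag:
        raise ValueError(f"{name}: expected tag 0x{expected_tag:02X}, got 0x{inner_tag:02X}")
    encoding = "utf-8" if inner_tag == 0x0C else "ascii"
    return oid, inner_val.decode(encoding)


# --- constructed sample encoder, only used to build test input ---------------

def _tlv(tag, content):
    if len(content) >= 128:
        raise ValueError("sample encoder only handles short-form lengths")
    return bytes([tag, len(content)]) + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def build_other_name(oid, inner_tag, content):
    """Build a DER otherName with the given OID, inner tag and content bytes."""
    return _tlv(0x30, _tlv(0x06, _encode_oid(oid)) + _tlv(0xA0, _tlv(inner_tag, content)))


if __name__ == "__main__":
    upn = build_other_name("1.3.6.1.4.1.311.20.2.3", 0x0C, b"user@example.com")
    print(decode_other_name(upn))
    print(decode_other_name(build_other_name("1.2.3.4", 0x0C, b"opaque")))
```

The wrong-tag case is raised rather than silently returned as bytes because, as the thread puts it, a UPN that is not a UTF8String is an error rather than an opaque value; a caller that prefers raw bytes in that case can catch the exception and fall back to the unknown-OID branch.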
