RFR: 8277976: Break up SEQUENCE in X509Certificate::getSubjectAlternativeNames and X509Certificate::getIssuerAlternativeNames in otherName [v6]
Weijun Wang
weijun at openjdk.java.net
Tue Feb 15 21:37:10 UTC 2022
On Tue, 15 Feb 2022 20:09:27 GMT, Michael Osipov <duke at openjdk.java.net> wrote:
> > New commit pushed. For the openssl style suggestion, I think its major benefit is to provide a string format of the type (like `"othername: UPN:"`). In the `default` block, it still extracts either the IA5String or the UTF8String. I think it's not worth penalizing people putting an IA5String into a UPN. Right?
>
> UPN is a DirectoryString from AD which is UTF-8 encoded. The default case from OPENSSL tries to cover OIDs it does not know. UPN it does know and its semantics is always UTF8String. Everything else is wrong. IA5String is rather email which is another general name. We have now two options: add well known and decode accordingly or do the default case. From a user's perspective the encoding is rather irrelevant because he wants Java types.
I'll pick the 2nd option now.
-------------
PR: https://git.openjdk.java.net/jdk/pull/7167
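The two decoding options debated above, as an added example that is not code from the JDK or from the PR: a minimal DER walker that takes one otherName GeneralName and returns (OID, value), either leniently (the "default case": accept a UTF8String or an IA5String whatever the OID, hand anything else back as raw DER) or strictly (a table of well-known OIDs with their fixed value type, so a UPN carried as IA5String is rejected). The UPN OID 1.3.6.1.4.1.311.20.2.3 is the real Microsoft arc; the certificate-like byte strings are constructed here for the example, and the helper names are this example's own.

```python
# Added example, not JDK or PR code. Decodes one X.509 otherName:
#   OtherName ::= SEQUENCE { type-id OBJECT IDENTIFIER, value [0] EXPLICIT ANY }
# In a GeneralName the SEQUENCE tag is replaced by [0] IMPLICIT (0xA0); both accepted.

UPN_OID = "1.3.6.1.4.1.311.20.2.3"  # Microsoft User Principal Name (real OID)

TAG_OID, TAG_UTF8STRING, TAG_IA5STRING = 0x06, 0x0C, 0x16
TAG_SEQUENCE, TAG_CONTEXT0 = 0x30, 0xA0

# Option 1: OIDs whose value type is fixed by their definition. UPN is always UTF8String.
KNOWN_VALUE_TAGS = {UPN_OID: TAG_UTF8STRING}


def read_tlv(buf: bytes, pos: int):
    """Read one DER TLV at pos; return (tag, content, next_pos). Single-byte tags only."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags not supported")
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
        if length < 0x80:
            raise ValueError("non-minimal DER length")
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def decode_oid(content: bytes) -> str:
    """Decode OBJECT IDENTIFIER content octets (base-128 arcs) to dotted form."""
    if not content or content[-1] & 0x80:
        raise ValueError("bad OID encoding")
    arcs, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    head = arcs[0]  # first octet packs the first two arcs as 40*X + Y
    arcs[0:1] = [head // 40, head % 40] if head < 80 else [2, head - 80]
    return ".".join(str(a) for a in arcs)


def decode_other_name(der: bytes, strict_known_types: bool = False):
    """Return (oid, value): a str for UTF8String/IA5String, else the inner value's raw DER.

    strict_known_types=True enforces KNOWN_VALUE_TAGS (option 1); False is option 2,
    the lenient default case that extracts either string type for any OID.
    """
    outer, body, end = read_tlv(der, 0)
    if outer not in (TAG_SEQUENCE, TAG_CONTEXT0) or end != len(der):
        raise ValueError("not an otherName")
    tag, oid_bytes, pos = read_tlv(body, 0)
    if tag != TAG_OID:
        raise ValueError("type-id must be an OBJECT IDENTIFIER")
    oid = decode_oid(oid_bytes)
    tag, wrapped, pos = read_tlv(body, pos)
    if tag != TAG_CONTEXT0 or pos != len(body):
        raise ValueError("value must be [0] EXPLICIT and last")
    vtag, vbytes, vend = read_tlv(wrapped, 0)
    if vend != len(wrapped):
        raise ValueError("trailing bytes inside [0]")
    expected = KNOWN_VALUE_TAGS.get(oid)
    if strict_known_types and expected is not None and vtag != expected:
        raise ValueError(f"{oid} requires tag 0x{expected:02X}, got 0x{vtag:02X}")
    if vtag == TAG_UTF8STRING:
        return oid, vbytes.decode("utf-8")
    if vtag == TAG_IA5STRING:
        if any(b > 0x7F for b in vbytes):
            raise ValueError("non-ASCII byte in IA5String")
        return oid, vbytes.decode("ascii")
    return oid, wrapped  # unknown value type: give the caller the encoded value untouched


def is_well_typed(der: bytes) -> bool:
    """True if the otherName decodes under the strict (option 1) rules."""
    try:
        decode_other_name(der, strict_known_types=True)
        return True
    except ValueError:
        return False


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one short-form TLV (content < 128 bytes); used only to build samples."""
    return bytes([tag, len(content)]) + content


# Constructed sample inputs (not taken from any real certificate).
UPN_OID_CONTENT = bytes.fromhex("2b060104018237140203")
UPN_UTF8 = der_tlv(TAG_CONTEXT0, der_tlv(TAG_OID, UPN_OID_CONTENT)
                   + der_tlv(TAG_CONTEXT0, der_tlv(TAG_UTF8STRING, b"user@example.com")))
UPN_IA5 = der_tlv(TAG_CONTEXT0, der_tlv(TAG_OID, UPN_OID_CONTENT)
                  + der_tlv(TAG_CONTEXT0, der_tlv(TAG_IA5STRING, b"user@example.com")))
UNKNOWN_INT = der_tlv(TAG_SEQUENCE, der_tlv(TAG_OID, bytes.fromhex("2a03"))  # OID 1.2.3
                      + der_tlv(TAG_CONTEXT0, der_tlv(0x02, b"\x2a")))       # INTEGER 42

if __name__ == "__main__":
    for sample in (UPN_UTF8, UPN_IA5, UNKNOWN_INT):
        print(decode_other_name(sample), "strict ok:", is_well_typed(sample))
```

Under the lenient rules both UPN samples yield the same Java-side string, which is the argument for option 2 in the thread; under the strict rules the IA5String UPN is rejected, which is what option 1 buys at the cost of a per-OID table. The unknown OID comes back with the encoded value so a caller can still decode it itself.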
More information about the security-dev mailing list