RFR: 8277976: Break up SEQUENCE in X509Certificate::getSubjectAlternativeNames and X509Certificate::getIssuerAlternativeNames in otherName [v5]

Sean Mullan mullan at openjdk.java.net
Fri Feb 18 16:37:57 UTC 2022


On Fri, 18 Feb 2022 16:28:25 GMT, Weijun Wang <weijun at openjdk.org> wrote:

>> While I understand that, `new DerValue(byte[])` will be ignored and this will be also inconsistent with the remaining general names. Looking at sun.security.x509.GeneralName.GeneralName(DerValue, boolean) they all throw `IOException`.
>
> For other known names, you either return a parsed name or fail. For `otherName`, you already have the raw data and this further parsed name is a bonus. I just don't like a problem in getting the bonus to ruin the original benefit. Also, I think the caller will have to check the length and the type anyway so this will not be an extra burden. Besides, I always feel that `otherName` could be freely extended and the quality of its encoding might not be as guaranteed as the other ones. @seanjmullan, any comment here?
> 
> Too many "other" used and hopefully no one gets confused.

This seems like a reasonable balance between preserving existing behavior and still providing the data for the application to inspect. To help debugging, you could log the exception.

-------------

PR: https://git.openjdk.java.net/jdk/pull/7167
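The fail-soft approach discussed above (the raw `otherName` value is always returned, and the decoded string is a bonus that is logged and dropped rather than allowed to fail the whole call), as an added stand-alone illustration that is not JDK code and not part of this PR; the `OtherNameDemo` class, its minimal DER reader and the constructed UPN sample are assumptions made for this example:

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
// Hypothetical stand-alone helper written for this note; not the JDK's sun.security.x509 code.
public final class OtherNameDemo {
    // rawValue is always present; parsedValue is null when the value could not be decoded as a string.
    public record OtherName(String oid, byte[] rawValue, String parsedValue) {}
    // Reads one DER TLV with the expected tag; returns {contentOffset, contentLength, nextPosition}.
    static int[] tlv(byte[] d, int pos, int tag) throws IOException {
        if (pos + 2 > d.length || (d[pos] & 0xFF) != tag) throw new IOException("unexpected tag at " + pos);
        int len = d[pos + 1] & 0xFF, off = pos + 2;
        if (len > 0x7F) {                                   // long form: 1 or 2 length bytes suffice here
            int n = len & 0x7F;
            if (n < 1 || n > 2 || off + n > d.length) throw new IOException("bad length at " + pos);
            for (len = 0; n-- > 0; off++) len = (len << 8) | (d[off] & 0xFF);
        }
        if (off + len > d.length) throw new IOException("length overruns data at " + pos);
        return new int[] {off, len, off + len};
    }
    static String oid(byte[] d, int off, int len) {         // dotted-decimal OID from its DER content
        StringBuilder sb = new StringBuilder().append((d[off] & 0xFF) / 40).append('.').append((d[off] & 0xFF) % 40);
        for (int i = off + 1, v = 0; i < off + len; i++) {
            v = (v << 7) | (d[i] & 0x7F);
            if ((d[i] & 0x80) == 0) { sb.append('.').append(v); v = 0; }
        }
        return sb.toString();
    }
    // otherName ::= SEQUENCE { type-id OBJECT IDENTIFIER, value [0] EXPLICIT ANY }; structural errors still throw
    public static OtherName parse(byte[] der) throws IOException {
        int[] seq = tlv(der, 0, 0x30), id = tlv(der, seq[0], 0x06), val = tlv(der, id[2], 0xA0);
        byte[] raw = Arrays.copyOfRange(der, val[0], val[2]); String parsed = null;   // value, still DER-encoded
        try {
            int[] s = tlv(der, val[0], 0x0C);                // bonus: decode only if the value is a UTF8String
            parsed = new String(der, s[0], s[1], StandardCharsets.UTF_8);
        } catch (IOException e) { System.err.println("otherName value kept raw: " + e.getMessage()); }
        return new OtherName(oid(der, id[0], id[1]), raw, parsed);
    }
    public static void main(String[] args) throws IOException {
        // Constructed sample: OID 1.3.6.1.4.1.311.20.2.3 (UPN) carrying the UTF8String "user@example.com".
        byte[] oid = {0x2B, 0x06, 0x01, 0x04, 0x01, (byte) 0x82, 0x37, 0x14, 0x02, 0x03};
        byte[] s = "user@example.com".getBytes(StandardCharsets.UTF_8);
        ByteArrayOutputStream b = new ByteArrayOutputStream();
        b.write(0x30); b.write(oid.length + s.length + 6); b.write(0x06); b.write(oid.length); b.write(oid, 0, oid.length);
        b.write(0xA0); b.write(s.length + 2); b.write(0x0C); b.write(s.length); b.write(s, 0, s.length);
        OtherName n = parse(b.toByteArray());
        System.out.println(n.oid() + " -> " + n.parsedValue() + " (" + n.rawValue().length + " raw value bytes)");
    }
}
```

Replacing the UTF8String payload in `main` with, say, an OCTET STRING shows the other branch: `parse` still returns the OID and raw bytes, and only `parsedValue` is null.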
