RFR: 8277976: Break up SEQUENCE in X509Certificate::getSubjectAlternativeNames and X509Certificate::getIssuerAlternativeNames in otherName [v5]

Michael StJohns mstjohns at comcast.net
Fri Feb 18 19:19:58 UTC 2022


OtherName.java @93,97

PR: https://git.openjdk.java.net/jdk/pull/7167

>         if (derValue1.isContextSpecific((byte) 0) && derValue1.isConstructed()) {
>             nameValue = derValue1.data.toByteArray();
>         } else {
>             throw new IOException("value is not [0]");
>         }
That exception string isn't correct (the value is usually not just the 
tag), nor very descriptive.  How about instead:

throw new IOException ("value is not EXPLICITly tagged [0]");

Also, the derValue1.data should be parseable into a DerValue itself. 
Should that be checked here as well and an error thrown if invalid?  
I.e.,  add this after nameValue = ...

    try {
        new DerValue (nameValue);
    } catch (IOException ex) {
        throw new IOException ("Body of OtherName is not a valid BER or DER value", ex);
    }


Thanks - Mike
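
The two checks discussed in this message (outer tag is constructed context-specific [0], and its content parses as one complete value), written as a stand-alone example that is not part of the original message or of the JDK. The class and method names are hypothetical, it does not use sun.security.util.DerValue, and it assumes definite-length encodings with low tag numbers only, so it is stricter than a general BER parser.

```java
import java.io.IOException;
import java.util.Arrays;

// Added illustration; OtherNameValueCheck and its methods are hypothetical names.
public class OtherNameValueCheck {
    // Returns the index just past one definite-length TLV starting at off, or throws.
    static int skipTlv(byte[] b, int off, int end) throws IOException {
        if (end - off < 2) throw new IOException("truncated TLV header");
        if ((b[off] & 0x1f) == 0x1f) throw new IOException("high tag numbers not handled");
        int first = b[off + 1] & 0xff, pos = off + 2, len = first;
        if (first >= 0x80) {                       // long-form length
            int n = first & 0x7f;
            if (n == 0 || n > 3) throw new IOException("indefinite or oversized length");
            if (end - pos < n) throw new IOException("truncated length");
            len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (b[pos++] & 0xff);
        }
        if (len > end - pos) throw new IOException("length exceeds available bytes");
        return pos + len;
    }

    // Checks that value is [0] EXPLICIT wrapping exactly one TLV; returns the inner TLV.
    static byte[] unwrapExplicit0(byte[] value) throws IOException {
        // 0xA0 = context-specific class, constructed bit set, tag number 0
        if (value.length == 0 || (value[0] & 0xff) != 0xA0) {
            throw new IOException("value is not EXPLICITly tagged [0]");
        }
        int outerEnd = skipTlv(value, 0, value.length);
        if (outerEnd != value.length) throw new IOException("trailing bytes after [0]");
        int lenByte = value[1] & 0xff;
        int start = 2 + (lenByte < 0x80 ? 0 : lenByte & 0x7f);  // skip outer header
        try {
            if (skipTlv(value, start, outerEnd) != outerEnd) {
                throw new IOException("extra data after inner value");
            }
        } catch (IOException ex) {
            throw new IOException("Body of OtherName is not a single well-formed TLV", ex);
        }
        return Arrays.copyOfRange(value, start, outerEnd);
    }

    public static void main(String[] args) {
        // Constructed samples: [0] { UTF8String "hi" }, then the same with a bad inner length.
        byte[] good = {(byte) 0xA0, 0x04, 0x0C, 0x02, 'h', 'i'};
        byte[] bad = {(byte) 0xA0, 0x04, 0x0C, 0x05, 'h', 'i'};
        for (byte[] sample : new byte[][] {good, bad}) {
            try { System.out.println("ok, inner bytes: " + unwrapExplicit0(sample).length); }
            catch (IOException ex) { System.out.println("rejected: " + ex.getMessage()); }
        }
    }
}
```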
