RFR: 8255739: x509Certificate returns � for invalid subjectAlternativeNames [v2]

Masanori Yano myano at openjdk.java.net
Fri Jan 14 11:22:29 UTC 2022


On Fri, 14 Jan 2022 11:18:23 GMT, Masanori Yano <myano at openjdk.org> wrote:

>> Could you please review the JDK-8255739 bug fix?
>> 
>> I think sun.security.x509.SubjectAlternativeNameExtension() should throw an exception for incorrect SubjectAlternativeNames instead of returning the substituted characters, which is explained in the description of BugDB.
>> 
>> I modified DerValue.readStringInternal() not to read incorrect SubjectAlternativeNames and throw an IOException. sun.security.x509.X509CertInfo.parse() catches the IOException and ignores it if SAN is a non-critical extension like the behavior of the IOException in readStringInternal(). So I added a test with -Djava.security.debug=x509 to confirm that.
>
> Masanori Yano has updated the pull request incrementally with one additional commit since the last revision:
> 
>   8255739: x509Certificate returns � for invalid subjectAlternativeNames

Thank you for your comments.

@seanjmullan I agree that the fix has a compatibility risk.  
I made the fix again to check only DNSName to reduce the risk.
Could you please review the fix?
Is it necessary to issue a CSR for the fix?

@wangweij I think the behavior of openssl is incorrect.
According to rfc5280, a certificate-using system MUST reject the certificate if it encounters
a critical extension it does not recognize.

https://datatracker.ietf.org/doc/html/rfc5280#section-4.2

Each extension in a certificate is designated as either critical or non-critical.  
A certificate-using system MUST reject the certificate if it encounters
a critical extension it does not recognize or a critical extension
that contains information that it cannot process.

-------------

PR: https://git.openjdk.java.net/jdk/pull/6928
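As an added illustration of the point under discussion (not code from the PR or the JDK), the snippet below contrasts lenient decoding, where a non-ASCII byte in a dNSName silently becomes U+FFFD, with strict decoding that raises an IOException, and then applies the RFC 5280 rule: reject the certificate if the extension is critical, otherwise ignore the extension. Using a CharsetDecoder with CodingErrorAction.REPORT is one way to get strict behaviour and is an assumption here, not necessarily the PR's exact change; the class and method names and the GeneralNames bytes are constructed for the demo.

```java
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

public class StrictSanDemo {
    // Strict IA5String decoding: the decoder reports any byte outside 7-bit ASCII
    // instead of replacing it with U+FFFD, which is what new String(b, US_ASCII) does.
    static String strictIa5(ByteBuffer b) throws IOException {
        try {
            return StandardCharsets.US_ASCII.newDecoder().onMalformedInput(CodingErrorAction.REPORT)
                    .onUnmappableCharacter(CodingErrorAction.REPORT).decode(b).toString();
        } catch (CharacterCodingException e) {
            throw new IOException("dNSName is not a valid IA5String", e);
        }
    }
    // Walks a DER GeneralNames SEQUENCE and returns its dNSName ([2] IMPLICIT IA5String)
    // entries. Short-form lengths only: an assumption that keeps this demo small.
    static List<String> dnsNames(byte[] gn) throws IOException {
        if (gn.length < 2 || gn[0] != 0x30) throw new IOException("expected SEQUENCE");
        List<String> out = new ArrayList<>();
        int i = 2, end = 2 + (gn[1] & 0xff);
        while (i + 1 < end) {
            int tag = gn[i] & 0xff, len = gn[i + 1] & 0xff;
            if (tag == 0x82) out.add(strictIa5(ByteBuffer.wrap(gn, i + 2, len)));
            i += 2 + len;
        }
        return out;
    }
    public static void main(String[] args) throws IOException {
        // Constructed sample: "example.com", then "ex\u00e4mple.com" (UTF-8 C3 A4 is not IA5).
        byte[] good = "example.com".getBytes(StandardCharsets.US_ASCII);
        byte[] bad = "ex\u00e4mple.com".getBytes(StandardCharsets.UTF_8);
        int inner = 4 + good.length + bad.length;
        ByteBuffer seq = ByteBuffer.allocate(2 + inner).put((byte) 0x30).put((byte) inner)
                .put((byte) 0x82).put((byte) good.length).put(good)
                .put((byte) 0x82).put((byte) bad.length).put(bad);
        System.out.println("lenient: " + new String(bad, StandardCharsets.US_ASCII));
        boolean critical = false;  // the SAN extension's criticality flag from the certificate
        try {
            System.out.println("strict: " + dnsNames(seq.array()));
        } catch (IOException e) {
            if (critical) throw e;  // RFC 5280 4.2: reject a critical extension we cannot process
            System.out.println("non-critical SAN ignored: " + e.getMessage());
        }
    }
}
```

With the sample input the lenient line shows replacement characters where the two UTF-8 bytes were, while the strict path reports the invalid dNSName and the certificate is only rejected when the extension is marked critical.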
