RFR: 8255739: x509Certificate returns � for invalid subjectAlternativeNames [v2]
Masanori Yano
myano at openjdk.java.net
Thu Jan 27 08:01:34 UTC 2022
On Fri, 14 Jan 2022 11:18:23 GMT, Masanori Yano <myano at openjdk.org> wrote:
>> Could you please review the JDK-8255739 bug fix?
>>
>> I think sun.security.x509.SubjectAlternativeNameExtension() should throw an exception for incorrect SubjectAlternativeNames instead of returning the substituted characters, which is explained in the description of BugDB.
>>
>> I modified DerValue.readStringInternal() not to read incorrect SubjectAlternativeNames and to throw an IOException instead. sun.security.x509.X509CertInfo.parse() catches the IOException and ignores it if SAN is a non-critical extension, like the existing behavior for the IOException in readStringInternal(). So I added a test with -Djava.security.debug=x509 to confirm that.
>
> Masanori Yano has updated the pull request incrementally with one additional commit since the last revision:
>
> 8255739: x509Certificate returns � for invalid subjectAlternativeNames
Thank you for discussing this with many comments.
I understood that the fix is risky, requires additional matching checks, and that it would be preferable to make it selectable by a parameter.
I would like to consider them, but it will take a little time to reflect them in the change.
-------------
PR: https://git.openjdk.java.net/jdk/pull/6928
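To make the difference discussed in this thread concrete, here is an added Python model (not JDK code, and not the patch under review) of the two decoding policies for DER string values inside a SubjectAlternativeName: the lenient policy that substitutes U+FFFD for malformed bytes, and the strict policy that raises, mirroring the IOException described above. The parse_san_extension() function models the described X509CertInfo.parse() handling, where a decode failure in a non-critical SAN causes the extension to be ignored while a critical SAN propagates the error. The DER helpers, the sample SAN values and the function names are all constructed for this example; only rfc822Name and dNSName GeneralName choices and short-form DER lengths are handled.

```python
"""Strict vs. lenient decoding of DER strings in a SubjectAlternativeName.

Added example modelled on the behaviour discussed for JDK-8255739; it is a
simplified stand-in, not the JDK's DerValue or X509CertInfo code.
"""

# Universal DER tags used here
UTF8_STRING = 0x0C
IA5_STRING = 0x16
SEQUENCE = 0x30
# GeneralName context-specific IMPLICIT tags (RFC 5280, 4.2.1.6)
RFC822_NAME = 0x81   # [1] IA5String
DNS_NAME = 0x82      # [2] IA5String


def _read_tlv(buf, pos):
    """Read one DER TLV at pos -> (tag, value_bytes, next_pos). Short-form lengths only."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length not supported in this example")
    start, end = pos + 2, pos + 2 + length
    if end > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[start:end], end


def der_string(tag, raw):
    """Encode raw bytes as a DER value with the given tag (short-form length)."""
    if len(raw) >= 128:
        raise ValueError("value too long for short-form length")
    return bytes([tag, len(raw)]) + raw


_CHARSETS = {UTF8_STRING: "utf-8", IA5_STRING: "ascii"}


def decode_string_lenient(tag, raw):
    """Old behaviour: malformed bytes silently become U+FFFD (the '?' in the bug title)."""
    charset = _CHARSETS.get(tag)
    if charset is None:
        raise ValueError(f"unsupported string tag 0x{tag:02x}")
    return raw.decode(charset, errors="replace")


def decode_string_strict(tag, raw):
    """Fixed behaviour: malformed bytes raise ValueError (the analogue of IOException)."""
    charset = _CHARSETS.get(tag)
    if charset is None:
        raise ValueError(f"unsupported string tag 0x{tag:02x}")
    try:
        return raw.decode(charset, errors="strict")
    except UnicodeDecodeError as exc:
        raise ValueError(f"malformed {charset} in DER string: {exc}") from None


def parse_general_names(san_value, decode):
    """Parse a GeneralNames SEQUENCE using the supplied string decoder."""
    tag, body, _ = _read_tlv(san_value, 0)
    if tag != SEQUENCE:
        raise ValueError("GeneralNames must be a SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        t, raw, pos = _read_tlv(body, pos)
        if t == RFC822_NAME:
            names.append(("rfc822Name", decode(IA5_STRING, raw)))
        elif t == DNS_NAME:
            names.append(("dNSName", decode(IA5_STRING, raw)))
        else:
            raise ValueError(f"GeneralName choice 0x{t:02x} not handled here")
    return names


def parse_san_extension(san_value, critical, strict=True):
    """Model of the described X509CertInfo.parse() handling.

    strict=True uses the fixed decoder; a decode error in a non-critical SAN is
    swallowed (extension ignored -> None), while a critical SAN re-raises.
    """
    decode = decode_string_strict if strict else decode_string_lenient
    try:
        return parse_general_names(san_value, decode)
    except ValueError:
        if critical:
            raise
        return None


def build_san(names):
    """Constructed sample: wrap (tag, raw) pairs in a GeneralNames SEQUENCE."""
    return der_string(SEQUENCE, b"".join(der_string(t, raw) for t, raw in names))


# Constructed inputs: one well-formed SAN and one with an invalid byte (0xFF) in an rfc822Name
GOOD_SAN = build_san([(DNS_NAME, b"example.com")])
BAD_SAN = build_san([(DNS_NAME, b"example.com"), (RFC822_NAME, b"user@\xffexample.com")])

if __name__ == "__main__":
    print("lenient:", parse_san_extension(BAD_SAN, critical=False, strict=False))
    print("strict, non-critical:", parse_san_extension(BAD_SAN, critical=False))
    try:
        parse_san_extension(BAD_SAN, critical=True)
    except ValueError as exc:
        print("strict, critical:", exc)
```

Running the block shows the three outcomes side by side: the lenient path hands back a name containing U+FFFD that no longer matches the bytes on the wire, the strict path on a non-critical extension drops the SAN entirely, and the strict path on a critical extension fails the parse. The last two are the behaviours the thread calls risky for callers that expect the extension to be present, which is why a switch to select the policy was suggested.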
More information about the security-dev mailing list