RFR: 8297955: LDAP CertStore should use LdapName and not String for DNs

Rajan Halade rhalade at openjdk.org
Thu Mar 2 22:50:13 UTC 2023


On Thu, 23 Feb 2023 16:42:17 GMT, Sean Mullan <mullan at openjdk.org> wrote:

> The LDAPCertStore implementation passes Distinguished Names in CRL and Certificate URLs as Strings to JNDI APIs such as LdapContext.getAttributes(String), which then treats them as CompositeNames. This causes issues with URLs that have DNs with forward slashes. These are rare but compliant with the LDAP URL format for DNs referenced by [section 4.2.1.13 of RFC 5280](https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.13). Instead, the implementation should be passing the DN to JNDI APIs as an LdapName, which parses the forward slash character as part of the DN. Unfortunately, LDAP referral URLs can not be converted to LdapNames, so we keep the current DN syntax checks (and disallow forward slashes) if there are referrals involved.
> 
> The current test/jdk/security/infra/java/security/cert/CertPathValidator/certification/ActalisCA.java can be used to test this fix as it contains a test certificate with an LDAP URL in the CRL Distribution Points with a forward slash in the Distinguished Name. Prior to the fix it was failing because of this bug, now it is passing. We also take this opportunity to update the test and replace expired test certificates with new ones.

Marked as reviewed by rhalade (Reviewer).

-------------

PR: https://git.openjdk.org/jdk/pull/12730
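To illustrate the CompositeName versus LdapName difference the PR description is about, here is an added example (not code from the JDK or from the PR). It parses a constructed DN containing a forward slash both ways: as a CompositeName, which is how a String passed to DirContext.getAttributes(String) is interpreted and which splits on '/', and as an LdapName, which keeps the slash inside the RDN value. The nameForLookup helper is hypothetical and only mirrors the policy the description states (LdapName normally, String plus a no-slash check when referrals are involved); it is not the JDK's implementation.

```java
import javax.naming.CompositeName;
import javax.naming.Name;
import javax.naming.NamingException;
import javax.naming.ldap.LdapName;

public class DnNameDemo {
    // Constructed sample: a DN whose CN value contains a forward slash,
    // as LDAP URLs referenced by RFC 5280 section 4.2.1.13 may carry.
    static final String DN = "cn=crl1/issuer,ou=PKI,o=Example,c=US";

    // A String handed to DirContext.getAttributes(String) is parsed as a
    // CompositeName, whose component separator is '/', so the DN is split.
    static Name asComposite(String dn) throws NamingException {
        return new CompositeName(dn);
    }

    // An LdapName parses the same string under RFC 2253 rules, where '/'
    // is an ordinary character inside an RDN value.
    static Name asLdapName(String dn) throws NamingException {
        return new LdapName(dn);
    }

    // Hypothetical helper mirroring the policy described in the PR text:
    // use an LdapName, except when referrals are involved, where the DN
    // stays a String-style name and a forward slash is rejected up front.
    static Name nameForLookup(String dn, boolean referralsInvolved) throws NamingException {
        if (!referralsInvolved) {
            return new LdapName(dn);
        }
        if (dn.indexOf('/') >= 0) {
            throw new NamingException("forward slash not allowed in DN when referrals are involved");
        }
        return new CompositeName(dn);
    }

    public static void main(String[] args) throws NamingException {
        Name composite = asComposite(DN);
        System.out.println("CompositeName components: " + composite.size());
        for (int i = 0; i < composite.size(); i++) {
            System.out.println("  [" + i + "] " + composite.get(i));
        }
        Name ldap = asLdapName(DN);
        System.out.println("LdapName RDNs: " + ldap.size());
        // LdapName indexes from the least significant RDN, so the CN is last.
        System.out.println("  most specific RDN: " + ldap.get(ldap.size() - 1));
        System.out.println("Lookup name without referrals: " + nameForLookup(DN, false));
    }
}
```

Running it shows the CompositeName breaking the DN into two components at the slash, while the LdapName yields four RDNs with "cn=crl1/issuer" intact.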


