RFR: 8311546: Certificate name constraints improperly validated with leading period
Sean Mullan
mullan at openjdk.org
Fri Oct 27 15:15:35 UTC 2023
On Fri, 20 Oct 2023 20:52:13 GMT, Ben Perez <duke at openjdk.org> wrote:
> Updated the `constrains` method in `DNSName.java` to accept certificates with a leading period.
test/jdk/sun/security/x509/DNSName/LeadingPeriod.java line 54:
> 52:
> 53: // generate certification path
> 54: List<Certificate> list = Arrays.asList(targetCert, ca);
Probably simpler to use `List.of(targetCert, ca)` here.
test/jdk/sun/security/x509/DNSName/LeadingPeriod.java line 68:
> 66: // generate a trust anchor
> 67: TrustAnchor anchor;
> 68: anchor = new TrustAnchor((X509Certificate) selfSignedCert, null);
You can combine these two lines.
test/jdk/sun/security/x509/DNSName/LeadingPeriod.java line 78:
> 76:
> 77: // disable OCSP checker
> 78: Security.setProperty("ocsp.enable", "false");
You should not need to set this property if revocation is disabled.
test/jdk/sun/security/x509/DNSName/LeadingPeriod.java line 82:
> 80: // disable CRL checker
> 81: System.setProperty("com.sun.security.enableCRLDP", "false");
> 82:
You should not need to set this property if revocation is disabled.
test/jdk/sun/security/x509/DNSName/LeadingPeriod.java line 104:
> 102: try {
> 103: validator.validate(pathWithoutLeadingPeriod, paramsForCAWithoutLeadingPeriod);
> 104: } catch (CertPathValidatorException uoe) {
You don't need try/catch here since main throws Exception; this will just get propagated upwards. Same comment on line 122.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/16295#discussion_r1374716446
PR Review Comment: https://git.openjdk.org/jdk/pull/16295#discussion_r1374711648
PR Review Comment: https://git.openjdk.org/jdk/pull/16295#discussion_r1374712279
PR Review Comment: https://git.openjdk.org/jdk/pull/16295#discussion_r1374712640
PR Review Comment: https://git.openjdk.org/jdk/pull/16295#discussion_r1374713948