RFR: 8336665: CCE in X509CRLImpl$TBSCertList.getCertIssuer [v4]
Sean Mullan
mullan at openjdk.org
Tue Sep 24 12:37:36 UTC 2024
On Wed, 11 Sep 2024 15:03:43 GMT, Mark Powers <mpowers at openjdk.org> wrote:
>> https://bugs.openjdk.org/browse/JDK-8336665
>
> Mark Powers has updated the pull request incrementally with one additional commit since the last revision:
>
> another comment from Sean
src/java.base/share/classes/sun/security/x509/X509CRLImpl.java line 292:
> 290: throw new CRLException("Parsing error: "
> 291: + "issuer is not an X.500 DN");
> 292: }
I checked RFC 5280 and you can have more than one name in the `CertificateIssuer` field of the `CertificateIssuerExtension`, see https://www.rfc-editor.org/rfc/rfc5280#section-5.3.3
But for this code, we are only interested in the `X500Name`, as we subsequently use that to associate the CRL entry with its issuer. So instead, what you should do is loop thru the names until we find an `X500Name`, and only throw a `CRLException` if we don't find an `X500Name`. Let me know if this makes sense.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/20528#discussion_r1773255931
More information about the security-dev
mailing list