Hi Svetlana

According to http://tools.ietf.org/html/rfc5280#section-4.1.2.2:

   Note: Non-conforming CAs may issue certificates with serial numbers
   that are negative or zero.  Certificate users SHOULD be prepared to
   gracefully handle such certificates.

This means although a modern library/tool MUST NOT create negative serial 
numbers, it is required to support an existing certificate with a negative 
serial number.

At least in 
jdk/src/java.base/share/classes/sun/security/ssl/StatusResponseManager.java:

257   CertId cid = new CertId(chain[1],
258           new SerialNumber(chain[0].getSerialNumber()));

It is reading an existing serial number.

JDK is mainly about parsing certificates and if I remember correctly the only 
place it creates one is in keytool, and the tool has already made sure serial 
numbers be non-negative.

I would close this bug as not-an-issue.

Other suggestions are welcome.

Thanks
Max


> On Jul 8, 2016, at 2:29 AM, Svetlana Nikandrova 
> <svetlana.nikandr...@oracle.com> wrote:
> 
> Hello,
> 
> could you please review this simple fix.
> Issue:
> https://bugs.openjdk.java.net/browse/JDK-8054537
> Webrev:
> http://cr.openjdk.java.net/~snikandrova/8054537/webrev.00/ 
> <http://cr.openjdk.java.net/%7Esnikandrova/8054537/webrev.00/>
> 
> Description:
> Added check if SerialNumber constructor's parameter is negative.
> 
> Thank you,
> Svetlana
> 
> 

Reply via email to