Hi Max,
thank you for pointing this out. Sure, if this change will break
existing certificates handling we shouldn't add this restriction.
If you don't mind I'll wait a little bit if anyone else wants to share
his/her opinion on that topic and if not close it as "Not an issue" as
you suggested.
Thank you,
Svetlana
On 08.07.2016 3:55, Wang Weijun wrote:
Hi Svetlana
According to http://tools.ietf.org/html/rfc5280#section-4.1.2.2:
Note: Non-conforming CAs may issue certificates with serial numbers
that are negative or zero. Certificate users SHOULD be prepared to
gracefully handle such certificates.
This means although a modern library/tool MUST NOT create negative serial
numbers, it is required to support an existing certificate with a negative
serial number.
At least in
jdk/src/java.base/share/classes/sun/security/ssl/StatusResponseManager.java:
257 CertId cid = new CertId(chain[1],
258 new SerialNumber(chain[0].getSerialNumber()));
It is reading an existing serial number.
JDK is mainly about parsing certificates and if I remember correctly the only
place it creates one is in keytool, and the tool has already made sure serial
numbers be non-negative.
I would close this bug as not-an-issue.
Other suggestions are welcome.
Thanks
Max
On Jul 8, 2016, at 2:29 AM, Svetlana Nikandrova
<svetlana.nikandr...@oracle.com> wrote:
Hello,
could you please review this simple fix.
Issue:
https://bugs.openjdk.java.net/browse/JDK-8054537
Webrev:
http://cr.openjdk.java.net/~snikandrova/8054537/webrev.00/
<http://cr.openjdk.java.net/%7Esnikandrova/8054537/webrev.00/>
Description:
Added check if SerialNumber constructor's parameter is negative.
Thank you,
Svetlana
