On Mon, 25 Oct 2021 12:53:43 GMT, Sean Mullan <mul...@openjdk.org> wrote:
> The JDK implementation (as supplied by the "SUN" provider) of
> `X509Certificate::getSubjectAlternativeNames` and
> `X509Certificate::getIssuerAlternativeNames` returns `null` instead of
> throwing a `CertificateParsingException` when the extension is unparseable.
>
> This fix changes the behavior to comply with the specification.
>
> CSR: https://bugs.openjdk.java.net/browse/JDK-8275822

How about other `X509Certificate` methods that get info of an extension?

src/java.base/share/classes/sun/security/x509/X509CertImpl.java line 1618:

> 1616: }
> 1617: SubjectAlternativeNameExtension subjectAltNameExt =
> 1618: getSubjectAlternativeNameExtension();

Does it make sense to let the line above throw an exception? I see the method is called in several places (`X509CertSelector`, `Builder`, etc.). What is the correct behavior in those places?

src/java.base/share/classes/sun/security/x509/X509CertImpl.java line 1691:

> 1689: }
> 1690: IssuerAlternativeNameExtension issuerAltNameExt =
> 1691: getIssuerAlternativeNameExtension();

Same comment as above, but this method seems to be only called once in src.

test/jdk/java/security/cert/GetSubjectAlternativeNames/NullRFC822Name.java line 37:

> 35: */
> 36: public class NullRFC822Name {
> 37:

Adding a comment showing the ASN.1 fields would be a relief for the reader. OpenSSL shows:

    // 430:d=4 hl=2 l= 11 cons: SEQUENCE
    // 432:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name
    // 437:d=5 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:30028100

-------------

PR: https://git.openjdk.java.net/jdk/pull/6106
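
An added example, not part of the review thread or of the JDK sources: a minimal DER walker that decodes the OCTET STRING contents from the OpenSSL dump above (`30028100`) as a GeneralNames value, showing that the extension holds a single rfc822Name of length 0. The class and method names (`SanOctetStringDump`, `decodeGeneralNames`, `shortLength`) are hypothetical, and only short-form DER lengths are handled.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

public class SanOctetStringDump {
    // GeneralName CHOICE tag numbers, RFC 5280 section 4.2.1.6.
    private static final String[] GENERAL_NAME = {
        "otherName", "rfc822Name", "dNSName", "x400Address", "directoryName",
        "ediPartyName", "uniformResourceIdentifier", "iPAddress", "registeredID"
    };

    // Reads a short-form DER length; long form is rejected (assumption: inputs under 128 bytes).
    private static int shortLength(byte[] der, int pos) {
        if (pos >= der.length || (der[pos] & 0x80) != 0) {
            throw new IllegalArgumentException("truncated or long-form length at " + pos);
        }
        return der[pos];
    }

    // Decodes a DER GeneralNames value into one "type (n bytes): value" entry per name.
    static List<String> decodeGeneralNames(byte[] der) {
        if (der.length < 2 || der[0] != 0x30 || shortLength(der, 1) != der.length - 2) {
            throw new IllegalArgumentException("not a well-formed SEQUENCE");
        }
        List<String> names = new ArrayList<>();
        for (int pos = 2; pos < der.length; ) {
            int tag = der[pos] & 0xff;
            int len = shortLength(der, pos + 1);
            int number = tag & 0x1f;
            // Every GeneralName alternative is context-specific (class bits 10).
            if ((tag & 0xc0) != 0x80 || number >= GENERAL_NAME.length || pos + 2 + len > der.length) {
                throw new IllegalArgumentException("bad GeneralName at offset " + pos);
            }
            // rfc822Name, dNSName and URI are IA5String; other types are shown by size only.
            boolean text = number == 1 || number == 2 || number == 6;
            String value = text
                ? "\"" + new String(der, pos + 2, len, StandardCharsets.US_ASCII) + "\""
                : "<binary>";
            names.add(GENERAL_NAME[number] + " (" + len + " bytes): " + value);
            pos += 2 + len;
        }
        return names;
    }

    public static void main(String[] args) {
        // OCTET STRING contents from the OpenSSL dump in the review comment: 30 02 81 00
        byte[] extensionValue = {0x30, 0x02, (byte) 0x81, 0x00};
        decodeGeneralNames(extensionValue).forEach(System.out::println);
    }
}
```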