On Thu, 23 Dec 2021 11:59:18 GMT, Masanori Yano <[email protected]> wrote:
> Could you please review the JDK-8255739 bug fix?
>
> I think sun.security.x509.SubjectAlternativeNameExtension() should throw an
> exception for incorrect SubjectAlternativeNames instead of returning the
> substituted characters, which is explained in the description of BugDB.
>
> I modified DerValue.readStringInternal() not to read incorrect
> SubjectAlternativeNames and throw an IOException.
> sun.security.x509.X509CertInfo.parse() catches the IOException and ignores it if
> SAN is a non-critical extension like the behavior of the IOException in
> readStringInternal(). So I added a test with -Djava.security.debug=x509 to
> confirm that.

The method modified has an effect on all the string reading methods in `DerValue`.
I wonder if this is worth doing. How harmful is this bug?

BTW, openssl seems to be reading them as UTF-8 strings:

    X509v3 Subject Alternative Name:
        DNS:℡.com, DNS:K.com

-------------
PR: https://git.openjdk.java.net/jdk/pull/6928
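
The two behaviours discussed in this thread, substituting characters versus throwing, shown side by side as an added example; this is not code from the JDK or from the PR. The class and method names (`Ia5DecodeDemo`, `lenient`, `strict`) are hypothetical, and the sample bytes are constructed: they stand for the content octets of a dNSName (an IA5String, so 7-bit ASCII only) that actually carry UTF-8.

```java
import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.CharsetDecoder;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;

public class Ia5DecodeDemo {
    // Lenient: String(byte[], Charset) replaces every undecodable byte with
    // U+FFFD, so the caller receives a name the certificate never contained.
    static String lenient(byte[] content) {
        return new String(content, StandardCharsets.US_ASCII);
    }

    // Strict: a decoder configured with REPORT throws instead of substituting,
    // which lets the caller reject (or skip) the malformed extension.
    static String strict(byte[] content) throws CharacterCodingException {
        CharsetDecoder dec = StandardCharsets.US_ASCII.newDecoder()
                .onMalformedInput(CodingErrorAction.REPORT)
                .onUnmappableCharacter(CodingErrorAction.REPORT);
        return dec.decode(ByteBuffer.wrap(content)).toString();
    }

    public static void main(String[] args) {
        // Constructed sample: UTF-8 encoding of U+2121 followed by ".com".
        byte[] bad = {(byte) 0xE2, (byte) 0x84, (byte) 0xA1, '.', 'c', 'o', 'm'};
        // Constructed sample: a well-formed ASCII name for comparison.
        byte[] good = "example.com".getBytes(StandardCharsets.US_ASCII);

        for (byte[] content : new byte[][] {good, bad}) {
            String l = lenient(content);
            System.out.println("lenient:  " + l
                    + "  (contains U+FFFD: " + (l.indexOf('\uFFFD') >= 0) + ")");
            try {
                System.out.println("strict:   " + strict(content));
            } catch (CharacterCodingException e) {
                System.out.println("strict:   rejected (" + e + ")");
            }
            // What a parser sees if it treats the same octets as UTF-8.
            System.out.println("as UTF-8: "
                    + new String(content, StandardCharsets.UTF_8));
        }
    }
}
```

The same octets give three different answers (substituted, rejected, or a non-ASCII name), so two parsers that pick different modes can disagree about which names a certificate covers.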