On Fri, 14 Jan 2022 11:18:23 GMT, Masanori Yano <my...@openjdk.org> wrote:
>> Could you please review the JDK-8255739 bug fix?
>>
>> I think sun.security.x509.SubjectAlternativeNameExtension() should throw an
>> exception for incorrect SubjectAlternativeNames instead of returning the
>> substituted characters, which is explained in the description of BugDB.
>>
>> I modified DerValue.readStringInternal() not to read incorrect
>> SubjectAlternativeNames and throw an IOException.
>> sun.security.x509.X509CertInfo.parse() catches the IOException and ignores it if
>> SAN is a non-critical extension, like the behavior of the IOException in
>> readStringInternal(). So I added a test with -Djava.security.debug=x509 to
>> confirm that.
>
> Masanori Yano has updated the pull request incrementally with one additional
> commit since the last revision:
>
>   8255739: x509Certificate returns � for invalid subjectAlternativeNames

Thank you for your comments.

@seanjmullan I agree that the fix has a compatibility risk. I made the fix again to check only DNSName to reduce the risk. Could you please review the fix? Is it necessary to issue a CSR for the fix?

@wangweij I think the behavior of openssl is incorrect. According to RFC 5280, a certificate-using system MUST reject the certificate if it encounters a critical extension it does not recognize.

https://datatracker.ietf.org/doc/html/rfc5280#section-4.2

Each extension in a certificate is designated as either critical or non-critical. A certificate-using system MUST reject the certificate if it encounters a critical extension it does not recognize or a critical extension that contains information that it cannot process.

-------------

PR: https://git.openjdk.java.net/jdk/pull/6928
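As an added illustration (not code from the JDK PR or the JDK itself), the following Python walks a SubjectAltName DER value and contrasts the lenient decoding that produced the U+FFFD substitution with the strict rejection of a non-IA5 dNSName, then applies the RFC 5280 critical-extension rule quoted above. The DER byte strings and function names are constructed for this example.

```python
# Added example, not from the JDK PR: a minimal DER walk over a SubjectAltName
# value, contrasting lenient decoding (U+FFFD substitution, the reported bug)
# with strict decoding (reject a dNSName that is not valid IA5, as the PR does).
# The DER byte strings at the bottom are constructed for this example.

def _read_tlv(buf, pos):
    """Read one DER TLV with a short-form length; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form lengths are out of scope for this example")
    start = pos + 2
    return tag, buf[start:start + length], start + length

def parse_san(der, strict=True):
    """Return the dNSName entries of a SubjectAltName SEQUENCE.
    strict=True raises ValueError on a non-IA5 byte; strict=False mirrors the
    old behaviour and yields U+FFFD for an undecodable byte."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName must be a SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        gtag, value, pos = _read_tlv(body, pos)
        if gtag == 0x82:  # GeneralName [2] dNSName, encoded as IA5String
            if strict:
                if any(b > 0x7F for b in value):
                    raise ValueError("dNSName contains a non-IA5 byte")
                names.append(value.decode("ascii"))
            else:
                names.append(value.decode("utf-8", errors="replace"))
    return names

def san_from_extension(ext_value, critical):
    """Apply the RFC 5280 rule quoted in the thread: an unprocessable critical
    extension makes the certificate unacceptable (the error propagates), while
    an unprocessable non-critical one is skipped (None), as X509CertInfo.parse()
    does with the IOException."""
    try:
        return parse_san(ext_value, strict=True)
    except ValueError:
        if critical:
            raise
        return None

# SEQUENCE { [2] IA5String "example.com" } and the same with byte 0xE4 ('ä' in
# Latin-1, not IA5) in place of the 'a'.
GOOD_SAN = bytes([0x30, 0x0D, 0x82, 0x0B]) + b"example.com"
BAD_SAN = bytes([0x30, 0x0D, 0x82, 0x0B]) + b"ex\xe4mple.com"
```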