On Fri, 14 Jan 2022 11:18:23 GMT, Masanori Yano <my...@openjdk.org> wrote:
>> Could you please review the JDK-8255739 bug fix?
>>
>> I think sun.security.x509.SubjectAlternativeNameExtension() should throw an
>> exception for incorrect SubjectAlternativeNames instead of returning the
>> substituted characters, which is explained in the description of BugDB.
>>
>> I modified DerValue.readStringInternal() not to read incorrect
>> SubjectAlternativeNames and throw an IOException.
>> sun.security.x509.X509CertInfo.parse() catches the IOException and ignores it if
>> SAN is a non-critical extension like the behavior of the IOException in
>> readStringInternal(). So I added a test with -Djava.security.debug=x509 to
>> confirm that.
>
> Masanori Yano has updated the pull request incrementally with one additional
> commit since the last revision:
>
>   8255739: x509Certificate returns � for invalid subjectAlternativeNames

Thank you for discussing this with many comments.
I understood that the fix is risky, requires additional matching checks, and is preferable to be selectable by a parameter. I would like to consider them, but it will take a little time to reflect them in the change.

-------------

PR: https://git.openjdk.java.net/jdk/pull/6928
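
The behaviour under discussion, as an added example that is not code from the pull request or from the JDK: decoding name bytes with `new String(bytes, charset)` silently substitutes U+FFFD for bytes outside the charset, while a `CharsetDecoder` set to `CodingErrorAction.REPORT` rejects them. It assumes a dNSName carried as an IA5String and decoded as US-ASCII; the class name, method names and sample bytes are constructed for illustration.

```java
import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;

public class StrictSanDecode {
    // Lenient decoding: the String constructor replaces every malformed
    // byte with U+FFFD and never reports an error to the caller.
    static String lenient(byte[] raw) {
        return new String(raw, StandardCharsets.US_ASCII);
    }

    // Strict decoding: REPORT makes the decoder throw instead of substituting,
    // so a malformed name is rejected rather than returned in altered form.
    static String strict(byte[] raw) throws CharacterCodingException {
        return StandardCharsets.US_ASCII.newDecoder()
                .onMalformedInput(CodingErrorAction.REPORT)
                .onUnmappableCharacter(CodingErrorAction.REPORT)
                .decode(ByteBuffer.wrap(raw))
                .toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs (not taken from a real certificate).
        byte[] good = "example.com".getBytes(StandardCharsets.US_ASCII);
        // Same name with one byte (0xE4) that is not valid US-ASCII.
        byte[] bad = {'e', 'x', (byte) 0xE4, 'm', 'p', 'l', 'e', '.', 'c', 'o', 'm'};

        System.out.println("strict(good)  = " + strict(good));

        String substituted = lenient(bad);
        System.out.println("lenient(bad) contains U+FFFD: "
                + (substituted.indexOf('\uFFFD') >= 0));

        try {
            strict(bad);
            System.out.println("strict(bad) unexpectedly succeeded");
        } catch (CharacterCodingException e) {
            // This is the point where a parser can raise its own IOException.
            System.out.println("strict(bad) rejected: " + e);
        }
    }
}
```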