On Tue, 8 Oct 2024 15:28:58 GMT, Mark Powers <[email protected]> wrote:
>> src/java.base/share/classes/sun/security/x509/X509CRLImpl.java line 292:
>>
>>> 290: throw new CRLException("Parsing error: "
>>> 291: + "issuer is not an X.500 DN");
>>> 292: }
>>
>> I checked RFC 5280 and you can have more than one name in the
>> `CertificateIssuer` field of the `CertificateIssuerExtension`, see
>> https://www.rfc-editor.org/rfc/rfc5280#section-5.3.3
>>
>> But for this code, we are only interested in the `X500Name`, as we
>> subsequently use that to associate the CRL entry with its issuer. So
>> instead, what you should do is loop thru the names until we find an
>> `X500Name`, and only throw a `CRLException` if we don't find an `X500Name`.
>> Let me know if this makes sense.
>
> Fixed.

Does the test need to be modified to test for more than one name? I could go
either way.

-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/20528#discussion_r1792102768
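
The lookup discussed in this thread, as an added example that is not the JDK's code and not part of the original messages: walk a DER-encoded `GeneralNames` value, return the first `directoryName`, and throw a `CRLException` only when none is present. The class and method names are hypothetical, the sample bytes are constructed, and a minimal DER walker with the public `X500Principal` class stands in for the internal `sun.security.x509` types.

```java
import java.security.cert.CRLException;
import java.util.Arrays;
import java.util.HexFormat;
import javax.security.auth.x500.X500Principal;

public class CertIssuerNameDemo {   // hypothetical class, not JDK code
    // GeneralName CHOICE tag for directoryName: context-specific, constructed [4] (RFC 5280, 4.2.1.6)
    static final int DIRECTORY_NAME = 0xA4;

    // Returns the first directoryName in a DER GeneralNames value, skipping other name forms.
    static X500Principal firstX500Name(byte[] der) throws CRLException {
        int[] seq = header(der, 0, der.length);
        if (seq[0] != 0x30) throw new CRLException("Parsing error: not a GeneralNames SEQUENCE");
        for (int pos = seq[1]; pos < seq[2]; ) {
            int[] name = header(der, pos, seq[2]);
            if (name[0] == DIRECTORY_NAME) {
                try {   // the [4] tag is explicit, so its content is the complete Name encoding
                    return new X500Principal(Arrays.copyOfRange(der, name[1], name[2]));
                } catch (IllegalArgumentException e) {
                    throw new CRLException("Parsing error: malformed directoryName");
                }
            }
            pos = name[2];   // dNSName, URI and other forms: keep looking
        }
        throw new CRLException("Parsing error: issuer is not an X.500 DN");
    }

    // Reads one TLV header; returns {tag, contentStart, contentEnd}, never reading past limit.
    static int[] header(byte[] b, int pos, int limit) throws CRLException {
        if (limit - pos < 2) throw new CRLException("Parsing error: truncated");
        int tag = b[pos++] & 0xFF, len = b[pos++] & 0xFF;
        if (len >= 0x80) {   // long-form length: low 7 bits give the number of length bytes
            int n = len & 0x7F;
            if (n == 0 || n > 3 || limit - pos < n) throw new CRLException("Parsing error: bad length");
            for (len = 0; n > 0; n--) len = (len << 8) | (b[pos++] & 0xFF);
        }
        if (len > limit - pos) throw new CRLException("Parsing error: truncated");
        return new int[] { tag, pos, pos + len };
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: dNSName "ca.example" and directoryName CN=Test CA
        String dns = "820a63612e6578616d706c65";
        String dir = "a41430123110300e06035504030c0754657374204341";
        HexFormat hex = HexFormat.of();
        System.out.println(firstX500Name(hex.parseHex("3022" + dns + dir)).getName());
        try { firstX500Name(hex.parseHex("300c" + dns)); }   // no directoryName at all
        catch (CRLException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The first input lists a `dNSName` ahead of the `directoryName`, which is the more-than-one-name case raised in the closing question about the test.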