Hello,
after the October Java update we noticed a few regression issues with saved X509 certificates. In our system we need to correlate CMS objects which reference certificates with Issuer+SN. We had stored the certificates in the DB and some could no longer be found.
This is caused by the improved encoding handling in CVE-2025-53056 / JDK-8360937
The certificate (issuers) in questions seem to be mostly self signed hierarchies. We have seen both BMPSTRINGS (containing \0 characters) and T61STRINGS (probably containing national characters escapes). I think the new behavior is better (although the T61 handling seems incomplete?), we will refresh the database entries, just thought somebody appreciates the warning,
Gruß,
Bernd
--
https://bernd.eckenfels.net
