8311546: Certificate name constraints improperly validated with leading period

[blperez01]

Updated the constrains method in DNSName.java to accept certificates with a leading period.

---

Progress

• Change must be properly reviewed (1 review required, with at least 1 Reviewer)
• Change must not contain extraneous whitespace
• Commit message must refer to an issue

Issue

• JDK-8311546: Certificate name constraints improperly validated with leading period (Bug - P3)

Reviewers

• Sean Mullan (@seanjmullan - Reviewer)

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/16295/head:pull/16295
$ git checkout pull/16295

Update a local copy of the PR:
$ git checkout pull/16295
$ git pull https://git.openjdk.org/jdk.git pull/16295/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 16295

View PR using the GUI difftool:
$ git pr show -t 16295

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/16295.diff

Webrev

Link to Webrev Comment

[bridgekeeper]

👋 Welcome back blperez01! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

@blperez01 The following label will be automatically applied to this pull request:

• security

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command.

[mlbridge]

Webrevs

• 02: Full - Incremental (7cf1628c)
• 01: Full - Incremental (6db8c331)
• 00: Full (cffa7b99)

[seanjmullan]

On line 203, can you modify the comment to:

• RFC 5280: For DNS names, restrictions MUST use the dNSName syntax in
  Section 4.2.1.6.

  This matches the new text in the errata (https://www.rfc-editor.org/errata/eid5997).

  Also, you can remove the comments on lines 208-213 as they are duplicates.

[seanjmullan]

Nit, change to:

/*
 * @test

[seanjmullan]

You can combine these two lines.

[seanjmullan]

You should not need to set this property if revocation is disabled.

[seanjmullan]

You should not need to set this property if revocation is disabled.

[seanjmullan]

You may have missed this comment, you can also remove lines 77-78.

[seanjmullan]

You don't need try/catch here since main throws Exception this will just get propagated upwards. Same comment on line 122.

[seanjmullan]

Probably simpler to use List.of(targetCert, ca) here.

[openjdk]

@blperez01 This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8311546: Certificate name constraints improperly validated with leading period

Reviewed-by: mullan

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 140 new commits pushed to the master branch:

• b3fec6b: 8306980: Generated docs should contain correct Legal Documents
• 1139482: 8316132: CDSProtectionDomain::get_shared_protection_domain should check for exception
• 2182c93: 8313643: Update HarfBuzz to 8.2.2
• 613a3cc: 8301846: Invalid TargetDataLine after screen lock when using JFileChooser or COM library
• 613d32c: 8169475: WheelModifier.java fails by timeout
• f1e8787: 8317609: Classfile API fails to verify /jdk.jcmd/sun/tools/jstat/Alignment.class
• 47624f6: 8299058: AssertionError in sun.net.httpserver.ServerImpl when connection is idle
• 2d5829a: 8239508: JFR: @RemoveFields
• 0064cf9: 8311596: Add separate system properties for TLS server and client for maximum chain length
• 3a7525d: 8309118: HttpClient: Add more tests for 100 ExpectContinue with HTTP/2
• ... and 130 more: https://git.openjdk.org/jdk/compare/d3ebb4a155be8ed93e79b6b58c645e861ec30267...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

As you do not have Committer status in this project an existing Committer must agree to sponsor your change. Possible candidates are the reviewers of this PR (@seanjmullan) but any other Committer may sponsor as well.

➡️ To flag this PR as ready for integration with the above commit message, type /integrate in a new comment. (Afterwards, your sponsor types /sponsor in a new comment to perform the integration).

[blperez01]

/integrate

[openjdk]

@blperez01
Your change (at version 7cf1628) is now ready to be sponsored by a Committer.

[seanjmullan]

/sponsor

[openjdk]

Going to push as commit bfaf570.
Since your change was applied there have been 149 commits pushed to the master branch:

• d354141: 8318694: [JVMCI] disable can_call_java in most contexts for libjvmci compiler threads
• c86592d: 8319046: Execute tests in source/class-file order in JavadocTester
• 3660a90: 8319139: Improve diagnosability of JavadocTester output
• 7f47c51: 8316025: Use testUI() method of PassFailJFrame.Builder in FileChooserSymLinkTest.java
• 36de19d: 8317048: VerifyError with unnamed pattern variable and more than one components
• ab19348: 8318647: Serial: Refactor BlockOffsetTable
• b4f5379: 8304939: os::win32::exit_process_or_thread should be marked noreturn
• 0461d9a: 8318016: Per-compilation memory ceiling
• 2a76ad9: 8318683: compiler/c2/irTests/TestPhiDuplicatedConversion.java "Failed IR Rules (2) of Methods (2)"
• b3fec6b: 8306980: Generated docs should contain correct Legal Documents
• ... and 139 more: https://git.openjdk.org/jdk/compare/d3ebb4a155be8ed93e79b6b58c645e861ec30267...master

Your commit was automatically rebased without conflicts.

[openjdk]

@seanjmullan @blperez01 Pushed as commit bfaf570.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.