New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
8261472: BasicConstraintsExtension::toString shows "PathLen:2147483647" if there is no pathLenConstraint #2493
Conversation
…7" if there is no pathLenConstraint 8261472: BasicConstraintsExtension::toString shows "PathLen:2147483647" if there is no pathLenConstraint
👋 Welcome back weijun! A progress list of the required criteria for merging this PR into |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks fine to me.
@wangweij This change now passes all automated pre-integration checks. ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details. After integration, the commit message for the final commit will be:
You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed. At the time when this comment was updated there had been 95 new commits pushed to the
As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details. ➡️ To integrate this PR with the above commit message to the |
/integrate |
@wangweij Since your change was applied there have been 95 commits pushed to the
Your commit was automatically rebased without conflicts. Pushed as commit 4619f37. 💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored. |
Mailing list message from Michael StJohns on security-dev: On 2/9/2021 9:02 PM, Weijun Wang wrote: Sorry - not quite right, it's not quite that trivial a fix. The definition for BasicConstraints is
If pathLenConstraint is not present, then the path length is infinite.?? You really ought to get the same encoding coming and going (e.g. 1) It's not valid to encode or decode pathLenConstraint in the DER as a 2) I'm not sure why the set/get methods were added.? I think it was to 3) And since the only place pathLen is available externally is in the 4) And to fix the problem that led to this discussion, change line 176 5) One more - in the other constructor, change line 108 to "this.pathLen 6) *sigh* Delete lines 197-201.? I have no idea why they are overriding Mike -------------- next part -------------- |
Thanks for all the points. I've filed https://bugs.openjdk.java.net/browse/JDK-8261513, which will be non-trivial. |
Mailing list message from Sean Mullan on security-dev: Michael, Thanks for the comments - a couple of observations of mine below -- On 2/10/21 12:53 AM, Michael StJohns wrote:
I agree.
Some of this is due to the API for "the value of pathLenConstraint if the BasicConstraints extension is We need to be careful that for any changes we make, we still comply with
In this case, I would throw an Exception. If the pathLenConstraint is The internal X509 classes have set/get/delete methods dating back to the
I think it is better to ensure that in this class, pathLen is never < 0,
That does seem a little weird. --Sean |
Print out "no limit" instead. This is the words RFC 5280 uses: "Where pathLenConstraint does not appear, no limit is imposed".
No regression test. Trivial.
Progress
Issue
Reviewers
Download
$ git fetch https://git.openjdk.java.net/jdk pull/2493/head:pull/2493
$ git checkout pull/2493