-
Notifications
You must be signed in to change notification settings - Fork 5.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
8251468: X509Certificate.get{Subject,Issuer}AlternativeNames and getExtendedKeyUsage do not throw CertificateParsingException if extension is unparseable #6106
Conversation
… throw CertificateParsingException if extension is unparseable
/csr |
👋 Welcome back mullan! A progress list of the required criteria for merging this PR into |
@seanjmullan this pull request will not be integrated until the CSR request JDK-8275822 for issue JDK-8251468 has been approved. |
@seanjmullan The following label will be automatically applied to this pull request:
When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command. |
Webrevs
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How about other X509Certificate
methods that get info of an extension?
* CertificateParsingException if extension is unparseable/invalid. | ||
*/ | ||
public class NullRFC822Name { | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Adding a comment showing the ASN.1 fields would be a relief for the reader. OpenSSL shows:
// 430:d=4 hl=2 l= 11 cons: SEQUENCE
// 432:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name
// 437:d=5 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:30028100
@@ -1616,6 +1617,14 @@ public int getBasicConstraints() { | |||
SubjectAlternativeNameExtension subjectAltNameExt = | |||
getSubjectAlternativeNameExtension(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does it make sense to let the line above throwing an exception? I see the method is called in several places (X509CertSelector
, Builder
, etc). What is the correct behavior in those places?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To clarify, do you mean this code in getExtension(ObjectIdentifier)
that swallows the exception?:
} catch (IOException ioe) {
return null;
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's probably a little deeper and changing it will have a mass effect. What about at the getIssuerAlternativeNameExtension
level?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unless I am misunderstanding your comment, I don't think this is an issue in practice. The code inside the X509CertImpl.getExtension
method only throws an Exception if invalid OIDs or attribute names are passed to the internal get
methods of X509CertInfo
and CertificateExtensions
, which isn't possible when you are passing in known values/attributes. I think this is why the code swallows the exceptions and returns null, but it would be nice to have a comment explaining that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was asking if getIssuerAlternativeNameExtension
can throw the exception if IAE exists but not parseable.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok, I understand your comment now. I'm hesitant to change those methods to throw an exception because to be consistent all the get*Extension()
methods should then throw an Exception. That might be the right thing to do, but it is a bigger change and more risky. The code that calls these internal methods is used for building certification paths, and if null is returned, it is as if the certificate did not contain the extension. That might be a more reasonable behavior than throwing an Exception, since it allows the code to find other potential certificates or certification paths. Adding certpath debug can always be used to find out more about why certain certificates were not selected.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK.
@@ -1680,6 +1690,14 @@ public int getBasicConstraints() { | |||
IssuerAlternativeNameExtension issuerAltNameExt = | |||
getIssuerAlternativeNameExtension(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same comment as above, but this method seems to be only called once in src.
Good question. There are 3: As for |
…s unparseable. - Renamed and enhanced test to check cert with badly encoded extensions. - Added comments to test describing which fields are badly encoded.
@seanjmullan This change now passes all automated pre-integration checks. ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details. After integration, the commit message for the final commit will be:
You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed. At the time when this comment was updated there had been 164 new commits pushed to the
As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details. ➡️ To integrate this PR with the above commit message to the |
/integrate |
Going to push as commit 8cc5950.
Your commit was automatically rebased without conflicts. |
@seanjmullan Pushed as commit 8cc5950. 💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored. |
The JDK implementation (as supplied by the "SUN" provider) of
X509Certificate::getSubjectAlternativeNames
andX509Certificate::getIssuerAlternativeNames
returnsnull
instead of throwing aCertificateParsingException
when the extension is unparseable.This fix changes the behavior to comply with the specification.
CSR: https://bugs.openjdk.java.net/browse/JDK-8275822
Progress
Issue
Reviewers
Reviewing
Using
git
Checkout this PR locally:
$ git fetch https://git.openjdk.java.net/jdk pull/6106/head:pull/6106
$ git checkout pull/6106
Update a local copy of the PR:
$ git checkout pull/6106
$ git pull https://git.openjdk.java.net/jdk pull/6106/head
Using Skara CLI tools
Checkout this PR locally:
$ git pr checkout 6106
View PR using the GUI difftool:
$ git pr show -t 6106
Using diff file
Download this PR as a diff file:
https://git.openjdk.java.net/jdk/pull/6106.diff