- Bug
- Resolution: Fixed
- P4
- 1.2.0
- 1.2beta2
- sparc
- solaris_2.5.1
- Not verified

Due to several problems with extended attributes, sun.security.x509.X509CertImpl and its helper classes cannot parse VeriSign certificates, which occur in Netscape signed jar signatures. There are similar problems parsing Nortel certificates.
The problems are:
1. Constructor BasicConstraints(Boolean, Object) throws an exception when
both (optional) fields of a BasicConstraints extended attribute are missing.
(Field val.data of DerValue val is unexpectedly null.)
2. KeyUsageExtension(Boolean, Object) rejects a KeyUsage extension if it is
marked noncritical. Similarly for one case of a BasicConstraints extended
attribute. (The latest PKIX draft recommends that KeyUsage be
marked critical and requires that BasicConstraints be marked critical.)
3. A number of noncritical extended attributes with unrecognized OIDs are
rejected. Some of these are Netscape or Microsoft
4. Parsing a KeyUsage extended attribute containing a BIT
STRING whose length is not a multiple of 8 returns an unexpected null.
(See bug 4081538).
The Nortel certificate also failed to parse because it contained several extended attributes with unrecognized OIDs, one of them marked critical. These OIDs were all in the id-ce (2.5.29.xxx) OID class used in X.509 revision documents, so probably we should recognize them.
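
The decoding behaviour that items 1 to 4 call for, as an added example (not the JDK's code): an empty BasicConstraints SEQUENCE, a KeyUsage BIT STRING with unused bits, and the rule that only an unrecognized extension marked critical forces rejection. The class and method names are hypothetical, the byte arrays and the OID `2.5.29.999` are constructed placeholders, and only short-form DER lengths and a single-byte pathLen are handled.

```java
import java.util.*;

public class ExtensionEdgeCases {
    // OIDs this sketch understands: id-ce-keyUsage and id-ce-basicConstraints.
    static final Set<String> KNOWN = Set.of("2.5.29.15", "2.5.29.19");

    // A recognized extension is processed whatever its critical flag says.
    // An unrecognized one is skipped if noncritical and fatal if critical.
    static boolean accept(String oid, boolean critical) {
        return KNOWN.contains(oid) || !critical;
    }

    // KeyUsage value: tag 0x03, length, unused-bit count, then the bit octets.
    static boolean[] keyUsage(byte[] der) {
        if (der.length < 3 || der[0] != 0x03 || (der[1] & 0xFF) != der.length - 2)
            throw new IllegalArgumentException("not a short-form BIT STRING");
        int unused = der[2] & 0xFF;
        int nbits = (der.length - 3) * 8 - unused;
        if (unused > 7 || nbits < 0)
            throw new IllegalArgumentException("bad unused-bit count");
        boolean[] bits = new boolean[nbits];   // length need not be a multiple of 8
        for (int i = 0; i < nbits; i++)
            bits[i] = (der[3 + i / 8] & (0x80 >> (i % 8))) != 0;
        return bits;
    }

    // BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLen INTEGER OPTIONAL }
    // Same convention as X509Certificate.getBasicConstraints(): -1 when not a CA,
    // Integer.MAX_VALUE for a CA without pathLen, otherwise the pathLen value.
    static int basicConstraints(byte[] der) {
        if (der.length < 2 || der[0] != 0x30 || (der[1] & 0xFF) != der.length - 2)
            throw new IllegalArgumentException("not a short-form SEQUENCE");
        int p = 2, pathLen = Integer.MAX_VALUE;
        boolean ca = false;                    // DEFAULT FALSE when the field is absent
        if (p + 2 < der.length && der[p] == 0x01 && der[p + 1] == 1) { ca = der[p + 2] != 0; p += 3; }
        if (p + 2 < der.length && der[p] == 0x02 && der[p + 1] == 1 && der[p + 2] >= 0) { pathLen = der[p + 2]; p += 3; }
        if (p != der.length) throw new IllegalArgumentException("trailing or unsupported data");
        return ca ? pathLen : -1;
    }

    public static void main(String[] args) {
        byte[] emptyBc = {0x30, 0x00};                        // both optional fields absent
        byte[] caBc = {0x30, 0x03, 0x01, 0x01, (byte) 0xFF};  // cA = TRUE, no pathLen
        byte[] ku = {0x03, 0x02, 0x05, (byte) 0xA0};          // 5 unused bits, 3 significant
        System.out.println("empty BasicConstraints: " + basicConstraints(emptyBc));
        System.out.println("CA, unlimited path: " + (basicConstraints(caBc) == Integer.MAX_VALUE));
        System.out.println("KeyUsage bits: " + Arrays.toString(keyUsage(ku)));
        System.out.println("noncritical KeyUsage accepted: " + accept("2.5.29.15", false));
        System.out.println("unknown noncritical accepted: " + accept("2.5.29.999", false));
        System.out.println("unknown critical accepted: " + accept("2.5.29.999", true));
    }
}
```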