JDK-8277976: Break up SEQUENCE in X509Certificate::getSubjectAlternativeNames and X509Certificate::getIssuerAlternativeNames in otherName

ADDITIONAL SYSTEM INFORMATION :
Any OS, this is OS-agnostic, any Java version from 8

A DESCRIPTION OF THE PROBLEM :
When a GeneralName of tag number 0 ([0] otherName) occurs, the raw ASN.1 DER bytes are returned in the List's second value position. Some otherNames are as simple as SEQUENCE(OID, UTF8String). Client code must process the SEQUENCE manually, which is cumbersome and unnecessary since Java does not provide a public ASN.1 parser.

Proposal: When the X509Certificate parser finds an otherName field in the cert's SAN, the List should be extended to:
* 1st position (no change): 0 for the tag number
* 2nd position (no change): the otherName as an opaque ASN.1 DER byte array
* 3rd position (new): the parsed OID from the otherName SEQUENCE type-id in dotted string notation, e.g., 1.2.3.4
* 4th position (new): a byte array containing the otherName SEQUENCE value WITHOUT the context-specific constructed tag with number 0 (untagged)

Benefits:
* Much simpler to process in client code, no need to unpack ASN.1 constructed types
* In most cases the value is of a primitive type, e.g., UTF8String, PrintableString, etc.
* No compat issues since new values are appended to the List
* Very helpful when you are in a corporate environment and need to extract the MS UPN (1.3.6.1.4.1.311.20.2.3)

The change is simple since internal classes have a decent ASN.1 parser to provide the above functionality.
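The manual unpacking the report complains about, written out as an added example that is not JDK code: a strict DER walker for the opaque otherName bytes the JDK returns in list position 2 for tag 0. It assumes the RFC 5280 layout (implicit [0] replacing the OtherName SEQUENCE tag, explicit [0] around the value), and the class name, helper names and the constructed sample value alice@corp.example are mine; the MS UPN OID is the one named in the report.

```java
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;

/*
 * Added example, not JDK code. Unpacks the opaque DER bytes that
 * X509Certificate.getSubjectAlternativeNames() returns in list position 2 for
 * otherName (tag 0). With RFC 5280's implicit tagging the layout is
 *   [0] IMPLICIT SEQUENCE { type-id OBJECT IDENTIFIER, value [0] EXPLICIT ANY }
 * so the bytes begin with 0xA0 and the value sits inside a second 0xA0.
 */
public final class OtherNameParser {
    public static final String MS_UPN_OID = "1.3.6.1.4.1.311.20.2.3";

    /** Parsed otherName: dotted type-id plus the value's own DER TLV (explicit [0] stripped). */
    public static final class OtherName {
        public final String typeId;
        public final byte[] value;
        OtherName(String typeId, byte[] value) { this.typeId = typeId; this.value = value; }
        /** Decodes UTF8String (0x0C), PrintableString (0x13) or IA5String (0x16); null for other types. */
        public String valueAsString() {
            int tag = value[0] & 0xFF;
            if (tag != 0x0C && tag != 0x13 && tag != 0x16) return null;
            int[] l = lengthAt(value, 1);
            return new String(value, l[1], l[0], tag == 0x0C ? StandardCharsets.UTF_8 : StandardCharsets.US_ASCII);
        }
    }

    public static OtherName parse(byte[] der) {
        int[] outer = expectTag(der, 0, 0xA0);                 // {contentLength, contentOffset}
        if (outer[1] + outer[0] != der.length) throw bad("trailing bytes after otherName");
        int[] oid = expectTag(der, outer[1], 0x06);
        String typeId = decodeOid(der, oid[1], oid[0]);
        int[] expl = expectTag(der, oid[1] + oid[0], 0xA0);    // value [0] EXPLICIT
        if (expl[1] + expl[0] != der.length) throw bad("unexpected data after value");
        need(der, expl[1], 1);
        int[] inner = lengthAt(der, expl[1] + 1);              // explicit tag wraps exactly one TLV
        if (inner[1] + inner[0] != der.length) throw bad("malformed explicit value");
        return new OtherName(typeId, Arrays.copyOfRange(der, expl[1], der.length));
    }

    /** Walks a real certificate's SAN and returns its MS UPN, or null if there is none. */
    public static String upnOf(X509Certificate cert) throws CertificateParsingException {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) return null;
        for (List<?> san : sans) {
            if ((Integer) san.get(0) != 0) continue;           // only otherName entries
            OtherName on = parse((byte[]) san.get(1));         // position 2: opaque DER
            if (MS_UPN_OID.equals(on.typeId)) return on.valueAsString();
        }
        return null;
    }

    // DER primitives; each returns {length, offsetOfContent} after bounds and encoding checks.
    static int[] expectTag(byte[] b, int off, int tag) {
        need(b, off, 1);
        if ((b[off] & 0xFF) != tag) throw bad(String.format("expected tag 0x%02X at offset %d", tag, off));
        int[] l = lengthAt(b, off + 1);
        need(b, l[1], l[0]);
        return l;
    }
    static int[] lengthAt(byte[] b, int off) {
        need(b, off, 1);
        int first = b[off] & 0xFF;
        if (first < 0x80) return new int[] { first, off + 1 };
        int n = first & 0x7F;                                  // long form: n length octets follow
        if (n == 0 || n > 3) throw bad("indefinite or oversized DER length");
        need(b, off + 1, n);
        int len = 0;
        for (int i = 0; i < n; i++) len = (len << 8) | (b[off + 1 + i] & 0xFF);
        if (len < 0x80 || b[off + 1] == 0) throw bad("non-minimal DER length");
        return new int[] { len, off + 1 + n };
    }
    static String decodeOid(byte[] b, int off, int len) {
        if (len == 0 || (b[off + len - 1] & 0x80) != 0) throw bad("malformed OID");
        StringBuilder sb = new StringBuilder();
        long sub = 0;
        for (int i = 0; i < len; i++) {
            int c = b[off + i] & 0xFF;
            if (sub == 0 && c == 0x80) throw bad("non-minimal OID arc");
            if (sub > (Long.MAX_VALUE >> 7)) throw bad("OID arc too large");
            sub = (sub << 7) | (c & 0x7F);
            if ((c & 0x80) != 0) continue;                     // continuation octet
            long a1 = sub < 80 ? sub / 40 : 2;                 // first subidentifier packs arcs 1 and 2
            sb.append(sb.length() == 0 ? a1 + "." + (sub - 40 * a1) : "." + sub);
            sub = 0;
        }
        return sb.toString();
    }
    static void need(byte[] b, int off, int n) { if (off < 0 || n < 0 || off + n > b.length) throw bad("truncated DER"); }
    static IllegalArgumentException bad(String why) { return new IllegalArgumentException(why); }

    /** Constructed sample, laid out as the JDK returns it: MS UPN with UTF8String "alice@corp.example". */
    static final byte[] SAMPLE_UPN = hex("A022"                 // [0] IMPLICIT OtherName, 34 content bytes
            + "060A2B060104018237140203"                       // OBJECT IDENTIFIER 1.3.6.1.4.1.311.20.2.3
            + "A014" + "0C12"                                  // value [0] EXPLICIT, then UTF8String of 18 bytes
            + "616C696365" + "40" + "636F72702E6578616D706C65"); // "alice" "@" "corp.example"
    static byte[] hex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++) out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        return out;
    }
    public static void main(String[] args) {
        OtherName on = parse(SAMPLE_UPN);
        System.out.println(on.typeId + " -> " + on.valueAsString());
    }
}
```

parse() yields exactly what the proposal's 3rd and 4th positions would carry, the dotted type-id and the value with the context-specific [0] removed, and upnOf() shows the same walk over a real X509Certificate. Because the bytes come straight from an untrusted certificate, the walker rejects indefinite and non-minimal lengths, unterminated or non-minimal OID arcs, and trailing bytes instead of tolerating them; a parser that is lenient here is what lets two implementations disagree about which UPN a certificate names.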


            weijun Weijun Wang
            webbuggrp Webbug Group