JDK-8281606: Break up SEQUENCE in X509Certificate::getSubjectAlternativeNames and X509Certificate::getIssuerAlternativeNames in otherName


Details

    • Type: CSR
    • Resolution: Approved
    • Priority: P4
    • Fix Version: 19
    • Component: security-libs
    • Compatibility Kind: behavioral
    • Compatibility Risk: minimal
    • Compatibility Risk Description: The existing 2 elements in the list are not modified; only new elements are added.
    • Interface Kind: Java API
    • Scope: SE

    Description

      Summary

      Add more elements to the list returned by X509Certificate::getSubjectAlternativeNames and X509Certificate::getIssuerAlternativeNames for an otherName, so that users do not need to parse the name themselves.

      Problem

      X509Certificate::getSubjectAlternativeNames returns a collection of lists, where each list holds the information of one name: an integer type and a value. Type 0 is reserved for a special type called otherName, which lets you define your own type; its value is an ASN.1 encoding that contains the "real" type as an object identifier and the "real" value. When dealing with such a name, users need to parse the encoding themselves to extract the object identifier and the real value. Parsing ASN.1 encodings is always complicated.

      The same problem exists with X509Certificate::getIssuerAlternativeNames.

      Solution

      Besides the existing type 0 and the full encoding, we now add 2 more elements to the list for an otherName. The first is the "real" type's object identifier in string format. The second is the "real" value in its own ASN.1 encoded form.

      The same change applies to X509Certificate::getIssuerAlternativeNames.
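      As an added example (not part of the CSR or the JDK sources), the following Java code consumes the extended otherName lists on JDK 19+ while still handling the two-entry shape returned by older releases or other providers; the OID 1.3.6.1.4.1.311.20.2.3 and the hand-encoded DER bytes are constructed sample input standing in for what getSubjectAlternativeNames would return.

```java
import java.util.*;

// Added example: reading otherName entries from the Collection<List<?>> that
// X509Certificate::getSubjectAlternativeNames (or getIssuerAlternativeNames)
// returns, e.g. otherNames(cert.getSubjectAlternativeNames()).
public class OtherNameSans {

    static final int OTHER_NAME = 0;   // name type 0 is otherName

    /** One otherName: type-id and value are null when only the DER is available. */
    record OtherName(String typeId, Object value, byte[] der) { }

    static List<OtherName> otherNames(Collection<List<?>> sans) {
        List<OtherName> result = new ArrayList<>();
        if (sans == null) return result;                 // no SubjectAltName extension
        for (List<?> name : sans) {
            if ((Integer) name.get(0) != OTHER_NAME) continue;
            byte[] der = (byte[]) name.get(1);           // full OtherName DER, always present
            if (name.size() >= 4) {
                // JDK 19+ shape: entry 3 is the dotted type-id, entry 4 is a String
                // (supported character string) or the value's DER without the [0] tag
                result.add(new OtherName((String) name.get(2), name.get(3), der));
            } else {
                // Pre-19 or provider without the extra entries: caller decodes der itself
                result.add(new OtherName(null, null, der));
            }
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed sample: OtherName ::= SEQUENCE { OID 1.3.6.1.4.1.311.20.2.3,
        // [0] EXPLICIT UTF8String "a@b" }, hand-encoded; the inner value alone is
        // 0C 03 61 40 62, which is what entry 4 would hold as a byte array if the
        // value type were not a supported character string.
        byte[] der = { 0x30, 0x13, 0x06, 0x0A, 0x2B, 0x06, 0x01, 0x04, 0x01,
                (byte) 0x82, 0x37, 0x14, 0x02, 0x03, (byte) 0xA0, 0x05,
                0x0C, 0x03, 0x61, 0x40, 0x62 };
        Collection<List<?>> sans = List.of(
                List.of(2, "www.example.com"),                      // dNSName, skipped
                List.of(0, der, "1.3.6.1.4.1.311.20.2.3", "a@b"),  // JDK 19+ shape
                List.of(0, der));                                   // two-entry shape
        for (OtherName on : otherNames(sans)) {
            System.out.println(on.typeId() + " -> " + on.value()
                    + " (" + on.der().length + " DER bytes)");
        }
    }
}
```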

      Specification

      Make the following change to the specification of the 2 methods:

       /*
             ...
             * The ASN.1 definition of the {@code SubjectAltName} extension is:
             ...
       +     *
       +     * OtherName ::= SEQUENCE {
       +     *      type-id    OBJECT IDENTIFIER,
       +     *      value      [0] EXPLICIT ANY DEFINED BY type-id }
             ...
             * If this certificate does not contain a {@code SubjectAltName}
             * extension, {@code null} is returned. Otherwise, a
             * {@code Collection} is returned with an entry representing each
             * {@code GeneralName} included in the extension. Each entry is a
             * {@code List} whose first entry is an {@code Integer}
             * (the name type, 0-8) and whose second entry is a {@code String}
             * or a byte array (the name, in string or ASN.1 DER encoded form,
       -     * respectively).
       +     * respectively). More entries may exist depending on the name type.
             ...
       -     * integers separated by periods. And directory names (distinguished names)
       +     * integers separated by periods. Directory names (distinguished names)
             * are returned in <a href="http://www.ietf.org/rfc/rfc2253.txt">
       -     * RFC 2253</a> string format. No standard string format is
       -     * defined for otherNames, X.400 names, EDI party names, or any
       -     * other type of names. They are returned as byte arrays
       -     * containing the ASN.1 DER encoded form of the name.
       +     * RFC 2253</a> string format. No standard string format is defined for
       +     * X.400 names or EDI party names. They are returned as byte arrays
       +     * containing the ASN.1 DER encoded form of the name. otherNames are also
       +     * returned as byte arrays containing the ASN.1 DER encoded form of the
       +     * name. A third entry may also be present in the list containing the
       +     * {@code type-id} of the otherName in string form, and a fourth entry
       +     * containing its {@code value} as either a string (if the value is
       +     * a valid supported character string) or a byte array containing the
       +     * ASN.1 DER encoded form of the value without the context-specific
       +     * constructed tag with number 0.
      
             ...
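Review bot: the new getSubjectAlternativeNames text leaves open whether the third entry (the {@code type-id}) can be present without the fourth (the {@code value}), since "A third entry may also be present ... and a fourth entry containing its value" reads as two independent possibilities; suggest stating explicitly whether the two extra entries always appear together, so callers know which list sizes to test for.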
       +     * @implNote The JDK SUN provider supports the third and fourth
       +     * otherName entries.
             ...
             */
            public Collection<List<?>> getSubjectAlternativeNames()
                    throws CertificateParsingException;
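Review bot: the @implNote says only that the SUN provider "supports" the third and fourth entries; since other providers may return just the two original entries, consider adding that callers must check the list size before reading those entries, which the "may also be present" wording in the main text implies but the note does not restate.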
      
            /*
             ...
             * {@code List} whose first entry is an {@code Integer}
             * (the name type, 0-8) and whose second entry is a {@code String}
             * or a byte array (the name, in string or ASN.1 DER encoded form,
       -     * respectively). For more details about the formats used for each
       +     * respectively).  More entries may exist depending on the name type.
       +     * For more details about the formats used for each
             * name type, see the {@code getSubjectAlternativeNames} method.
             ...
             */
            public Collection<List<?>> getIssuerAlternativeNames()
                    throws CertificateParsingException;
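Review bot: the added line `* respectively).  More entries may exist depending on the name type.` has two spaces after the period, unlike the identical sentence added to getSubjectAlternativeNames; suggest `* respectively). More entries may exist depending on the name type.` for consistency.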

      People

        Weijun Wang (weijun)
        Webbug Group (webbuggrp)
        Sean Mullan