harmony-commits mailing list archives

From "Tim Ellison (JIRA)" <j...@apache.org>
Subject [jira] Commented: (HARMONY-6248) Wildcard subjectAltName dNSName entries throw IOException
Date Fri, 26 Jun 2009 15:27:07 GMT

    [ https://issues.apache.org/jira/browse/HARMONY-6248?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12724575#action_12724575 ]

Tim Ellison commented on HARMONY-6248:

Unfortunately my v2 patch causes our regression tests to fail.

Running a simple example on the RI shows it doesn't accept DNSName-s starting with a number

    new X509CertSelector().addSubjectAlternativeName(2,"3example.com");

results in 

Exception in thread "main" java.io.IOException: DNSName components must begin with a letter
        at sun.security.x509.DNSName.<init>(DNSName.java:76)
        at java.security.cert.X509CertSelector.makeGeneralNameInterface(X509CertSelector.java:900)
        at java.security.cert.X509CertSelector.addSubjectAlternativeNameInternal(X509CertSelector.java:796)
        at java.security.cert.X509CertSelector.addSubjectAlternativeName(X509CertSelector.java:735)
        at GeneralNameTest.main(GeneralNameTest.java:13)

> Wildcard subjectAltName dNSName entries throw IOException
> ---------------------------------------------------------
>                 Key: HARMONY-6248
>                 URL: https://issues.apache.org/jira/browse/HARMONY-6248
>             Project: Harmony
>          Issue Type: Bug
>          Components: Classlib
>            Reporter: Ian Payton
>            Assignee: Tim Ellison
>         Attachments: harmony-6248-v2.patch, harmony-6248.patch
> Using the DRLCertFactory JCE provider, calling getSubjectAlternativeNames() on an X509Certificate
> throws IOException if the subjectAltName extension in the certificate contains a dNSName entry
> with a wildcard (such as "*.example.com").
> This is ultimately because GeneralName::checkDNS() does not allow wildcard entries.
> RFC3280 and RFC1034 both discuss wildcards, although a strict reading of RFC3280 would *appear*
> not to allow for them in a subjectAltName dNSName.  However, RFC3280 explicitly allows for
> application-specific semantics of use of wildcards in subjectAltName.  As the Harmony code
> currently stands, it is not possible for an application to even retrieve the subjectAltName
> values if they contain a dNSName that does not strictly conform to the "preferred name syntax"
> in RFC1034.  So it is not possible for an application to make the decision on what semantics
> to apply to a wildcard value.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
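
The distinction discussed in this thread, as an added example that is not part of the original message and is neither Harmony nor RI code: a classifier that reports how a dNSName string deviates from the RFC 1034 preferred name syntax instead of throwing, so the calling application can decide what to accept. The class name, the `Kind` values and the rule that `*` is a wildcard only as the whole leftmost label are assumptions of this example.

```java
import java.util.List;

// Added example, not Harmony or RI code: classify a subjectAltName dNSName
// string instead of throwing, so the caller chooses the wildcard semantics.
public class DnsNameClassifier {
    enum Kind { PREFERRED_SYNTAX, LEADING_DIGIT_LABEL, WILDCARD, MALFORMED }

    static boolean isLetter(char c) {
        return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');
    }

    // Letters, digits and hyphens only, no leading or trailing hyphen,
    // at most 63 characters (the RFC 1034 label length limit).
    static boolean isLdhLabel(String label) {
        int n = label.length();
        if (n == 0 || n > 63) return false;
        if (label.charAt(0) == '-' || label.charAt(n - 1) == '-') return false;
        for (int i = 0; i < n; i++) {
            char c = label.charAt(i);
            if (!isLetter(c) && !(c >= '0' && c <= '9') && c != '-') return false;
        }
        return true;
    }

    static Kind classify(String name) {
        if (name == null || name.isEmpty()) return Kind.MALFORMED;
        String[] labels = name.split("\\.", -1); // -1 keeps empty labels
        Kind kind = Kind.PREFERRED_SYNTAX;
        for (int i = 0; i < labels.length; i++) {
            // Assumption: "*" counts as a wildcard only as the whole leftmost label.
            if (i == 0 && labels.length > 1 && labels[i].equals("*")) {
                kind = Kind.WILDCARD;
                continue;
            }
            if (!isLdhLabel(labels[i])) return Kind.MALFORMED;
            // A label starting with a digit is outside the RFC 1034 preferred syntax.
            if (!isLetter(labels[i].charAt(0)) && kind == Kind.PREFERRED_SYNTAX) {
                kind = Kind.LEADING_DIGIT_LABEL;
            }
        }
        return kind;
    }

    public static void main(String[] args) {
        // Constructed samples; "3example.com" and "*.example.com" are from the thread.
        for (String s : List.of("example.com", "3example.com", "*.example.com",
                                "foo.*.example.com", "-bad.example.com")) {
            System.out.println(s + " -> " + classify(s));
        }
    }
}
```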