On Thu, 23 Feb 2023 16:42:17 GMT, Sean Mullan <mul...@openjdk.org> wrote:

> The LDAPCertStore implementation passes Distinguished Names in CRL and 
> Certificate URLs as Strings to JNDI APIs such as 
> LdapContext.getAttributes(String), which then treats them as CompositeNames. 
> This causes issues with URLs that have DNs with forward slashes. These are 
> rare but compliant with the LDAP URL format for DNs referenced by [section 
> 4.2.1.13 of RFC 
> 5280](https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.13). Instead, the 
> implementation should be passing the DN to JNDI APIs as an LdapName, which 
> parses the forward slash character as part of the DN. Unfortunately, LDAP 
> referral URLs can not be converted to LdapNames, so we keep the current DN 
> syntax checks (and disallow forward slashes) if there are referrals involved.
> 
> The current 
> test/jdk/security/infra/java/security/cert/CertPathValidator/certification/ActalisCA.java
>  can be used to test this fix as it contains a test certificate with an LDAP 
> URL in the CRL Distribution Points with a forward slash in the Distinguished 
> Name. Prior to the fix it was failing because of this bug, now it is passing. 
> We also take this opportunity to update the test and replace expired test 
> certificates with new ones.

This pull request has now been integrated.

Changeset: df9aad01
Author:    Sean Mullan <mul...@openjdk.org>
URL:       https://git.openjdk.org/jdk/commit/df9aad018a769a27221cb29e4e66465e5d98ba94
Stats:     62 lines in 2 files changed: 11 ins; 8 del; 43 mod

8297955: LDAP CertStore should use LdapName and not String for DNs

Reviewed-by: weijun, rhalade

-------------

PR: https://git.openjdk.org/jdk/pull/12730
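The PR description above turns on the difference between how JNDI parses a DN passed as a String (as a CompositeName, where "/" separates components) and as an LdapName (where "/" is an ordinary RDN value character). The following stand-alone Java program, an added illustration rather than code from the JDK change, shows that difference on a constructed DN containing a forward slash; the DN value and class name are invented for the demonstration.

```java
import javax.naming.CompositeName;
import javax.naming.InvalidNameException;
import javax.naming.Name;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class DnParsingDemo {

    // Constructed sample: a DN whose CN value contains a forward slash.
    // RFC 2253 does not treat "/" specially, so this is a valid LDAP DN.
    static final String DN_WITH_SLASH = "CN=Example CA/CRL1,O=Example Org,C=US";

    // Number of components JNDI sees when the DN is handed over as a String:
    // String arguments to Context methods are parsed as CompositeNames,
    // which split on "/", so the DN is broken into two pieces.
    static int compositeComponentCount(String dn) throws InvalidNameException {
        return new CompositeName(dn).size();
    }

    // Number of RDNs JNDI sees when the DN is parsed as an LdapName:
    // the "/" stays inside the CN value and the DN keeps its three RDNs.
    static int ldapRdnCount(String dn) throws InvalidNameException {
        return new LdapName(dn).size();
    }

    // The pattern the fix adopts: convert the DN to a Name before calling
    // JNDI APIs such as LdapContext.getAttributes(Name, String[]) so no
    // CompositeName parsing happens.  The referral caveat from the PR text
    // applies: a referral URL cannot be converted this way, so callers that
    // may follow referrals must keep the stricter DN syntax checks instead.
    static Name toLdapName(String dn) throws InvalidNameException {
        return new LdapName(dn);
    }

    public static void main(String[] args) throws InvalidNameException {
        CompositeName composite = new CompositeName(DN_WITH_SLASH);
        System.out.println("CompositeName components: " + composite.size());
        for (int i = 0; i < composite.size(); i++) {
            System.out.println("  [" + i + "] " + composite.get(i));
        }

        LdapName ldap = new LdapName(DN_WITH_SLASH);
        System.out.println("LdapName RDNs: " + ldap.size());
        // getRdns() lists RDNs from the rightmost (C=US) to the leftmost (CN=...)
        for (Rdn rdn : ldap.getRdns()) {
            System.out.println("  " + rdn.getType() + " = " + rdn.getValue());
        }

        Name safe = toLdapName(DN_WITH_SLASH);
        System.out.println("Name to pass to JNDI: " + safe);
    }
}
```

Running this prints two CompositeName components ("CN=Example CA" and "CRL1,O=Example Org,C=US") against three LdapName RDNs, which is exactly why a CRL Distribution Point DN containing "/" failed to resolve before the change and why the fix passes an LdapName rather than a String.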
