sun.security.x509.DNSName leading dot in name constraints
vtsingaras at it.auth.gr
Tue Jun 9 06:21:24 UTC 2015
I work for the Hellenic Academic and Research Institutions Certification Authority (https://www.harica.gr), a Root Certification Authority included in the NSS, Microsoft and Apple certificate stores. Our RootCA certificate uses the name constraints extension with a small error, instead of just gr, org and edu in the permitted subtrees it has .gr, .edu and .org. As a result certificates issued under our CA fail to verify with Java. We had the same issue with OpenSSL and gnuTLS but fortunately they modified their implementation to accommodate for our situation. I kindly ask if this is something that could also be done with OpenJDK, and if so what would be the best way to implement that. Currently we have a patch against the 'constrains' method of 'DNSName' that just ignores the leading dot in name constraints.
Aristotle University of Thessaloniki, IT Center
More information about the jdk9-dev