The LDAPCertStore implementation passes Distinguished Names in CRL and 
Certificate URLs as Strings to JNDI APIs such as 
LdapContext.getAttributes(String), which then treats them as CompositeNames. 
This causes issues with URLs that have DNs with forward slashes. These are rare 
but compliant with the LDAP URL format for DNs referenced by [section 4.2.1.13 
of RFC 5280](https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.13). Instead, 
the implementation should be passing the DN to JNDI APIs as an LdapName, which 
parses the forward slash character as part of the DN. Unfortunately, LDAP 
referral URLs cannot be converted to LdapNames, so we keep the current DN 
syntax checks (and disallow forward slashes) if there are referrals involved.

The current 
test/jdk/security/infra/java/security/cert/CertPathValidator/certification/ActalisCA.java
can be used to test this fix as it contains a test certificate with an LDAP 
URL in the CRL Distribution Points with a forward slash in the Distinguished 
Name. Prior to the fix it was failing because of this bug, now it is passing. 
We also take this opportunity to update the test and replace expired test 
certificates with new ones.
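The following is an added illustration, not code from the PR or from the JDK: it shows how the same DN string is split by `CompositeName` at the forward slash but kept intact by `LdapName`, and a hypothetical `toJndiName` helper that mirrors the described policy (use `LdapName` normally, keep the composite-name check when a referral is involved). The DN value is constructed for the demo.

```java
import javax.naming.CompositeName;
import javax.naming.InvalidNameException;
import javax.naming.Name;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class DnNameDemo {

    // Constructed sample DN; the '/' is part of the CN value and is legal in an LDAP DN.
    static final String DN = "CN=Example Root/Issuer,O=Example";

    // Hypothetical helper (not JDK code): an LdapName preserves the slash, so it is
    // the safe thing to hand to DirContext.getAttributes(Name). For referral URLs,
    // where an LdapName cannot be used, fall back to the composite-name syntax check
    // and reject DNs that would be split into several components.
    static Name toJndiName(String dn, boolean referral) throws InvalidNameException {
        if (referral) {
            CompositeName composite = new CompositeName(dn);
            if (composite.size() > 1) {
                throw new InvalidNameException(
                        "DN containing '/' is not supported in a referral URL: " + dn);
            }
            return composite;
        }
        return new LdapName(dn);
    }

    public static void main(String[] args) throws InvalidNameException {
        // What the String overload effectively does: '/' is a composite-name separator.
        CompositeName composite = new CompositeName(DN);
        System.out.println("CompositeName components: " + composite.size());
        for (int i = 0; i < composite.size(); i++) {
            System.out.println("  [" + i + "] " + composite.get(i));
        }

        // LdapName parses RFC 4514 syntax: the slash stays inside the CN value.
        LdapName ldap = new LdapName(DN);
        System.out.println("LdapName RDNs (rightmost first): " + ldap.size());
        for (Rdn rdn : ldap.getRdns()) {
            System.out.println("  " + rdn.getType() + " = " + rdn.getValue());
        }

        // Non-referral lookup: pass an LdapName rather than the raw String.
        Name forLookup = toJndiName(DN, false);
        System.out.println("Name passed to JNDI: " + forLookup + " (" + forLookup.getClass().getSimpleName() + ")");
    }
}
```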

-------------

Commit messages:
 - Add comments. Update Actalis test certificates.
 - Restore checking of composite name on referral URL.
 - Merge
 - Update copyright date.
 - Merge
 - Initial revision.

Changes: https://git.openjdk.org/jdk/pull/12730/files
 Webrev: https://webrevs.openjdk.org/?repo=jdk&pr=12730&range=00
  Issue: https://bugs.openjdk.org/browse/JDK-8297955
  Stats: 62 lines in 2 files changed: 11 ins; 8 del; 43 mod
  Patch: https://git.openjdk.org/jdk/pull/12730.diff
  Fetch: git fetch https://git.openjdk.org/jdk pull/12730/head:pull/12730

PR: https://git.openjdk.org/jdk/pull/12730
