On Tue, 24 Sep 2024 12:33:54 GMT, Sean Mullan <mul...@openjdk.org> wrote:
>> Mark Powers has updated the pull request incrementally with one additional
>> commit since the last revision:
>>
>>   another comment from Sean
>
> src/java.base/share/classes/sun/security/x509/X509CRLImpl.java line 292:
>
>> 290:     throw new CRLException("Parsing error: "
>> 291:             + "issuer is not an X.500 DN");
>> 292: }
>
> I checked RFC 5280 and you can have more than one name in the
> `CertificateIssuer` field of the `CertificateIssuerExtension`, see
> https://www.rfc-editor.org/rfc/rfc5280#section-5.3.3
>
> But for this code, we are only interested in the `X500Name`, as we
> subsequently use that to associate the CRL entry with its issuer. So instead,
> what you should do is loop thru the names until we find an `X500Name`, and
> only throw a `CRLException` if we don't find an `X500Name`. Let me know if
> this makes sense.

Fixed.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/20528#discussion_r1792096204
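The behaviour discussed in this thread, as an added example that is not the JDK's code or part of the pull request: a stand-alone walk over a DER-encoded `GeneralNames` value that skips non-directory names and fails only when no X.500 DN is present. The class and method names are hypothetical, the sample bytes are constructed, and it assumes Java 17+ (for `HexFormat`) and uses only public APIs rather than the internal `sun.security.x509` classes.

```java
import java.security.cert.CRLException;
import java.util.Arrays;
import java.util.HexFormat;
import javax.security.auth.x500.X500Principal;

public class IssuerNameScan {                    // hypothetical class name
    static final int DIRECTORY_NAME = 0xA4;      // GeneralName [4], constructed
    // Decode the DER length at der[pos]; returns {content length, content offset}.
    static int[] readLength(byte[] der, int pos) throws CRLException {
        if (pos >= der.length) throw new CRLException("Parsing error: truncated");
        int first = der[pos++] & 0xFF;
        if (first < 0x80) return new int[] {first, pos};
        int n = first & 0x7F, len = 0;
        if (n == 0 || n > 3 || pos + n > der.length)
            throw new CRLException("Parsing error: bad length");
        for (int i = 0; i < n; i++) len = (len << 8) | (der[pos++] & 0xFF);
        return new int[] {len, pos};
    }

    // Walk every GeneralName; return the first directoryName, skip other kinds.
    static X500Principal firstX500Name(byte[] names) throws CRLException {
        if (names.length < 2 || names[0] != 0x30)
            throw new CRLException("Parsing error: not a GeneralNames SEQUENCE");
        int[] seq = readLength(names, 1);
        int pos = seq[1], end = seq[1] + seq[0];
        if (end > names.length) throw new CRLException("Parsing error: truncated");
        while (pos < end) {
            int tag = names[pos] & 0xFF;
            int[] el = readLength(names, pos + 1);
            int next = el[1] + el[0];
            if (next > end) throw new CRLException("Parsing error: truncated");
            if (tag == DIRECTORY_NAME) {
                try {
                    return new X500Principal(Arrays.copyOfRange(names, el[1], next));
                } catch (IllegalArgumentException e) {
                    throw new CRLException("Parsing error: bad X.500 DN");
                }
            }
            pos = next;   // e.g. dNSName or URI: not an error, keep looking
        }
        throw new CRLException("Parsing error: issuer is not an X.500 DN");
    }

    public static void main(String[] args) throws CRLException {
        // Constructed sample: dNSName "ca.example", then directoryName CN=Test CA.
        byte[] sample = HexFormat.of().parseHex("3022820a63612e6578616d706c65"
                + "a41430123110300e06035504030c0754657374204341");
        System.out.println(firstX500Name(sample).getName());
    }
}
```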