8360937: Enhance certificate handling

seanjmullan · bchristi-git · commit e1d1fa91cf26 · 2025-10-20T16:42:01.000-07:00
Reviewed-by: ahgross, rhalade, jnibedita, ascarpino, naoto
diff --git a/src/java.base/share/classes/sun/security/util/DerValue.java b/src/java.base/share/classes/sun/security/util/DerValue.java
@@ -859,6 +859,22 @@ public String getUniversalString() throws IOException {
         return readStringInternal(tag_UniversalString, new UTF_32BE());
     }
 
+    /**
+     * Checks that the BMPString does not contain any surrogate characters,
+     * which are outside the Basic Multilingual Plane.
+     *
+     * @throws IOException if illegal characters are detected
+     */
+    public void validateBMPString() throws IOException {
+        String bmpString = getBMPString();
+        for (int i = 0; i < bmpString.length(); i++) {
+            if (Character.isSurrogate(bmpString.charAt(i))) {
+                throw new IOException(
+                    "Illegal character in BMPString, index: " + i);
+            }
+         }
+     }
+
     /**
      * Reads the ASN.1 NULL value
      */
diff --git a/src/java.base/share/classes/sun/security/x509/AVA.java b/src/java.base/share/classes/sun/security/x509/AVA.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2024, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2025, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -28,10 +28,13 @@
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.Reader;
+import java.nio.charset.Charset;
 import java.text.Normalizer;
 import java.util.*;
 
+import static java.nio.charset.StandardCharsets.ISO_8859_1;
 import static java.nio.charset.StandardCharsets.UTF_8;
+import static java.nio.charset.StandardCharsets.UTF_16BE;
 
 import sun.security.util.*;
 import sun.security.pkcs.PKCS9Attribute;
@@ -589,6 +592,10 @@ private static boolean trailingSpace(Reader in) throws IOException {
             throw new IOException("AVA, extra bytes = "
                 + derval.data.available());
         }
+
+        if (value.tag == DerValue.tag_BMPString) {
+            value.validateBMPString();
+        }
     }
 
     AVA(DerInputStream in) throws IOException {
@@ -713,7 +720,8 @@ public String toRFC2253String(Map<String, String> oidMap) {
              * NOTE: this implementation only emits DirectoryStrings of the
              * types returned by isDerString().
              */
-            String valStr = new String(value.getDataBytes(), UTF_8);
+            String valStr =
+                new String(value.getDataBytes(), getCharset(value, false));
 
             /*
              * 2.4 (cont): If the UTF-8 string does not have any of the
@@ -832,7 +840,8 @@ public String toRFC2253CanonicalString() {
              * NOTE: this implementation only emits DirectoryStrings of the
              * types returned by isDerString().
              */
-            String valStr = new String(value.getDataBytes(), UTF_8);
+            String valStr =
+                new String(value.getDataBytes(), getCharset(value, true));
 
             /*
              * 2.4 (cont): If the UTF-8 string does not have any of the
@@ -927,6 +936,39 @@ private static boolean isDerString(DerValue value, boolean canonical) {
         }
     }
 
+    /*
+     * Returns the charset that should be used to decode each DN string type.
+     *
+     * This method ensures that multi-byte (UTF8String and BMPString) types
+     * are decoded using the correct charset and the String forms represent
+     * the correct characters. For 8-bit ASCII-based types (PrintableString
+     * and IA5String), we return ISO_8859_1 rather than ASCII, so that the
+     * complete range of characters can be represented, as many certificates
+     * do not comply with the Internationalized Domain Name ACE format.
+     *
+     * NOTE: this method only supports DirectoryStrings of the types returned
+     * by isDerString().
+     */
+    private static Charset getCharset(DerValue value, boolean canonical) {
+        if (canonical) {
+            return switch (value.tag) {
+                case DerValue.tag_PrintableString -> ISO_8859_1;
+                case DerValue.tag_UTF8String -> UTF_8;
+                default -> throw new Error("unexpected tag: " + value.tag);
+            };
+        }
+
+        return switch (value.tag) {
+            case DerValue.tag_PrintableString,
+                 DerValue.tag_T61String,
+                 DerValue.tag_IA5String,
+                 DerValue.tag_GeneralString -> ISO_8859_1;
+            case DerValue.tag_BMPString -> UTF_16BE;
+            case DerValue.tag_UTF8String -> UTF_8;
+            default -> throw new Error("unexpected tag: " + value.tag);
+        };
+    }
+
     boolean hasRFC2253Keyword() {
         return AVAKeyword.hasKeyword(oid, RFC2253);
     }
diff --git a/test/lib/jdk/test/lib/security/CertificateBuilder.java b/test/lib/jdk/test/lib/security/CertificateBuilder.java
@@ -53,6 +53,7 @@
 import sun.security.x509.SubjectAlternativeNameExtension;
 import sun.security.x509.URIName;
 import sun.security.x509.KeyIdentifier;
+import sun.security.x509.X500Name;
 
 
 /**
@@ -90,7 +91,7 @@
 public class CertificateBuilder {
     private final CertificateFactory factory;
 
-    private X500Principal subjectName = null;
+    private X500Name subjectName = null;
     private BigInteger serialNumber = null;
     private PublicKey publicKey = null;
     private Date notBefore = null;
@@ -199,7 +200,7 @@ public CertificateBuilder() throws CertificateException {
      * on this certificate.
      */
     public CertificateBuilder setSubjectName(X500Principal name) {
-        subjectName = name;
+        subjectName = X500Name.asX500Name(name);
         return this;
     }
 
@@ -209,7 +210,23 @@ public CertificateBuilder setSubjectName(X500Principal name) {
      * @param name The subject name in RFC 2253 format
      */
     public CertificateBuilder setSubjectName(String name) {
-        subjectName = new X500Principal(name);
+        try {
+            subjectName = new X500Name(name);
+        } catch (IOException ioe) {
+            throw new IllegalArgumentException(ioe);
+        }
+        return this;
+    }
+
+    /**
+     * Set the subject name for the certificate. This method is useful when
+     * you need more control over the contents of the subject name.
+     *
+     * @param name an {@code X500Name} to be used as the subject name
+     * on this certificate
+     */
+    public CertificateBuilder setSubjectName(X500Name name) {
+        subjectName = name;
         return this;
     }
 
