8261513: Various BasicConstraintsExtension issues

[blperez01]

---

Progress

• Change must be properly reviewed (1 review required, with at least 1 Reviewer)
• Change must not contain extraneous whitespace
• Commit message must refer to an issue

Issue

• JDK-8261513: Various BasicConstraintsExtension issues (Bug - P4)

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/20224/head:pull/20224
$ git checkout pull/20224

Update a local copy of the PR:
$ git checkout pull/20224
$ git pull https://git.openjdk.org/jdk.git pull/20224/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 20224

View PR using the GUI difftool:
$ git pr show -t 20224

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/20224.diff

Using Webrev

Link to Webrev Comment

[bridgekeeper]

👋 Welcome back blperez01! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

❗ This change is not yet ready to be integrated.
See the Progress checklist in the description for automated requirements.

[openjdk]

@blperez01 The following label will be automatically applied to this pull request:

• security

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command.

[mlbridge]

Webrevs

• 03: Full - Incremental (6ba44821)
• 02: Full - Incremental (64398d5c)
• 01: Full - Incremental (c04afb03)
• 00: Full (911bd228)

[bridgekeeper]

@blperez01 This pull request has been inactive for more than 4 weeks and will be automatically closed if another 4 weeks passes without any activity. To avoid this, simply add a new comment to the pull request. Feel free to ask for assistance if you need help with progressing this pull request towards integration!

[bridgekeeper]

@blperez01 This pull request has been inactive for more than 8 weeks and will now be automatically closed. If you would like to continue working on this pull request in the future, feel free to reopen it! This can be done using the /open pull request command.

[blperez01]

/open

[openjdk]

@blperez01 This pull request is now open

[blperez01]

Re-opening PR

[seanjmullan]

On line 143, we should throw an IOException if the decoded pathLenConstraint field is < 0. This is point #1 in the bug report.

[seanjmullan]

A couple more comments. You'll need to add an appropriate noreg label to the bug if you think it isn't practical to write a test for this.

[seanjmullan]

Typo: s/unconstained/unconstrained/

But I actually prefer the words "no limit" as that is what RFC 5280, section 4.2.1.9 uses, so please restore those words. You can use that term for the "undefined" case as well.

[seanjmullan]

On line 186, it's questionable if we need to set the critical flag to the value of the ca field. This was comment #6 in the bug report. RFC 5280 gives a few cases where it is acceptable to have a non-critical BasicConstraintsExtension with a ca field set to true. I would remove that and make sure all tests still pass.