bcgit / bc-java

Bouncy Castle Java Distribution (Mirror)
https://www.bouncycastle.org/java.html
MIT License

Upgrade from 1.62 -> 1.64 causes Other-Name: Unrecognized ObjectIdentifier: 1.3.6.1.4.1.311.20.2.3 #639

Closed BharathPG closed 2 years ago

BharathPG commented 4 years ago

Upgrading from 1.62 to 1.64 is causing the SAN's Other-Name: Unrecognized ObjectIdentifier: 1.3.6.1.4.1.311.20.2.3; this is happening while consuming the client certificate.

Below is the cert info of SSL debug during handshake:

javax.net.ssl|DEBUG|01 1C|pool-3-thread-5|2020-01-02 01:38:45.941 PST|null:-1|Consuming client Certificate handshake message ( "Certificates": [ "certificate" : { "version" : "v3", "serial number" : "48 00 00 00 1D 6E E9 AA 02 4F 86 12 1C 00 00 00 00 00 1D", "signature algorithm": "SHA1withRSA", "issuer" : "CN=ad-bpg-AD-BPG-CA, DC=ad-bpg, DC=eng, DC=abc, DC=com", "not before" : "2019-07-19 03:06:56.000 PDT", "not after" : "2020-07-18 03:06:56.000 PDT", "subject" : "EMAILADDRESS=vlsuser-1@ad-bpg.eng.abc.com, CN=vlsuser-1, CN=Users, DC=ad-bpg, DC=eng, DC=abc, DC=com", "subject public key" : "RSA", "extensions" : [ { ObjectId: 1.2.840.113549.1.9.15 Criticality=false }, { ObjectId: 1.3.6.1.4.1.311.20.2 Criticality=false }, { ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false AuthorityInfoAccess [ [ accessMethod: caIssuers accessLocation: URIName: ldap:///CN=ad-bpg-AD-BPG-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ad-bpg,DC=eng,DC=abc,DC=com?cACertificate?base?objectClass=certificationAuthority ] ] }, { ObjectId: 2.5.29.35 Criticality=false AuthorityKeyIdentifier [ KeyIdentifier [ 0000: D6 F1 27 48 76 AD FB 04 03 1E 84 A6 86 F5 CB 61 ..'Hv..........a 0010: 85 D9 6D 29 ..m) ] ] }, { ObjectId: 2.5.29.31 Criticality=false CRLDistributionPoints [ [DistributionPoint: [URIName: ldap:///CN=ad-bpg-AD-BPG-CA,CN=ad-bpg,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ad-bpg,DC=eng,DC=abc,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint] ]] }, { ObjectId: 2.5.29.37 Criticality=false ExtendedKeyUsages [ emailProtection clientAuth 1.3.6.1.4.1.311.20.2.2 ] }, { ObjectId: 2.5.29.15 Criticality=true KeyUsage [ DigitalSignature Key_Encipherment ] }, { ObjectId: 2.5.29.17 Criticality=false SubjectAlternativeName [ Other-Name: Unrecognized ObjectIdentifier: 1.3.6.1.4.1.311.20.2.3 RFC822Name: vlsuser-1@ad-bpg.eng.abc.com ] }, { ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [ 0000: 96 49 A2 D9 42 03 83 01 F7 55 0E B5 70 39 1B 47 .I..B....U..p9.G 0010: 26 E4 3F 4A &.?J ] ] } ]} ] )

bcgit commented 4 years ago

This output is not from BC but from the JSSE - the alternative name OID is actually a Microsoft one as well. It's not clear that this is a BC related issue - is there some evidence to suggest that it is?
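For reference, the otherName type-id in the dump above, 1.3.6.1.4.1.311.20.2.3, is Microsoft's User Principal Name (UPN) otherName, and "Unrecognized ObjectIdentifier" is just how the JSSE debug printer labels an otherName type it has no friendly name for; the value is still an ordinarily encoded otherName. The following Python is an added illustration, not code from bc-java or from either commenter: with a minimal DER codec it builds a SAN value shaped like the one in the dump (constructed sample names), decodes it back, and pulls out the UPN, which is the field a server mapping client certificates to accounts has to read explicitly rather than rely on a pretty-printer's label.

```python
# Added example, not bc-java code: minimal DER codec for a SubjectAltName value that
# carries a Microsoft UPN otherName (type-id 1.3.6.1.4.1.311.20.2.3) next to an rfc822Name.
UPN_OID = "1.3.6.1.4.1.311.20.2.3"  # szOID_NT_PRINCIPAL_NAME
def _tlv(tag: int, body: bytes) -> bytes:  # short-form length only; enough for a SAN this size
    assert len(body) < 0x80, "long-form length not implemented in this example"
    return bytes([tag, len(body)]) + body
def _encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:  # base-128 arcs, high bit set on every byte but the last
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))
def _decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))
def _read_tlv(buf: bytes, pos: int):  # one TLV at pos -> (tag, body, next pos); long-form ok
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def encode_san(upn: str, email: str) -> bytes:
    """SEQUENCE { otherName [0] { OID, [0] EXPLICIT UTF8String }, rfc822Name [1] IA5String }."""
    other = _encode_oid(UPN_OID) + _tlv(0xA0, _tlv(0x0C, upn.encode("utf-8")))
    return _tlv(0x30, _tlv(0xA0, other) + _tlv(0x81, email.encode("ascii")))
def decode_san(der: bytes) -> list:
    """[(kind, value)]; an otherName kind carries its type-id whether or not a printer 'recognizes' it."""
    tag, body, _ = _read_tlv(der, 0)
    assert tag == 0x30, "SubjectAltName value must be a SEQUENCE"
    names, pos = [], 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        if tag == 0xA0:  # [0] otherName
            _, oid_body, p = _read_tlv(inner, 0)
            vtag, vbody, _ = _read_tlv(_read_tlv(inner, p)[1], 0)  # unwrap the [0] EXPLICIT value
            names.append(("otherName:" + _decode_oid(oid_body), vbody.decode() if vtag == 0x0C else vbody.hex()))
        else:  # [1] rfc822Name here; dNSName, URI etc. would need their own cases
            names.append(("rfc822Name" if tag == 0x81 else f"tag:0x{tag:02x}", inner.decode("ascii", "replace")))
    return names
def upn_from_san(der: bytes):  # the identity a client-cert-to-account mapper should key on
    return dict(decode_san(der)).get("otherName:" + UPN_OID)
```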

BharathPG commented 4 years ago

We are using BC as the JSSE provider. When we used BC version 1.62, SAN Other-Name parsing worked perfectly fine; after upgrading BC from 1.62 -> 1.64, the SAN Other-Name isn't recognized anymore, and we had to revert back to 1.62 to get it working. I also see that in 1.64 there was a fix made for Other-Name in the release notes, as below:

Could the above defect fix possibly have caused the issue?

Please let me know if you need any more logs.

dghgit commented 2 years ago

Assumed Resolved.