WrenSecurity · pavelhoral · Jul 17, 2025 · pavelhoral · Jul 24, 2025 · pavelhoral
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -7,7 +7,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        java: [11, 17]
+        java: [21]
     name: "Java ${{ matrix.java }} build"
     steps:
       - uses: actions/checkout@v4

diff --git a/Dockerfile b/Dockerfile
@@ -3,7 +3,7 @@ FROM --platform=$BUILDPLATFORM debian:bullseye-slim AS project-build
 # Install build dependencies
 RUN \
   apt-get update && \
-  apt-get install -y --no-install-recommends openjdk-17-jdk maven unzip chromium git && \
+  apt-get install -y --no-install-recommends openjdk-21-jdk maven unzip chromium git && \
   # Workaround Chromium binary path for arm64 (see https://github.com/puppeteer/puppeteer/blob/v4.0.0/src/Launcher.ts#L110)
   ln -s /usr/bin/chromium /usr/bin/chromium-browser
 

diff --git a/...ion/openam-auth-cert/src/main/java/com/sun/identity/authentication/modules/cert/Cert.java b/...ion/openam-auth-cert/src/main/java/com/sun/identity/authentication/modules/cert/Cert.java
@@ -25,7 +25,7 @@
  * $Id: Cert.java,v 1.14 2009/03/13 20:54:42 beomsuk Exp $
  *
  * Portions Copyrighted 2013-2017 ForgeRock AS.
- * Portions Copyrighted 2022 Wren Security
+ * Portions Copyrighted 2022-2025 Wren Security
  */
 
 package com.sun.identity.authentication.modules.cert;
@@ -62,6 +62,7 @@
 import com.sun.identity.security.cert.AMCertPath;
 import com.sun.identity.security.cert.AMCertStore;
 import com.sun.identity.security.cert.AMLDAPCertStoreParameters;
+import com.sun.identity.security.cert.JdkProviderUtils;
 import com.sun.identity.shared.datastruct.CollectionHelper;
 import com.sun.identity.shared.encode.Base64;
 
@@ -563,14 +564,11 @@ private void getTokenFromSubjectAltExt(X509Certificate cert)
                 new X509CertImpl(cert.getEncoded());
             X509CertInfo cinfo = 
                 new X509CertInfo(certImpl.getTBSCertificate());
-            CertificateExtensions exts = (CertificateExtensions) 
-                            cinfo.get(X509CertInfo.EXTENSIONS);
-            SubjectAlternativeNameExtension altNameExt = 
-                (SubjectAlternativeNameExtension)
-                    exts.get(SubjectAlternativeNameExtension.NAME);
+            CertificateExtensions exts = JdkProviderUtils.getExtensions(cinfo);
+            SubjectAlternativeNameExtension altNameExt = JdkProviderUtils.getSanExtension(exts);
 
             if (altNameExt != null) {
-                GeneralNames names = altNameExt.get(SubjectAlternativeNameExtension.SUBJECT_NAME);
+                GeneralNames names = JdkProviderUtils.getSubjectNames(altNameExt);
 
                 Iterator itr = names.iterator();
                 while ((userTokenId == null) && itr.hasNext()) {

diff --git a/openam-certs/src/main/java/com/sun/identity/security/cert/AMCRLStore.java b/openam-certs/src/main/java/com/sun/identity/security/cert/AMCRLStore.java
@@ -25,19 +25,21 @@
  * $Id: AMCRLStore.java,v 1.7 2009/01/28 05:35:12 ww203982 Exp $
  *
  * Portions Copyrighted 2013-2016 ForgeRock AS.
+ * Portions Copyrighted 2025 Wren Security
  */
 package com.sun.identity.security.cert;
 
 import static org.forgerock.openam.utils.Time.*;
 
 import com.forgerock.opendj.ldap.controls.TransactionIdControl;
 import com.iplanet.security.x509.CertUtils;
-import com.iplanet.security.x509.IssuingDistributionPointExtension;
 import com.sun.identity.common.HttpURLConnectionManager;
 import com.sun.identity.shared.encode.URLEncDec;
 import sun.security.x509.CRLDistributionPointsExtension;
 import sun.security.x509.DistributionPoint;
+import sun.security.x509.DistributionPointName;
 import sun.security.x509.GeneralNames;
+import sun.security.x509.IssuingDistributionPointExtension;
 import sun.security.x509.PKIXExtensions;
 import sun.security.x509.X509CertImpl;
 
@@ -346,7 +348,7 @@ private IssuingDistributionPointExtension getCRLIDPExt(X509CRL crl) {
                     crl.getExtensionValue(
                             PKIXExtensions.IssuingDistributionPoint_Id.toString());
             if (ext != null) {
-                idpExt = new IssuingDistributionPointExtension(ext);
+                idpExt = new IssuingDistributionPointExtension(true, ext);
             }
         } catch (Exception e) {
             debug.error("Error finding CRL distribution Point configured: ", e);
@@ -371,10 +373,10 @@ private IssuingDistributionPointExtension getCRLIDPExt(X509CRL crl) {
 
         List dps = null;
         try {
-            dps = (List) dpExt.get(CRLDistributionPointsExtension.POINTS);
-        } catch (IOException ioex) {
+            dps = JdkProviderUtils.getDistributionPoints(dpExt);
+        } catch (Exception ex) {
             if (debug.warningEnabled()) {
-                debug.warning("AMCRLStore.getUpdateCRLFromCrlDP: ", ioex);
+                debug.warning("AMCRLStore.getUpdateCRLFromCrlDP: ", ex);
             }
         }
 
@@ -415,8 +417,12 @@ private IssuingDistributionPointExtension getCRLIDPExt(X509CRL crl) {
      * @param idpExt
      */
     private synchronized X509CRL getUpdateCRLFromCrlIDP(IssuingDistributionPointExtension idpExt) {
-
-        GeneralNames gName = idpExt.getFullName();
+        DistributionPointName dpName = idpExt.getDistributionPoint();
+        if (dpName == null) {
+            return null;
+        }
+
+        GeneralNames gName = dpName.getFullName();
         if (gName == null) {
             return null;
         }

diff --git a/openam-certs/src/main/java/com/sun/identity/security/cert/JdkProviderUtils.java b/openam-certs/src/main/java/com/sun/identity/security/cert/JdkProviderUtils.java
@@ -0,0 +1,66 @@
+/*
+ * The contents of this file are subject to the terms of the Common Development and
+ * Distribution License (the License). You may not use this file except in compliance with the
+ * License.
+ *
+ * You can obtain a copy of the License at legal/CDDLv1.1.txt. See the License for the
+ * specific language governing permission and limitations under the License.
+ *
+ * When distributing Covered Software, include this CDDL Header Notice in each file and include
+ * the License file at legal/CDDLv1.1.txt. If applicable, add the following below the CDDL
+ * Header, with the fields enclosed by brackets [] replaced by your own identifying
+ * information: "Portions copyright [year] [name of copyright owner]".
+ *
+ * Copyright Wren Security 2025
+ */
+package com.sun.identity.security.cert;
+
+import java.lang.reflect.Method;
+import java.util.List;
+import sun.security.x509.CRLDistributionPointsExtension;
+import sun.security.x509.CertificateExtensions;
+import sun.security.x509.DistributionPoint;
+import sun.security.x509.GeneralNames;
+import sun.security.x509.SubjectAlternativeNameExtension;
+import sun.security.x509.X509CertInfo;
+
+/**
+ * Utility methods for maintaining compatibility with older supported JDK versions.
+ */
+public final class JdkProviderUtils {
+
+    private static final int JAVA_VERSION = Runtime.version().feature();
+
+    public static List<DistributionPoint> getDistributionPoints(CRLDistributionPointsExtension extension) throws Exception {
+        if (JAVA_VERSION < 20) {
+            Method getter = CRLDistributionPointsExtension.class.getMethod("get", String.class);
+            return (List<DistributionPoint>) getter.invoke(extension, "points");
+        }
+        return extension.getDistributionPoints();
+    }
+
+    public static CertificateExtensions getExtensions(X509CertInfo certInfo) throws Exception {
+        if (JAVA_VERSION < 20) {
+            Method getter = X509CertInfo.class.getMethod("get", String.class);
+            return (CertificateExtensions) getter.invoke(certInfo, X509CertInfo.EXTENSIONS);
+        }
+        return certInfo.getExtensions();
+    }
+
+    public static SubjectAlternativeNameExtension getSanExtension(CertificateExtensions extensions) throws Exception {
+        if (JAVA_VERSION < 20) {
+            Method getter = CertificateExtensions.class.getMethod("get", String.class);
+            return (SubjectAlternativeNameExtension) getter.invoke(extensions, SubjectAlternativeNameExtension.NAME);
+        }
+        return (SubjectAlternativeNameExtension) extensions.getExtension(SubjectAlternativeNameExtension.NAME);
+    }
+
+    public static GeneralNames getSubjectNames(SubjectAlternativeNameExtension extension) throws Exception {
+        if (JAVA_VERSION < 20) {
+            Method getter = SubjectAlternativeNameExtension.class.getMethod("get", String.class);
+            return (GeneralNames) getter.invoke(extension, "subject_name");
+        }
+        return extension.getNames();
+    }
+
+}