JDK-4391244

X509CertSelector.setNameConstraints does not work with empty SEQUENCE structure


    • beta
    • sparc
    • solaris_2.6



      Name: asR10047 Date: 11/21/2000


      X509CertSelector.setNameConstraints(byte[] bytes) sets the name constraints
      selection criterion. It does not work when 'bytes' is an array containing a
      DER-encoded empty ASN.1 SEQUENCE structure.

      See JavaDoc comments for that method:
      public void setNameConstraints(byte[] bytes)
                              throws java.io.IOException
      [...]
           The name constraints are specified as a byte array. This byte array should
           contain the DER encoded form of the name constraints, as they would appear in
           the NameConstraints structure defined in RFC 2459 and X.509. The ASN.1
           definition of this structure appears below.


             NameConstraints ::= SEQUENCE {
                  permittedSubtrees [0] GeneralSubtrees OPTIONAL,
                  excludedSubtrees [1] GeneralSubtrees OPTIONAL }

      ----------------------------------------------------------------------------

      According to the ASN.1 definition, the NameConstraints could be defined as
      an empty SEQUENCE, that is, the following array of bytes: { 0x30, 0x00 }.
      When that array is passed to the setNameConstraints() method, an unexpected
      exception is thrown.

      Here is the example demonstrating the bug:
      ------------------ X509CertSelectorTest.java -----------------
       import java.security.cert.*;
       public class X509CertSelectorTest {
           public static void main(String[] argv) {
               X509CertSelector certSel = new X509CertSelector();
               byte[] data = { 0x30, 0x00}; // An empty SEQUENCE
               try {
                   certSel.setNameConstraints( data);
               } catch(Exception e) {
                   e.printStackTrace();
               }
               System.exit(0);
           }
       }
      -------------- Output from the test -----------------
      java.lang.NullPointerException
              at sun.security.x509.NameConstraintsExtension.<init>(NameConstraintsExtension.java:144)
              at java.security.cert.X509CertSelector.setNameConstraints(X509CertSelector.java:931)
              at X509CertSelectorTest.main(X509CertSelectorTest.java:7)
      ------------------------------------------------------

      ======================================================================
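
      Added example, not part of the original report or the JDK sources: a standalone Java decoder for the outer NameConstraints SEQUENCE that treats both OPTIONAL fields as absent until their tag is seen, so { 0x30, 0x00 } decodes without touching a missing field. The names NameConstraintsShape, decode and readLength and the second sample input are assumptions made for illustration.

```java
import java.io.IOException;
import java.util.Arrays;

// Added example, not JDK code: decodes only the outer NameConstraints SEQUENCE.
public class NameConstraintsShape {

    // Returns {permittedSubtrees present, excludedSubtrees present}.
    static boolean[] decode(byte[] der) throws IOException {
        if (der == null || der.length < 2 || (der[0] & 0xFF) != 0x30)
            throw new IOException("NameConstraints must be a SEQUENCE");
        int[] pos = {1};
        int len = readLength(der, pos);
        if (len != der.length - pos[0])
            throw new IOException("SEQUENCE length does not match input");
        boolean permitted = false, excluded = false;
        // Both fields are OPTIONAL: for { 0x30, 0x00 } the loop body never runs.
        while (pos[0] < der.length) {
            int tag = der[pos[0]++] & 0xFF;
            int fieldLen = readLength(der, pos);
            if (fieldLen > der.length - pos[0])
                throw new IOException("field overruns SEQUENCE");
            if (tag == 0xA0 && !permitted && !excluded) permitted = true; // [0]
            else if (tag == 0xA1 && !excluded) excluded = true;           // [1]
            else throw new IOException("unexpected tag 0x" + Integer.toHexString(tag));
            pos[0] += fieldLen; // GeneralSubtrees content is skipped, not validated
        }
        return new boolean[] {permitted, excluded};
    }

    // Reads a definite length (short form, or long form of 1-2 bytes).
    static int readLength(byte[] der, int[] pos) throws IOException {
        if (pos[0] >= der.length) throw new IOException("truncated length");
        int first = der[pos[0]++] & 0xFF;
        if (first < 0x80) return first;
        int n = first & 0x7F;
        if (n == 0 || n > 2 || n > der.length - pos[0])
            throw new IOException("unsupported or truncated length");
        int len = 0;
        for (int i = 0; i < n; i++) len = (len << 8) | (der[pos[0]++] & 0xFF);
        return len;
    }

    public static void main(String[] args) throws IOException {
        byte[] empty = {0x30, 0x00}; // the input from the report
        // Constructed sample: permittedSubtrees with one dNSName "example.com"
        byte[] permittedOnly = {0x30, 0x11, (byte) 0xA0, 0x0F, 0x30, 0x0D, (byte) 0x82, 0x0B,
                'e', 'x', 'a', 'm', 'p', 'l', 'e', '.', 'c', 'o', 'm'};
        System.out.println(Arrays.toString(decode(empty)));
        System.out.println(Arrays.toString(decode(permittedOnly)));
    }
}
```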

            mullan Sean Mullan
            anssunw Ans Ans (Inactive)