Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-4433342

JVM hardcoded cast to sun.security.x509.X500Name fails

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Duplicate
    • Icon: P3 P3
    • None
    • 1.3.0
    • security-libs



      Name: boT120536 Date: 04/03/2001


      java version "1.3.1-beta"
      Java(TM) 2 Runtime Environment, Standard Edition (build 1.3.1-beta-b15)
      Java HotSpot(TM) Client VM (build 1.3.1beta-b15, mixed mode)

      This doesn't really require code as it is a logic error.

      Baltimore provide a Java Security toolkit, one of the implementations in our
      provider is CertificateFactory.X509. This means that if an app calls
      CertificateFactory.getInstance("X509") then it will get our implementation if
      our provider ("JCRYPTO") is higher than ("SUN").

      We got a support call from a customer where they are using JCRYPTO as the
      primary provider and they are using the Java Help classes.

      This is the stacktrace they supplied to us:

      java.lang.ClassCastException: com.baltimore.jpkiplus.x509.Name
      at sun.security.pkcs.PKCS7.getCertificate(PKCS7.java:578)
      at sun.security.pkcs.SignerInfo.getCertificate(SignerInfo.java:207)
      at sun.security.pkcs.SignerInfo.verify(SignerInfo.java:333)
      at sun.security.pkcs.PKCS7.verify(PKCS7.java:472)
      at sun.security.pkcs.PKCS7.verify(PKCS7.java:489)
      at sun.security.util.SignatureFileVerifier.process
      (SignatureFileVerifier.java:152)
      at java.util.jar.JarVerifier.processEntry(JarVerifier.java:288)
      at java.util.jar.JarVerifier.update(JarVerifier.java:201)
      at java.util.jar.JarFile.initializeVerifierssed
      (DefaultButtonModel.java:250)
      at javax.swing.plaf.basic.BasicButtonListener.mouseReleased
      (BasicButtonListener.java:204)
      at java.awt.Component.processMouseEvent(Component.java:3160)
      at java.awt.Component.processEvent(Component.java, Compiled Code)
      at java.awt.Container.processEvent(Container.java, Compiled Code)
      at java.awt.Component.dispatchEventImpl(Component.java, Compiled Code)
      at java.awt.Container.dispatchEventImpl(Container.java, Compiled Code)
      at java.awt.Component.dispatchEvent(Component.java, Compiled Code)
      at java.awt.LightweightDispatcher.retargetMouseEvent(Container.java,
      Compiled Code)
      at java.awt.LightweightDispatcher.processMouseEvent(Container.java:1827)
      at java.awt.LightweightDispatcher.dispatchEvent(Container.java,
      Compiled Code)
      at java.awt.Container.dispatchEventImpl(Container.java, Compiled Code)
      at java.awt.Window.dispatchEventImpl(Window.java, Compiled Code)
      at java.awt.Component.dispatchEvent(Component.java, Compiled Code)
      at java.awt.EventQueue.dispatchEvent(EventQueue.java, Compiled Code)
      at java.awt.EventDispatchThread.pumpOneEvent(EventDispatchThread.java,
      Compiled Code)
      at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:92)
      at java.awt.EventDispatchThread.run(EventDispatchThread.java:83)

      Which looked like the return value from a Certificate.getIssuer or getSubject
      (in the JCRYPTO case is com.baltimore.jpkiplus.x509.Name) is not being used as
      a java.security.principal. but is being cast to some other type without having
      checked that it is that type.

      Using javap -c sun.security.pkcs.PKCS7 shows where the problem lies:

      Method java.security.cert.X509Certificate getCertificate
      (sun.security.util.BigInt, sun.security.x509.X500Name)
         0 aload_0
         1 getfield #81 <Field java.security.cert.X509Certificate certificates[]>
         4 ifnull 81
         7 iconst_0
         8 istore_3
         9 goto 72
        12 aload_0
        13 getfield #81 <Field java.security.cert.X509Certificate certificates[]>
        16 iload_3
        17 aaload
        18 astore 4
        20 aload 4
        22 invokevirtual #101 <Method java.security.Principal getIssuerDN()>
        25 checkcast #49 <Class sun.security.x509.X500Name>
        28 astore 5
        30 aload 4
      ...

      at line 25 the com.baltimore.jpkiplus.x509.Name is cast to a
      sun.security.x509.X500Name and fails.

      It looks like all that is done with the returned value is a .equals
      (otherX500Name) which could have been done without the casting.

      It looks like it was probably there in 1.2.x from when
      java.security.Certificate was deprecated in favour of
      java.security.cert.Certificate.

      It's a very bad bug as it prevents us from shipping an implementation of
      CertificateFactory.X509 without warning that there are issues with the Java
      Runtime.

      It should either deal correctly with the return of getIssuerDN() or when the
      certificates were created the CertificateFactory.getInstance("X.509") should
      have specified "SUN" as the provider.

      (Review ID: 119948)
      ======================================================================

            Unassigned Unassigned
            bonealsunw Bret O'neal (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

              Created:
              Updated:
              Resolved:
              Imported:
              Indexed: