-
Type:
Bug
-
Resolution: Fixed
-
Priority:
P5
-
Affects Version/s: 1.4.1, 5.0
-
Component/s: security-libs
-
b57
-
x86
-
linux, windows_2000
Name: nt126004 Date: 02/03/2003
FULL PRODUCT VERSION :
java version "1.4.1_01"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.1_01-b01)
Java HotSpot(TM) Client VM (build 1.4.1_01-b01, mixed mode)
FULL OPERATING SYSTEM VERSION :
Microsoft Windows 2000 [Version 5.00.2195] SP2
A DESCRIPTION OF THE PROBLEM :
The certificates in my keystore (issued by UniCERT) include
a certificatePolicies extension (2.5.29.32) that contains an
object identifier starting with 2.16.764, i.e. under the country
namespace for Thailand. The DER encoding of that object
identifier, shown in hex, is
06 0E 60 85 7C 01 8B C6 F7 F5 42 01 00 64 03 01
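06 says it's an object identifier, 0E is the length (decimal 14),
60 encodes the first two components ("2.16"), 85 7C encodes
the next component (".764"), 01 encodes the next component
(".1"), and 8B C6 F7 F5 42 encodes the next component
(".3101555394"). Each component after the first pair is stored
base-128, seven bits per byte, with the high bit set on every byte
except the last, so a value this large needs five bytes.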
This is valid ASN.1, but the JDK 1.4.* CertificateFactory
cannot handle it; it generates an exception for any component
whose encoding is longer than 4 bytes, and this is 5 bytes.
(This limitation was probably present in JDK 1.3.* too, but the
JDK 1.3.* CertificateFactory doesn't even try to parse the
certificatePolicies extension, whereas JDK 1.4 does).
ERROR MESSAGES :
With the attached source code and our test certificate, running under
JDK 1.4.1 gives the following result:
F:\java\test>d:\jdk141\bin\java -version
java version "1.4.1_01"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.1_01-b01)
Java HotSpot(TM) Client VM (build 1.4.1_01-b01, mixed mode)
F:\java\test>d:\jdk141\bin\java TestCert negativeOID.crt
java.security.cert.CertificateParsingException: java.io.IOException:
X509.OID, component value too big
at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:157)
at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1630)
at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:286)
at
sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java
:94)
at
java.security.cert.CertificateFactory.generateCertificate(CertificateFactory
.java:389)
at TestCert.main(TestCert.java:17)
Caused by: java.io.IOException: X509.OID, component value too big
at
sun.security.util.ObjectIdentifier.getComponent(ObjectIdentifier.java:276)
at
sun.security.util.ObjectIdentifier.initFromEncoding(ObjectIdentifier.java:17
4)
at
sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:144)
at sun.security.util.DerInputStream.getOID(DerInputStream.java:245)
at sun.security.x509.Extension.<init>(Extension.java:61)
at
sun.security.x509.CertificateExtensions.init(CertificateExtensions.java:77)
at
sun.security.x509.CertificateExtensions.<init>(CertificateExtensions.java:57
)
at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:727)
at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:155)
... 5 more
F:\java\test>d:\jdk141\bin\java TestCert 3101024760S004001002.cer
java.security.cert.CertificateParsingException: java.io.IOException:
X509.OID, component value too big
at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:157)
at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1630)
at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:162)
at
sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java
:91)
at
java.security.cert.CertificateFactory.generateCertificate(CertificateFactory
.java:389)
at TestCert.main(TestCert.java:17)
Caused by: java.io.IOException: X509.OID, component value too big
at
sun.security.util.ObjectIdentifier.getComponent(ObjectIdentifier.java:276)
at
sun.security.util.ObjectIdentifier.initFromEncoding(ObjectIdentifier.java:17
4)
at
sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:144)
at sun.security.util.DerInputStream.getOID(DerInputStream.java:245)
at sun.security.x509.Extension.<init>(Extension.java:61)
at
sun.security.x509.CertificateExtensions.init(CertificateExtensions.java:77)
at
sun.security.x509.CertificateExtensions.<init>(CertificateExtensions.java:57
)
at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:727)
at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:155)
... 5 more
F:\java\test>
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
import java.security.cert.*;
//import java.security.*;
import java.io.*;
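/**
 * Reproduction harness for this report: reads the file named by the first
 * command-line argument and parses every certificate in it with the default
 * "X.509" {@link CertificateFactory}, printing each parsed certificate.
 *
 * <p>Any exception (including the parsing failure shown in the report) is
 * printed as a stack trace rather than propagated, so the process always
 * exits normally.
 */
public class TestCert
{
    /**
     * Parses and prints the certificates found in {@code args[0]}.
     *
     * @param args command-line arguments; {@code args[0]} is the path of the
     *             certificate file, further arguments are ignored
     */
    public static void main(String[] args)
    {
        if (args.length < 1)
        {
            System.err.println("usage: java TestCert <certificate-file>");
            return;
        }
        try
        {
            final byte[] bytes = readAll(args[0]);
            final CertificateFactory cf = CertificateFactory.getInstance("X.509");
            final ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
            // The factory consumes one certificate per call; any bytes left
            // after the last certificate cause one more parse attempt.
            while (bais.available() > 0)
            {
                final Certificate cert = cf.generateCertificate(bais);
                System.out.println(cert.toString());
            }
        }
        catch (Exception e)
        {
            // The stack trace is the evidence this harness exists to produce.
            e.printStackTrace();
        }
    }

    /**
     * Reads the whole file into memory.
     *
     * <p>The read loops until end of stream instead of sizing the buffer from
     * {@code available()}, which is only an estimate, and the stream is
     * closed even when the read fails.
     *
     * @param path path of the file to read
     * @return the complete file contents
     * @throws IOException if the file cannot be opened or read
     */
    private static byte[] readAll(String path) throws IOException
    {
        final FileInputStream fis = new FileInputStream(path);
        try
        {
            final ByteArrayOutputStream out = new ByteArrayOutputStream();
            final byte[] chunk = new byte[4096];
            int n;
            while ((n = fis.read(chunk)) != -1)
            {
                out.write(chunk, 0, n);
            }
            return out.toByteArray();
        }
        finally
        {
            fis.close();
        }
    }
}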
// other sample certs attached.
-----BEGIN CERTIFICATE-----
MIID0zCCArugAwIBAgIEPa4wxTANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJU
SDEqMCgGA1UEChMhUHJvY2Vzc2luZyBDZW50ZXIgQ29tcGFueSBMaW1pdGVkMRow
GAYDVQQDExFQQ0MgRGlnaXRhbCBJRCBDQTAeFw0wMjEwMTcwMzM3MjdaFw0wM
zEw
MTcwMzM3MjdaMFgxCzAJBgNVBAYTAlRIMRMwEQYDVQQKEwozMTAxMDI0NzYwMR
8w
HQYDVQQLExZQQ0MgZVBheW1lbnQgQXV0aG9yaXR5MRMwEQYDVQQDEwpTMDA0
MDAx
MDAyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCsD73C45o+Qfq8iMMB1D/t
gJ7X/jgGTOqtWKVuAQce7QYaj3lahAloFb1JtAHuCwMFgPHqZBcTcogAabgXgp1o
f1utS3J1eHCk380mYTlKrCwq3Mc2XNkqWEY6og1trXdNXTvYMRT/U5EtVMjTd99x
ARiALnJ/PLqitK44dKjbqwIDAQABo4IBKjCCASYwDgYDVR0PAQH/BAQDAgbAMBoG
DmCFfAGLxvf1QgEAZAIBBAgWBjAwMTA5ODBhBgNVHR8EWjBYMFagVKBSpFAwTjEL
MAkGA1UEBhMCVEgxKjAoBgNVBAoTIVByb2Nlc3NpbmcgQ2VudGVyIENvbXBhbnkg
TGltaXRlZDETMBEGA1UEAxMKUENDRElEIENEUDCBlAYDVR0gBIGMMIGJMIGGBg5g
hXwBi8b39UIBAGQEATB0MCAGCCsGAQUFBwIBFhRodHRwOi8vd3d3LnBjYy5jby50
aDBQBggrBgEFBQcCAjBEGkJUaGlzIGNlcnRpZmljYXRlIGlzIGlzc3VlZCBmb3Ig
dXNlIHdpdGggUENDIGVQYXltZW50IHNlcnZpY2Ugb25seS4wDQYJKoZIhvcNAQEF
BQADggEBAJHvDTaaGzgW21G7F8dBkExf79Xlj7Yq4rAueoTbXGmqKF4VTPk9qTW+
6DexaAsqoaZwg+Pu3GCDy/cn1UyRBOVc3RUjcKbVomkZHoloY2GMxuKZ9/NXBobD
KYiD23an/TyzkJldGiYIOAxbM0/gYZxadSnSWq+FiFlaxgCQpVafN2RyAJ35Lvcw
k6FoRUFY+L8U4XPUkP5kHKbnM5MF7UfFz9N/bd9p5mZhMCctIgjEn13Xirak0DIL
LhBaIeSZfjkD/SOQqae3ukQtWOpPqWHQ5F1l0KesEskWaEjrF7/2qzgfFsZxjEYn
MwAyfEQ3zkiAhz6IMBCPqXuhMm9tkRQ=
-----END CERTIFICATE-----
---------- END SOURCE ----------
(Review ID: 179085)
======================================================================
FULL PRODUCT VERSION :
java version "1.4.1_01"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.1_01-b01)
Java HotSpot(TM) Client VM (build 1.4.1_01-b01, mixed mode)
FULL OPERATING SYSTEM VERSION :
Microsoft Windows 2000 [Version 5.00.2195] SP2
A DESCRIPTION OF THE PROBLEM :
The certificates in my keystore (issued by UniCERT) include
a certificatePolicies extension (2.5.29.32) that contains an
object identifier starting with 2.16.764, i.e. under the country
namespace for Thailand. The DER encoding of that object
identifier, shown in hex, is
06 0E 60 85 7C 01 8B C6 F7 F5 42 01 00 64 03 01
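06 says it's an object identifier, 0E is the length (decimal 14),
60 encodes the first two components ("2.16"), 85 7C encodes
the next component (".764"), 01 encodes the next component
(".1"), and 8B C6 F7 F5 42 encodes the next component
(".3101555394"). Each component after the first pair is stored
base-128, seven bits per byte, with the high bit set on every byte
except the last, so a value this large needs five bytes.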
This is valid ASN.1, but the JDK 1.4.* CertificateFactory
cannot handle it; it generates an exception for any component
whose encoding is longer than 4 bytes, and this is 5 bytes.
(This limitation was probably present in JDK 1.3.* too, but the
JDK 1.3.* CertificateFactory doesn't even try to parse the
certificatePolicies extension, whereas JDK 1.4 does).
ERROR MESSAGES :
With the attached source code and our test certificate, running under
JDK 1.4.1 gives the following result:
F:\java\test>d:\jdk141\bin\java -version
java version "1.4.1_01"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.1_01-b01)
Java HotSpot(TM) Client VM (build 1.4.1_01-b01, mixed mode)
F:\java\test>d:\jdk141\bin\java TestCert negativeOID.crt
java.security.cert.CertificateParsingException: java.io.IOException:
X509.OID, component value too big
at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:157)
at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1630)
at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:286)
at
sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java
:94)
at
java.security.cert.CertificateFactory.generateCertificate(CertificateFactory
.java:389)
at TestCert.main(TestCert.java:17)
Caused by: java.io.IOException: X509.OID, component value too big
at
sun.security.util.ObjectIdentifier.getComponent(ObjectIdentifier.java:276)
at
sun.security.util.ObjectIdentifier.initFromEncoding(ObjectIdentifier.java:17
4)
at
sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:144)
at sun.security.util.DerInputStream.getOID(DerInputStream.java:245)
at sun.security.x509.Extension.<init>(Extension.java:61)
at
sun.security.x509.CertificateExtensions.init(CertificateExtensions.java:77)
at
sun.security.x509.CertificateExtensions.<init>(CertificateExtensions.java:57
)
at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:727)
at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:155)
... 5 more
F:\java\test>d:\jdk141\bin\java TestCert 3101024760S004001002.cer
java.security.cert.CertificateParsingException: java.io.IOException:
X509.OID, component value too big
at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:157)
at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1630)
at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:162)
at
sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java
:91)
at
java.security.cert.CertificateFactory.generateCertificate(CertificateFactory
.java:389)
at TestCert.main(TestCert.java:17)
Caused by: java.io.IOException: X509.OID, component value too big
at
sun.security.util.ObjectIdentifier.getComponent(ObjectIdentifier.java:276)
at
sun.security.util.ObjectIdentifier.initFromEncoding(ObjectIdentifier.java:17
4)
at
sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:144)
at sun.security.util.DerInputStream.getOID(DerInputStream.java:245)
at sun.security.x509.Extension.<init>(Extension.java:61)
at
sun.security.x509.CertificateExtensions.init(CertificateExtensions.java:77)
at
sun.security.x509.CertificateExtensions.<init>(CertificateExtensions.java:57
)
at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:727)
at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:155)
... 5 more
F:\java\test>
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
import java.security.cert.*;
//import java.security.*;
import java.io.*;
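/**
 * Reproduction harness for this report: reads the file named by the first
 * command-line argument and parses every certificate in it with the default
 * "X.509" {@link CertificateFactory}, printing each parsed certificate.
 *
 * <p>Any exception (including the parsing failure shown in the report) is
 * printed as a stack trace rather than propagated, so the process always
 * exits normally.
 */
public class TestCert
{
    /**
     * Parses and prints the certificates found in {@code args[0]}.
     *
     * @param args command-line arguments; {@code args[0]} is the path of the
     *             certificate file, further arguments are ignored
     */
    public static void main(String[] args)
    {
        if (args.length < 1)
        {
            System.err.println("usage: java TestCert <certificate-file>");
            return;
        }
        try
        {
            final byte[] bytes = readAll(args[0]);
            final CertificateFactory cf = CertificateFactory.getInstance("X.509");
            final ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
            // The factory consumes one certificate per call; any bytes left
            // after the last certificate cause one more parse attempt.
            while (bais.available() > 0)
            {
                final Certificate cert = cf.generateCertificate(bais);
                System.out.println(cert.toString());
            }
        }
        catch (Exception e)
        {
            // The stack trace is the evidence this harness exists to produce.
            e.printStackTrace();
        }
    }

    /**
     * Reads the whole file into memory.
     *
     * <p>The read loops until end of stream instead of sizing the buffer from
     * {@code available()}, which is only an estimate, and the stream is
     * closed even when the read fails.
     *
     * @param path path of the file to read
     * @return the complete file contents
     * @throws IOException if the file cannot be opened or read
     */
    private static byte[] readAll(String path) throws IOException
    {
        final FileInputStream fis = new FileInputStream(path);
        try
        {
            final ByteArrayOutputStream out = new ByteArrayOutputStream();
            final byte[] chunk = new byte[4096];
            int n;
            while ((n = fis.read(chunk)) != -1)
            {
                out.write(chunk, 0, n);
            }
            return out.toByteArray();
        }
        finally
        {
            fis.close();
        }
    }
}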
// other sample certs attached.
-----BEGIN CERTIFICATE-----
MIID0zCCArugAwIBAgIEPa4wxTANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJU
SDEqMCgGA1UEChMhUHJvY2Vzc2luZyBDZW50ZXIgQ29tcGFueSBMaW1pdGVkMRow
GAYDVQQDExFQQ0MgRGlnaXRhbCBJRCBDQTAeFw0wMjEwMTcwMzM3MjdaFw0wM
zEw
MTcwMzM3MjdaMFgxCzAJBgNVBAYTAlRIMRMwEQYDVQQKEwozMTAxMDI0NzYwMR
8w
HQYDVQQLExZQQ0MgZVBheW1lbnQgQXV0aG9yaXR5MRMwEQYDVQQDEwpTMDA0
MDAx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-----END CERTIFICATE-----
---------- END SOURCE ----------
(Review ID: 179085)
======================================================================
- duplicates
-
JDK-6388974 EncryptedPrivateKeyInfo.getEncoded() throws ArrayIndexOutOfBoundsException
-
- Closed
-