JDK-4936768

Sun JCE doesn't parse certificate issued by Microsoft Certificate Server


    • Bug
    • Resolution: Duplicate
    • P4
    • None
    • 1.4.2
    • security-libs



      Name: rmT116609 Date: 10/13/2003


      FULL PRODUCT VERSION :
      java version "1.4.2"
      Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2-b28)
      Java HotSpot(TM) Client VM (build 1.4.2-b28, mixed mode)

      FULL OS VERSION :
      Linux plato 2.4.20-18.9 #1 Thu May 29 07:08:16 EDT 2003 i686 i686 i386 GNU/Linux

      A DESCRIPTION OF THE PROBLEM :
      When using keytool to view or import the certificate below it fails with:
      sun.security.pkcs.ParsingException: X509.ObjectIdentifier() -- data isn't an object ID (tag = 48)

      The problem can also be reproduced programmatically:

          CertificateFactory cf = CertificateFactory.getInstance("X.509");
          Certificate cert = cf.generateCertificate(new FileInputStream("...."));

      However, if one installs the BouncyCastle JCE and uses
          CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC");
          Certificate cert = cf.generateCertificate(new FileInputStream("...."));

      it works fine.

      Here is the "offending" certificate:


      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      Save the certificate in the bug report to a file and use keytool -printcert -file ...

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      That the certificate will be parsed without an exception being thrown.
      ACTUAL -
      See bug report

      ERROR MESSAGES/STACK TRACES THAT OCCUR :
      sun.security.pkcs.ParsingException: X509.ObjectIdentifier() -- data isn't an object ID (tag = 48)
              at sun.security.pkcs.PKCS7.parse(PKCS7.java:118)
              at sun.security.pkcs.PKCS7.<init>(PKCS7.java:68)
              at sun.security.provider.X509Factory.parseX509orPKCS7Cert(X509Factory.java:530)
              at sun.security.provider.X509Factory.engineGenerateCertificates(X509Factory.java:407)
              at java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:511)
              at sun.security.tools.KeyTool.doPrintCert(KeyTool.java:1021)
              at sun.security.tools.KeyTool.doCommands(KeyTool.java:539)
              at sun.security.tools.KeyTool.run(KeyTool.java:124)
              at sun.security.tools.KeyTool.main(KeyTool.java:118)
      Caused by: java.io.IOException: X509.ObjectIdentifier() -- data isn't an object ID (tag = 48)
              at sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:134)
              at sun.security.util.DerInputStream.getOID(DerInputStream.java:250)
              at sun.security.pkcs.ContentInfo.<init>(ContentInfo.java:120)
              at sun.security.pkcs.PKCS7.parse(PKCS7.java:136)
              at sun.security.pkcs.PKCS7.parse(PKCS7.java:115)
              ... 8 more


      REPRODUCIBILITY :
      This bug can be reproduced always.

      ---------- BEGIN SOURCE ----------
      import java.io.*;
      import java.security.cert.Certificate;
      import java.security.cert.CertificateFactory;

      public class certtest {
        public static void main(String args[]) throws Throwable {

          ByteArrayInputStream in = new ByteArrayInputStream(certstr.getBytes());

          CertificateFactory cf = CertificateFactory.getInstance("X.509");
          // CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC"); // This works !!!
          Certificate cert = cf.generateCertificate(in);
          System.out.println(cert.toString());
        }

        private static String certstr =
        "-----BEGIN CERTIFICATE-----\n"
        + "MIIEkTCCBDugAwIBAgIKHwbsTgAAAAAADzANBgkqhkiG9w0BAQUFADCBkDEqMCgG\n"
        + "CSqGSIb3DQEJARYbc2VyZ2UuY2hlZ29yaWFuQGhzbnRlY2guY29tMQswCQYDVQQG\n"
        + "EwJBVTEMMAoGA1UECBMDVklDMRIwEAYDVQQHEwlNZWxib3VybmUxEDAOBgNVBAoT\n"
        + "B0xhbmRhdGExEDAOBgNVBAsTB0xhbmRyZWcxDzANBgNVBAMTBmxyc2IwMzAeFw0w\n"
        + "MzA5MDMwNjIxMzJaFw0wNDA4MjgwMTMwMTlaME0xCzAJBgNVBAYTAkFVMQ4wDAYD\n"
        + "VQQHEwVQZXJ0aDEXMBUGA1UEChMOQVJDVVMgU29mdHdhcmUxFTATBgNVBAMTDGFy\n"
        + "Y3VzLmNvbS5hdTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArnFM5bmv7yiS\n"
        + "QBuW1+nta1CqHBQf8RtZ9tRd/G1TXjNaDby+tDzQuoDxczh3G2zeaayWoXHN3Vrf\n"
        + "1ywyapjmzpIa3M4lz9NjPRCfJNc35bEbjyC8DrIl5KCZ1xcmQ337wSBxgVG65mpd\n"
        + "sTvgHr7ScW1AQLaQPsi7yhj4xoNnSsUCAwEAAaOCAnMwggJvMB0GA1UdDgQWBBR2\n"
        + "yysuMrfmMRsr3+DKEYP3idg+3zCBzAYDVR0jBIHEMIHBgBTJ9sWoZBZl+tqAIN6a\n"
        + "SY0zfR06RKGBlqSBkzCBkDEqMCgGCSqGSIb3DQEJARYbc2VyZ2UuY2hlZ29yaWFu\n"
        + "QGhzbnRlY2guY29tMQswCQYDVQQGEwJBVTEMMAoGA1UECBMDVklDMRIwEAYDVQQH\n"
        + "EwlNZWxib3VybmUxEDAOBgNVBAoTB0xhbmRhdGExEDAOBgNVBAsTB0xhbmRyZWcx\n"
        + "DzANBgNVBAMTBmxyc2IwM4IQQgY4b2o3JIxC2s5zW4htHjCBlQYDVR0fBIGNMIGK\n"
        + "MEKgQKA+hjxodHRwOi8vbHJzYjAzLmxhbmRhdGEudmljLmdvdi5hdS5sb2NhbC9D\n"
        + "ZXJ0RW5yb2xsL2xyc2IwMy5jcmwwRKBCoECGPmZpbGU6Ly9cXExSU0IwMy5sYW5k\n"
        + "YXRhLnZpYy5nb3YuYXUubG9jYWxcQ2VydEVucm9sbFxscnNiMDMuY3JsMIHmBggr\n"
        + "BgEFBQcBAQSB2TCB1jBoBggrBgEFBQcwAoZcaHR0cDovL2xyc2IwMy5sYW5kYXRh\n"
        + "LnZpYy5nb3YuYXUubG9jYWwvQ2VydEVucm9sbC9MUlNCMDMubGFuZGF0YS52aWMu\n"
        + "Z292LmF1LmxvY2FsX2xyc2IwMy5jcnQwagYIKwYBBQUHMAKGXmZpbGU6Ly9cXExS\n"
        + "U0IwMy5sYW5kYXRhLnZpYy5nb3YuYXUubG9jYWxcQ2VydEVucm9sbFxMUlNCMDMu\n"
        + "bGFuZGF0YS52aWMuZ292LmF1LmxvY2FsX2xyc2IwMy5jcnQwDQYJKoZIhvcNAQEF\n"
        + "BQADQQDRehNYMY5zzfRz5aM5JQbBdUQ+ju2TKp8vlrvS7LGz1x8rJ4CtMGV7HvsU\n"
        + "XIV7CoWVM7PvLhF2D6/W04pe+H6P\n"
        + "-----END CERTIFICATE-----\n";

      }
      ---------- END SOURCE ----------

      CUSTOMER SUBMITTED WORKAROUND :
      Use the BouncyCastle provider instead
      (Incident Review ID: 201773)
      ======================================================================
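
An added diagnostic, not part of the original report or of the JDK sources: the trace above ends in `ContentInfo` reading an OID, and tag 48 is 0x30, the DER SEQUENCE tag, which is what the second element of an X.509 certificate (tbsCertificate) looks like, whereas a PKCS#7 ContentInfo carries an OBJECT IDENTIFIER (tag 6) there. The class `DerShape`, its method names and the two byte arrays are constructed for illustration; it reads the first two tags of a DER blob to show which shape a file has, which helps when triaging this kind of message.

```java
import java.nio.file.Files;
import java.nio.file.Paths;

// Added example (not JDK code): classify a DER blob by its first two tags.
public class DerShape {

    // Returns the offset of the content octets of the TLV that starts at 'off'.
    static int contentOffset(byte[] der, int off) {
        if (off + 1 >= der.length) throw new IllegalArgumentException("truncated TLV");
        int first = der[off + 1] & 0xff;
        if (first < 0x80) return off + 2;           // short-form length
        int n = first & 0x7f;                        // long form: n length octets follow
        if (n == 0 || n > 4 || off + 2 + n > der.length)
            throw new IllegalArgumentException("unsupported or truncated length");
        return off + 2 + n;
    }

    static String classify(byte[] der) {
        if (der.length == 0 || (der[0] & 0xff) != 0x30) return "not a DER SEQUENCE";
        int inner = contentOffset(der, 0);
        if (inner >= der.length) return "empty SEQUENCE";
        int tag = der[inner] & 0xff;
        switch (tag) {
            case 0x30: return "X.509-shaped: inner tag 48 (SEQUENCE, tbsCertificate)";
            case 0x06: return "PKCS#7-shaped: inner tag 6 (OBJECT IDENTIFIER, contentType)";
            default:   return "unknown: inner tag " + tag;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples, not real certificates.
        // SEQUENCE { SEQUENCE { INTEGER 0 } }
        byte[] certLike = {0x30, 0x05, 0x30, 0x03, 0x02, 0x01, 0x00};
        // SEQUENCE { OID 1.2.840.113549.1.7.2 (signedData) }
        byte[] p7Like = {0x30, 0x0b, 0x06, 0x09, 0x2a, (byte) 0x86, 0x48,
                         (byte) 0x86, (byte) 0xf7, 0x0d, 0x01, 0x07, 0x02};
        System.out.println(classify(certLike));
        System.out.println(classify(p7Like));
        if (args.length > 0)   // optional: path to a DER file (base64-decode PEM first)
            System.out.println(classify(Files.readAllBytes(Paths.get(args[0]))));
    }
}
```

A certificate-shaped file that still produces the PKCS#7 OID error was handed to the PKCS#7 parser, so the message does not say which certificate field the X.509 parser could not handle.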

            andreas Andreas Sterbenz
            rmandalasunw Ranjith Mandala (Inactive)