- Type: Bug
- Resolution: Duplicate
- Priority: P4
- None
- Affects Version/s: 5.0
- Component/s: security-libs
- x86
- linux
FULL PRODUCT VERSION :
java version "1.5.0"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0-b64)
Java HotSpot(TM) Client VM (build 1.5.0-b64, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Linux miguel 2.6.12-12mdksmp #1 SMP Fri Sep 9 17:43:23 CEST 2005 i686 Intel(R) Pentium(R) 4 CPU 2.60GHz unknown GNU/Linux
A DESCRIPTION OF THE PROBLEM :
One of the constructors of javax.crypto.EncryptedPrivateKeyInfo accepts an algorithm name in the form of a string. If the string represents an Object Identifier, and one of the components is greater than Integer.MAX_VALUE, a NumberFormatException is thrown. Component values less than or equal to Integer.MAX_VALUE are accepted, but for values greater than or equal to 2**28 (that is 1 << 28) calling the method getEncoded() causes ArrayIndexOutOfBoundsException to be thrown.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Call the constructor of EncryptedPrivateKeyInfo with a string with an OID with a component with a value between 2**28 and Integer.MAX_VALUE
2. Call the method getEncoded()
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The method getEncoded() should return the encoding of the constructed object. If the OID is invalid, it should have been rejected in the constructor.
ACTUAL -
The constructor accepts the values between 2**28 and Integer.MAX_VALUE, but the method getEncoded() throws ArrayIndexOutOfBoundsException.
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
import java.io.IOException;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import javax.crypto.EncryptedPrivateKeyInfo;

public class TestEPKI {
    public static void main(String[] args) throws NoSuchAlgorithmException, IOException {
        // Last OID component is 2**28 - 1: construction and getEncoded() both succeed.
        EncryptedPrivateKeyInfo epki = new EncryptedPrivateKeyInfo("1.2." + ((1 << 28) - 1), new byte[8]);
        System.out.println(epki.getAlgName());
        System.out.println(Arrays.toString(epki.getEncoded()));

        // Last OID component is 2**28: the constructor accepts it, but
        // getEncoded() throws ArrayIndexOutOfBoundsException.
        epki = new EncryptedPrivateKeyInfo("1.2." + (1 << 28), new byte[8]);
        System.out.println(epki.getAlgName());
        System.out.println(Arrays.toString(epki.getEncoded()));
    }
}
---------- END SOURCE ----------
- duplicates: JDK-4811968 ASN.1 (X509Certificate) implementations don't handle large OID components (Resolved)
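Why the failure starts at exactly 2**28, as an added example (not code from the bug report or the JDK): DER encodes each OID component in base-128 with 7 value bits per octet, so components below 2**28 fit in four octets and larger ones need five or more. The class and method names below are hypothetical, and that the affected encoder reserved only four octets per component is an assumption the report does not confirm.

```java
import java.io.ByteArrayOutputStream;
import java.math.BigInteger;

// Hypothetical illustration class; not part of the JDK.
public class OidArcEncoding {
    // Encode one OID component as base-128: 7 value bits per octet,
    // high bit set on every octet except the last (X.690, 8.19).
    static byte[] encodeArc(BigInteger arc) {
        if (arc.signum() < 0) throw new IllegalArgumentException("negative component");
        // Size the buffer from the value itself instead of assuming 4 octets.
        int groups = Math.max(1, (arc.bitLength() + 6) / 7);
        byte[] out = new byte[groups];
        for (int i = groups - 1; i >= 0; i--) {
            int b = arc.intValue() & 0x7f;           // low 7 bits
            out[i] = (byte) (i == groups - 1 ? b : b | 0x80);
            arc = arc.shiftRight(7);
        }
        return out;
    }

    // Content octets of a dotted OID (no tag or length), validated up front
    // so that a bad OID is rejected before any encoding is attempted.
    static byte[] encodeOid(String dotted) {
        String[] parts = dotted.split("\\.");
        if (parts.length < 2) throw new IllegalArgumentException("need two components");
        BigInteger first = new BigInteger(parts[0]);
        BigInteger second = new BigInteger(parts[1]);
        if (first.signum() < 0 || first.compareTo(BigInteger.valueOf(2)) > 0)
            throw new IllegalArgumentException("first component must be 0, 1 or 2");
        if (second.signum() < 0
                || (first.intValue() < 2 && second.compareTo(BigInteger.valueOf(39)) > 0))
            throw new IllegalArgumentException("second component out of range");
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        // The first two components share one base-128 value: 40 * first + second.
        byte[] head = encodeArc(first.multiply(BigInteger.valueOf(40)).add(second));
        out.write(head, 0, head.length);
        for (int i = 2; i < parts.length; i++) {
            byte[] enc = encodeArc(new BigInteger(parts[i]));
            out.write(enc, 0, enc.length);
        }
        return out.toByteArray();
    }

    public static void main(String[] args) {
        // Constructed inputs: the two values from the report plus one above Integer.MAX_VALUE.
        String[] oids = { "1.2." + ((1 << 28) - 1), "1.2." + (1 << 28), "1.2.4294967296" };
        for (String oid : oids)
            System.out.println(oid + " -> " + encodeOid(oid).length + " content octets");
    }
}
```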