JDK-6776681

Invalid encoding of an OtherName in X509Certificate.getAlternativeNames()


    • b12
    • x86
    • windows_xp
    • Verified

      FULL PRODUCT VERSION :
      $ java -version
      java version "1.6.0_04"
      Java(TM) SE Runtime Environment (build 1.6.0_04-b12)
      Java HotSpot(TM) Client VM (build 10.0-b19, mixed mode)

      (but also in later JREs)

      A DESCRIPTION OF THE PROBLEM :
      The encoding for the OtherName form of an X509 GeneralName is

      OtherName ::= SEQUENCE {
            type-id OBJECT IDENTIFIER,
            value [0] EXPLICIT ANY DEFINED BY type-id }

      This is what should be returned when an OtherName is included in the SubjectAlternativeName field of an X509 certificate and retrieved through the getSubjectAlternativeNames() method of the java.security.cert.X509Certificate class.

      What is actually being returned is

      SEQUENCE {
        OID,
        [0] {
          [0] the value
        }
      }


      The problem is in the Sun certificate implementation, specifically in sun.security.x509.OtherName. In the constructor OtherName(DerValue derval), the instance variable nameValue, instead of being set to the tagged value (the ANY), is set to the wrapped value ([0] ANY), i.e. the second value in the sequence.

      When it is encoded to be returned, the encode routine adds the extraneous tag.

      This can't be fixed in the encode routine alone, as one of the other constructors takes the OID and the ANY value as arguments.

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      Use an X509 certificate factory to create a certificate object from a cert with an OtherName in its SubjectAltName extension.

      X509Certificate cert = cf.generateCertificate(inputstream);

      Retrieve the subjectAltName using getSubjectAlternativeNames() and print out the encoding.

      Collection<List<?>> names = cert.getSubjectAlternativeNames();



      Dump the byte array you get as the second object of the OtherName List<?> and compare it to the encoding in the certificate itself (cert.getEncoded()).
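      The comparison the steps above ask for, as an added example in Python (not the reporter's code and not the JDK's): it builds the OtherName encoding the ASN.1 above prescribes next to the double-wrapped form the report describes, flags the surplus [0] layer, and strips it. The UPN OID, the sample string and all helper names are constructed for this example.

```python
# Added example, not code from the bug report or the JDK: builds the correct
# OtherName DER beside the double-wrapped form described above, then detects
# and strips the surplus [0]. Sample values are constructed (UPN OID type-id).
def encode_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER element (short-form length only; enough for the sample)."""
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content

def read_tlv(buf: bytes, off: int = 0):
    """Return (tag, content, end_offset) for the element starting at buf[off]."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:                      # short-form length
        n, pos = first, off + 2
    else:                                 # long-form length
        nbytes = first & 0x7F
        n = int.from_bytes(buf[off + 2:off + 2 + nbytes], "big")
        pos = off + 2 + nbytes
    if pos + n > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + n], pos + n

def parse_other_name(der: bytes):
    """Split an OtherName into (type-id contents, the single TLV inside [0])."""
    tag, seq, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("OtherName must be a single SEQUENCE")
    tag, oid, off = read_tlv(seq)
    if tag != 0x06:
        raise ValueError("type-id must be an OBJECT IDENTIFIER")
    tag, wrapped, off = read_tlv(seq, off)
    if tag != 0xA0 or off != len(seq):    # [0] EXPLICIT encodes as 0xA0
        raise ValueError("value must be [0] EXPLICIT")
    if read_tlv(wrapped)[2] != len(wrapped):
        raise ValueError("[0] must wrap exactly one element")
    return oid, wrapped

def has_extra_wrapping(der: bytes) -> bool:
    """True for the [0] { [0] ANY } shape the report says is returned."""
    return parse_other_name(der)[1][0] == 0xA0

def strip_extra_wrapping(der: bytes) -> bytes:
    """Return the OtherName with one surplus [0] layer removed, else unchanged."""
    oid, value = parse_other_name(der)
    if value[0] != 0xA0:
        return der
    return encode_tlv(0x30, encode_tlv(0x06, oid) + encode_tlv(0xA0, read_tlv(value)[1]))
UPN_OID = bytes.fromhex("2b060104018237140203")    # 1.3.6.1.4.1.311.20.2.3
UPN_VALUE = encode_tlv(0x0C, b"user@example.com")   # UTF8String, constructed sample
CORRECT = encode_tlv(0x30, encode_tlv(0x06, UPN_OID) + encode_tlv(0xA0, UPN_VALUE))
# The shape the report says getSubjectAlternativeNames() returns: [0] { [0] ANY }
BUGGY = encode_tlv(0x30, encode_tlv(0x06, UPN_OID) + encode_tlv(0xA0, encode_tlv(0xA0, UPN_VALUE)))
```

      The byte-level check has the same ambiguity as the compatibility branch in the proposed fix: an ANY whose legitimate outer tag is itself [0] cannot be told apart from the double wrapping by inspecting the bytes alone.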


      REPRODUCIBILITY :
      This bug can be reproduced always.

      ---------- BEGIN SOURCE ----------
      This is a diff for sun/security/x509/OtherName.java that provides a possible fix.

      This maintains backwards compatibility in case the inner value wasn't actually wrapped with a [0] tag.


      76c76,79
      < nameValue = val.toByteArray();
      ---
      > if (val.isContextSpecific() && val.getTag() == 0)
      > nameValue = val.toDerInputStream().getDerValue().toByteArray();
      > else
      > nameValue = val.toByteArray();
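      Review bot: the unwrap condition `val.isContextSpecific() && val.getTag() == 0` on the first added line needs checking against what DerValue.getTag() returns; if it returns the raw identifier octet, a constructed context-specific [0] reads as 0xA0, the condition is never true, and the else branch always runs, leaving the extra tag in place. `val.isContextSpecific((byte) 0)` together with a constructed check states the intent directly. Also worth documenting: the else branch means an OtherName whose value genuinely lacks the [0] wrapper is accepted silently instead of being rejected as malformed.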



      ---------- END SOURCE ----------

      CUSTOMER SUBMITTED WORKAROUND :
      Use the getExtension() method and start at a higher level to decode the name.

            weijun Weijun Wang
            ndcosta Nelson Dcosta (Inactive)