JDK-8016916

UnstructuredName should support DirectoryString


Details

    • b102
    • windows_7
    • Verified

    Description

      FULL PRODUCT VERSION :
      java version "1.7.0_21"
      Java(TM) SE Runtime Environment (build 1.7.0_21-b11)
      Java HotSpot(TM) Client VM (build 23.21-b01, mixed mode, sharing)

      ADDITIONAL OS VERSION INFORMATION :
      6.1.7601

      A DESCRIPTION OF THE PROBLEM :
      Executing keytool -printcertreq on a CSR which has requested extension X509v3 Subject Alternative Name of type PrintableString leads to the following error:
      keytool error: java.io.IOException: Value of attribute 1.2.840.113549.1.9.2 (UnstructuredName) has wrong tag: 19. Expected tags: 22.
      This is wrong, because according to RFC 2985, unstructuredName is of type PKCS9String, which can be either IA5String (supported by keytool) or DirectoryString (which includes PrintableString):

         unstructuredName ATTRIBUTE ::= {
                 WITH SYNTAX PKCS9String {pkcs-9-ub-unstructuredName}
                 EQUALITY MATCHING RULE pkcs9CaseIgnoreMatch
                 ID pkcs-9-at-unstructuredName
         }

         PKCS9String { INTEGER : maxSize} ::= CHOICE {
                 ia5String IA5String (SIZE(1..maxSize)),
                 directoryString DirectoryString {maxSize}
         }

      Offending code is in PKCS9Attribute class:

        private static final Byte[][] PKCS9_VALUE_TAGS = {
            null,
            {new Byte(DerValue.tag_IA5String)},   // EMailAddress
            {new Byte(DerValue.tag_IA5String)},   // UnstructuredName
            {new Byte(DerValue.tag_ObjectId)},    // ContentType
            {new Byte(DerValue.tag_OctetString)}, // MessageDigest
            {new Byte(DerValue.tag_UtcTime)},     // SigningTime
            {new Byte(DerValue.tag_Sequence)},    // Countersignature
            {new Byte(DerValue.tag_PrintableString),
             new Byte(DerValue.tag_T61String)},   // ChallengePassword
            {new Byte(DerValue.tag_PrintableString),
             new Byte(DerValue.tag_T61String)},   // UnstructuredAddress
            {new Byte(DerValue.tag_SetOf)},       // ExtendedCertificateAttributes
            {new Byte(DerValue.tag_Sequence)},    // issuerAndSerialNumber
            null,
            null,
            null,
            {new Byte(DerValue.tag_Sequence)},    // extensionRequest
            {new Byte(DerValue.tag_Sequence)},    // SMIMECapability
            {new Byte(DerValue.tag_Sequence)},    // SigningCertificate
            {new Byte(DerValue.tag_Sequence)}     // SignatureTimestampToken
        };

        // check for illegal element tags
        Byte tag;
        for (int i=0; i < elems.length; i++) {
            tag = new Byte(elems[i].tag);

            if (indexOf(tag, PKCS9_VALUE_TAGS[index], 0) == -1)
                throwTagException(tag);
        }

        private void throwTagException(Byte tag)
        throws IOException {
            Byte[] expectedTags = PKCS9_VALUE_TAGS[index];
            StringBuffer msg = new StringBuffer(100);
            msg.append("Value of attribute ");
            msg.append(getOID().toString());
            msg.append(" (");
            msg.append(getName());
            msg.append(") has wrong tag: ");
            msg.append(tag.toString());
            msg.append(". Expected tags: ");


      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      Run:
      keytool -printcertreq -v -file sample.csr

      Where sample.csr is:


      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
              Attributes:
                  unstructuredName :requestTestWithExt
              Requested Extensions:
                  X509v3 Key Usage:
                      Non Repudiation
                  X509v3 Extended Key Usage:
                      TLS Web Client Authentication, Time Stamping
                  X509v3 Subject Alternative Name: critical
                      email:info.e-deklaracje@mofnet.gov.pl
                  Netscape Cert Type:
                      SSL Client, SSL Server, S/MIME
                  Netscape Comment:
                      certificateTestWithExt

      ACTUAL -
      keytool error: java.io.IOException: Value of attribute 1.2.840.113549.1.9.2 (UnstructuredName) has wrong tag: 19. Expected tags: 22.

      ERROR MESSAGES/STACK TRACES THAT OCCUR :
      keytool error: java.io.IOException: Value of attribute 1.2.840.113549.1.9.2 (UnstructuredName) has wrong tag: 19. Expected tags: 22.
      java.io.IOException: Value of attribute 1.2.840.113549.1.9.2 (UnstructuredName) has wrong tag: 19. Expected tags: 22.
              at sun.security.pkcs.PKCS9Attribute.throwTagException(Unknown Source)
              at sun.security.pkcs.PKCS9Attribute.<init>(Unknown Source)
              at sun.security.pkcs.PKCS10Attribute.<init>(Unknown Source)
              at sun.security.pkcs.PKCS10Attributes.<init>(Unknown Source)
              at sun.security.pkcs.PKCS10.<init>(Unknown Source)
              at sun.security.tools.KeyTool.doPrintCertReq(Unknown Source)
              at sun.security.tools.KeyTool.doCommands(Unknown Source)
              at sun.security.tools.KeyTool.run(Unknown Source)
              at sun.security.tools.KeyTool.main(Unknown Source)

      REPRODUCIBILITY :
      This bug can be reproduced always.

      CUSTOMER SUBMITTED WORKAROUND :
      Use openssl.
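
The tag check described in this report, as an added example (not JDK code and not part of the original report): it reads the value tag of a constructed unstructuredName attribute and compares an IA5String-only allow-list with the full PKCS9String CHOICE from RFC 2985. The class name, helper names and sample bytes are assumptions made for illustration; the sample carries the value `requestTestWithExt` from the expected output above, and `Set.of` needs Java 9 or later.

```java
import java.nio.charset.StandardCharsets;
import java.util.Set;

public class UnstructuredNameTagCheck {
    // Universal tag numbers of the ASN.1 string types involved.
    static final int UTF8 = 12, PRINTABLE = 19, T61 = 20, IA5 = 22, UNIVERSAL = 28, BMP = 30;

    // What the PKCS9_VALUE_TAGS row quoted in the report allows for UnstructuredName.
    static final Set<Integer> IA5_ONLY = Set.of(IA5);
    // PKCS9String per RFC 2985: IA5String or any DirectoryString alternative.
    static final Set<Integer> PKCS9_STRING = Set.of(IA5, UTF8, PRINTABLE, T61, UNIVERSAL, BMP);

    // Constructed sample: SEQUENCE { OID 1.2.840.113549.1.9.2, SET { PrintableString } }.
    static byte[] sampleAttribute() {
        byte[] head = {0x30, 0x21, 0x06, 0x09, 0x2A, (byte) 0x86, 0x48, (byte) 0x86,
                (byte) 0xF7, 0x0D, 0x01, 0x09, 0x02, 0x31, 0x14, 0x13, 0x12};
        byte[] text = "requestTestWithExt".getBytes(StandardCharsets.US_ASCII);
        byte[] out = new byte[head.length + text.length];
        System.arraycopy(head, 0, out, 0, head.length);
        System.arraycopy(text, 0, out, head.length, text.length);
        return out;
    }

    // Returns the identifier octet of the first value inside the attribute's SET.
    // Only short-form lengths (< 128 bytes) are handled, which covers this sample.
    static int firstValueTag(byte[] attr) {
        int p = 0;
        if (attr[p] != 0x30 || (attr[p + 1] & 0x80) != 0)
            throw new IllegalArgumentException("expected a short-form SEQUENCE");
        p += 2;                                   // step into the SEQUENCE
        if (attr[p] != 0x06)
            throw new IllegalArgumentException("expected an OBJECT IDENTIFIER");
        p += 2 + attr[p + 1];                     // skip the OID TLV
        if (attr[p] != 0x31 || (attr[p + 1] & 0x80) != 0)
            throw new IllegalArgumentException("expected a short-form SET");
        p += 2;                                   // step into the SET
        return attr[p] & 0xFF;                    // universal primitive: octet == tag number
    }

    public static void main(String[] args) {
        int tag = firstValueTag(sampleAttribute());
        System.out.println("value tag: " + tag);
        System.out.println("IA5String-only check accepts: " + IA5_ONLY.contains(tag));
        System.out.println("PKCS9String check accepts:    " + PKCS9_STRING.contains(tag));
    }
}
```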

          People

            juh Jason Uh (Inactive)
            webbuggrp Webbug Group