Type: Bug
Resolution: Unresolved
Priority: P4
Fix Version/s: None
Affects Version/s: 15, 16
A DESCRIPTION OF THE PROBLEM :
Invalid certificates with incorrectly encoded subjectAlternativeNames entries return a sanitised value for subjectAlternativeNames. This will match against a predictable string.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
subjectAlternativeNames values should either obey the ASN.1 definitions, fail, or drop the result.
https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/security/cert/X509Certificate.html#getSubjectAlternativeNames()
dNSName [2] IA5String,
ACTUAL -
[[2, ���.com], [2, ���.com]]
---------- BEGIN SOURCE ----------
import java.io.ByteArrayInputStream
import java.nio.charset.StandardCharsets
import java.security.cert.CertificateFactory
import java.security.cert.X509Certificate

// Parse a PEM-encoded certificate with the default X.509 CertificateFactory.
private fun certificate(certificate: String): X509Certificate {
    return CertificateFactory.getInstance("X.509").generateCertificate(
        ByteArrayInputStream(certificate.toByteArray(StandardCharsets.UTF_8))) as X509Certificate
}

fun main() {
    // Self-signed certificate for CN=foo.com whose SubjectAltName extension holds two
    // dNSName ([2] IA5String) entries. Decoding the extension shows their content bytes
    // are e2 84 a1 2e 63 6f 6d and e2 84 aa 2e 63 6f 6d: UTF-8 sequences that are not
    // valid in an IA5String (all bytes must be 0x00..0x7F).
    val certificateString = """
        -----BEGIN CERTIFICATE-----
        MIIBSDCB86ADAgECAhRLR4TGgXBegg0np90FZ1KPeWpDtjANBgkqhkiG9w0BAQsF
        ADASMRAwDgYDVQQDDAdmb28uY29tMCAXDTIwMTAyOTA2NTkwNVoYDzIxMjAxMDA1
        MDY1OTA1WjASMRAwDgYDVQQDDAdmb28uY29tMFwwDQYJKoZIhvcNAQEBBQADSwAw
        SAJBALQcTVW9aW++ClIV9/9iSzijsPvQGEu/FQOjIycSrSIheZyZmR8bluSNBq0C
        9fpalRKZb0S2tlCTi5WoX8d3K30CAwEAAaMfMB0wGwYDVR0RBBQwEoIH4oShLmNv
        bYIH4oSqLmNvbTANBgkqhkiG9w0BAQsFAANBAA1+/eDvSUGv78iEjNW+1w3OPAwt
        Ij1qLQ/YI8OogZPMk7YY46/ydWWp7UpD47zy/vKmm4pOc8Glc8MoDD6UADs=
        -----END CERTIFICATE-----
    """.trimIndent()
    val certificate = certificate(certificateString)
    // Prints the two dNSName entries as decoded by the JDK; the non-IA5 bytes come back
    // replaced, not rejected, so both entries collapse to the same string.
    println(certificate.subjectAlternativeNames)
}
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
After reading subjectAlternativeNames, strip any non-ASCII character names.
FREQUENCY : always
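The expected behaviour asked for above (obey the IA5String definition or fail) can be enforced by a caller today by going back to the raw extension bytes via X509Certificate.getExtensionValue rather than to the strings getSubjectAlternativeNames has already decoded: a byte with the high bit set can never appear in an IA5String, whatever replacement character the decoder substituted for it. The program below is an added example written for this page, not code from the report or from the JDK. The class name and the helpers readTlv and strictDnsNames are illustrative; it reuses the report's certificate and needs Java 15 or later for the text block.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public class StrictSanDnsNames {

    // The certificate from the report: its SubjectAltName extension carries two
    // dNSName entries whose content bytes (e2 84 a1 .. and e2 84 aa ..) are outside IA5.
    private static final String PEM = """
        -----BEGIN CERTIFICATE-----
        MIIBSDCB86ADAgECAhRLR4TGgXBegg0np90FZ1KPeWpDtjANBgkqhkiG9w0BAQsF
        ADASMRAwDgYDVQQDDAdmb28uY29tMCAXDTIwMTAyOTA2NTkwNVoYDzIxMjAxMDA1
        MDY1OTA1WjASMRAwDgYDVQQDDAdmb28uY29tMFwwDQYJKoZIhvcNAQEBBQADSwAw
        SAJBALQcTVW9aW++ClIV9/9iSzijsPvQGEu/FQOjIycSrSIheZyZmR8bluSNBq0C
        9fpalRKZb0S2tlCTi5WoX8d3K30CAwEAAaMfMB0wGwYDVR0RBBQwEoIH4oShLmNv
        bYIH4oSqLmNvbTANBgkqhkiG9w0BAQsFAANBAA1+/eDvSUGv78iEjNW+1w3OPAwt
        Ij1qLQ/YI8OogZPMk7YY46/ydWWp7UpD47zy/vKmm4pOc8Glc8MoDD6UADs=
        -----END CERTIFICATE-----
        """;

    static X509Certificate parseCertificate(String pem) throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(
                new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
    }

    /** Reads one DER TLV starting at pos; returns {tag, contentStart, contentEnd}. */
    private static int[] readTlv(byte[] der, int pos) {
        if (pos + 2 > der.length) {
            throw new IllegalArgumentException("truncated DER at offset " + pos);
        }
        int tag = der[pos] & 0xFF;
        int first = der[pos + 1] & 0xFF;
        int p = pos + 2;
        int len = first;
        if (first == 0x80) {
            throw new IllegalArgumentException("indefinite length is not DER");
        }
        if (first > 0x80) {                 // long form: next (first & 0x7F) bytes hold the length
            int n = first & 0x7F;
            len = 0;
            for (int i = 0; i < n; i++) {
                len = (len << 8) | (der[p++] & 0xFF);
            }
        }
        if (p + len > der.length) {
            throw new IllegalArgumentException("DER length exceeds buffer at offset " + pos);
        }
        return new int[] {tag, p, p + len};
    }

    /**
     * Returns the dNSName entries of the SubjectAltName extension decoded from the raw
     * extension bytes. A dNSName containing any byte >= 0x80 violates the IA5String
     * definition, and the whole extension is rejected rather than silently repaired.
     */
    static List<String> strictDnsNames(X509Certificate cert) {
        byte[] ext = cert.getExtensionValue("2.5.29.17");     // id-ce-subjectAltName
        if (ext == null) {
            return Collections.emptyList();
        }
        int[] octetString = readTlv(ext, 0);                  // extnValue is an OCTET STRING ...
        if (octetString[0] != 0x04) {
            throw new IllegalArgumentException("extnValue is not an OCTET STRING");
        }
        int[] generalNames = readTlv(ext, octetString[1]);    // ... wrapping SEQUENCE OF GeneralName
        if (generalNames[0] != 0x30) {
            throw new IllegalArgumentException("SubjectAltName is not a SEQUENCE");
        }
        List<String> names = new ArrayList<>();
        int pos = generalNames[1];
        while (pos < generalNames[2]) {
            int[] gn = readTlv(ext, pos);
            if (gn[0] == 0x82) {                              // [2] IMPLICIT IA5String = dNSName
                for (int i = gn[1]; i < gn[2]; i++) {
                    if ((ext[i] & 0x80) != 0) {
                        throw new IllegalArgumentException("dNSName contains non-IA5 byte 0x"
                                + Integer.toHexString(ext[i] & 0xFF) + " at offset " + i);
                    }
                }
                names.add(new String(ext, gn[1], gn[2] - gn[1], StandardCharsets.US_ASCII));
            }
            pos = gn[2];                                      // other GeneralName choices are skipped here
        }
        return names;
    }

    public static void main(String[] args) throws Exception {
        X509Certificate cert = parseCertificate(PEM);
        System.out.println("getSubjectAlternativeNames(): " + cert.getSubjectAlternativeNames());
        try {
            System.out.println("strict dNSName list: " + strictDnsNames(cert));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

For the report's certificate the strict path throws on the first dNSName (byte 0xe2), so no name reaches a hostname comparison; for a well-formed certificate it returns the same dNSName strings the JDK does. Rejecting the whole name rather than removing individual characters matters: the two entries in this certificate decode to the identical string, so a matcher that only cleans up after decoding would still be comparing against a value the certificate never legitimately carried.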
Links to: Review openjdk/jdk/6928