Please review this fix for 9:

https://bugs.openjdk.java.net/browse/JDK-8028591
http://cr.openjdk.java.net/~asmotrak/8028591/webrev.00/

The getLength() method is used to get the length of a bit string. The method can return a negative value, which means indefinite-length encoding, which is not allowed in DER. Currently a negative value is not checked. As a result, a NegativeArraySizeException can occur.

I added the following checks in the sun.security.util.DerInputStream.getUnalignedBitString() method:
1. An IOException is thrown if the getLength() method returns a negative value.
2. An empty BitArray is returned if the getLength() method returns zero.

I think that an empty bit string should be encoded as "03 01 00" in DER. I am not sure, but probably "03 00" is a valid one as well. I tried both with OpenSSL asn1parse, and both were parsed successfully:

hexdump -C emtpy_bit_string_1
00000000  03 01 00                                          |...|
00000003
openssl asn1parse -inform der -in emtpy_bit_string_1
    0:d=0  hl=2 l=   1 prim: BIT STRING

hexdump -C emtpy_bit_string_2
00000000  03 00                                             |..|
00000002
openssl asn1parse -inform der -in emtpy_bit_string_2
    0:d=0  hl=2 l=   0 prim: BIT STRING

3. An IOException is thrown if the calculated number of valid bits is negative.

Added a test case to test/java/security/cert/X509Certificate/X509BadCertificate.java (bad-cert-2.pem is a corrupted self-signed certificate). Tested with the available regression, SQE and JCK tests.

Artem
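
The three checks listed in the message, as an added stand-alone example. It is not the code from the webrev or from the JDK: the class BitStringChecks and its methods readLength and validBits are hypothetical, the sample byte strings are constructed, and Java 9 or later is assumed for InputStream.readNBytes.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
// Added illustration; class and method names are hypothetical, not JDK code.
public class BitStringChecks {
    // Simplified DER length reader: returns -1 for the indefinite form (0x80).
    static int readLength(InputStream in) throws IOException {
        int b = in.read();
        if (b < 0) throw new IOException("truncated length");
        if ((b & 0x80) == 0) return b;          // short form
        int n = b & 0x7f;
        if (n == 0) return -1;                  // indefinite length
        if (n > 4) throw new IOException("length field too long");
        int len = 0;
        for (int i = 0; i < n; i++) {
            int next = in.read();
            if (next < 0) throw new IOException("truncated length");
            len = (len << 8) | next;
        }
        if (len < 0) throw new IOException("length overflows int");
        return len;
    }
    // Returns the number of valid bits, applying the three checks from the message.
    static int validBits(byte[] der) throws IOException {
        InputStream in = new ByteArrayInputStream(der);
        if (in.read() != 0x03) throw new IOException("not a BIT STRING tag");
        int length = readLength(in);
        if (length < 0) throw new IOException("indefinite length not allowed in DER"); // check 1
        if (length == 0) return 0;               // check 2: empty bit string
        int unused = in.read();                  // first content byte: unused-bit count
        if (unused < 0) throw new IOException("truncated content");
        int bits = (length - 1) * 8 - unused;
        if (bits < 0) throw new IOException("negative number of valid bits: " + bits); // check 3
        if (length - 1 > in.available()) throw new IOException("truncated content");
        byte[] data = new byte[length - 1];      // size is non-negative and bounded here
        in.readNBytes(data, 0, data.length);
        return bits;
    }

    public static void main(String[] args) {
        // Constructed samples: both encodings from the message, indefinite length,
        // an unused-bit count larger than the content, and an ordinary 4-bit value.
        byte[][] samples = { {3, 1, 0}, {3, 0}, {3, (byte) 0x80}, {3, 1, 7}, {3, 2, 4, (byte) 0xF0} };
        for (byte[] s : samples) {
            StringBuilder hex = new StringBuilder();
            for (byte x : s) hex.append(String.format("%02x ", x));
            try { System.out.println(hex + "-> " + validBits(s) + " valid bits"); }
            catch (IOException e) { System.out.println(hex + "-> rejected: " + e.getMessage()); }
        }
    }
}
```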
