Code Review request: 8028591: NegativeArraySizeException in sun.security.util.DerInputStream.getUnalignedBitString()

Sean Mullan sean.mullan at oracle.com
Wed Feb 5 14:37:14 UTC 2014 

Hi Artem,

The specific fix looks fine, but there are many other calls to 
getLength() in DerInputStream that subsequently initialize an array with 
the return value, and could also cause the same issue. It seems to me 
that a better fix would be to pass a flag to the getLength method (or 
create a new method) and if the flag is true, throw an IOException if an 
indefinite length encoding is used (instead of returning -1). Then, for 
the encodings where it is illegal to use the indefinite-length method, 
change the code to call the method with the flag set to true.

--Sean

On 01/30/2014 03:47 AM, Artem Smotrakov wrote:
> Please review this fix for 9:
>
> https://bugs.openjdk.java.net/browse/JDK-8028591
> http://cr.openjdk.java.net/~asmotrak/8028591/webrev.00/
> <http://cr.openjdk.java.net/%7Easmotrak/8028591/webrev.00/>
>
> getLength() method is used to get a length of bit string. The method can
> return a negative value that means indefinite-length encoding that is
> not allowed in DER. Currently a negative value is not checked. As a
> result, NegativeArraySizeException can occur.
>
> I added the following checks in
> sun.security.util.DerInputStream.getUnalignedBitString() method:
> 1. IOException is thrown if getLength() method returns a negative value.
> 2. Empty BitArray is returned if getLength() method returns zero.
>
> I think that an empty bit string should be encoded as "03 01 00" in DER.
> I am not sure, but probably "03 00" is valid one as well. I tried both
> ones with OpenSSL asn1parse, and both ones were parsed successfully:
>
> hexdump -C emtpy_bit_string_1
> 00000000  03 01 00                                          |...|
> 00000003
> openssl asn1parse -inform der -in emtpy_bit_string_1
>      0:d=0  hl=2 l=   1 prim: BIT STRING
>
> hexdump -C emtpy_bit_string_2
> 00000000  03 00                                             |..|
> 00000002
> openssl asn1parse -inform der -in emtpy_bit_string_2
>      0:d=0  hl=2 l=   0 prim: BIT STRING
>
> 3. IOException is thrown if number of calculated valid bits is negative.
>
> Added a test case for
> test/java/security/cert/X509Certificate/X509BadCertificate.java
> (bad-cert-2.pem is corrupted self-signed certificate). Tested with
> available regression, SQE and JCK tests.
>
> Artem

More information about the security-dev mailing list