Code Review request: 8028591: NegativeArraySizeException in sun.security.util.DerInputStream.getUnalignedBitString()

Wang Weijun weijun.wang at oracle.com
Wed Feb 26 08:09:37 UTC 2014


Hi Artem

Indefinite length is not allowed in DER so we never generate it. However, we do support reading it. I guess there must be a reason. Maybe:

1. We don't have separate BerXXX classes, so basically we read both DER and BER with the same code.

2. Most protocols require DER encoding, but maybe some do not, and we need to deal with them.

3. Maybe there are vendors out there that generate non-standard DER.

Anyway, I think it's better to be tolerant, especially since we have supported it all along.

Thanks
Max



On Feb 26, 2014, at 15:41, Artem Smotrakov <artem.smotrakov at oracle.com> wrote:

> Hi Sean,
> 
> Thank you for your feedback.
> 
> It was confusing to me that the impl supports indefinite-length encoding for DER. According to [1], indefinite-length method shall be used for DER:
> 
> ...
> 10.1 Length forms
> The definite form of length encoding shall be used, encoded in the minimum number of octets. [Contrast with 8.1.3.2 b).]
> ...
> 
> But then I found a couple of bugs for support of indefinite-length (for example [2]). Probably it is needed for real applications.
> 
> I updated the diff:
> - added getDefiniteLength() methods that throw IOException in case of indefinite-length encoding
> - getLength() method, which can return a negative value, is used to decode sequences and sets in DerInputStream
> - getLength() method is also used in constructor and init() method of DerValue class that check for indefinite-length encoding
> 
> Tested with available regression, JCK and SQE tests.
> 
> Please take a look:
> 
> http://cr.openjdk.java.net/~asmotrak/8028591/webrev.01/
> 
> [1] Information technology – ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER), http://www.itu.int/ITU-T/recommendations/rec.aspx?rec=x.690
> [2] https://bugs.openjdk.java.net/browse/JDK-4119673: Need to support indefinite length DER encodings
> 
> Artem



