Code Review request: 8028591: NegativeArraySizeException in sun.security.util.DerInputStream.getUnalignedBitString()
Wang Weijun
weijun.wang at oracle.com
Wed Feb 26 08:15:13 UTC 2014
Oh, I might have mis-read your webrev. I take back my words below. Will read it again.
Thanks
Max
On Feb 26, 2014, at 16:09, Wang Weijun <weijun.wang at oracle.com> wrote:
>
> Anyway, I think it's better to be tolerant, especially as we have supported it ever since.
>
> Thanks
> Max
>
>
>
> On Feb 26, 2014, at 15:41, Artem Smotrakov <artem.smotrakov at oracle.com> wrote:
>
>> Hi Sean,
>>
>> Thank you for your feedback.
>>
>> It was confusing to me that the impl supports indefinite-length encoding for DER. According to [1], indefinite-length method shall be used for DER:
>>
>> ...
>> 10.1 Length forms
>> The definite form of length encoding shall be used, encoded in the minimum number of octets. [Contrast with 8.1.3.2 b).]
>> ...
>>
>> But then I found a couple of bugs for support of indefinite-length (for example [2]). Probably it is needed for real applications.
>>
>> I updated the diff:
>> - added getDefiniteLength() methods that throw IOException in case of indefinite-length encoding
>> - getLength() method, which can return a negative value, is used to decode sequences, sets in DerInputStream
>> - getLength() method is also used in constructor and init() method of DerValue class that check for indefinite-length encoding
>>
>> Tested with available regression, JCK and SQE tests.
>>
>> Please take a look:
>>
>> http://cr.openjdk.java.net/~asmotrak/8028591/webrev.01/
>>
>> [1] Information technology – ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER), http://www.itu.int/ITU-T/recommendations/rec.aspx?rec=x.690
>> [2] https://bugs.openjdk.java.net/browse/JDK-4119673: Need to support indefinite length DER encodings
>>
>> Artem
>