Code Review request: 8028591: NegativeArraySizeException in sun.security.util.DerInputStream.getUnalignedBitString()

Xuelei Fan xuelei.fan at oracle.com
Wed Feb 26 09:39:53 UTC 2014


FYI.

It is common to encode as DER and decode as BER.  BER is still a popular
format.  For example, PKCS#7 is BER based, and the JDK accepts PKCS#7
records.  See the usage section of this wiki [*] for more protocols that
use BER encoding.

It's better to avoid an update after which the DER APIs cannot be used to
decode BER any more.

[*] http://en.wikipedia.org/wiki/X.690

On 2/26/2014 4:15 PM, Wang Weijun wrote:
> Oh, I might have mis-read your webrev. I take back my words below. Will read it again.
> 
> Thanks
> Max
> 
> On Feb 26, 2014, at 16:09, Wang Weijun <weijun.wang at oracle.com> wrote:
> 
>>
>> Anyway, I think it's better to be tolerant, especially we have supported it ever since.
>>
>> Thanks
>> Max
>>
>>
>>
>> On Feb 26, 2014, at 15:41, Artem Smotrakov <artem.smotrakov at oracle.com> wrote:
>>
>>> Hi Sean,
>>>
>>> Thank you for your feedback.
>>>
>>> It was confusing to me that the impl supports indefinite-length encoding for DER. According to [1], indefinite-length method shall be used for DER:
>>>
>>> ...
>>> 10.1
>>> Length forms
>>> The definite form of length encoding shall be used, encoded in the minimum number of octets. [Contrast with 8.1.3.2 b).]
>>> ...
>>>
>>> But then I found a couple of bugs for support of indefinite-length (for example [2]). Probably it is needed for real applications.
>>>
>>> I updated the diff:
>>> - added getDefiniteLength() methods that throw IOException in case of indefinite-length encoding
>>> - getLength() method, which can return a negative value, is used to decode sequences, sets in DerInputStream
>>> - getLength() method is also used in constructor and init() method of DerValue class that check for indefinite-length encoding
>>>
>>> Tested with available regression, JCK and SQE tests.
>>>
>>> Please take a look:
>>>
>>> http://cr.openjdk.java.net/~asmotrak/8028591/webrev.01/
>>>
>>> [1] Information technology – ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER), http://www.itu.int/ITU-T/recommendations/rec.aspx?rec=x.690
>>> [2] https://bugs.openjdk.java.net/browse/JDK-4119673: Need to support indefinite length DER encodings
>>>
>>> Artem
>>
> 
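Added example (not JDK code, and not the webrev under review): a small X.690 length decoder in the spirit of the getLength()/getDefiniteLength() split Artem describes, returning a negative sentinel for the indefinite form so a caller can either reject it (DER) or walk to the end-of-contents marker (BER). Function names and the single-octet-tag restriction are assumptions of this example.

```python
INDEFINITE = -1  # sentinel for the 0x80 "indefinite" length form (hypothetical name)


def get_length(buf: bytes, pos: int) -> tuple:
    """Decode the length octets at buf[pos]; return (length, next_pos).
    length is INDEFINITE for the 0x80 form, which the caller must handle."""
    if pos >= len(buf):
        raise ValueError("short read: no length octet")
    first = buf[pos]
    pos += 1
    if first < 0x80:                 # short form: one octet holds 0..127
        return first, pos
    if first == 0x80:                # indefinite form: contents end with EOC 00 00
        return INDEFINITE, pos
    if first == 0xFF:                # reserved by X.690 8.1.3.5 c)
        raise ValueError("reserved length octet 0xFF")
    n = first & 0x7F                 # long form: n following octets, big-endian
    if n > 4 or pos + n > len(buf):
        raise ValueError("bad long-form length field")
    length = int.from_bytes(buf[pos:pos + n], "big")
    pos += n
    if length > len(buf) - pos:      # never trust a length past the end of input
        raise ValueError("length exceeds remaining input")
    return length, pos


def get_definite_length(buf: bytes, pos: int) -> tuple:
    """Strict variant for DER: refuse the indefinite form outright."""
    length, pos = get_length(buf, pos)
    if length == INDEFINITE:
        raise ValueError("indefinite length not allowed in DER")
    return length, pos


def read_tlvs(buf: bytes, pos: int = 0, end=None) -> tuple:
    """Parse single-octet-tag TLVs in buf[pos:end] into (tag, value) pairs;
    constructed values (bit 0x20) recurse, indefinite ones stop at EOC."""
    end = len(buf) if end is None else end
    items = []
    while pos < end:
        tag = buf[pos]
        if tag == 0x00:                            # end-of-contents marker
            if buf[pos:pos + 2] != b"\x00\x00":
                raise ValueError("malformed EOC")
            return items, pos + 2
        length, pos = get_length(buf, pos + 1)
        if length == INDEFINITE:
            if not tag & 0x20:
                raise ValueError("indefinite length on a primitive value")
            children, pos = read_tlvs(buf, pos, end)
        elif tag & 0x20:
            children, _ = read_tlvs(buf, pos, pos + length)
            pos += length
        else:
            children = bytes(buf[pos:pos + length])
            pos += length
        items.append((tag, children))
    return items, pos
```

Constructed sample inputs: `30 06 02 01 05 02 01 07` (DER, definite) and `30 80 02 01 05 02 01 07 00 00` (BER, indefinite) decode to the same SEQUENCE of two INTEGERs, while get_definite_length() rejects the second.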
