Code Review request: 8028591: NegativeArraySizeException in

Artem Smotrakov artem.smotrakov at
Thu Jan 30 00:47:18 PST 2014

Please review this fix for 9: 

The getLength() method is used to get the length of a bit string. The method can 
return a negative value, which means indefinite-length encoding, which is 
not allowed in DER. Currently a negative value is not checked. As a 
result, NegativeArraySizeException can occur.

I added the following checks in method:
1. IOException is thrown if the getLength() method returns a negative value.
2. An empty BitArray is returned if the getLength() method returns zero.

I think that an empty bit string should be encoded as "03 01 00" in DER. 
I am not sure, but probably "03 00" is a valid one as well. I tried both 
with OpenSSL asn1parse, and both were parsed successfully:

hexdump -C emtpy_bit_string_1
00000000  03 01 00                                          |...|
openssl asn1parse -inform der -in emtpy_bit_string_1
     0:d=0  hl=2 l=   1 prim: BIT STRING

hexdump -C emtpy_bit_string_2
00000000  03 00                                             |..|
openssl asn1parse -inform der -in emtpy_bit_string_2
     0:d=0  hl=2 l=   0 prim: BIT STRING

3. IOException is thrown if the number of calculated valid bits is negative.

Added a test case for 
(bad-cert-2.pem is a corrupted self-signed certificate). Tested with 
available regression, SQE and JCK tests.
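
Added example, not part of the original message and not the JDK patch: a self-contained Java parser that applies the three checks listed above to a DER BIT STRING held in a byte array. The class and method names (BitStringCheck, readLength, parseBitString) and the sample inputs are constructed for illustration.

```java
import java.io.IOException;
import java.util.Arrays;
public class BitStringCheck {
    // Hypothetical helper: returns the content length, or -1 for the indefinite form (0x80).
    static int readLength(byte[] in, int[] pos) throws IOException {
        int first = in[pos[0]++] & 0xff;
        if (first == 0x80) return -1;              // indefinite-length marker
        if (first < 0x80) return first;            // short form
        int n = first & 0x7f, len = 0;             // long form: n length octets follow
        if (n > 3 || pos[0] + n > in.length) throw new IOException("Unsupported length field");
        while (n-- > 0) len = (len << 8) | (in[pos[0]++] & 0xff);
        return len;
    }

    // Returns the bits of a DER BIT STRING, most significant bit first.
    static boolean[] parseBitString(byte[] in) throws IOException {
        if (in.length < 2 || in[0] != 0x03) throw new IOException("Not a BIT STRING");
        int[] pos = {1};
        int length = readLength(in, pos);
        if (length < 0) throw new IOException("Indefinite length is not allowed in DER"); // check 1
        if (length == 0) return new boolean[0];                                           // check 2
        if (pos[0] + length > in.length) throw new IOException("Truncated BIT STRING");
        int unused = in[pos[0]] & 0xff;            // first content octet: count of unused bits
        int validBits = (length - 1) * 8 - unused;
        // check 3, plus the DER rule that the unused-bit count is 0..7
        if (unused > 7 || validBits < 0) throw new IOException("Invalid number of unused bits");
        boolean[] bits = new boolean[validBits];   // size is proven non-negative here
        for (int i = 0; i < validBits; i++) {
            bits[i] = (in[pos[0] + 1 + i / 8] & (0x80 >> (i % 8))) != 0;
        }
        return bits;
    }

    public static void main(String[] args) {
        byte[][] samples = {                       // constructed inputs
            {0x03, 0x01, 0x00},                    // empty, "03 01 00"
            {0x03, 0x00},                          // empty, "03 00"
            {0x03, 0x02, 0x04, (byte) 0xa0},       // four valid bits: 1010
            {0x03, (byte) 0x80, 0x00, 0x00},       // indefinite length
            {0x03, 0x01, 0x05},                    // five unused bits, no content octets
        };
        for (byte[] s : samples) {
            try {
                System.out.println(Arrays.toString(parseBitString(s)));
            } catch (IOException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The last two samples are the inputs that would otherwise lead to a negative array size: each is rejected with an IOException before any allocation happens.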

