Can you give some suggestions about how to build a hacked JDK for the Malformed Certificates tests

zaiyao liu zaiyao.liu at
Wed Mar 19 11:55:30 UTC 2014

Hi team,

I am developing the Malformed Certificates tests. These tests exist to 
test the JDK's SSL ability to withstand attack in the form of 
1.3 million pieces of deliberately malformed ASN.1-encoded data.
For details, please refer to the test plan:

The idea is to "attack" a JDK SSL/SMIME process by sending it 
intentionally malformed certificates (or malformed SMIME messages), and 
ensure that the process under attack does not:

  * crash
  * leak
  * accept any of the bad certs or messages as if they were good

To do the Malformed Certificates tests with SSL certs, I should launch 
two JVMs, one as the "JDK under test", the other as the "attack JDK".

I want to use JDK8 as the attack JDK, and this JDK should be modified to 
allow use of invalid certificates. I have tried to use the following code to 
generate an invalid certificate:

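import java.io.FileInputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

public class X509CertificateLoad {
     /**
      * Load a X509 certificate from file.
      */
     public static void main(String[] args) throws Exception {
         FileInputStream fis = new FileInputStream(args[0]);
         CertificateFactory cf = CertificateFactory.getInstance("X509");
         X509Certificate cert = (X509Certificate) cf.generateCertificate(fis);
     }
}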

I got the following error:
         X509Certificate cert = (X509Certificate) 

Can you give some suggestions about how to bypass this kind of check to 
generate a certificate for an invalid certificate? (I will use this 
invalid certificate to attack a normal JDK.)
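
Added example, not part of the original post: a minimal Java check of two of the pass criteria listed above (no crash, no acceptance of bad input) against the local JDK's certificate parser. The class name `MalformedDerCheck` and the hand-built DER samples are assumptions constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.LinkedHashMap;
import java.util.Map;

// Added example (hypothetical class name): checks how the local JDK's X.509
// parser reacts to malformed DER. The inputs are constructed for illustration.
public class MalformedDerCheck {

    enum Outcome { REJECTED, ACCEPTED, UNEXPECTED_FAILURE }

    // Parse one blob and classify the result against the pass criteria.
    static Outcome probe(CertificateFactory cf, byte[] der) {
        try {
            cf.generateCertificate(new ByteArrayInputStream(der));
            return Outcome.ACCEPTED;            // bad input treated as good
        } catch (CertificateException e) {
            return Outcome.REJECTED;            // the only acceptable result
        } catch (Throwable t) {
            return Outcome.UNEXPECTED_FAILURE;  // e.g. RuntimeException, OutOfMemoryError
        }
    }

    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Map<String, byte[]> samples = new LinkedHashMap<>();
        samples.put("empty input", new byte[0]);
        samples.put("SEQUENCE, length 5, only 2 content bytes",
                new byte[] {0x30, 0x05, 0x02, 0x01});
        samples.put("SEQUENCE, declared length 0x7FFFFFFF, no content",
                new byte[] {0x30, (byte) 0x84, 0x7F, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF});
        samples.put("SEQUENCE, indefinite length, never terminated",
                new byte[] {0x30, (byte) 0x80, 0x02, 0x01, 0x00});
        samples.put("well-formed DER, but not a certificate",
                new byte[] {0x30, 0x03, 0x02, 0x01, 0x00});

        int failures = 0;
        for (Map.Entry<String, byte[]> s : samples.entrySet()) {
            Outcome o = probe(cf, s.getValue());
            if (o != Outcome.REJECTED) failures++;
            System.out.printf("%-50s %s%n", s.getKey(), o);
        }
        // A non-zero exit marks any input that was accepted or broke the parser.
        if (failures > 0) System.exit(1);
    }
}
```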




More information about the security-dev mailing list