RFR: 8264864: Multiple byte tag not supported by ASN.1 encoding [v2]

Xue-Lei Andrew Fan xuelei at openjdk.java.net
Thu Apr 8 03:52:31 UTC 2021

On Thu, 8 Apr 2021 01:33:56 GMT, Weijun Wang <weijun at openjdk.org> wrote:

>> This code change does not intend to support multiple byte tags. Instead, it aims to fail more gracefully when such a tag is encountered. For `DerValue` constructors from an encoding (type I), an `IOException` will be thrown since it's already in the throws clause. For constructors from tag and value (type II), an `IllegalArgumentException` will be thrown. All existing type II callers inside JDK use tag numbers smaller than 31.
> Weijun Wang has updated the pull request incrementally with one additional commit since the last revision:
>   make sure test fails before code change

src/java.base/share/classes/sun/security/util/DerValue.java line 322:

> 320:         tag = buf[pos++];
> 321:         if ((tag & 0x1f) == 0x1f) {
> 322:             throw new IOException("Tag number cannot exceed 30");

It may be safe if not support multiple bytes tag in the current implementation of JDK, especially the ASN.1 implementation is private.  However, multiple bytes tag is a legal form of ASN.1 encoding, I think.  It would be nice to have a comment to state that this form is not support yet, and we may consider it in the future if needed.  It may be helpful for future code maintenance.

The exception message, "Tag number cannot exceed 30", may be not accuracy.  I think tag number can exceed 30 per the specification, but JDK does not support it yet because we did not run into such tags in practice.  I may use some words like: "Tag number exceed 30 is not supported".


PR: https://git.openjdk.java.net/jdk/pull/3391

More information about the security-dev mailing list