RFR: 8264864: Multiple byte tag not supported by ASN.1 encoding [v3]

Jamil Nimeh jnimeh at openjdk.java.net
Thu Apr 8 17:22:13 UTC 2021


On Thu, 8 Apr 2021 17:10:13 GMT, Weijun Wang <weijun at openjdk.org> wrote:

>> src/java.base/share/classes/sun/security/util/DerValue.java line 322:
>> 
>>> 320:         tag = buf[pos++];
>>> 321:         if ((tag & 0x1f) == 0x1f) {
>>> 322:             throw new IOException("Tag number over 30 is not supported");
>> 
>> Would it be useful for these types of exception messages to either display the offending tag value or perhaps the tag offset?  Just thinking it might be a nice thing for the recipient to know where in the DER encoding the issue is.
>
> I don't want to go on reading the following bytes to find out what the intended tag number is, because that somehow shows I do understand the encoding _a lot_ but still don't want to support it (well, actually I only understand _a little_). There are only 2 kinds of tags: one <= 30 and one >= 31. IMHO, the message has already expressed the meaning that we only support the 1st one.
> 
> An alternative message I can think of is "Unsupported tag byte: 0xBF", but it looks too cryptic.

I think that is fair.  If you don't want to read ahead like that, what about using the "offset" or "pos" field to give a message like "Tag number over 30 at offset NN is not supported" (something like that, at least).  Maybe don't worry about the tag value itself, but at least the position in the data stream.  Just a suggestion only, no strong feelings about this either way.

-------------

PR: https://git.openjdk.java.net/jdk/pull/3391
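As an added example, not code from the JDK or from either reviewer, the class below decodes a DER identifier octet in both the single-byte form that DerValue accepts and the high-tag-number form it rejects, and shows what the offset-bearing message suggested above would look like. The class name, method names and the sample encodings (including the 0xBF byte mentioned in the thread) are constructed for illustration.

```java
import java.io.IOException;

// Added example, not JDK code: side by side, the low-tag check from the thread
// (with the offset in the message) and a full X.690 8.1.2 identifier decoder.
public class DerTagDemo {

    /** Decoded identifier: class bits, constructed flag, tag number, octets consumed. */
    record Tag(int tagClass, boolean constructed, long number, int length) {}

    /** Same rejection as DerValue, but the message names the offset as suggested. */
    static byte readLowTagOnly(byte[] buf, int pos) throws IOException {
        byte tag = buf[pos];
        if ((tag & 0x1f) == 0x1f) {
            throw new IOException(
                "Tag number over 30 at offset " + pos + " is not supported");
        }
        return tag;
    }

    /** Decodes both forms: low form in one octet, high form as base-128 with continuation bits. */
    static Tag readTag(byte[] buf, int pos) throws IOException {
        int first = buf[pos] & 0xff;
        int tagClass = first >> 6;             // 0 universal, 1 application, 2 context-specific, 3 private
        boolean constructed = (first & 0x20) != 0;
        if ((first & 0x1f) != 0x1f) {
            return new Tag(tagClass, constructed, first & 0x1f, 1);   // low form: tag numbers 0..30
        }
        long number = 0;
        for (int i = pos + 1; i < buf.length; i++) {
            int b = buf[i] & 0xff;
            // first subsequent octet must carry a non-zero 7-bit group (no leading zeros)
            if (i == pos + 1 && (b & 0x7f) == 0) throw new IOException("Non-minimal tag at offset " + pos);
            if (number > (Long.MAX_VALUE >> 7)) throw new IOException("Tag number too large at offset " + pos);
            number = (number << 7) | (b & 0x7f);
            if ((b & 0x80) == 0) {             // bit 8 clear: this is the last octet of the tag number
                if (number < 31) throw new IOException("High-tag form used for tag " + number + " at offset " + pos);
                return new Tag(tagClass, constructed, number, i - pos + 1);
            }
        }
        throw new IOException("Truncated tag starting at offset " + pos);
    }

    public static void main(String[] args) throws IOException {
        byte[] seq  = {0x30, 0x00};                           // constructed SEQUENCE
        byte[] high = {(byte) 0xBF, 0x1F, 0x00};              // context-specific constructed, tag 31 in high form
        byte[] big  = {(byte) 0x9F, (byte) 0x81, 0x00, 0x00}; // context-specific primitive, tag 128 over two octets
        System.out.println(readTag(seq, 0) + " " + readTag(high, 0) + " " + readTag(big, 0));
        try { readLowTagOnly(high, 0); } catch (IOException e) { System.out.println(e.getMessage()); }
    }
}
```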