RFR: 8296736: Some PKCS9Attribute can be created but cannot be encoded [v2]
Valerie Peng
valeriep at openjdk.org
Mon Nov 14 21:55:57 UTC 2022
On Thu, 10 Nov 2022 02:43:21 GMT, Weijun Wang <weijun at openjdk.org> wrote:
>> One `PKCS9Attribute` can be created but cannot be encoded. Since the `SigningCertificateInfo::parse` method has not fully parsed the data (`PolicyInformation` is left out), this code change adds the encoding itself as a field to the `SigningCertificateInfo` class so we can encode it.
>>
>> After this change, unsupported `PKCSAttribute` objects simply cannot be created. The `new(DerValue)` constructor rejects them (type 9-13, 15) in a `switch` block, and the `new(ObjectIdentifier, Object)` constructor rejects them because `VALUE_CLASSES` for them are null.
>>
>> In the `encode()` method, we now throw `IllegalArgumentException` for these types and they will not happen.
>
> Weijun Wang has updated the pull request incrementally with one additional commit since the last revision:
>
> make class package private
src/java.base/share/classes/sun/security/pkcs/PKCS9Attribute.java line 381:
> 379: index = indexOf(oid, PKCS9_OIDS, 1);
> 380: Class<?> clazz = index == -1 ? BYTE_ARRAY_CLASS: VALUE_CLASSES[index];
> 381: if (clazz == null || !clazz.isInstance(value)) {
If my reading of the current impl is correct, if clazz is null, the attribute is not supported. The error message seems a bit misleading as it's not really due to the value itself, but the attribute is not supported. Is it just for avoiding NPE and changing it into IAE?
-------------
PR: https://git.openjdk.org/jdk/pull/11070