RFR: 8294985: SSLEngine throws IAE during parsing of X500Principal [v3]

Xue-Lei Andrew Fan xuelei at openjdk.org
Mon May 1 07:41:23 UTC 2023


On Fri, 28 Apr 2023 19:15:59 GMT, Kevin Driver <kdriver at openjdk.org> wrote:

>> Fixes: [JDK-8294985](https://bugs.openjdk.org/browse/JDK-8294985)
>
> Kevin Driver has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Update src/java.base/share/classes/sun/security/ssl/CertificateAuthoritiesExtension.java
>   
>   Co-authored-by: Daniel Jelinski <djelinski1 at gmail.com>

There are two blocks called CertificateAuthoritiesSpec.getAuthorities(). Another call is in the CRCertificateAuthoritiesConsumer inner class. Did you check if both should be updated? Or is it possible to update the getAuthorities() implementation directly?

There is similar code in CertificateRequest. Did you have a chance to look at whether it is impacted as well?

Basically, the issue is caused by the X500Principal constructor with DER bytes.  It may be good to check the call to the constructor and handle the IAE accordingly as well, for example in the CertificateAuthoritiesSpec.toString() method.

-------------

Changes requested by xuelei (Reviewer).

PR Review: https://git.openjdk.org/jdk/pull/13466#pullrequestreview-1407415460
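Added example, not code from the PR or from the JDK: a stand-alone parser for the TLS 1.3 certificate_authorities name list that shows the failure mode raised in the review. X500Principal(byte[]) throws IllegalArgumentException on malformed DER, and here it is translated into an SSLProtocolException rather than letting the IAE escape the engine. The class name, the helper, the choice to reject the whole list on one bad name, and the constructed sample bytes are assumptions.

```java
import javax.net.ssl.SSLProtocolException;
import javax.security.auth.x500.X500Principal;
import java.nio.ByteBuffer;
import java.util.ArrayList;
import java.util.List;

public class CertAuthoritiesParser {
    // Parses the body of the TLS 1.3 certificate_authorities vector:
    // a sequence of DistinguishedName entries, each a 2-byte length followed by DER bytes.
    // Assumption: the outer 2-byte list length has already been consumed by the caller.
    static List<X500Principal> parseAuthorities(byte[] listBody) throws SSLProtocolException {
        ByteBuffer buf = ByteBuffer.wrap(listBody);
        List<X500Principal> result = new ArrayList<>();
        while (buf.hasRemaining()) {
            if (buf.remaining() < 2) {
                throw new SSLProtocolException("truncated DistinguishedName length");
            }
            int len = buf.getShort() & 0xFFFF;
            if (len == 0 || len > buf.remaining()) {
                throw new SSLProtocolException("bad DistinguishedName length " + len);
            }
            byte[] der = new byte[len];
            buf.get(der);
            try {
                result.add(new X500Principal(der));
            } catch (IllegalArgumentException iae) {
                // The constructor rejects malformed DER with an IAE; surface it as a
                // protocol error so the handshake fails cleanly instead of with an IAE.
                SSLProtocolException spe =
                        new SSLProtocolException("malformed DistinguishedName in certificate_authorities");
                spe.initCause(iae);
                throw spe;
            }
        }
        return result;
    }

    // Helper (assumption): builds the length-prefixed list body from raw DER names.
    static byte[] encodeList(byte[]... names) {
        int total = 0;
        for (byte[] n : names) total += 2 + n.length;
        ByteBuffer out = ByteBuffer.allocate(total);
        for (byte[] n : names) out.putShort((short) n.length).put(n);
        return out.array();
    }

    public static void main(String[] args) throws Exception {
        byte[] valid = new X500Principal("CN=Test CA, O=Example").getEncoded();
        byte[] bogus = {(byte) 0x30, (byte) 0x02, (byte) 0xff}; // constructed junk, not valid DER
        System.out.println(parseAuthorities(encodeList(valid)));
        try {
            parseAuthorities(encodeList(valid, bogus));
        } catch (SSLProtocolException e) {
            System.out.println("rejected: " + e.getMessage() + " (cause: " + e.getCause() + ")");
        }
    }
}
```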
