RFR: 8294985: SSLEngine throws IAE during parsing of X500Principal [v3]
Kevin Driver
kdriver at openjdk.org
Wed May 3 22:14:17 UTC 2023
On Fri, 28 Apr 2023 19:15:59 GMT, Kevin Driver <kdriver at openjdk.org> wrote:
>> Fixes: [JDK-8294985](https://bugs.openjdk.org/browse/JDK-8294985)
>
> Kevin Driver has updated the pull request incrementally with one additional commit since the last revision:
>
> Update src/java.base/share/classes/sun/security/ssl/CertificateAuthoritiesExtension.java
>
> Co-authored-by: Daniel Jelinski <djelinski1 at gmail.com>
As for other examples of the `X500Principal(byte[] ..)` constructor being called in TLS packages, here are the ones that don't seem to be handled nicely currently:
- `consume` in `CertificateAuthoritiesExtension.CRCertificateAuthoritiesConsumer` (could throw IAE, which is an uncaught RuntimeException)
- `toString` in `CertificateAuthoritiesExtension.CertificateAuthoritiesSpec` (could throw IAE, which is an uncaught RuntimeException)
- `consume` in `CertificateRequest.T10CertificateRequestConsumer` (could throw IAE, which is an uncaught RuntimeException)
- `toString` in `CertificateRequest.T10CertificateRequestMessage` (could throw IAE, which is an uncaught RuntimeException)
- `consume` in `CertificateRequest.T12CertificateRequestConsumer` (could throw IAE, which is an uncaught RuntimeException)
- `toString` in `CertificateRequest.T12CertificateRequestMessage` (could throw IAE, which is an uncaught RuntimeException)
I will look at making related changes in these spots as well.
@XueleiFan wrt your other question about updating the `getAuthorities` method, I considered this, but it looks like it would involve changing a method signature for that method. This may be fine, but similar changes would need to be made in all the above places anyway, I suspect, unless we can pass information about the context in order to throw an `SSL(Protocol)Exception` and have that bubble-up to where `IOException`s are usually checked.
@seanjmullan @XueleiFan thoughts on that?
-------------
PR Comment: https://git.openjdk.org/jdk/pull/13466#issuecomment-1533818757
More information about the security-dev
mailing list