Description
FULL PRODUCT VERSION :
java version "1.4.1_01"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.1_01-b01)
Java HotSpot(TM) Client VM (build 1.4.1_01-b01, mixed mode)
FULL OPERATING SYSTEM VERSION :
Windows 2000 [Version 5.00.2195] SP2
A DESCRIPTION OF THE PROBLEM :
The certificates in my keystore (issued by UniCERT) include a certificatePolicies extension (2.5.29.32) that contains an object identifier starting with 2.16.764, i.e. under the country namespace for Thailand. The DER encoding of that object identifier, shown in hex, is
06 0E 60 85 7C 01 8B C6 F7 F5 42 01 00 64 03 01
06 says it's an object identifier, 0E is the length (decimal 14), 60 encodes the first two components ("2.16"), 85 7C encodes the next component (".764"), 01 encodes the next component (".1"), and 8B C6 F7 F5 42 encodes the next component (".3101555394").
This is valid ASN.1, but the JDK 1.4.* CertificateFactory cannot handle it; it generates an exception for any component whose encoding is longer than 4 bytes, and this one is 5 bytes. (This limitation was probably present in JDK 1.3.* too, but the JDK 1.3.* CertificateFactory doesn't even try to parse the certificatePolicies extension, whereas JDK 1.4 does.)
ERROR MESSAGES :
With the attached source code and our test certificate, running with JDK 1.4.1 gives the following result:
F:\java\test>d:\jdk141\bin\java -version
java version "1.4.1_01"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.1_01-b01)
Java HotSpot(TM) Client VM (build 1.4.1_01-b01, mixed mode)
F:\java\test>d:\jdk141\bin\java TestCert negativeOID.crt
java.security.cert.CertificateParsingException: java.io.IOException: X509.OID, component value too big
        at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:157)
        at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1630)
        at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:286)
        at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:94)
        at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:389)
        at TestCert.main(TestCert.java:17)
Caused by: java.io.IOException: X509.OID, component value too big
        at sun.security.util.ObjectIdentifier.getComponent(ObjectIdentifier.java:276)
        at sun.security.util.ObjectIdentifier.initFromEncoding(ObjectIdentifier.java:174)
        at sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:144)
        at sun.security.util.DerInputStream.getOID(DerInputStream.java:245)
        at sun.security.x509.Extension.<init>(Extension.java:61)
        at sun.security.x509.CertificateExtensions.init(CertificateExtensions.java:77)
        at sun.security.x509.CertificateExtensions.<init>(CertificateExtensions.java:57)
        at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:727)
        at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:155)
        ... 5 more
F:\java\test>d:\jdk141\bin\java TestCert 3101024760S004001002.cer
java.security.cert.CertificateParsingException: java.io.IOException: X509.OID, component value too big
        at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:157)
        at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1630)
        at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:162)
        at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:91)
        at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:389)
        at TestCert.main(TestCert.java:17)
Caused by: java.io.IOException: X509.OID, component value too big
        at sun.security.util.ObjectIdentifier.getComponent(ObjectIdentifier.java:276)
        at sun.security.util.ObjectIdentifier.initFromEncoding(ObjectIdentifier.java:174)
        at sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:144)
        at sun.security.util.DerInputStream.getOID(DerInputStream.java:245)
        at sun.security.x509.Extension.<init>(Extension.java:61)
        at sun.security.x509.CertificateExtensions.init(CertificateExtensions.java:77)
        at sun.security.x509.CertificateExtensions.<init>(CertificateExtensions.java:57)
        at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:727)
        at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:155)
        ... 5 more
F:\java\test>
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
import java.security.cert.*;
import java.io.*;

public class TestCert
{
    public static void main(String[] args)
    {
        try
        {
            // Read the whole certificate file into memory (DER or PEM, possibly several
            // certificates back to back). available() is assumed to return the file size,
            // which holds for a FileInputStream on a regular file.
            final FileInputStream fis = new FileInputStream( args[0] );
            final DataInputStream dis = new DataInputStream( fis );
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            final byte[] bytes = new byte[ dis.available() ];
            dis.readFully( bytes );
            dis.close();
            ByteArrayInputStream bais = new ByteArrayInputStream( bytes );
            // generateCertificate() consumes one certificate per call; loop until the
            // buffer is drained. This is the call that throws CertificateParsingException
            // when an OID component in the certificatePolicies extension is too large.
            while( bais.available()>0 )
            {
                final Certificate cert = cf.generateCertificate(bais);
                System.out.println( cert.toString() );
            }
        }
        catch( Exception e )
        {
            e.printStackTrace();
        }
    }
}
// other sample certs attached.
---------- END SOURCE ----------
(Review ID: 179085)
======================================================================
Posted Date : 2006-04-27 01:53:32.0
Evaluation
The report is correct. We internally use ints to store the components, which limits us to at most 32 bits. Large components are very rare as small values are just as good and easier to remember. However, the spec allows arbitrarily large values and our code should be fixed.
xxxxx@xxxxx 2003-02-04
Even worse, ObjectIdentifier.encode() only encodes each component into a 4-byte buffer, which means it can be at most 28 bits. Try new org.ietf.jgss.Oid("1.2.3.268435456").getDER().
Posted Date : 2006-04-27 01:53:32.0
Fixed, now components can be arbitrarily large integers.
Posted Date : 2009-04-08 05:59:08.0
http://hg.openjdk.java.net/jdk7/tl/jdk/rev/a31f5f824580
Posted Date : 2009-04-08 05:59:08.0
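As an added example (my own code, not the reporter's TestCert and not the JDK's sun.security.util.ObjectIdentifier), a small DER OBJECT IDENTIFIER decoder and encoder that keeps each sub-identifier in a BigInteger, so neither the 32-bit int limit from the description nor the 28-bit 4-octet encoder limit from the evaluation applies. It walks the exact content octets given in the description and the 1.2.3.268435456 case from the evaluation; the class name OidCodec and the method names are assumptions.

```java
import java.io.ByteArrayOutputStream;
import java.math.BigInteger;
import java.util.ArrayList;
import java.util.Arrays;
public class OidCodec {
    private static final BigInteger FORTY = BigInteger.valueOf(40);
    /** Decodes the content octets (the bytes after tag 06 and the length) into dotted form. */
    public static String decode(byte[] content) {
        ArrayList<BigInteger> subIds = new ArrayList<>();
        BigInteger cur = BigInteger.ZERO;
        boolean pending = false;
        for (byte raw : content) {
            int b = raw & 0xFF;
            cur = cur.shiftLeft(7).or(BigInteger.valueOf(b & 0x7F)); // base-128, most significant group first
            pending = (b & 0x80) != 0;                                 // high bit set: more octets follow
            if (!pending) { subIds.add(cur); cur = BigInteger.ZERO; }
        }
        if (pending || subIds.isEmpty()) throw new IllegalArgumentException("truncated or empty OID");
        // The first sub-identifier packs the first two components as 40*X + Y, with X at most 2.
        BigInteger x = subIds.get(0).divide(FORTY).min(BigInteger.valueOf(2));
        StringBuilder sb = new StringBuilder().append(x).append('.').append(subIds.get(0).subtract(x.multiply(FORTY)));
        for (int i = 1; i < subIds.size(); i++) sb.append('.').append(subIds.get(i));
        return sb.toString();
    }
    /** Encodes a dotted OID into DER content octets (no tag or length). */
    public static byte[] encode(String dotted) {
        String[] p = dotted.split("\\.");
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        writeSubId(out, new BigInteger(p[0]).multiply(FORTY).add(new BigInteger(p[1])));
        for (int i = 2; i < p.length; i++) writeSubId(out, new BigInteger(p[i]));
        return out.toByteArray();
    }
    private static void writeSubId(ByteArrayOutputStream out, BigInteger v) {
        int octets = Math.max(1, (v.bitLength() + 6) / 7);      // 7 payload bits per octet
        for (int i = octets - 1; i >= 0; i--) {
            int group = v.shiftRight(7 * i).intValue() & 0x7F;
            out.write(i == 0 ? group : group | 0x80);            // continuation bit on all but the last
        }
    }
    public static void main(String[] args) {
        // Content octets of the report's OID (the bytes after "06 0E"), copied from the hex in the description.
        byte[] content = { 0x60, (byte) 0x85, 0x7C, 0x01, (byte) 0x8B, (byte) 0xC6, (byte) 0xF7, (byte) 0xF5, 0x42, 0x01, 0x00, 0x64, 0x03, 0x01 };
        String oid = decode(content);
        if (!oid.equals("2.16.764.1.3101555394.1.0.100.3.1")) throw new AssertionError(oid);
        if (!Arrays.equals(encode(oid), content)) throw new AssertionError("round trip failed");
        // The evaluation's 1.2.3.268435456: 2^28 needs five base-128 octets (seven in total with 2A 03 in front).
        if (encode("1.2.3.268435456").length != 7) throw new AssertionError("expected 2A 03 81 80 80 80 00");
    }
}
```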
Comments
Submitted On 18-MAY-2008
For us in Australia this issue manifests itself when you try to open an ATO (Australian Tax Office - same as IRS in USA) issued certificate: it goes bang. The reason for this is that most OIDs in an ATO issued cert have the ATO ABN in them, i.e.
Policy Identifier = 1.2.36.824753556.1.0.200.1.5
The 824753556 is the ATO ABN and is the problem here.
So, at the moment we cannot use standard Java certificate manipulation libraries with ATO certificates. This is a relatively large problem in Australia for obvious reasons. Any chance we can get the priority on this raised?
Submitted On 19-MAY-2008
James-C
OK, my 2 cents worth as well.
Not being able to use standard Java platform libraries to deal with certificates from the Australian Tax Office is unfortunate...