mirror of
https://github.com/openjdk/jdk.git
synced 2025-08-27 23:04:50 +02:00
8294985: SSLEngine throws IAE during parsing of X500Principal
Reviewed-by: wetmore, xuelei, mullan
This commit is contained in:
Kevin Driver
Bradford Wetmore
parent
bdd81b3182
commit
80edd5c298
4 changed files with 486 additions and 18 deletions
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright (c) 2022, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2022, 2023, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
|
|
@ -122,8 +122,11 @@ final class CertificateAuthoritiesExtension {
|
|||
return authorities;
|
||||
}
|
||||
|
||||
// This method will throw IllegalArgumentException if the
|
||||
// X500Principal cannot be parsed.
|
||||
X500Principal[] getAuthorities() {
|
||||
X500Principal[] principals = new X500Principal[authorities.size()];
|
||||
|
||||
int i = 0;
|
||||
for (byte[] encoded : authorities) {
|
||||
principals[i++] = new X500Principal(encoded);
|
||||
|
|
@ -138,8 +141,12 @@ final class CertificateAuthoritiesExtension {
|
|||
"\"certificate authorities\": '['\n{0}']'", Locale.ENGLISH);
|
||||
StringBuilder builder = new StringBuilder(512);
|
||||
for (byte[] encoded : authorities) {
|
||||
X500Principal principal = new X500Principal(encoded);
|
||||
builder.append(principal.toString());
|
||||
try {
|
||||
X500Principal principal = new X500Principal(encoded);
|
||||
builder.append(principal.toString());
|
||||
} catch (IllegalArgumentException iae) {
|
||||
builder.append("unparseable distinguished name: " + iae);
|
||||
}
|
||||
builder.append("\n");
|
||||
}
|
||||
Object[] messageFields = {
|
||||
|
|
@ -277,7 +284,13 @@ final class CertificateAuthoritiesExtension {
|
|||
new CertificateAuthoritiesSpec(shc, buffer);
|
||||
|
||||
// Update the context.
|
||||
shc.peerSupportedAuthorities = spec.getAuthorities();
|
||||
try {
|
||||
shc.peerSupportedAuthorities = spec.getAuthorities();
|
||||
} catch (IllegalArgumentException iae) {
|
||||
shc.conContext.fatal(Alert.DECODE_ERROR, "The distinguished " +
|
||||
"names of the peer's certificate authorities could " +
|
||||
"not be parsed", iae);
|
||||
}
|
||||
shc.handshakeExtensions.put(
|
||||
SSLExtension.CH_CERTIFICATE_AUTHORITIES, spec);
|
||||
|
||||
|
|
@ -398,7 +411,13 @@ final class CertificateAuthoritiesExtension {
|
|||
new CertificateAuthoritiesSpec(chc, buffer);
|
||||
|
||||
// Update the context.
|
||||
chc.peerSupportedAuthorities = spec.getAuthorities();
|
||||
try {
|
||||
chc.peerSupportedAuthorities = spec.getAuthorities();
|
||||
} catch (IllegalArgumentException iae) {
|
||||
chc.conContext.fatal(Alert.DECODE_ERROR, "The distinguished " +
|
||||
"names of the peer's certificate authorities could " +
|
||||
"not be parsed", iae);
|
||||
}
|
||||
chc.handshakeExtensions.put(
|
||||
SSLExtension.CR_CERTIFICATE_AUTHORITIES, spec);
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright (c) 2015, 2022, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2015, 2023, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
|
|
@ -198,9 +198,12 @@ final class CertificateRequest {
|
|||
return ClientCertificateType.getKeyTypes(types);
|
||||
}
|
||||
|
||||
// This method will throw IllegalArgumentException if the
|
||||
// X500Principal cannot be parsed.
|
||||
X500Principal[] getAuthorities() {
|
||||
X500Principal[] principals = new X500Principal[authorities.size()];
|
||||
int i = 0;
|
||||
|
||||
for (byte[] encoded : authorities) {
|
||||
principals[i++] = new X500Principal(encoded);
|
||||
}
|
||||
|
|
@ -254,8 +257,12 @@ final class CertificateRequest {
|
|||
|
||||
List<String> authorityNames = new ArrayList<>(authorities.size());
|
||||
for (byte[] encoded : authorities) {
|
||||
X500Principal principal = new X500Principal(encoded);
|
||||
authorityNames.add(principal.toString());
|
||||
try {
|
||||
X500Principal principal = new X500Principal(encoded);
|
||||
authorityNames.add(principal.toString());
|
||||
} catch (IllegalArgumentException iae) {
|
||||
authorityNames.add("unparseable distinguished name: " + iae);
|
||||
}
|
||||
}
|
||||
Object[] messageFields = {
|
||||
typeNames,
|
||||
|
|
@ -370,12 +377,23 @@ final class CertificateRequest {
|
|||
|
||||
X509ExtendedKeyManager km = chc.sslContext.getX509KeyManager();
|
||||
String clientAlias = null;
|
||||
if (chc.conContext.transport instanceof SSLSocketImpl) {
|
||||
clientAlias = km.chooseClientAlias(crm.getKeyTypes(),
|
||||
crm.getAuthorities(), (SSLSocket)chc.conContext.transport);
|
||||
} else if (chc.conContext.transport instanceof SSLEngineImpl) {
|
||||
clientAlias = km.chooseEngineClientAlias(crm.getKeyTypes(),
|
||||
crm.getAuthorities(), (SSLEngine)chc.conContext.transport);
|
||||
|
||||
try {
|
||||
if (chc.conContext.transport instanceof SSLSocketImpl) {
|
||||
clientAlias = km.chooseClientAlias(crm.getKeyTypes(),
|
||||
crm.getAuthorities(),
|
||||
(SSLSocket) chc.conContext.transport);
|
||||
} else if (chc.conContext.transport instanceof SSLEngineImpl) {
|
||||
clientAlias =
|
||||
km.chooseEngineClientAlias(crm.getKeyTypes(),
|
||||
crm.getAuthorities(),
|
||||
(SSLEngine) chc.conContext.transport);
|
||||
}
|
||||
} catch (IllegalArgumentException iae) {
|
||||
chc.conContext.fatal(Alert.DECODE_ERROR,
|
||||
"The distinguished names of the peer's "
|
||||
+ "certificate authorities could not be parsed",
|
||||
iae);
|
||||
}
|
||||
|
||||
|
||||
|
|
@ -512,9 +530,12 @@ final class CertificateRequest {
|
|||
return ClientCertificateType.getKeyTypes(types);
|
||||
}
|
||||
|
||||
// This method will throw IllegalArgumentException if the
|
||||
// X500Principal cannot be parsed.
|
||||
X500Principal[] getAuthorities() {
|
||||
X500Principal[] principals = new X500Principal[authorities.size()];
|
||||
int i = 0;
|
||||
|
||||
for (byte[] encoded : authorities) {
|
||||
principals[i++] = new X500Principal(encoded);
|
||||
}
|
||||
|
|
@ -579,8 +600,13 @@ final class CertificateRequest {
|
|||
|
||||
List<String> authorityNames = new ArrayList<>(authorities.size());
|
||||
for (byte[] encoded : authorities) {
|
||||
X500Principal principal = new X500Principal(encoded);
|
||||
authorityNames.add(principal.toString());
|
||||
try {
|
||||
X500Principal principal = new X500Principal(encoded);
|
||||
authorityNames.add(principal.toString());
|
||||
} catch (IllegalArgumentException iae) {
|
||||
authorityNames.add("unparseable distinguished name: " +
|
||||
iae);
|
||||
}
|
||||
}
|
||||
Object[] messageFields = {
|
||||
typeNames,
|
||||
|
|
@ -717,8 +743,13 @@ final class CertificateRequest {
|
|||
chc.peerRequestedSignatureSchemes = sss;
|
||||
chc.peerRequestedCertSignSchemes = sss; // use the same schemes
|
||||
chc.handshakeSession.setPeerSupportedSignatureAlgorithms(sss);
|
||||
chc.peerSupportedAuthorities = crm.getAuthorities();
|
||||
|
||||
try {
|
||||
chc.peerSupportedAuthorities = crm.getAuthorities();
|
||||
} catch (IllegalArgumentException iae) {
|
||||
chc.conContext.fatal(Alert.DECODE_ERROR, "The "
|
||||
+ "distinguished names of the peer's certificate "
|
||||
+ "authorities could not be parsed", iae);
|
||||
}
|
||||
// For TLS 1.2, we no longer use the certificate_types field
|
||||
// from the CertificateRequest message to directly determine
|
||||
// the SSLPossession. Instead, the choosePossession method
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue