archive/jdk
1
0
Fork 0
mirror of https://github.com/openjdk/jdk.git synced 2025-08-28 15:24:43 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

8236191: Enhance OID processing

Browse source 
Reviewed-by: jnimeh, weijun, ahgross, rhalade
This commit is contained in:
Xue-Lei Andrew Fan 2020-03-05 14:59:34 -08:00
parent fa3d79c2f8
commit 8fdbb29079
1 changed files with 53 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

62
src/java.base/share/classes/sun/security/util/ObjectIdentifier.java
View file

@ -52,6 +52,25 @@ import java.util.concurrent.ConcurrentHashMap;
*/
public final class ObjectIdentifier implements Serializable {
/*
* The maximum encoded OID length, excluding the ASN.1 encoding tag and
* length.
*
* In theory, there is no maximum size for OIDs. However, there are some
* limitation in practice.
*
* RFC 5280 mandates support for OIDs that have arc elements with values
* that are less than 2^28 (that is, they MUST be between 0 and
* 268,435,455, inclusive), and implementations MUST be able to handle
* OIDs with up to 20 elements (inclusive). Per RFC 5280, an encoded
* OID should be less than 80 bytes for safe interoperability.
*
* This class could be used for protocols other than X.509 certificates.
* To be safe, a relatively large but still reasonable value is chosen
* as the restriction in JDK.
*/
private static final int MAXIMUM_OID_SIZE = 4096; // 2^12
/**
* We use the DER value (no tag, no length) as the internal format
* @serial
@ -118,7 +137,13 @@ public final class ObjectIdentifier implements Serializable {
if (componentLen > comp.length) {
componentLen = comp.length;
}
// Check the estimated size before it is too later.
checkOidSize(componentLen);
init(comp, componentLen);
} else {
checkOidSize(encoding.length);
}
}
@ -203,6 +228,8 @@ public final class ObjectIdentifier implements Serializable {
}
start = end + 1;
count++;
checkOidSize(pos);
} while (end != -1);
checkCount(count);
@ -250,11 +277,13 @@ public final class ObjectIdentifier implements Serializable {
);
int len = in.getDefiniteLength();
checkOidSize(len);
if (len > in.available()) {
throw new IOException("ObjectIdentifier() -- length exceeds" +
throw new IOException("ObjectIdentifier length exceeds " +
"data available. Length: " + len + ", Available: " +
in.available());
}
encoding = new byte[len];
in.getBytes(encoding);
check(encoding);
@ -267,26 +296,32 @@ public final class ObjectIdentifier implements Serializable {
*/
ObjectIdentifier(DerInputBuffer buf) throws IOException {
DerInputStream in = new DerInputStream(buf);
encoding = new byte[in.available()];
int len = in.available();
checkOidSize(len);
encoding = new byte[len];
in.getBytes(encoding);
check(encoding);
}
private void init(int[] components, int length) {
private void init(int[] components, int length) throws IOException {
int pos = 0;
byte[] tmp = new byte[length*5+1]; // +1 for empty input
byte[] tmp = new byte[length * 5 + 1]; // +1 for empty input
if (components[1] < Integer.MAX_VALUE - components[0]*40)
pos += pack7Oid(components[0]*40+components[1], tmp, pos);
else {
if (components[1] < Integer.MAX_VALUE - components[0] * 40) {
pos += pack7Oid(components[0] * 40 + components[1], tmp, pos);
} else {
BigInteger big = BigInteger.valueOf(components[1]);
big = big.add(BigInteger.valueOf(components[0]*40));
big = big.add(BigInteger.valueOf(components[0] * 40));
pos += pack7Oid(big, tmp, pos);
}
for (int i=2; i<length; i++) {
for (int i = 2; i < length; i++) {
pos += pack7Oid(components[i], tmp, pos);
checkOidSize(pos);
}
encoding = new byte[pos];
System.arraycopy(tmp, 0, encoding, 0, pos);
}
@ -690,4 +725,13 @@ public final class ObjectIdentifier implements Serializable {
"oid component #" + (i+1) + " must be non-negative ");
}
}
private static void checkOidSize(int oidLength) throws IOException {
if (oidLength > MAXIMUM_OID_SIZE) {
throw new IOException(
"ObjectIdentifier encoded length exceeds " +
"the restriction in JDK (OId length(>=): " + oidLength +
", Restriction: " + MAXIMUM_OID_SIZE + ")");
}
}
}