8336665: CCE in X509CRLImpl$TBSCertList.getCertIssuer

Reviewed-by: mullan
2025-08-26 14:24:46 +02:00 · 2024-10-24 23:09:45 +00:00 · 2024-10-24 23:09:45 +00:00 · ca1700b8bf
commit ca1700b8bf
parent d1540e2a49
2 changed files with 93 additions and 4 deletions
--- a/src/java.base/share/classes/sun/security/x509/X509CRLImpl.java
+++ b/src/java.base/share/classes/sun/security/x509/X509CRLImpl.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2023, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2024, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -280,14 +280,20 @@ public class X509CRLImpl extends X509CRL implements DerEncoder {
         *   prevCertIssuer if it does not exist
         */
        private X500Principal getCertIssuer(X509CRLEntryImpl entry,
-                                            X500Principal prevCertIssuer) {
+                X500Principal prevCertIssuer) throws CRLException {

            CertificateIssuerExtension ciExt =
                    entry.getCertificateIssuerExtension();
            if (ciExt != null) {
                GeneralNames names = ciExt.getNames();
-                X500Name issuerDN = (X500Name) names.get(0).getName();
-                return issuerDN.asX500Principal();
+                Iterator<GeneralName> itr = names.iterator();
+                while (itr.hasNext()) {
+                    if (itr.next().getName() instanceof X500Name issuerDN) {
+                        return issuerDN.asX500Principal();
+                    }
+                }
+                throw new CRLException("Parsing error: CertificateIssuer "
+                         + "field does not contain an X.500 DN");
            } else {
                return prevCertIssuer;
            }