8234042: Better factory production of certificates

Reviewed-by: weijun, rhalade, mschoene

src/java.base/macosx/classes/apple/security/KeychainStore.java

@@ -215,6 +215,9 @@ public final class KeychainStore extends KeyStoreSpi {
 
             // Get the Algorithm ID next
             DerValue[] value = in.getSequence(2);
+            if (value.length < 1 || value.length > 2) {
+                throw new IOException("Invalid length for AlgorithmIdentifier");
+            }
             AlgorithmId algId = new AlgorithmId(value[0].getOID());
             String algName = algId.getName();
 

src/java.base/share/classes/java/security/PKCS12Attribute.java

@@ -254,6 +254,9 @@ public final class PKCS12Attribute implements KeyStore.Entry.Attribute {
     private void parse(byte[] encoded) throws IOException {
         DerInputStream attributeValue = new DerInputStream(encoded);
         DerValue[] attrSeq = attributeValue.getSequence(2);
+        if (attrSeq.length != 2) {
+            throw new IOException("Invalid length for PKCS12Attribute");
+        }
         ObjectIdentifier type = attrSeq[0].getOID();
         DerInputStream attrContent =
             new DerInputStream(attrSeq[1].toByteArray());

src/java.base/share/classes/sun/security/pkcs/ContentInfo.java

@@ -116,6 +116,9 @@ public class ContentInfo {
         DerValue[] contents;
 
         typeAndContent = derin.getSequence(2);
+        if (typeAndContent.length < 1 || typeAndContent.length > 2) {
+            throw new ParsingException("Invalid length for ContentInfo");
+        }
 
         // Parse the content type
         type = typeAndContent[0];
@@ -135,6 +138,9 @@ public class ContentInfo {
                 disTaggedContent
                     = new DerInputStream(taggedContent.toByteArray());
                 contents = disTaggedContent.getSet(1, true);
+                if (contents.length != 1) {
+                    throw new ParsingException("ContentInfo encoding error");
+                }
                 content = contents[0];
             }
         }

src/java.base/share/classes/sun/security/pkcs/SignerInfo.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2020, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -144,6 +144,9 @@ public class SignerInfo implements DerEncoder {
 
         // issuerAndSerialNumber
         DerValue[] issuerAndSerialNumber = derin.getSequence(2);
+        if (issuerAndSerialNumber.length != 2) {
+            throw new ParsingException("Invalid length for IssuerAndSerialNumber");
+        }
         byte[] issuerBytes = issuerAndSerialNumber[0].toByteArray();
         issuerName = new X500Name(new DerValue(DerValue.tag_Sequence,
                                                issuerBytes));

src/java.base/share/classes/sun/security/pkcs12/MacData.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2020, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -59,10 +59,16 @@ class MacData {
         throws IOException, ParsingException
     {
         DerValue[] macData = derin.getSequence(2);
+        if (macData.length < 2 || macData.length > 3) {
+            throw new ParsingException("Invalid length for MacData");
+        }
 
         // Parse the digest info
         DerInputStream digestIn = new DerInputStream(macData[0].toByteArray());
         DerValue[] digestInfo = digestIn.getSequence(2);
+        if (digestInfo.length != 2) {
+            throw new ParsingException("Invalid length for DigestInfo");
+        }
 
         // Parse the DigestAlgorithmIdentifier.
         AlgorithmId digestAlgorithmId = AlgorithmId.parse(digestInfo[0]);

src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java

@@ -383,6 +383,9 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
                 DerInputStream in = val.toDerInputStream();
                 int i = in.getInteger();
                 DerValue[] value = in.getSequence(2);
+                if (value.length < 1 || value.length > 2) {
+                    throw new IOException("Invalid length for AlgorithmIdentifier");
+                }
                 AlgorithmId algId = new AlgorithmId(value[0].getOID());
                 String keyAlgo = algId.getName();
 
@@ -2034,11 +2037,17 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
                 DerInputStream edi =
                                 safeContents.getContent().toDerInputStream();
                 int edVersion = edi.getInteger();
-                DerValue[] seq = edi.getSequence(2);
+                DerValue[] seq = edi.getSequence(3);
+                if (seq.length != 3) {
+                    // We require the encryptedContent field, even though
+                    // it is optional
+                    throw new IOException("Invalid length for EncryptedContentInfo");
+                }
                 ObjectIdentifier edContentType = seq[0].getOID();
                 eAlgId = seq[1].toByteArray();
                 if (!seq[2].isContextSpecific((byte)0)) {
-                   throw new IOException("encrypted content not present!");
+                    throw new IOException("unsupported encrypted content type "
+                                          + seq[2].tag);
                 }
                 byte newTag = DerValue.tag_OctetString;
                 if (seq[2].isConstructed())
@@ -2379,6 +2388,9 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
             } else if (bagId.equals(CertBag_OID)) {
                 DerInputStream cs = new DerInputStream(bagValue.toByteArray());
                 DerValue[] certValues = cs.getSequence(2);
+                if (certValues.length != 2) {
+                    throw new IOException("Invalid length for CertBag");
+                }
                 ObjectIdentifier certId = certValues[0].getOID();
                 if (!certValues[1].isContextSpecific((byte)0)) {
                     throw new IOException("unsupported PKCS12 cert value type "
@@ -2394,6 +2406,9 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
             } else if (bagId.equals(SecretBag_OID)) {
                 DerInputStream ss = new DerInputStream(bagValue.toByteArray());
                 DerValue[] secretValues = ss.getSequence(2);
+                if (secretValues.length != 2) {
+                    throw new IOException("Invalid length for SecretBag");
+                }
                 ObjectIdentifier secretId = secretValues[0].getOID();
                 if (!secretValues[1].isContextSpecific((byte)0)) {
                     throw new IOException(
@@ -2432,6 +2447,9 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
                     byte[] encoded = attrSet[j].toByteArray();
                     DerInputStream as = new DerInputStream(encoded);
                     DerValue[] attrSeq = as.getSequence(2);
+                    if (attrSeq.length != 2) {
+                        throw new IOException("Invalid length for Attribute");
+                    }
                     ObjectIdentifier attrId = attrSeq[0].getOID();
                     DerInputStream vs =
                         new DerInputStream(attrSeq[1].toByteArray());

src/java.base/share/classes/sun/security/provider/certpath/OCSPResponse.java

@@ -258,7 +258,7 @@ public final class OCSPResponse {
         DerInputStream basicOCSPResponse =
             new DerInputStream(derIn.getOctetString());
 
-        DerValue[] seqTmp = basicOCSPResponse.getSequence(2);
+        DerValue[] seqTmp = basicOCSPResponse.getSequence(3);
         if (seqTmp.length < 3) {
             throw new IOException("Unexpected BasicOCSPResponse value");
         }