JDK-6418422 : javax.crypto.EncryptedPrivateKeyInfo constructor accepts invalid oids
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.crypto
  • Affected Version: 5.0
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • OS: linux
  • CPU: x86
  • Submitted: 2006-04-26
  • Updated: 2010-11-04
  • Resolved: 2006-05-13
The Version table lists the release in which this issue/RFE will be or has been addressed.

Unresolved: Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed: Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

JDK 6: b85 (Fixed)
Related Reports
Relates :  
Relates :  
Description
FULL PRODUCT VERSION :
java version "1.5.0"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0-b64)
Java HotSpot(TM) Client VM (build 1.5.0-b64, mixed mode)


ADDITIONAL OS VERSION INFORMATION :
Linux miguel 2.6.12-12mdksmp #1 SMP Fri Sep 9 17:43:23 CEST 2005 i686 Intel(R) Pentium(R) 4 CPU 2.60GHz unknown GNU/Linux


A DESCRIPTION OF THE PROBLEM :
One of the constructors of EncryptedPrivateKeyInfo expects an algorithm name or OID, passed as a string. The constructor accepts OIDs with negative components when the negative value is the last component of the OID. That is, "1.2.3.-4" is accepted, but "1.2.-3.4" is rejected (as it should be). In the first case, calling the method getEncoded() causes an ArrayIndexOutOfBoundsException to be thrown.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Call the constructor with a string of the form "1.2.3.-4"

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
It should throw NoSuchAlgorithmException, like
java.security.NoSuchAlgorithmException: Invalid ObjectIdentifier 1.2.3.-4
	at sun.security.x509.AlgorithmId.get(AlgorithmId.java:100)
	at javax.crypto.EncryptedPrivateKeyInfo.<init>(DashoA12275)
	at TestOid.main(TestOid.java:20)
ACTUAL -
No exception is thrown

REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
import java.security.NoSuchAlgorithmException;
import javax.crypto.EncryptedPrivateKeyInfo;

public class TestOid {

	public static void main(String[] args) {
		// "1.2.-3.4" is rejected at construction; "1.2.3.-4" (negative last arc) is not.
		String[] oids = {"1.2.-3.4", "1.2.3.-4"};
		for (String s : oids) {
			EncryptedPrivateKeyInfo epki;
			try {
				// The second argument is a dummy encrypted-data blob; only the OID string matters here.
				epki = new EncryptedPrivateKeyInfo(s, new byte[8]);
				System.out.println(s + " has not been detected as invalid");
			} catch (NoSuchAlgorithmException e) {
				e.printStackTrace();
				System.out.println(s + " has been detected as invalid");
			}
		}
	}

}

---------- END SOURCE ----------
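
The two strings in this report, "1.2.-3.4" and "1.2.3.-4", are exactly what a strict dotted-OID parser should reject before any DER encoding is attempted. The following is an added Python example, not code from the JDK or from this report: it applies the X.660/X.690 rules for a dotted OID string (at least two arcs, every arc a non-negative decimal integer, first arc 0..2, second arc at most 39 when the first is 0 or 1) and then DER-encodes a valid OID, which also shows why a base-128 subidentifier encoder that assumes non-negative arcs must never be handed "-4". The function names and the sample OIDs are my own choices; the PBES2 OID 1.2.840.113549.1.5.13 is used as the valid input.

```python
"""Strict dotted-OID validation plus DER encoding (added example, not JDK code)."""

import re

# One arc: "0" or a decimal integer without sign, whitespace or leading zeros.
# This rejects "-4", "+4", "", " 4" and "04" (X.660 / X.680 value notation).
_ARC_RE = re.compile(r"^(?:0|[1-9][0-9]*)$")


def parse_oid(text):
    """Parse a dotted OID string into a list of non-negative int arcs.

    Raises ValueError on anything that is not a well-formed OID, so the
    caller finds out at construction time rather than inside getEncoded().
    """
    if not isinstance(text, str) or not text:
        raise ValueError("OID must be a non-empty string")
    parts = text.split(".")
    if len(parts) < 2:
        raise ValueError("OID needs at least two arcs: %r" % text)
    arcs = []
    for part in parts:
        if not _ARC_RE.match(part):
            raise ValueError("invalid arc %r in OID %r" % (part, text))
        arcs.append(int(part))
    # Root arc is 0 (ITU-T), 1 (ISO) or 2 (joint-iso-itu-t).
    if arcs[0] > 2:
        raise ValueError("first arc must be 0, 1 or 2: %r" % text)
    # Under roots 0 and 1 the second arc is limited to 0..39 because the
    # first DER subidentifier is 40*arc1 + arc2.
    if arcs[0] < 2 and arcs[1] > 39:
        raise ValueError("second arc must be <= 39 under root %d: %r" % (arcs[0], text))
    return arcs


def is_valid_oid(text):
    """Boolean form of parse_oid for callers that only want a yes/no."""
    try:
        parse_oid(text)
        return True
    except ValueError:
        return False


def _base128(value):
    """Encode a non-negative int as big-endian base-128 with continuation bits.

    A negative value would never terminate here (Python's >> on a negative
    int converges to -1, not 0); this is the same class of failure as the
    ArrayIndexOutOfBoundsException in the report: the encoder assumes the
    parser has already rejected negative arcs, so we check explicitly.
    """
    if value < 0:
        raise ValueError("arc must be non-negative")
    out = [value & 0x7F]
    value >>= 7
    while value:
        out.append(0x80 | (value & 0x7F))
        value >>= 7
    return bytes(reversed(out))


def _der_length(n):
    """DER length octets: short form below 128, otherwise long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_oid_der(text):
    """Return the DER encoding (tag 0x06) of a dotted OID string."""
    arcs = parse_oid(text)
    body = _base128(40 * arcs[0] + arcs[1])
    for arc in arcs[2:]:
        body += _base128(arc)
    return b"\x06" + _der_length(len(body)) + body


if __name__ == "__main__":
    # Constructed inputs: the two strings from the report plus a real PBES2 OID.
    for oid in ("1.2.-3.4", "1.2.3.-4", "1.2.840.113549.1.5.13"):
        if is_valid_oid(oid):
            print(oid, "valid, DER =", encode_oid_der(oid).hex())
        else:
            print(oid, "rejected")
```

The point of validating at parse time is the one the report makes: an OID that the constructor lets through is a latent crash in every later encode call, and a string parser that only checks the leading arcs gives a false sense of safety.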

Comments
EVALUATION The three related CRs are 6418422 (this one), 6418425, and 6418433.
26-04-2006

EVALUATION Underlying j2se OID code is too permissive. This bug needs to be fixed at the same time as the corresponding JGSS and j2se bug. Offhand, I don't have those bug numbers, but perhaps Jon does.
26-04-2006