United StatesChange Country, Oracle Worldwide Web Sites Communities I am a... I want to...
Bug ID: JDK-6418433 org.ietf.jgss.Oid constructor accepts invalid values (and rejects valid values)
JDK-6418433 : org.ietf.jgss.Oid constructor accepts invalid values (and rejects valid values)

Details
Type:
Bug
Submit Date:
2006-04-26
Status:
Resolved
Updated Date:
2010-11-04
Project Name:
JDK
Resolved Date:
2006-05-13
Component:
security-libs
OS:
linux,windows_xp
Sub-Component:
java.security
CPU:
x86
Priority:
P3
Resolution:
Fixed
Affected Versions:
5.0
Fixed Versions:

Related Reports
Backport:
Backport:
Backport:
Duplicate:
Relates:
Relates:

Sub Tasks

Description
FULL PRODUCT VERSION :
java version "1.5.0"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0-b64)
Java HotSpot(TM) Client VM (build 1.5.0-b64, mixed mode)


ADDITIONAL OS VERSION INFORMATION :
Linux miguel 2.6.12-12mdksmp #1 SMP Fri Sep 9 17:43:23 CEST 2005 i686 Intel(R) Pentium(R) 4 CPU 2.60GHz unknown GNU/Linux

A DESCRIPTION OF THE PROBLEM :
Class org.ietf.jgss.Oid has a constructor with a String parameter. This constructor accepts oids with negative values, when this value is the last component of the oid. It seems to correctly reject negative values in the rest of the components of the oid.
An ArrayIndexOutOfBoundsException is then thrown when the getDER() method is invoked.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Calling the constructor with the string "1.2.3.-4" will construct an invalid object
org.ietf.jgss.Oid oid = new Oid("1.2.3.-4")

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
It should have thrown GSSException, like
GSSException: Improperly formatted Object Identifier String - 1.2.3.-4
	at org.ietf.jgss.Oid.<init>(Oid.java:54)
	at TestOid.main(TestOid.java:15)
ACTUAL -
The exception is not thrown. If you later call oid.getDER(), you get
Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: 4
	at sun.security.util.ObjectIdentifier.putComponent(ObjectIdentifier.java:314)
	at sun.security.util.ObjectIdentifier.encode(ObjectIdentifier.java:266)
	at sun.security.util.DerOutputStream.putOID(DerOutputStream.java:262)
	at org.ietf.jgss.Oid.getDER(Oid.java:163)
	at TestOid.main(TestOid.java:17)

REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
import org.ietf.jgss.GSSException;
import org.ietf.jgss.Oid;

public class TestOid {

	/**
	 * @param args
	 * @throws GSSException
	 */
	public static void main(String[] args){
		String[] oids = {"1.2.-3.4", "1.2.3.-4"};
		for (String s:oids){
			Oid oid;
			try {
				oid = new Oid(s);
				System.out.println("Invalid oid: "+oid);
			} catch (GSSException e) {
				e.printStackTrace();
				System.out.println(s+" was correctly detected as invalid");
			}
		}
	}

}

---------- END SOURCE ----------

                                    

Comments
EVALUATION

Underlying j2se OID code is too permissive.
                                     
2006-05-08
EVALUATION

In fact, the bug not only accepts invalid OIDs (mentioned by bug reporters), but also rejects valid OIDs (like 2.40.3.4). Needed to be backport to 5.0 update releases.

This bug is reported again from an external customer as http://monaco.sfbay/detail.jsf?cr=6524763
6524763 org.ietf.jgss.Oid does not handle proper OID's i.e. 2.40.3.8
                                     
2007-02-14



Hardware and Software, Engineered to Work Together