JDK-6418433 : org.ietf.jgss.Oid constructor accepts invalid values (and rejects valid values)
  • Type: Bug
  • Status: Resolved
  • Resolution: Fixed
  • Component: security-libs
  • Sub-Component: java.security
  • Priority: P3
  • Affected Version: 5.0
  • OS: linux,windows_xp
  • CPU: x86
  • Submit Date: 2006-04-26
  • Updated Date: 2010-11-04
  • Resolved Date: 2006-05-13
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availabitlity Release.

To download the current JDK release, click here.
Other JDK 6
1.4.2_19-revResolved 6 b85Resolved
Related Reports
Duplicate :  
Relates :  
Relates :  
Description
FULL PRODUCT VERSION :
java version "1.5.0"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0-b64)
Java HotSpot(TM) Client VM (build 1.5.0-b64, mixed mode)


ADDITIONAL OS VERSION INFORMATION :
Linux miguel 2.6.12-12mdksmp #1 SMP Fri Sep 9 17:43:23 CEST 2005 i686 Intel(R) Pentium(R) 4 CPU 2.60GHz unknown GNU/Linux

A DESCRIPTION OF THE PROBLEM :
Class org.ietf.jgss.Oid has a constructor with a String parameter. This constructor accepts oids with negative values, when this value is the last component of the oid. It seems to correctly reject negative values in the rest of the components of the oid.
An ArrayIndexOutOfBoundsException is then thrown when the getDER() method is invoked.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Calling the constructor with the string "1.2.3.-4" will construct an invalid object
org.ietf.jgss.Oid oid = new Oid("1.2.3.-4")

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
It should have thrown GSSException, like
GSSException: Improperly formatted Object Identifier String - 1.2.3.-4
	at org.ietf.jgss.Oid.<init>(Oid.java:54)
	at TestOid.main(TestOid.java:15)
ACTUAL -
The exception is not thrown. If you later call oid.getDER(), you get
Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: 4
	at sun.security.util.ObjectIdentifier.putComponent(ObjectIdentifier.java:314)
	at sun.security.util.ObjectIdentifier.encode(ObjectIdentifier.java:266)
	at sun.security.util.DerOutputStream.putOID(DerOutputStream.java:262)
	at org.ietf.jgss.Oid.getDER(Oid.java:163)
	at TestOid.main(TestOid.java:17)

REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
import org.ietf.jgss.GSSException;
import org.ietf.jgss.Oid;

public class TestOid {

	/**
	 * @param args
	 * @throws GSSException
	 */
	public static void main(String[] args){
		String[] oids = {"1.2.-3.4", "1.2.3.-4"};
		for (String s:oids){
			Oid oid;
			try {
				oid = new Oid(s);
				System.out.println("Invalid oid: "+oid);
			} catch (GSSException e) {
				e.printStackTrace();
				System.out.println(s+" was correctly detected as invalid");
			}
		}
	}

}

---------- END SOURCE ----------

Comments
EVALUATION In fact, the bug not only accepts invalid OIDs (mentioned by bug reporters), but also rejects valid OIDs (like 2.40.3.4). Needed to be backport to 5.0 update releases. This bug is reported again from an external customer as http://monaco.sfbay/detail.jsf?cr=6524763 6524763 org.ietf.jgss.Oid does not handle proper OID's i.e. 2.40.3.8
2007-02-14

EVALUATION Underlying j2se OID code is too permissive.
2006-05-08