JDK-8037258 : AIOB while parsing CRL for revoked certificate
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 8,9
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • Submitted: 2014-03-13
  • Updated: 2016-06-13
  • Resolved: 2014-03-26
Version table (release in which the fix landed):
  • JDK 8: 8u20 (Fixed)
  • JDK 9: 9 b08 (Fixed)
Description
The JDK throws an ArrayIndexOutOfBoundsException while parsing a non-RFC-conforming CRL whose revocation reason code lies outside the range of accepted values. Reproduced with both keytool and CertPathValidator.

With keytool:
    CRL Entry Extensions: 1
    [1]: , Error parsing this extension

Exception trace:

java.lang.ArrayIndexOutOfBoundsException: -1
        at sun.security.x509.CRLReasonCodeExtension.toString(CRLReasonCodeExtension.java:184)
        at java.lang.String.valueOf(String.java:2979)
        at java.lang.StringBuilder.append(StringBuilder.java:131)
        at java.util.AbstractMap.toString(AbstractMap.java:536)
        at java.lang.String.valueOf(String.java:2979)
        at java.lang.StringBuilder.append(StringBuilder.java:131)
        at java.security.cert.CertificateRevokedException.getMessage(CertificateRevokedException.java:173)
        at sun.security.provider.certpath.RevocationChecker.checkApprovedCRLs(RevocationChecker.java:655)
        at sun.security.provider.certpath.RevocationChecker.checkCRLs(RevocationChecker.java:567)
Comments
The problem is with the CRLReasonCodeExtension class. The toString() method in this class doesn't do a bounds check on reasonCode values:

    public String toString() {
        return super.toString() + " Reason Code: " + values[reasonCode];
    }

This method should instead call getReasonCode(), which does check bounds, to get the reason code.
13-03-2014
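The defect described in the comment above, reproduced outside the JDK as an added example (this is not JDK code): the extension value is a DER-encoded reason code, and a non-conforming CRL can carry a negative or too-large value, which the unchecked table lookup cannot handle. The checked variant follows the page's description of getReasonCode(); that out-of-range codes fall back to UNSPECIFIED is an assumption made here, and the sample extension values are constructed.

```python
# RFC 5280 CRLReason values 0..10 (7 is unused), in the same order as
# java.security.cert.CRLReason.values()
CRL_REASONS = [
    "UNSPECIFIED", "KEY_COMPROMISE", "CA_COMPROMISE", "AFFILIATION_CHANGED",
    "SUPERSEDED", "CESSATION_OF_OPERATION", "CERTIFICATE_HOLD", "UNUSED",
    "REMOVE_FROM_CRL", "PRIVILEGE_WITHDRAWN", "AA_COMPROMISE",
]


def der_integer(data: bytes) -> int:
    """Decode one short-form DER INTEGER (0x02) or ENUMERATED (0x0A).

    DER integers are two's complement, so a content byte of 0xFF is -1:
    this is how a broken CRL ends up with a reason code of -1.
    """
    if len(data) < 2 or data[0] not in (0x02, 0x0A):
        raise ValueError("not a DER INTEGER/ENUMERATED")
    length = data[1]
    if length == 0 or length & 0x80 or len(data) != 2 + length:
        raise ValueError("unsupported or malformed DER length")
    return int.from_bytes(data[2:2 + length], "big", signed=True)


def reason_name_unchecked(ext_value: bytes) -> str:
    # Mirrors the buggy toString(): values[reasonCode] with no range check.
    # Java raises ArrayIndexOutOfBoundsException for -1; Python silently
    # wraps a negative index to the end of the table, which misreports
    # the reason instead of failing (an even quieter failure mode).
    return CRL_REASONS[der_integer(ext_value)]


def reason_name_checked(ext_value: bytes) -> str:
    # Mirrors the fix: look the code up only when it is inside the table;
    # 0, negative values and codes past the table all map to UNSPECIFIED
    # (assumed fallback; the report only says getReasonCode() bounds-checks).
    code = der_integer(ext_value)
    if 0 < code < len(CRL_REASONS):
        return CRL_REASONS[code]
    return "UNSPECIFIED"


if __name__ == "__main__":
    # Constructed extension values: ENUMERATED 1, INTEGER -1, INTEGER 11
    for hex_value in ("0a0101", "0201ff", "02010b"):
        ext = bytes.fromhex(hex_value)
        print(hex_value, der_integer(ext), reason_name_checked(ext))
```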