JDK-8172244 : AIOOBE in KeyStore.getCertificateAlias on Windows
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 8u111,9
  • Priority: P4
  • Status: Resolved
  • Resolution: Fixed
  • OS: windows
  • CPU: generic
  • Submitted: 2016-12-23
  • Updated: 2017-12-12
  • Resolved: 2017-05-25
Fix Version: JDK 10, build 10 b09 (Fixed)
Description
FULL PRODUCT VERSION :
1.8.0_102-b14, Oracle Corporation, Java HotSpot(TM) 64-Bit Server VM
1.8.0_111-b14, Oracle Corporation, Java HotSpot(TM) Client VM

ADDITIONAL OS VERSION INFORMATION :
Windows 10 64-Bit

A DESCRIPTION OF THE PROBLEM :
This is an upstream bug report for:
https://josm.openstreetmap.de/ticket/13855
https://josm.openstreetmap.de/ticket/13862
https://josm.openstreetmap.de/ticket/14154

(please add josm-found label as per Quality Outreach)

Three of our users encountered an ArrayIndexOutOfBoundsException on Windows 10, with JRE 8u102 (64-bit) and 8u111 (32-bit).

The stacktrace is:
java.lang.ArrayIndexOutOfBoundsException: 0
	at sun.security.mscapi.KeyStore.engineGetCertificateAlias(KeyStore.java:634)
	at sun.security.mscapi.KeyStore$ROOT.engineGetCertificateAlias(KeyStore.java:61)
	at java.security.KeyStore.getCertificateAlias(Unknown Source)

KeyStore.getCertificateAlias is not supposed to throw this exception but return null if the supplied argument is not found.

We think this is maybe related to JDK-8139436 / JDK-8148848 but the issue happens with JRE that should include the fix.


ERROR MESSAGES/STACK TRACES THAT OCCUR :
java.lang.ArrayIndexOutOfBoundsException: 0
	at sun.security.mscapi.KeyStore.engineGetCertificateAlias(KeyStore.java:634)
	at sun.security.mscapi.KeyStore$ROOT.engineGetCertificateAlias(KeyStore.java:61)
	at java.security.KeyStore.getCertificateAlias(Unknown Source)

REPRODUCIBILITY :
This bug can be reproduced occasionally.


Comments
Additional information from submitter: Unfortunately this is the kind of problem we can't reproduce ourselves. It was reported by three of our customers:
https://josm.openstreetmap.de/ticket/13855
The source code which triggers the bug is here:
https://josm.openstreetmap.de/browser/josm/trunk/src/org/openstreetmap/josm/tools/PlatformHookWindows.java#L330
06-01-2017

This bug is not reproduced, but while analyzing the code there is a chance of AIOOBE. This is the portion of code which is having the issue:

	public String engineGetCertificateAlias(Certificate cert) {
		for (KeyEntry entry : entries) {
			if (entry.certChain != null && entry.certChain[0].equals(cert)) {
				return entry.getAlias();
			}
		}
		return null;
	}

We are checking whether entry.certChain is null or not, but we are not checking whether entry.certChain.length > 0 or not, as we are doing in the API engineGetCertificate(). As the same code is there in JDK 9 as well, added 9 as an affected version also.
05-01-2017
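
The missing length check described in the comment above, shown as an added example (not code from the JDK and not the fix that was committed). KeyEntry here is a hypothetical stand-in that models only an alias and a certificate chain, and the input is a constructed entry whose chain is non-null but empty.

```java
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.List;

public class EmptyChainAliasLookup {
    // Hypothetical stand-in for the provider's internal KeyEntry (alias + chain only).
    static final class KeyEntry {
        final String alias;
        final Certificate[] certChain;
        KeyEntry(String alias, Certificate[] certChain) {
            this.alias = alias;
            this.certChain = certChain;
        }
    }

    // Same condition as the snippet quoted in the comment: null is tested, length is not.
    static String aliasUnguarded(List<KeyEntry> entries, Certificate cert) {
        for (KeyEntry entry : entries) {
            if (entry.certChain != null && entry.certChain[0].equals(cert)) {
                return entry.alias;
            }
        }
        return null;
    }

    // Adds the length check the comment says is missing, so an empty chain is skipped.
    static String aliasGuarded(List<KeyEntry> entries, Certificate cert) {
        for (KeyEntry entry : entries) {
            if (entry.certChain != null && entry.certChain.length > 0
                    && entry.certChain[0].equals(cert)) {
                return entry.alias;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed input: one entry whose chain exists but holds no certificates.
        List<KeyEntry> entries = new ArrayList<>();
        entries.add(new KeyEntry("constructed-alias", new Certificate[0]));
        try {
            aliasUnguarded(entries, null);
        } catch (ArrayIndexOutOfBoundsException e) {
            System.out.println("unguarded lookup threw: " + e);
        }
        // The guarded lookup honours the KeyStore contract: no match means null.
        System.out.println("guarded lookup returned: " + aliasGuarded(entries, null));
    }
}
```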

JDK-8139436 is resolved and working fine in builds 8u92, 8u101, 8u102 and succeeding releases. Also it is resolved in JDK9-ea build 94 onwards. The AIOOBE mentioned in bug JDK-8139436 is happening from the API sun.security.mscapi.KeyStore.engineGetCertificate(). But in this incident, the AIOOBE is happening from sun.security.mscapi.KeyStore.engineGetCertificateAlias(). So these two issues are related, but not exact duplicates.
04-01-2017