JDK-8175029 : StackOverflowError in X509CRL and X509Certificate.verify(PublicKey, Provider)
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 8
  • Priority: P2
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2017-02-15
  • Updated: 2020-06-09
  • Resolved: 2017-03-31
JDK 10: 10 b04 (Fixed)
JDK 8: 8u251 (Fixed)
Other: openjdk8u252 (Fixed)
Description
X509Certificate.verify(PublicKey, Provider) was added in JDK-7026347.
Probably almost everyone uses the implementation in subclass X509CertImpl, but a default implementation is provided in the base class.

The default implementation X509Certificate.verify(key, provider) calls X509CertificateImpl.verify(this, key, provider), which in turn calls cert.verify(key, provider), with resultant infinite recursion. To demonstrate, any subclass of X509Certificate that does not override verify will do:

import java.math.BigInteger;
import java.security.Principal;
import java.security.Provider;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Set;

public class X509Bug {
    static class StubX509Certificate extends X509Certificate {
        static final UnsupportedOperationException uoe
            = new UnsupportedOperationException("Stub!");
        public Set<String> getCriticalExtensionOIDs() { throw uoe; }
        public byte[] getExtensionValue(String oid) { throw uoe; }
        public Set<String> getNonCriticalExtensionOIDs() { throw uoe; }
        public boolean hasUnsupportedCriticalExtension() { throw uoe; }
        public void checkValidity() { throw uoe; }
        public void checkValidity(Date date) { throw uoe; }
        public int getVersion() { throw uoe; }
        public BigInteger getSerialNumber() { throw uoe; }
        public Principal getIssuerDN() { throw uoe; }
        public Principal getSubjectDN() { throw uoe; }
        public Date getNotBefore() { throw uoe; }
        public Date getNotAfter() { throw uoe; }
        public byte[] getTBSCertificate() { throw uoe; }
        public byte[] getSignature() { throw uoe; }
        public String getSigAlgName() { throw uoe; }
        public String getSigAlgOID() { throw uoe; }
        public byte[] getSigAlgParams() { throw uoe; }
        public boolean[] getIssuerUniqueID() { throw uoe; }
        public boolean[] getSubjectUniqueID() { throw uoe; }
        public boolean[] getKeyUsage() { throw uoe; }
        public int getBasicConstraints() { throw uoe; }
        public byte[] getEncoded() { throw uoe; }
        public void verify(PublicKey key) { throw uoe; }
        public void verify(PublicKey key, String sigProvider) { throw uoe; }
        public String toString() { throw uoe; }
        public PublicKey getPublicKey() { throw uoe; }
    }

    public static void main(String[] args) throws Exception {
        new StubX509Certificate().verify(null, (Provider) null);
    }
}

$ java X509Bug |& head -5
Exception in thread "main" java.lang.StackOverflowError
    at java.base/sun.security.x509.X509CertImpl.verify(X509CertImpl.java:506)
    at java.base/java.security.cert.X509Certificate.verify(X509Certificate.java:676)
    at java.base/sun.security.x509.X509CertImpl.verify(X509CertImpl.java:506)
    at java.base/java.security.cert.X509Certificate.verify(X509Certificate.java:676)
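
An added example, not part of the original report and not the JDK's own fix: a reflection check that reports whether an X509Certificate or X509CRL subclass inherits the default verify(PublicKey, Provider), together with a hypothetical base class that overrides the method with a direct Signature check so the default is never reached. The names VerifyOverrideCheck, SelfVerifyingCertificate, PlainCertificate and PlainCrl are assumptions made for this example.

```java
import java.security.*;
import java.security.cert.CertificateException;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;

public class VerifyOverrideCheck {
    /** True if cls inherits verify(PublicKey, Provider) from X509Certificate or X509CRL. */
    static boolean inheritsDefaultVerify(Class<?> cls) throws NoSuchMethodException {
        Class<?> base = X509Certificate.class.isAssignableFrom(cls) ? X509Certificate.class
                      : X509CRL.class.isAssignableFrom(cls) ? X509CRL.class : null;
        if (base == null) throw new IllegalArgumentException(cls + " is not an X.509 type");
        // An override anywhere in the hierarchy changes the declaring class.
        return cls.getMethod("verify", PublicKey.class, Provider.class)
                  .getDeclaringClass() == base;
    }

    /** Hypothetical base class: overrides the method so the default is never reached. */
    abstract static class SelfVerifyingCertificate extends X509Certificate {
        @Override
        public void verify(PublicKey key, Provider sigProvider) throws CertificateException,
                NoSuchAlgorithmException, InvalidKeyException, SignatureException {
            // Assumption: getSigAlgName() is a name Signature accepts and needs no
            // algorithm parameters (RSASSA-PSS would also need setParameter()).
            Signature sig = (sigProvider == null)
                ? Signature.getInstance(getSigAlgName())
                : Signature.getInstance(getSigAlgName(), sigProvider);
            sig.initVerify(key);
            sig.update(getTBSCertificate());
            if (!sig.verify(getSignature())) {
                throw new SignatureException("Signature does not match.");
            }
        }
    }

    // Constructed sample types, abstract so no stub methods are needed.
    abstract static class PlainCertificate extends X509Certificate { }
    abstract static class PlainCrl extends X509CRL { }

    public static void main(String[] args) throws Exception {
        Class<?>[] samples = { PlainCertificate.class, PlainCrl.class,
                               SelfVerifyingCertificate.class };
        for (Class<?> c : samples) {
            System.out.println(c.getSimpleName() + " inherits default verify: "
                + inheritsDefaultVerify(c));
        }
    }
}
```

The check reports true for PlainCertificate and PlainCrl and false for SelfVerifyingCertificate; pass it the classes of any custom certificate or CRL types loaded in an application.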
Comments
The same issue affects X509CRL.verify(PublicKey, Provider).
23-03-2017

Why doesn't JIRA have "introduced by"?
15-02-2017