JDK-4874076 : REGRESSION: CertificateParsingException for MS CRL Distribution Point
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 1.4.2
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • OS: linux,windows_2000,windows_xp
  • CPU: x86
  • Submitted: 2003-06-04
  • Updated: 2004-11-10
  • Resolved: 2003-06-26
The Version table provides details of the release in which this issue/RFE will be addressed.

Unresolved: Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed: Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

Version table
Other: 1.4.2_02 (build 02) - Fixed

Related Reports
Duplicate (3), Relates (1): report identifiers are not included on this page.
Description

Name: gm110360    Date: 06/04/2003


FULL PRODUCT VERSION :
java version "1.4.2-beta"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2-beta-b19)
Java HotSpot(TM) Client VM (build 1.4.2-beta-b19, mixed mode)


FULL OS VERSION :
Microsoft Windows 2000 [Version 5.00.2195]


EXTRA RELEVANT SYSTEM CONFIGURATION :
NOT APPLICABLE

A DESCRIPTION OF THE PROBLEM :
The following program throws the following CertificateParsingException.

This wasn't happening in previous versions of the JRE, specifically:
java version "1.4.1_02"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.1_02-b06)
Java HotSpot(TM) Client VM (build 1.4.1_02-b06, mixed mode)


This program contains the CA certificate of a Microsoft Certificate Server. The certificate contains two X.509 v3 extensions called "CRL Distribution Points". One of the CRL Distribution Points contains a uniform resource identifier that is in the following Microsoft-specific form:

file://\\lea\CertEnroll\Lea%20CA.crl



STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Save the following certificate as '.\lea.cer'.

2. Create the directory '.\tools\'.

3. Create the directory '.\tools\crypto\'.

4. Save the following program as '.\tools\crypto\CertTest.java':

5. Compile CertTest.java

6. Run CertTest.java

java -cp . tools.crypto.CertTest lea.cer



ERROR MESSAGES/STACK TRACES THAT OCCUR :
java.security.cert.CertificateParsingException: java.io.IOException: java.io.IOException: Host portion is not a valid DNS name, IPv4 address, or IPv6 address
        at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:157)
        at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1679)
        at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:173)
        at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:101)
        at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:389)
        at tools.crypto.CertTest.doTest(CertTest.java:28)
        at tools.crypto.CertTest.main(CertTest.java:42)
Caused by: java.io.IOException: java.io.IOException: Host portion is not a valid DNS name, IPv4 address, or IPv6 address
        at sun.security.x509.CertificateExtensions.parseExtension(CertificateExtensions.java:111)
        at sun.security.x509.CertificateExtensions.init(CertificateExtensions.java:78)
        at sun.security.x509.CertificateExtensions.<init>(CertificateExtensions.java:57)
        at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:731)
        at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:155)
        ... 6 more
Caused by: java.io.IOException: Host portion is not a valid DNS name, IPv4 address, or IPv6 address
        at sun.security.x509.URIName.parseName(URIName.java:205)
        at sun.security.x509.URIName.<init>(URIName.java:85)
        at sun.security.x509.GeneralName.<init>(GeneralName.java:94)
        at sun.security.x509.GeneralNames.<init>(GeneralNames.java:51)
        at sun.security.x509.DistributionPoint.<init>(DistributionPoint.java:193)
        at sun.security.x509.CRLDistributionPointsExtension.<init>(CRLDistributionPointsExtension.java:126)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:274)
        at sun.security.x509.CertificateExtensions.parseExtension(CertificateExtensions.java:105)
        ... 10 more


REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
Run this program using the certificate shown earlier.



/*
 * CertTest.java
 *
 * Created on May 9, 2003, 11:30 AM
 */

package tools.crypto;

import java.io.*;
import java.security.cert.*;

/**
 * Loads the certificate named on the command line through the default
 * X.509 CertificateFactory and prints it. The CertificateParsingException
 * reported above is thrown from generateCertificate().
 */
public class CertTest {
    private File inputFile;

    /** Creates a new instance of CertTest */
    public CertTest(String[] args) {
        inputFile = new File(args[0]);
    }

    public void doTest() {
        FileInputStream fis = null;
        try {
            CertificateFactory factory = CertificateFactory.getInstance("X.509");
            fis = new FileInputStream(inputFile);
            // Parsing of the whole certificate, including its extensions, happens here.
            Certificate certificate = factory.generateCertificate(fis);
            if (!(certificate instanceof X509Certificate)) {
                System.out.println("Not an X.509 certificate");
                System.exit(0);
            }
            X509Certificate x509 = (X509Certificate)certificate;
            System.out.println(x509.toString());
        }
        catch (Exception e) {
            e.printStackTrace(System.out);
        }
        finally {
            // Release the file handle whether or not parsing succeeded.
            if (fis != null) {
                try { fis.close(); } catch (IOException ignored) { }
            }
        }
    }

    public static void main(String[] args) {
        new CertTest(args).doTest();
    }
}

---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :
Reconfigure Microsoft Certificate Server to not generate CRL distribution points of the form:

file://\\hostname\path

Release Regression From: 1.4.1_02
The above release value was the last known release where this bug was known to work. Since then there has been a regression.

(Review ID: 187022) 
======================================================================

Comments
EVALUATION
Parsing seems to fail when encountering the URL "file://\\lea\CertEnroll\Lea%20CA.crl". I am not totally sure if that is a valid URL, but regardless we should not fail in this way. It would seem a good idea to ignore such a failure - either using code specifically in the CRLDP extension or generally for all extensions - so that failures parsing (non-critical) extensions are just ignored. Regardless, it would also seem appropriate to change the URIName class to use java.net.URI instead of doing its own parsing. This has caused problems before, for example see 4834694.
###@###.### 2003-06-04

The certificate parsing code has been modified to ignore errors parsing non-critical extensions, which avoids this particular failure. However, it also means that we will not utilize the CRLDP extension in these certificates. A separate bug will be filed to track the final resolution of this issue.
###@###.### 2003-06-18

One company was issuing certs with OID 2.5.29.16, which is the Private Key Usage Period, and was a non-critical extension. Without this fix, customer couldn't parse the cert file. Will refer him to 1.4.2_02.
###@###.### 2003-08-29

For those reading on the JDC, 1.4.2_02 is expected to be released in late October or early November 2003. Thanks for bearing with us.
###@###.### 2003-09-12

I see some comments have been added on the JDC. If you are seeing this problem or a similar one in 1.4.2_02 or later, please file a new bug and include the cert that is causing the exception. To make sure that you are using the intended 1.4.2 version, you may want to use "java -showversion MyProgram" and double check the version number.
###@###.### 2004-06-16

Like I said in my previous comment, if you think you still see this problem post 1.4.2_02, please file a new bug and include the cert. Posting a comment that does not include nearly enough information to reproduce is not helpful at all.
###@###.### 2004-11-10 01:31:20 GMT
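The report and the evaluation together describe two things a PKI operator or library maintainer wants to check for: CRL distribution point URIs that are not well-formed URIs (the Microsoft-specific file://\\host\path form), and a parser policy under which a broken non-critical extension is reported rather than made fatal. The following Java class, CrlDpAudit, is an added example written for this page; it is not code from the bug report, from the JDK, or from Microsoft Certificate Server. It walks the DER encoding of a CRL Distribution Points extension value (the bytes that X509Certificate.getExtensionValue("2.5.29.31") returns), collects every uniformResourceIdentifier GeneralName, and validates each with java.net.URI, the replacement for hand-rolled parsing that the evaluation suggests. The class name, the Finding type, the helper names and the sample extension built in main() are all this example's own assumptions; the sample bytes are constructed in the code, not taken from a real CA. It targets a current JDK (7 or later), not the 1.4.2 release the report concerns.

```java
import java.io.ByteArrayOutputStream;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

/** Added example: audit the URIs in a CRLDP extension value instead of failing the whole certificate. */
public class CrlDpAudit {

    /** Outcome of checking one distribution-point URI; problem is null when the URI is well formed. */
    public static final class Finding {
        public final String uri;
        public final String problem;
        Finding(String uri, String problem) { this.uri = uri; this.problem = problem; }
        @Override public String toString() {
            return (problem == null ? "OK        " : "MALFORMED ") + uri
                    + (problem == null ? "" : "  (" + problem + ")");
        }
    }

    /** A decoded TLV: its tag and the [start, end) range of its content within the buffer. */
    static final class Tlv {
        final int tag, start, end;
        Tlv(int tag, int start, int end) { this.tag = tag; this.start = start; this.end = end; }
    }

    /** Encodes one DER TLV with a definite length (short or long form). Used only to build sample input. */
    static byte[] der(int tag, byte[] content) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(tag);
        int len = content.length;
        if (len < 0x80) {
            out.write(len);
        } else {
            int n = (len > 0xFFFF) ? 3 : (len > 0xFF) ? 2 : 1;
            out.write(0x80 | n);
            for (int i = n - 1; i >= 0; i--) out.write((len >>> (8 * i)) & 0xFF);
        }
        out.write(content, 0, len);
        return out.toByteArray();
    }

    /** Reads the TLV at off (single-byte tags, definite lengths), refusing lengths that overrun the buffer. */
    static Tlv readTlv(byte[] buf, int off) {
        int tag = buf[off] & 0xFF;
        int first = buf[off + 1] & 0xFF;
        int pos = off + 2;
        int len = first;
        if (first >= 0x80) {
            int n = first & 0x7F;
            if (n == 0 || n > 4) throw new IllegalArgumentException("indefinite or oversized length at " + off);
            len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (buf[pos++] & 0xFF);
        }
        if (len < 0 || pos + len > buf.length) throw new IllegalArgumentException("length overruns buffer at " + off);
        return new Tlv(tag, pos, pos + len);
    }

    /** Walks OCTET STRING { SEQUENCE OF DistributionPoint { [0] { [0] GeneralNames { [6] IA5String } } } }. */
    public static List<Finding> audit(byte[] extensionValue) {
        List<Finding> findings = new ArrayList<>();
        Tlv octet = readTlv(extensionValue, 0);
        if (octet.tag != 0x04) throw new IllegalArgumentException("expected OCTET STRING wrapper");
        Tlv seq = readTlv(extensionValue, octet.start);
        if (seq.tag != 0x30) throw new IllegalArgumentException("expected CRLDistributionPoints SEQUENCE");
        for (int pos = seq.start; pos < seq.end; ) {
            Tlv dp = readTlv(extensionValue, pos);                 // DistributionPoint ::= SEQUENCE
            for (int p = dp.start; p < dp.end; ) {
                Tlv field = readTlv(extensionValue, p);
                if (field.tag == 0xA0) {                            // [0] distributionPoint (explicit)
                    Tlv name = readTlv(extensionValue, field.start);
                    if (name.tag == 0xA0) {                         // [0] fullName ::= GeneralNames (implicit)
                        for (int q = name.start; q < name.end; ) {
                            Tlv gn = readTlv(extensionValue, q);
                            if (gn.tag == 0x86) {                   // [6] uniformResourceIdentifier, IA5String
                                String uri = new String(extensionValue, gn.start, gn.end - gn.start,
                                                        StandardCharsets.US_ASCII);
                                findings.add(check(uri));
                            }
                            q = gn.end;
                        }
                    }
                }
                p = field.end;
            }
            pos = dp.end;
        }
        return findings;
    }

    /** Validates with java.net.URI; a client that fetches the CRL over the network needs a scheme and a host. */
    static Finding check(String uri) {
        try {
            URI u = new URI(uri);
            if (!u.isAbsolute()) return new Finding(uri, "no scheme");
            if (u.getHost() == null) return new Finding(uri, "no usable host portion");
            return new Finding(uri, null);
        } catch (URISyntaxException e) {
            return new Finding(uri, e.getReason() + " at index " + e.getIndex());
        }
    }

    /** Builds a CRLDP extension value holding the given URIs. Constructed sample data, not a real CA's. */
    static byte[] sampleExtension(String... uris) {
        ByteArrayOutputStream dps = new ByteArrayOutputStream();
        for (String uri : uris) {
            byte[] dp = der(0x30, der(0xA0, der(0xA0, der(0x86, uri.getBytes(StandardCharsets.US_ASCII)))));
            dps.write(dp, 0, dp.length);
        }
        return der(0x04, der(0x30, dps.toByteArray()));
    }

    public static void main(String[] args) {
        byte[] ext = sampleExtension(
            "file://\\\\lea\\CertEnroll\\Lea%20CA.crl",   // the Microsoft-specific form from the report
            "http://lea/CertEnroll/Lea%20CA.crl");         // an equivalent form that is a valid URI
        for (Finding f : audit(ext)) System.out.println(f);
    }
}
```

Run it with `java CrlDpAudit`. java.net.URI rejects the backslashes in the authority of the first sample, so it is listed as malformed with the parser's reason and offset, while the second is accepted; neither outcome throws out of audit(), which is the point the evaluation makes about non-critical extensions. To audit a real certificate, load it with CertificateFactory as in the reporter's CertTest and pass `x509.getExtensionValue("2.5.29.31")` to audit(), skipping the call when that method returns null. The DER walker deliberately handles only the tag/length shapes this extension uses and rejects indefinite or overrunning lengths rather than trusting them.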

CONVERTED DATA
BugTraq+ Release Management Values
COMMIT TO FIX: 1.4.2_02, tiger
FIXED IN: 1.4.2_02, tiger
INTEGRATED IN: 1.4.2_02, tiger, tiger-b10
VERIFIED IN: 1.4.2_02
08-07-2004