JDK-7024771 : "\\<>" in attribute value part of X500Principal constructor parameter makes strange effect
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 6
  • Priority: P4
  • Status: Closed
  • Resolution: Fixed
  • OS: linux
  • CPU: x86
  • Submitted: 2011-03-04
  • Updated: 2020-02-26
  • Resolved: 2012-09-12
JDK 8          Other
8 b04 Fixed    openjdk7u Fixed
Related Reports
Duplicate :  
Description
According to the BNF in RFC and RFC 2253 and the X500Principal constructor javadoc, an IAE must be thrown in the following call:

new X500Principal("CN=prefix\\<>suffix")

It is not thrown and, surprisingly, the following getName() call on the created instance returns "CN=prefix\\<". So all characters after "\\<>" are dropped.

Comments
EVALUATION
Changeset: d1c04dac850d
Author: mullan
Date: 2011-08-29 12:22 -0400
URL: http://hg.openjdk.java.net/jdk8/tl/jdk/rev/d1c04dac850d
29-08-2011

SUGGESTED FIX
http://cr.openjdk.java.net/~mullan/webrevs/7024771/webrev.00/

A couple of notes on the webrev:
- I have removed support for DNs which use <> as delimiters, ex "<CN=foo>". This is an obscure syntax that I have never seen used in practice, and our parser wouldn't accept this anyway - we had only partially implemented support for it - which was related to the cause of this bug.
- I have also removed some dead code for strict RFC 1779 parsing. It wasn't being used by any other code.
29-08-2011

EVALUATION
What is happening is that the code is treating '>' as an end-of-marker for DNs, and then ignoring any characters after it. This is an obscure syntax that is vaguely alluded to in section 2.2 of RFC 1779 which permits DNs to be surrounded in <> : "In running text, this would be written as <CN=Christian Huitema;O=INRIA; C=FR>."

However, I have never seen this type of format in a DN used in practice. Furthermore, we don't properly support it - new X500Principal("<CN=prefix>") will throw an exception:

Exception in thread "main" java.lang.IllegalArgumentException: improperly specified input name: <CN=prefix>
    at java.lang.Throwable.fillInStackTrace(Throwable.java:782)
    at java.lang.Throwable.<init>(Throwable.java:265)
    at java.lang.Exception.<init>(Exception.java:66)
    at java.lang.RuntimeException.<init>(RuntimeException.java:62)
    at java.lang.IllegalArgumentException.<init>(IllegalArgumentException.java:53)
    at javax.security.auth.x500.X500Principal.<init>(X500Principal.java:169)
    at javax.security.auth.x500.X500Principal.<init>(X500Principal.java:121)
    at Test7024771.main(Test7024771.java:7)
Caused by: java.io.IOException: Invalid keyword "<CN"
    at java.lang.Throwable.fillInStackTrace(Throwable.java:782)
    at java.lang.Throwable.<init>(Throwable.java:265)
    at java.lang.Exception.<init>(Exception.java:66)
    at java.io.IOException.<init>(IOException.java:58)
    at sun.security.x509.AVAKeyword.getOID(AVA.java:1275)
    at sun.security.x509.AVA.<init>(AVA.java:192)
    at sun.security.x509.AVA.<init>(AVA.java:145)
    at sun.security.x509.RDN.<init>(RDN.java:145)
    at sun.security.x509.X500Name.parseDN(X500Name.java:933)
    at sun.security.x509.X500Name.<init>(X500Name.java:163)
    at javax.security.auth.x500.X500Principal.<init>(X500Principal.java:167)
    ... 2 more

Therefore, my evaluation is that we should not support these types of DNs and we should change the code to not treat '>' as a delimiter.
19-08-2011
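
A probe for the behaviour described in this report, added here as an example; it is not taken from the JDK changeset or its regression test. The class name DnTruncationProbe, the Outcome enum and the control DN are assumptions; the other two inputs are the strings quoted on this page. It reports what the running JDK does rather than assuming a particular result.

```java
import javax.security.auth.x500.X500Principal;

// Added example (hypothetical class name): checks whether the running JDK
// rejects, preserves, or silently truncates the DN strings from this report.
public class DnTruncationProbe {

    enum Outcome { REJECTED, ACCEPTED_INTACT, ACCEPTED_TRUNCATED }

    // 'tail' is text from the end of the input that must still appear in
    // getName() if the parser did not drop anything after a '>' character.
    static Outcome probe(String dn, String tail) {
        X500Principal p;
        try {
            p = new X500Principal(dn);
        } catch (IllegalArgumentException e) {
            return Outcome.REJECTED;           // parser refused the input
        }
        return p.getName().contains(tail)
                ? Outcome.ACCEPTED_INTACT
                : Outcome.ACCEPTED_TRUNCATED;  // name accepted but shortened
    }

    public static void main(String[] args) {
        // { input DN, text that must survive parsing }
        String[][] cases = {
            { "CN=prefix\\<>suffix", "suffix" }, // string from the description
            { "<CN=prefix>",         "prefix" }, // <>-delimited form from the evaluation
            { "CN=prefix,O=suffix",  "suffix" }, // constructed control: ordinary DN
        };
        boolean truncated = false;
        for (String[] c : cases) {
            Outcome o = probe(c[0], c[1]);
            System.out.printf("%-22s -> %s%n", c[0], o);
            truncated |= (o == Outcome.ACCEPTED_TRUNCATED);
        }
        // Silent truncation means the principal no longer matches the name
        // the caller supplied, so treat it as a failure of the check.
        if (truncated) {
            System.exit(1);
        }
    }
}
```

The process exits with status 1 only when a DN was accepted and came back shortened, which makes the probe usable as a gate in a build or runtime-qualification script.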