JDK-8032573 : CertificateFactory.getInstance("X.509").generateCertificates(InputStream) does not throw CertificateException for invalid input
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 7u45,8,9
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • OS: windows_7
  • Submitted: 2014-01-02
  • Updated: 2017-05-17
  • Resolved: 2014-10-16
Fixed in:
  • JDK 7: 7u80 (Fixed)
  • JDK 8: 8u40 (Fixed)
  • JDK 9: 9 b36 (Fixed)
Description
FULL PRODUCT VERSION :
JDK1.7.0_45

ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows [Version 6.1.7601]

A DESCRIPTION OF THE PROBLEM :
In JDK1.7.0_45, CertificateFactory.getInstance("X.509").generateCertificates(in) does not throw CertificateException for invalid input. But in jdk1.6.0_45, it can throw CertificateException for invalid input.
See the following JUnit test code:
import java.io.ByteArrayInputStream;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Collection;

public class GenerateCertificatesTest {
    @org.junit.Test
    public void testGenerateCertificates() throws Exception {
        // Arbitrary bytes that are not a certificate in any encoding
        byte[] invalidCertBytes = "this is not valid x509 certificate byte array"
                .getBytes();
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        /*
         * The following is supposed to throw CertificateException. For jdk1.6.0_45_32bit,
         * the following code does throw CertificateException. But for
         * jdk1.7.0_45_64bit, it just returns an empty collection.
         */
        Collection<? extends Certificate> certs = cf
                .generateCertificates(new ByteArrayInputStream(invalidCertBytes));
        System.out.println(certs.isEmpty());
    }
}

REGRESSION.  Last worked in version 6u45

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Run the JUnit test code against JDK1.7.0_45.

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Throws CertificateException
ACTUAL -
Returns an empty collection.

REPRODUCIBILITY :
This bug can be reproduced always.
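A caller-side check for this behaviour, added here as an example and not part of the bug report or the JDK code: on affected builds generateCertificates() returns an empty collection for garbage input instead of throwing, so a loader that fails closed on an empty result does not silently accept such input. The class StrictCertLoader and its loadCertificates method are names chosen for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.Collection;

public class StrictCertLoader {

    // Wraps generateCertificates() so that an empty result is reported as an
    // error. On JDK builds affected by JDK-8032573 the factory returns an empty
    // collection for input that is not a certificate, instead of throwing.
    public static Collection<? extends Certificate> loadCertificates(InputStream in)
            throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends Certificate> certs = cf.generateCertificates(in);
        if (certs.isEmpty()) {
            // Fail closed: no certificate was parsed, so treat the input as invalid
            // rather than handing back a collection the caller may use as a trust set.
            throw new CertificateException("no X.509 certificates found in input");
        }
        return certs;
    }

    public static void main(String[] args) {
        // Constructed sample input: not a certificate in any encoding.
        byte[] garbage = "this is not a valid X.509 certificate"
                .getBytes(StandardCharsets.US_ASCII);
        try {
            loadCertificates(new ByteArrayInputStream(garbage));
            System.out.println("unexpected: invalid input was accepted");
        } catch (CertificateException e) {
            // Reached on both fixed builds (factory throws) and affected builds
            // (empty collection is rejected by the wrapper).
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```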
Comments
I believe it was a combination of fixes for JDK-6535697 and JDK-6813340 that created this issue.
23-01-2015

Which fix caused this regression?
23-01-2015

SQE OK to take regression bug fix to PSU15_02
21-01-2015

7u80-critical-request justification: PSU15_02-critical-request justification:
  • Fix for Release: 7u80
  • Justification: This backport had been prepared and reviewed in Dec 2014, but wasn't integrated for some reason.
  • Risk Analysis: Low (the fix consists mostly of making the input stream handling more accurate, no significant changes).
  • Webrev: http://cr.openjdk.java.net/~mbankal/8032573/webrev.00/
  • Testing (done/to-be-done): the fix includes regression tests.
  • Back ports (done/to-be-done): has already been backported into 8u40, 8u45, 7u85
  • FX Impact: none
21-01-2015

The affected test case could pass in the nightly result: DetectInvalidEncoding.java http://aurora.ru.oracle.com/functional/faces/RunDetails.xhtml?names=669066.CORELIBS-JDK-NIGHTLY-JTREG-14 , verified it.
26-12-2014

The differing behavior across Java versions happens with other methods as well, CertificateFactory.generateCRLs() is one example, probably because these CF methods use sun.security.provider.X509Factory.readOneBlock() to obtain data from the InputStream.
03-09-2014

Running with 8u20 and JDK9, behaviour is similar to 7u55.
16-05-2014

Running the testcase above with 7u55 prints true, i.e. returns an empty collection. With 6u71 there is no exception thrown though.
14-05-2014