From 1d4ab1410b25e5e34ecc1fd7c94c8b6844373ba6 Mon Sep 17 00:00:00 2001
From: Elliot Barlas
Date: Wed, 26 Nov 2025 07:43:15 -0800
Subject: [PATCH 1/2] Add validation to DerParser for sequence length that exceeds maximum signed int

---
 .../org/elasticsearch/common/ssl/DerParser.java | 7 ++++++-
 .../security/authc/pki/RdnFieldExtractorTests.java | 13 +++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/DerParser.java b/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/DerParser.java
index ad540ba336675..0162b92654e11 100644
--- a/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/DerParser.java
+++ b/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/DerParser.java
@@ -138,7 +138,12 @@ private int getLength() throws IOException {
         int n = derInputStream.read(bytes);
         if (n < num) throw new IOException("Invalid DER: length too short");
 
-        return new BigInteger(1, bytes).intValue();
+        int len = new BigInteger(1, bytes).intValue();
+        if (len < 0) {
+            throw new IOException("Invalid DER: length larger than max-int");
+        }
+
+        return len;
     }
 
     /**
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/RdnFieldExtractorTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/RdnFieldExtractorTests.java
index b563f6057421d..26cac4050b48c 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/RdnFieldExtractorTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/RdnFieldExtractorTests.java
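Review bot: The new `len < 0` check on the `int len = new BigInteger(1, bytes).intValue();` line only detects overflow because `intValue()` discards the high-order bits, which is sufficient only while the number of length bytes is capped at four by a guard earlier in `getLength` (presumably the `num` check, not visible in this hunk); if that cap were ever relaxed, a five-byte length whose low 32 bits happen to be positive would pass. Testing the width of the decoded value directly keeps the rejection independent of that guard and lets the message carry the offending value: `BigInteger length = new BigInteger(1, bytes);` / `if (length.bitLength() > 31) throw new IOException("Invalid DER: length " + length + " exceeds Integer.MAX_VALUE");` / `return length.intValue();`. This also only rules out negative results, so a length just under 2^31 is still returned as valid; if the caller sizes a buffer from the returned value (not visible here), a short malformed input could still cause a very large allocation before the stream runs out, and bounding the length by the bytes actually available would close that as well. The enclosing `getLength` method begins before the hunk.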
@@ -88,6 +88,19 @@ public void testExtractWithMalformedDerData() {
         assertThat(result, is(nullValue()));
     }
 
+    public void testSeqLengthOutOfSignedIntRange() {
+        byte[] malformedBytes = {
+            (byte) 48, // SEQUENCE
+            (byte) 0x84, // Length byte indicating (1) long form with (2) 4 data bytes
+            (byte) 0xFF,
+            (byte) 0xFF,
+            (byte) 0xFF,
+            (byte) 0xFF};
+
+        String result = RdnFieldExtractor.extract(malformedBytes, OID_CN);
+        assertThat(result, is(nullValue()));
+    }
+
     public void testExtractWithSpecialCharacters() {
         assertExtractions("CN=Test\\, User, OU=R\\+D, O=Elastic\\\\Co", Map.of(OID_CN, "Test, User", OID_OU, "R+D", OID_O, "Elastic\\Co"));
     }

From 735d297f80359cb73836c11d012040693aec9d62 Mon Sep 17 00:00:00 2001
From: elasticsearchmachine
Date: Wed, 26 Nov 2025 16:32:11 +0000
Subject: [PATCH 2/2] [CI] Auto commit changes from spotless

---
 .../xpack/security/authc/pki/RdnFieldExtractorTests.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/RdnFieldExtractorTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/RdnFieldExtractorTests.java
index 26cac4050b48c..c0e3ba2d4b899 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/RdnFieldExtractorTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/RdnFieldExtractorTests.java
@@ -95,7 +95,7 @@ public void testSeqLengthOutOfSignedIntRange() {
             (byte) 0xFF,
             (byte) 0xFF,
             (byte) 0xFF,
-            (byte) 0xFF};
+            (byte) 0xFF };
 
         String result = RdnFieldExtractor.extract(malformedBytes, OID_CN);
         assertThat(result, is(nullValue()));
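Review bot: The new `testSeqLengthOutOfSignedIntRange` only checks that `RdnFieldExtractor.extract` collapses the failure to `null`, so it cannot tell the new length validation apart from any other parse error on the same bytes; a test in the `libs/ssl-config` module that drives `DerParser` directly and asserts on the thrown `IOException` (the first patch's message is `"Invalid DER: length larger than max-int"`) would pin the change itself. The four `0xFF` bytes exercise only the top of the range; adding the boundary case `(byte) 0x84, (byte) 0x80, (byte) 0x00, (byte) 0x00, (byte) 0x00` (exactly 2^31, the smallest value the check must reject) in the same shape would catch an off-by-one in the comparison. Minor: `(byte) 48, // SEQUENCE` reads more naturally as `(byte) 0x30, // SEQUENCE`, matching the hex notation used for the remaining bytes.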