Skip to content

Commit

Permalink
8267617: Certificate's IP x509 NameConstraints raises ArrayIndexOutOf…
Browse files Browse the repository at this point in the history
…BoundsException

Reviewed-by: mullan
  • Loading branch information
djelinski committed Dec 6, 2022
1 parent 923c746 commit 2a243a3
Show file tree
Hide file tree
Showing 2 changed files with 86 additions and 5 deletions.
13 changes: 8 additions & 5 deletions src/java.base/share/classes/sun/security/x509/IPAddressName.java
Original file line number Diff line number Diff line change
Expand Up @@ -401,11 +401,12 @@ else if (inputName.equals(this))
else {
IPAddressName otherName = (IPAddressName)inputName;
byte[] otherAddress = otherName.address;
if (otherAddress.length == 4 && address.length == 4)
if ((otherAddress.length == 4 && address.length == 4) ||
(otherAddress.length == 16 && address.length == 16)) {
// Two host addresses
constraintType = NAME_SAME_TYPE;
else if ((otherAddress.length == 8 && address.length == 8) ||
(otherAddress.length == 32 && address.length == 32)) {
} else if ((otherAddress.length == 8 && address.length == 8) ||
(otherAddress.length == 32 && address.length == 32)) {
// Two subnet addresses
// See if one address fully encloses the other address
boolean otherSubsetOfThis = true;
Expand Down Expand Up @@ -440,7 +441,8 @@ else if (thisSubsetOfOther)
constraintType = NAME_WIDENS;
else
constraintType = NAME_SAME_TYPE;
} else if (otherAddress.length == 8 || otherAddress.length == 32) {
} else if ((otherAddress.length == 8 && address.length == 4) ||
(otherAddress.length == 32 && address.length == 16)) {
//Other is a subnet, this is a host address
int i = 0;
int maskOffset = otherAddress.length/2;
Expand All @@ -454,7 +456,8 @@ else if (thisSubsetOfOther)
constraintType = NAME_WIDENS;
else
constraintType = NAME_SAME_TYPE;
} else if (address.length == 8 || address.length == 32) {
} else if ((otherAddress.length == 4 && address.length == 8) ||
(otherAddress.length == 16 && address.length == 32)) {
//This is a subnet, other is a host address
int i = 0;
int maskOffset = address.length/2;
Expand Down
78 changes: 78 additions & 0 deletions test/jdk/sun/security/x509/IPAddressName/ConstrainsTest.java
Original file line number Diff line number Diff line change
@@ -0,0 +1,78 @@
/*
* Copyright (c) 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/

import org.testng.annotations.DataProvider;
import org.testng.annotations.Test;
import sun.security.x509.GeneralNameInterface;
import sun.security.x509.IPAddressName;

import java.io.IOException;

import static org.testng.Assert.assertEquals;

/*
* @test
* @summary Verify IPAddressName.constrains
* @bug 8267617
* @modules java.base/sun.security.x509
* @run testng ConstrainsTest
*/
public class ConstrainsTest {

IPAddressName ipv4Addr = new IPAddressName("127.0.0.1");
IPAddressName ipv4Mask = new IPAddressName("127.0.0.0/255.0.0.0");
IPAddressName ipv6Addr = new IPAddressName("::1");
IPAddressName ipv6Mask = new IPAddressName("::/0");

public ConstrainsTest() throws IOException {
}

@DataProvider(name = "names")
public Object[][] names() {
Object[][] data = {
{ipv4Addr, ipv4Addr, GeneralNameInterface.NAME_MATCH},
{ipv4Addr, ipv4Mask, GeneralNameInterface.NAME_WIDENS},
{ipv4Addr, ipv6Addr, GeneralNameInterface.NAME_SAME_TYPE},
{ipv4Addr, ipv6Mask, GeneralNameInterface.NAME_SAME_TYPE},
{ipv4Mask, ipv4Addr, GeneralNameInterface.NAME_NARROWS},
{ipv4Mask, ipv4Mask, GeneralNameInterface.NAME_MATCH},
{ipv4Mask, ipv6Addr, GeneralNameInterface.NAME_SAME_TYPE},
{ipv4Mask, ipv6Mask, GeneralNameInterface.NAME_SAME_TYPE},
{ipv6Addr, ipv4Addr, GeneralNameInterface.NAME_SAME_TYPE},
{ipv6Addr, ipv4Mask, GeneralNameInterface.NAME_SAME_TYPE},
{ipv6Addr, ipv6Addr, GeneralNameInterface.NAME_MATCH},
{ipv6Addr, ipv6Mask, GeneralNameInterface.NAME_WIDENS},
{ipv6Mask, ipv4Addr, GeneralNameInterface.NAME_SAME_TYPE},
{ipv6Mask, ipv4Mask, GeneralNameInterface.NAME_SAME_TYPE},
{ipv6Mask, ipv6Addr, GeneralNameInterface.NAME_NARROWS},
{ipv6Mask, ipv6Mask, GeneralNameInterface.NAME_MATCH},
};
return data;
}

@Test(dataProvider = "names")
public void testNameContains(IPAddressName addr1, IPAddressName addr2, int result) throws IOException {
assertEquals(addr1.constrains(addr2), result);
}

}

1 comment on commit 2a243a3

@openjdk-notifier
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please sign in to comment.