8264864: Multiple byte tag not supported by ASN.1 encoding

wangweij · wangweij · commit 3d2b4cc56777 · 2021-04-08T21:26:05.000Z
Reviewed-by: xuelei
diff --git a/src/java.base/share/classes/sun/security/util/DerValue.java b/src/java.base/share/classes/sun/security/util/DerValue.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -221,6 +221,9 @@ public boolean isConstructed(byte constructedTag) {
      * Creates a new DerValue by specifying all its fields.
      */
     DerValue(byte tag, byte[] buffer, int start, int end, boolean allowBER) {
+        if ((tag & 0x1f) == 0x1f) {
+            throw new IllegalArgumentException("Tag number over 30 is not supported");
+        }
         this.tag = tag;
         this.buffer = buffer;
         this.start = start;
@@ -315,6 +318,9 @@ public DerValue(byte[] encoding) throws IOException {
         }
         int pos = offset;
         tag = buf[pos++];
+        if ((tag & 0x1f) == 0x1f) {
+            throw new IOException("Tag number over 30 at " + offset + " is not supported");
+        }
         int lenByte = buf[pos++];
 
         int length;
@@ -388,6 +394,9 @@ public DerValue(byte[] encoding) throws IOException {
     // arg to control whether DER checks are enforced.
     DerValue(InputStream in, boolean allowBER) throws IOException {
         this.tag = (byte)in.read();
+        if ((tag & 0x1f) == 0x1f) {
+            throw new IOException("Tag number over 30 is not supported");
+        }
         int length = DerInputStream.getLength(in);
         if (length == -1) { // indefinite length encoding found
             if (!allowBER) {
@@ -1140,6 +1149,9 @@ public static boolean isPrintableStringChar(char ch) {
      * @param val the tag value
      */
     public static byte createTag(byte tagClass, boolean form, byte val) {
+        if (val < 0 || val > 30) {
+            throw new IllegalArgumentException("Tag number over 30 is not supported");
+        }
         byte tag = (byte)(tagClass | val);
         if (form) {
             tag |= (byte)0x20;
diff --git a/test/jdk/sun/security/util/DerValue/WideTag.java b/test/jdk/sun/security/util/DerValue/WideTag.java
@@ -0,0 +1,70 @@
+/*
+ * Copyright (c) 2021, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8264864
+ * @summary Multiple byte tag not supported by ASN.1 encoding
+ * @modules java.base/sun.security.util
+ * @library /test/lib
+ */
+
+import jdk.test.lib.Utils;
+import sun.security.util.DerInputStream;
+import sun.security.util.DerValue;
+
+import java.io.IOException;
+
+public class WideTag {
+
+    public static void main(String[] args) throws Exception {
+
+        // Small ones
+        DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte)30);
+        DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte)0);
+
+        // Big ones
+        Utils.runAndCheckException(
+                () -> DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte)31),
+                IllegalArgumentException.class);
+        Utils.runAndCheckException(
+                () -> DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte)222),
+                IllegalArgumentException.class);
+
+        // We don't accept number 31
+        Utils.runAndCheckException(() -> new DerValue((byte)0xbf, new byte[10]),
+                IllegalArgumentException.class);
+
+        // CONTEXT [98] size 97. Not supported. Should fail.
+        // Before this fix, it was interpreted as CONTEXT [31] size 98.
+        byte[] wideDER = new byte[100];
+        wideDER[0] = (byte)0xBF;
+        wideDER[1] = (byte)98;
+        wideDER[2] = (byte)97;
+
+        Utils.runAndCheckException(() -> new DerValue(wideDER),
+                IOException.class);
+        Utils.runAndCheckException(() -> new DerInputStream(wideDER).getDerValue(),
+                IOException.class);
+    }
+}
