8336665: CCE in X509CRLImpl$TBSCertList.getCertIssuer

Mark Powers · Mark Powers · commit ca1700b8bf3b · 2024-10-24T23:09:45.000Z
Reviewed-by: mullan
diff --git a/src/java.base/share/classes/sun/security/x509/X509CRLImpl.java b/src/java.base/share/classes/sun/security/x509/X509CRLImpl.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2023, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2024, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -280,14 +280,20 @@ public X500Principal getIssuerX500Principal() {
          *   prevCertIssuer if it does not exist
          */
         private X500Principal getCertIssuer(X509CRLEntryImpl entry,
-                                            X500Principal prevCertIssuer) {
+                X500Principal prevCertIssuer) throws CRLException {
 
             CertificateIssuerExtension ciExt =
                     entry.getCertificateIssuerExtension();
             if (ciExt != null) {
                 GeneralNames names = ciExt.getNames();
-                X500Name issuerDN = (X500Name) names.get(0).getName();
-                return issuerDN.asX500Principal();
+                Iterator<GeneralName> itr = names.iterator();
+                while (itr.hasNext()) {
+                    if (itr.next().getName() instanceof X500Name issuerDN) {
+                        return issuerDN.asX500Principal();
+                    }
+                }
+                throw new CRLException("Parsing error: CertificateIssuer "
+                         + "field does not contain an X.500 DN");
             } else {
                 return prevCertIssuer;
             }
diff --git a/test/jdk/sun/security/x509/X509CRLImpl/UnexpectedCCE.java b/test/jdk/sun/security/x509/X509CRLImpl/UnexpectedCCE.java
@@ -0,0 +1,83 @@
+/*
+ * Copyright (c) 2024, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8336665
+ * @summary Verify that generateCRLs method does not throw ClassCastException.
+ *          It should throw CRLException instead.
+ * @library /test/lib
+ */
+import java.security.NoSuchProviderException;
+import java.security.cert.*;
+import java.io.ByteArrayInputStream;
+import java.util.Base64;
+
+import jdk.test.lib.Utils;
+
+public class UnexpectedCCE {
+    static CertificateFactory cf = null;
+
+    public static void main(String[] av ) throws CertificateException,
+           NoSuchProviderException {
+
+        // Fuzzed data input stream looks like an x509.OIDName
+        // in the CertificateIssuerExtension. A CRLException is thrown
+        // because an X500Name is expected.
+        byte[] encoded_1 = Base64.getDecoder().decode("""
+            MIIBljCCAVMCAQEwCwYHKoZIzjgEAwUAMC0xEzARBgoJkiaJk/IsZAEZEwNjb20xFjA\
+            UBgoJkiaJjvIsZAEZEwZ0ZXN0Q0EXDTAzMDcxNTE2MjAwNVoXDTAzMDcyMDE2MjAwNV\
+            owgdIwUwIBBBcNMDMwNzE1MTYyMDAzWjA/MD0GA1UdHQEB/wQzMDGILzETMBEGCgmSJ\
+            omT8ixkARkMA2NvbTEYMBYGCgmSJomT8ixkARkTCGNlcnRzUlVTMBICAQMXDTAzMDcx\
+            NTE2MjAwNFowUwIBAhcNMDMwNzE1MTYyMDA0WjA/MD0GA1UdIQEB/wQzMDEwGAYDVQQ\
+            DExEwDyqGMDEUMgAwgDAuRQA1MRYGCgmSJomT8ixkARkTCG15VGVzdENBMBICAQEXDT\
+            AzMDcxNTE2MjAwNFqgHzAdMA8GA1UdHAEB/wQFMAOEAf8wCgYDVR0UAwACAQIwCwYHK\
+            oZIzjgEAwUAAzAAMC0CFBaZDryEEOr8Cw7sOAAAAKaDgtHcAhUAkUenJpwYZgS6IPjy\
+            AjZG+RfHdO4=""");
+
+        // Fuzzed data input stream looks like an x509.X400Address
+        // in the CertificateIssuerExtension. A CRLException is thrown
+        // because an X500Name is expected.
+        byte[] encoded_2 = Base64.getDecoder().decode("""
+            MIIBljCCAVMCAQEwCwYHKoZIzjgEAwUAMC0xEzARBgoJkiaJk/IsZAEZEwNjb20xFjA\
+            UBgoJkiaJk/IsZAEZEwZ0ZXN0J0EXDTAzMDcxNTE2MjAwNVoXDTAzMDcyMDE2MjAwNV\
+            owgdIwUwIBBBcNMDMwNzE1MTYyMDA0WjA/MD0GA1UdHQEB/wQzMDGkLzETMBEGCgmSJ\
+            omT8ixkARkTA2NvbTEYMBYGCgmSJomT8ixkARkTCGNlcnRzUlVTMBICAQMXDTAzMDcx\
+            NTE2MjAwNFowUwIBAhcNMDMwNzE1MTYyMDA0WjA/MD0GA1UdHQEB/wQzMDGjLzETMBE\
+            GCgmSJomT8ixkARkTA2NvGG0wMRYGCgmSJomT8ixkARkTCG15VGVzdENBMBICAQEXDT\
+            AzMDcxNTE2MjAwNVqgHzAdMGAGA1UdHAEB/wQFMAOEAf8wCgYDVR0UBAMCAQIwCwYHK\
+            oZIzjgEAwUAAzAAMC0CFBaZDryEEOr8Cw7sJa07gqaDgtHcAhUAkUenJpwYZgS6IPjy\
+            AjZG+RfHdO4=""");
+
+        cf = CertificateFactory.getInstance("X.509", "SUN");
+
+        run(encoded_1);
+        run(encoded_2);
+    }
+
+    private static void run(byte[] buf) {
+        Utils.runAndCheckException(
+                () -> cf.generateCRLs(new ByteArrayInputStream(buf)),
+                CRLException.class);
+    }
+}
