
8296742: Illegal X509 Extension should not be created #11137

Closed
wants to merge 10 commits into from

Conversation

@wangweij wangweij commented Nov 14, 2022

Inside JDK we support a lot of X.509 certificate extensions. Almost every extension has a rule about what is legal or not. For example, the names in SubjectAlternativeNameExtension cannot be missing or empty. Usually, a rule is enforced in the encode() method, where the extension value is assigned null for an illegal extension and the method throws an IOException. However, before the encode() method is called, the illegal extension can always be created successfully, whether from a constructor using extension components (for example, new SubjectAlternativeNameExtension(names)) or using the encoded value (for example, new SubjectAlternativeNameExtension(derEncoding)).

This code change tries to prevent illegal extensions from being created right from the beginning, but the solution is not complete. Precisely, for constructors using extension components, new checks are added to ensure the correct components are provided and the extension can be encoded correctly. Fortunately, most of these conditions are already met inside JDK calls to them. The only exception is inside the keytool -gencrl command, where the reason code of a revoked certificate could be zero. This has been fixed in this code change. There are some constructors having no arguments at all. These are useless and have also been removed.

On the other hand, constructors using the encoded value are complicated. Some of them check for legal values, some do not. However, since the encoding is read from the argument and already stored inside the object, there is no need to calculate the encoding in the encode() method, and this method always succeeds.

In short, while we cannot ensure the extensions created are perfectly legal, we ensure their encode() methods are always able to find a non-null extension value to write out.

More detailed comments are in the code change.
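The following is an added illustration of the pattern the description above argues for, not code from the JDK or from this PR: an extension class that validates its components in the constructor and fixes its DER encoding there, so that encode() can never find a null value to write, while the constructor that takes an encoding keeps the bytes as given instead of re-encoding. `FailFastExtension`, `DnsNamesExtension`, `encodeNames`, `decodeNames`, `writeTlv` and `readLength` are hypothetical names chosen for this example; the class models only the dNSName choice of GeneralName, and the sample inputs in main are constructed.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/** Added illustration (not JDK code) of validating extension components at construction time. */
public final class FailFastExtension {

    /** Hypothetical stand-in for a GeneralNames-backed extension carrying only dNSName entries. */
    static final class DnsNamesExtension {
        private final List<String> names;     // immutable copy of the components
        private final byte[] extensionValue;  // DER value, never null once constructed

        /** Component constructor: reject null/empty input here, not later in encode(). */
        DnsNamesExtension(List<String> names) {
            if (names == null || names.isEmpty()) {
                throw new IllegalArgumentException("names cannot be null or empty");
            }
            for (String n : names) {
                if (n == null || n.isEmpty()) {
                    throw new IllegalArgumentException("a dNSName cannot be null or empty");
                }
            }
            this.names = List.copyOf(names);
            this.extensionValue = encodeNames(this.names);   // computed exactly once
        }

        /** Encoding constructor: parse for validity, then keep the bytes as given (no re-encoding). */
        DnsNamesExtension(byte[] derValue) throws IOException {
            this.names = decodeNames(derValue);              // IOException on malformed input
            this.extensionValue = derValue.clone();
        }

        /** Cannot fail: whichever constructor ran has already fixed the value. */
        byte[] encode() {
            return extensionValue.clone();
        }

        List<String> names() {
            return names;
        }
    }

    /** DER: SEQUENCE OF [2] IMPLICIT IA5String, i.e. the dNSName choice of GeneralName. */
    static byte[] encodeNames(List<String> names) {
        ByteArrayOutputStream body = new ByteArrayOutputStream();
        for (String n : names) {
            writeTlv(body, 0x82, n.getBytes(StandardCharsets.US_ASCII));
        }
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        writeTlv(out, 0x30, body.toByteArray());
        return out.toByteArray();
    }

    /** Parse the structure produced by encodeNames; rejects an empty SEQUENCE (stricter than the JDK parser). */
    static List<String> decodeNames(byte[] der) throws IOException {
        if (der == null || der.length == 0 || der[0] != 0x30) {
            throw new IOException("expected SEQUENCE");
        }
        int[] pos = {1};
        int seqLen = readLength(der, pos);
        int end = pos[0] + seqLen;
        if (end != der.length) {
            throw new IOException("SEQUENCE length does not match input");
        }
        List<String> out = new ArrayList<>();
        while (pos[0] < end) {
            if ((der[pos[0]++] & 0xFF) != 0x82) {
                throw new IOException("expected [2] dNSName");
            }
            int len = readLength(der, pos);
            if (pos[0] + len > end) {
                throw new IOException("truncated dNSName");
            }
            out.add(new String(der, pos[0], len, StandardCharsets.US_ASCII));
            pos[0] += len;
        }
        if (out.isEmpty()) {
            throw new IOException("empty name list");
        }
        return List.copyOf(out);
    }

    /** Write tag, DER length (short or long form), content. */
    private static void writeTlv(ByteArrayOutputStream out, int tag, byte[] content) {
        out.write(tag);
        int len = content.length;
        if (len < 0x80) {
            out.write(len);
        } else {
            int n = (len > 0xFFFF) ? 3 : (len > 0xFF) ? 2 : 1;   // number of length octets
            out.write(0x80 | n);
            for (int i = n - 1; i >= 0; i--) {
                out.write((len >>> (8 * i)) & 0xFF);
            }
        }
        out.write(content, 0, content.length);
    }

    /** Read a DER length at pos[0], advancing pos[0]; long forms up to 3 octets are accepted. */
    private static int readLength(byte[] der, int[] pos) throws IOException {
        if (pos[0] >= der.length) {
            throw new IOException("truncated length");
        }
        int b = der[pos[0]++] & 0xFF;
        if (b < 0x80) {
            return b;
        }
        int n = b & 0x7F;
        if (n == 0 || n > 3 || pos[0] + n > der.length) {
            throw new IOException("bad length");
        }
        int len = 0;
        for (int i = 0; i < n; i++) {
            len = (len << 8) | (der[pos[0]++] & 0xFF);
        }
        return len;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: two dNSName entries round-trip through both constructors.
        DnsNamesExtension ext = new DnsNamesExtension(List.of("example.com", "www.example.com"));
        byte[] der = ext.encode();
        DnsNamesExtension parsed = new DnsNamesExtension(der);
        System.out.println(parsed.names() + " round-trips: " + Arrays.equals(der, parsed.encode()));
        try {
            new DnsNamesExtension(List.of());                // rejected here, not in encode()
        } catch (IllegalArgumentException e) {
            System.out.println("rejected at construction: " + e.getMessage());
        }
        try {
            new DnsNamesExtension(new byte[] {0x30, 0x00});  // constructed: an empty SEQUENCE
        } catch (IOException e) {
            System.out.println("rejected while parsing: " + e.getMessage());
        }
    }
}
```

The component constructor throws the unchecked IllegalArgumentException that the PR's new checks use, while the encoding constructor keeps the checked IOException of a parse failure; the empty-SEQUENCE rejection in decodeNames is a deliberate choice for this example and is stricter than the JDK parsing behaviour the author mentions later in the thread.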


Progress

  • Change must be properly reviewed (1 review required, with at least 1 Reviewer)
  • Change must not contain extraneous whitespace
  • Commit message must refer to an issue

Issue

  • JDK-8296742: Illegal X509 Extension should not be created

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk pull/11137/head:pull/11137
$ git checkout pull/11137

Update a local copy of the PR:
$ git checkout pull/11137
$ git pull https://git.openjdk.org/jdk pull/11137/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 11137

View PR using the GUI difftool:
$ git pr show -t 11137

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/11137.diff

bridgekeeper bot commented Nov 14, 2022

👋 Welcome back weijun! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

@openjdk openjdk bot added the rfr Pull request is ready for review label Nov 14, 2022
openjdk bot commented Nov 14, 2022

@wangweij The following label will be automatically applied to this pull request:

  • security

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command.

@openjdk openjdk bot added the security security-dev@openjdk.org label Nov 14, 2022
ext.setExtension("Reason", new CRLReasonCodeExtension(Integer.parseInt(id.substring(d+1))));
int code = Integer.parseInt(id.substring(d+1));
if (code == 0) {
throw new Exception("Reason code cannot be 0");
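Review bot: the new check throws a bare `Exception` with a hard-coded English message, whereas the other keytool validation in this patch (`throw new Exception(rb.getString("Illegal.value.") + extstr)`) goes through the resource bundle; consider a bundle key for "Reason code cannot be 0" so this message is localized like the rest of keytool. Rejecting 0 up front is the right call, since RFC 5280 section 5.3.1 says the reasonCode CRL entry extension should be absent rather than carry unspecified(0). Note that `Integer.parseInt(id.substring(d+1))` still throws `NumberFormatException` for non-numeric input, which is pre-existing behaviour and not covered by the new message.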
Contributor Author

This is the only behavior change made. Please note that even if reason code 0 was accepted before this change, the extension could not be encoded and the CRL would not be created. After this change, the above exception will be thrown in an earlier stage.

@@ -4631,6 +4635,9 @@ private CertificateExtensions createV3Extensions(
continue;
}
int exttype = oneOf(name, extSupported);
if (exttype != -1 && value != null && value.isEmpty()) {
throw new Exception(rb.getString("Illegal.value.") + extstr);
}
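Review bot: `value.isEmpty()` catches the `""` that `"".split(",")` produces, but not a value consisting only of spaces; if the intent is "no value was supplied", `value.isBlank()` is the closer test. Also, the `exttype != -1` guard means an empty value for an unrecognized extension name is not rejected here and falls through to whatever handles unknown names; if that path also requires a value, the same check belongs there.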
Contributor Author

Due to a special rule, "".split(",") returns a single-element array String[1] { "" }, and this "" will be rejected by keytool. The check above is added to be clearer.


if (updated) {
encodeThis();
}
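Review bot: the `if (updated) encodeThis();` guard is only correct if every branch that changes `permitted` or `excluded` also sets `updated`; a branch that mutates without setting it leaves `extensionValue` holding the stale pre-merge encoding, which would silently write out the old constraints. A regression test that asserts a merge touching only `excluded` changes the encoded bytes, and that a no-op merge leaves the original bytes untouched, would pin this down.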
Contributor Author

@wangweij wangweij Nov 14, 2022

This is the only extension where encodeThis() might be called (and thus set extensionValue to null) even if the extension is created from an encoding. The updated flag is added to make sure the re-encoding is only done when there is a real modification. In this case, at least one of permitted and excluded is not null and a non-null encoding can be calculated.

In fact, because of this merge method, this is also the only extension that cannot be easily rewritten into an immutable class. This can be considered in a future enhancement.

@wangweij
Contributor Author

Sigh. Found 2 wrong variables used. I'll add a regression test.


@seanjmullan seanjmullan left a comment


A couple of initial comments, will finish review later.

@mcpowers
Contributor

LGTM

Member

@seanjmullan seanjmullan left a comment


More comments.

*/
public CertificatePoliciesExtension(Boolean critical,
List<PolicyInformation> certPolicies) throws IOException {
if (certPolicies == null || certPolicies.isEmpty()) {
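Review bot: the constructor still declares `throws IOException` although the new `certPolicies == null || certPolicies.isEmpty()` check rejects bad input before any encoding happens; if the remaining body can no longer throw IOException, drop the clause, and document the rejection with `@throws IllegalArgumentException` (or whichever type the check throws; the throw statement is outside this hunk) so JDK callers that currently catch IOException around construction are not surprised by an unchecked exception.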
Member

You should probably also change PolicyInformation(CertificatePolicyId policyIdentifier, Set<PolicyQualifierInfo> policyQualifiers) to check for a null policyIdentifier and an empty policyQualifiers set.

Contributor Author

I'll check about null policyIdentifier. According to https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.4, policyQualifiers is OPTIONAL so it can be empty.

if (extensionValue == null)
throw new IOException("No value to encode for the extension!");
Objects.requireNonNull(extensionId,
"Null OID to encode for the extension!");
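Review bot: a null `extensionValue` now yields `IOException` while a null `extensionId` yields `NullPointerException` from `Objects.requireNonNull`; both are the same class of bug (an extension built without one of its required parts), so a caller that catches IOException around `encode()` handles the first case and misses the second. Either make both IOException or both unchecked, and state which in the Javadoc.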
Member

I would probably drop the exclamation points. And change "Null OID" to "No OID".

Contributor Author

OK.

throws IOException {
if (permitted == null && excluded == null) {
throw new IllegalArgumentException(
"permitted and exclude cannot both be null");
Member

s/exclude/excluded/

Member

Do you want to add similar checks to the GeneralSubtree and GeneralSubtrees ctors?

Contributor Author

@wangweij wangweij Nov 22, 2022

I'll add a check in GeneralSubtree to reject a null name. GeneralSubtrees is complicated. The intersect and reduce methods make it mutable, so I have to retain all the add and remove methods. Fortunately, its encode method still allows an empty tree. If we want to be RFC 5128-compliant and reject the empty tree, I suggest we fix it in a new bug.

Member

Ok.

@@ -75,25 +75,19 @@ private void encodeThis() throws IOException {
/**
* Create a PolicyMappings with the List of CertificatePolicyMap.
*
* @param maps the List of CertificatePolicyMap.
* @param maps the List of CertificatePolicyMap, cannot be null or empty.
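Review bot: the `@param maps` line now says the list cannot be null or empty, but the Javadoc should also say what happens when it is (for example `@throws IllegalArgumentException if maps is null or empty`), consistent with the other constructors in this change; otherwise callers have to read the body to learn that the failure is unchecked rather than the declared `IOException`.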
Member

Do you want to add similar null checks to the CertificatePolicyMap ctor?

Contributor Author

Yes.

* @exception IOException on error.
*/
public SubjectAlternativeNameExtension(Boolean critical, GeneralNames names)
throws IOException {
throws IOException {
Member

GeneralNames should probably also be modified so that it cannot contain an empty or null List.

Contributor Author

It still has add which is used in multiple places. I'll see if I can remove this method and make it immutable.

* @throws IOException on error
*/
public SubjectInfoAccessExtension(
List<AccessDescription> accessDescriptions) throws IOException {
if (accessDescriptions == null || accessDescriptions.isEmpty()) {
throw new IllegalArgumentException(
"AccessDescription cannot be null or empty");
Member

s/AccessDescription/accessDescriptions/

Contributor Author

OK.

@@ -73,7 +73,7 @@ private void encodeThis() throws IOException {
* @param octetString the octet string identifying the key identifier.
*/
public SubjectKeyIdentifierExtension(byte[] octetString)
throws IOException {
throws IOException {
Member

Do you want to change the KeyIdentifier ctor to check for null instead of letting it throw NPE?

Contributor Author

I'll let it throw NPE. As long as there's no way to create a KeyIdentifier with a null array inside, I'm not eager to change the exception type.

Member

Ok.

@seanjmullan
Member

A general comment is that since we are adding checks for illegal values to the *Extension classes, we should probably go one step further and do the same for all the classes in sun.security.x509 package. I'm ok if you want to handle this as a separate issue though.

@wangweij
Contributor Author

> A general comment is that since we are adding checks for illegal values to the *Extension classes, we should probably go one step further and do the same for all the classes in sun.security.x509 package. I'm ok if you want to handle this as a separate issue though.

I see. I'll work on making GeneralNames immutable within this issue. The NameConstraintsExtension and GeneralSubtrees case is complicated where mutability is still needed by the merge action.

@wangweij
Contributor Author

Oh, when parsing a SubjectAlternativeNameExtension or an IssuerAlternativeNameExtension, an empty GeneralNames is returned when the content is empty. I would like to study more about it in another bug.

@wangweij
Contributor Author

New commit pushed. Haven't touched GeneralSubtrees and GeneralNames.

@seanjmullan
Member

> Oh, when parsing a SubjectAlternativeNameExtension or an IssuerAlternativeNameExtension, an empty GeneralNames is returned when the content is empty. I would like to study more about it in another bug.

Ok.

Member

@seanjmullan seanjmullan left a comment


Other than the comments about the test bugids, LGTM, if these are the last changes you are making. So I'm approving.

@@ -25,22 +25,30 @@
* @test
* @summary Change default criticality of policy mappings and policy constraints
certificate extensions
* @bug 8059916
* @bug 8059916 8296742
Member

I don't think the bugid needs to be listed here. This has nothing to do with what is being tested, it is just a side-effect of the internal API behavior changing, and details can be seen in the commit log, if needed.

@@ -23,7 +23,7 @@

/*
* @test
* @bug 8049237 8242151
* @bug 8049237 8242151 8296742
Member

I also don't think the bugid needs to be listed here, for same reason.

throws IOException {
if (permitted == null && excluded == null) {
throw new IllegalArgumentException(
"permitted and exclude cannot both be null");
Member

Ok.

@@ -73,7 +73,7 @@ private void encodeThis() throws IOException {
* @param octetString the octet string identifying the key identifier.
*/
public SubjectKeyIdentifierExtension(byte[] octetString)
throws IOException {
throws IOException {
Member

Ok.


openjdk bot commented Nov 22, 2022

@wangweij This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8296742: Illegal X509 Extension should not be created

Reviewed-by: mullan

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 190 new commits pushed to the master branch:

  • a6c418e: 8297168: Provide a bulk OopHandle release mechanism with the ServiceThread
  • 4a544bb: 8297091: New langtools test jdk/javadoc/doclet/testValueTag/TestValueFormats.java fails on machines with unexpected number format
  • b6dddf4: 8239801: [macos] java/awt/Focus/UnaccessibleChoice/AccessibleChoiceTest.java fails
  • 260e4dc: 8295011: EC point multiplication improvement for secp256r1
  • fb6c992: 8296957: One more cast in SAFE_SIZE_NEW_ARRAY2
  • ccc6e16: 8291067: macOS should use O_CLOEXEC instead of FD_CLOEXEC
  • 0ac5b55: 8297349: Parallel: Use correct claim value for CLD oop iteration in PSScavengeCLDClosure
  • 932bf35: 8297333: Parallel: Remove unused methods in PCIterateMarkAndPushClosure
  • 42c2037: 8297382: Test fails to compile after JDK-8288047
  • 6d6046b: 8252713: jtreg time out of CtrlASCII.java seems to hang the Xserver.
  • ... and 180 more: https://git.openjdk.org/jdk/compare/27527b49752110fcfca285a1b6dd995d5d103fe5...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

➡️ To integrate this PR with the above commit message to the master branch, type /integrate in a new comment.

@openjdk openjdk bot added the ready Pull request is ready to be integrated label Nov 22, 2022
@wangweij
Contributor Author

/integrate

openjdk bot commented Nov 22, 2022

Going to push as commit e174558.
Since your change was applied there have been 190 commits pushed to the master branch (the same list as above).

Your commit was automatically rebased without conflicts.

@openjdk openjdk bot added the integrated Pull request has been integrated label Nov 22, 2022
@openjdk openjdk bot closed this Nov 22, 2022
@openjdk openjdk bot removed ready Pull request is ready to be integrated rfr Pull request is ready for review labels Nov 22, 2022
openjdk bot commented Nov 22, 2022

@wangweij Pushed as commit e174558.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.

@wangweij wangweij deleted the 8296742 branch November 25, 2022 23:58
Labels
integrated Pull request has been integrated security security-dev@openjdk.org
3 participants