
8295068: SSLEngine throws NPE parsing CertificateRequests #14778

Closed
wants to merge 3 commits into from

Conversation

driverkt
Member

@driverkt driverkt commented Jul 5, 2023

JDK-8295068: an NPE is thrown when an invalid id is found to match up a ClientCertificateType; rather than throwing the NPE, we now ignore an id which does match a ClientCertificateType.


Progress

  • Change must be properly reviewed (1 review required, with at least 1 Reviewer)
  • Change must not contain extraneous whitespace
  • Commit message must refer to an issue

Issue

  • JDK-8295068: SSLEngine throws NPE parsing CertificateRequests (Bug - P4)

Reviewers

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/14778/head:pull/14778
$ git checkout pull/14778

Update a local copy of the PR:
$ git checkout pull/14778
$ git pull https://git.openjdk.org/jdk.git pull/14778/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 14778

View PR using the GUI difftool:
$ git pr show -t 14778

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/14778.diff

Webrev

Link to Webrev Comment

… up a ClientCertificateType; rather than throwing the NPE, we now throw an IllegalArgumentException. This does not seem to be a scenario where recovery is possible or desired, so the IAE should be the proper behavior.
@bridgekeeper

bridgekeeper bot commented Jul 5, 2023

👋 Welcome back kdriver! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

@driverkt driverkt changed the title JDK-8295068: an NPE is thrown wn when an invalid id is found to match… 8295068: SSLEngine throws NPE parsing CertificateRequests Jul 5, 2023
@openjdk openjdk bot added the rfr Pull request is ready for review label Jul 5, 2023
@openjdk

openjdk bot commented Jul 5, 2023

@driverkt The following label will be automatically applied to this pull request:

  • security

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command.

@openjdk openjdk bot added the security security-dev@openjdk.org label Jul 5, 2023
@openjdk

openjdk bot commented Jul 5, 2023

@driverkt This issue is referenced in the PR title - it will now be updated.

@mlbridge

mlbridge bot commented Jul 5, 2023

Webrevs

@@ -128,6 +128,10 @@ private static String[] getKeyTypes(byte[] ids) {
ArrayList<String> keyTypes = new ArrayList<>(3);
for (byte id : ids) {
ClientCertificateType cct = ClientCertificateType.valueOf(id);
if(cct == null) {
Member


Suggested change
if(cct == null) {
if (cct == null) {

Comment on lines 132 to 134
throw new IllegalArgumentException(id + " was " +
"not a valid ClientCertificateType id");
}
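Review bot: the `throw new IllegalArgumentException(id + " was " + "not a valid ClientCertificateType id")` branch turns any certificate_types id the peer sends that `ClientCertificateType.valueOf(id)` does not know into a handshake failure, which is stricter than `getKeyTypes` needs: it only has to collect the key types of the recognised, available entries, so an unrecognised id can simply be skipped, either with `continue` in the null branch or by folding the null check into the existing availability test as `if (cct != null && cct.isAvailable)`. Separately, `if(cct == null)` lacks the space after the keyword that the surrounding `for (byte id : ids)` uses.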
Member

@XueleiFan XueleiFan Jul 6, 2023


It may not comply to TLS specification if throwing exception here. Unknown types should be ignored for compatibility.

- if (cct.isAvailable) {
+ if (cct != null && cct.isAvailable) {

Member Author

@driverkt driverkt Jul 6, 2023


@XueleiFan It looks like the relevant bit of the RFC (as you point out) is this:

For historical reasons, the names of some client certificate types
      include the algorithm used to sign the certificate.  For example,
      in earlier versions of TLS, rsa_fixed_dh meant a certificate
      signed with RSA and containing a static DH key.  In TLS 1.2, this
      functionality has been obsoleted by the
      supported_signature_algorithms, and the certificate type no longer
      restricts the algorithm used to sign the certificate.  For
      example, if the server sends dss_fixed_dh certificate type and
      {{sha1, dsa}, {sha1, rsa}} signature types, the client MAY reply
      with a certificate containing a static DH key, signed with RSA-
      SHA1.

I had noticed the comments beginning on line 757 in CertificateRequest:

// For TLS 1.2, we no longer use the certificate_types field
// from the CertificateRequest message to directly determine
// the SSLPossession.  Instead, the choosePossession method
// will use the accepted signature schemes in the message to
// determine the set of acceptable certificate types to select from.

I noted that the id byte generated by the test case was 0x72, and this is definitely not a recognized/supported type in JSSE ["Values in the range 64-223 (decimal) inclusive are assigned via Specification Required"].

I chose IllegalArgumentException because it seemed values so far "out of range" would be undesirable, and perhaps I misinterpreted the commented paragraph above as implying that the id value needed to be one of the set of "acceptable certificate types".

After referring back to the RFC, I agree that your proposed fix seems more in line with the intent of the RFC.
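The two behaviours discussed above (dereferencing the lookup result, and skipping an id the enum does not recognise) side by side, as an added example that is not JSSE's own code. The `ClientCertificateType` enum here is a constructed stand-in for the internal JSSE enum: the ids 1, 2, 3 and 64 are the RFC 5246 / RFC 4492 values for rsa_sign, dss_sign, rsa_fixed_dh and ecdsa_sign, while the `keyType` and `isAvailable` fields and the `parseCertificateTypes` helper are hypothetical simplifications added for illustration. The sample message bytes are constructed and carry the unassigned id 0x72 mentioned in the discussion.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Constructed stand-in for JSSE's internal ClientCertificateType enum.
// Ids follow RFC 5246 / RFC 4492; keyType and isAvailable are hypothetical.
enum ClientCertificateType {
    RSA_SIGN((byte) 1, "RSA", true),
    DSS_SIGN((byte) 2, "DSA", true),
    RSA_FIXED_DH((byte) 3, null, false),   // obsolete type, never available
    ECDSA_SIGN((byte) 64, "EC", true);

    final byte id;
    final String keyType;
    final boolean isAvailable;

    ClientCertificateType(byte id, String keyType, boolean isAvailable) {
        this.id = id;
        this.keyType = keyType;
        this.isAvailable = isAvailable;
    }

    // Same contract as the lookup in the patched method: null when no
    // constant carries this id, which is the case that produced the NPE.
    static ClientCertificateType valueOf(byte id) {
        for (ClientCertificateType cct : values()) {
            if (cct.id == id) {
                return cct;
            }
        }
        return null;
    }
}

public final class CertificateRequestTypes {

    // Reads the certificate_types<1..2^8-1> vector that opens a TLS 1.2
    // CertificateRequest body: one length byte followed by that many ids.
    static byte[] parseCertificateTypes(byte[] body) {
        if (body.length < 1) {
            throw new IllegalArgumentException("truncated certificate_types length");
        }
        int len = body[0] & 0xFF;
        if (len == 0 || body.length < 1 + len) {
            throw new IllegalArgumentException("bad certificate_types vector");
        }
        return Arrays.copyOfRange(body, 1, 1 + len);
    }

    // Before the fix: the lookup result is dereferenced unconditionally.
    static String[] getKeyTypesBefore(byte[] ids) {
        List<String> keyTypes = new ArrayList<>(3);
        for (byte id : ids) {
            ClientCertificateType cct = ClientCertificateType.valueOf(id);
            if (cct.isAvailable) {            // NPE when cct is null
                keyTypes.add(cct.keyType);
            }
        }
        return keyTypes.toArray(new String[0]);
    }

    // After the fix, in the form the reviewer suggested: an id that no
    // constant recognises is skipped instead of failing the handshake.
    static String[] getKeyTypes(byte[] ids) {
        List<String> keyTypes = new ArrayList<>(3);
        for (byte id : ids) {
            ClientCertificateType cct = ClientCertificateType.valueOf(id);
            if (cct != null && cct.isAvailable) {
                keyTypes.add(cct.keyType);
            }
        }
        return keyTypes.toArray(new String[0]);
    }

    public static void main(String[] args) {
        // Constructed CertificateRequest prefix: three certificate_types,
        // rsa_sign (0x01), the unassigned 0x72 from the bug's test case,
        // and ecdsa_sign (0x40); the rest of the message is omitted.
        byte[] body = { 0x03, 0x01, 0x72, 0x40 };
        byte[] ids = parseCertificateTypes(body);

        try {
            getKeyTypesBefore(ids);
            System.out.println("before: no exception");
        } catch (NullPointerException e) {
            System.out.println("before: NullPointerException on id 0x72");
        }
        System.out.println("after: " + Arrays.toString(getKeyTypes(ids)));
    }
}
```

Running `main` exercises both forms on the same ids: the unchecked version fails on the unassigned id, while the null-tolerant version returns only the key types of the recognised, available entries, which is what the rest of the handshake code needs from this method.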

Member

@XueleiFan XueleiFan left a comment


It looks good to me. Thank you for the update.

@openjdk

openjdk bot commented Jul 6, 2023

@driverkt This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8295068: SSLEngine throws NPE parsing CertificateRequests

Reviewed-by: xuelei

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 12 new commits pushed to the master branch:

  • ec7da91: 8240567: MethodTooLargeException thrown while creating a jlink image
  • 97e99f0: 8311087: PhiNode::wait_for_region_igvn should break early
  • 7173c30: 8307766: Linux: Provide the option to override the timer slack
  • 356067d: 8311489: Remove unused dirent_md files
  • 3d813ae: 8311301: MethodExitTest may fail with stack buffer overrun
  • 0741cd3: 8311264: JavaDoc index comparator is not transitive
  • edb2be1: 8311279: TestStressIGVNAndCCP.java failed with different IGVN traces for the same seed
  • d072c40: 8311183: Remove unused mapping test files
  • 66d2736: 8307526: [JFR] Better handling of tampered JFR repository
  • 0616648: 8311035: CDS should not use dump time JVM narrow Klass encoding to pre-compute Klass ids
  • ... and 2 more: https://git.openjdk.org/jdk/compare/2cffef21201c3e8be87c92234712839bff531047...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

As you do not have Committer status in this project an existing Committer must agree to sponsor your change. Possible candidates are the reviewers of this PR (@XueleiFan) but any other Committer may sponsor as well.

➡️ To flag this PR as ready for integration with the above commit message, type /integrate in a new comment. (Afterwards, your sponsor types /sponsor in a new comment to perform the integration).

@openjdk openjdk bot added the ready Pull request is ready to be integrated label Jul 6, 2023
@driverkt
Member Author

driverkt commented Jul 6, 2023

/integrate

@openjdk openjdk bot added the sponsor Pull request is ready to be sponsored label Jul 6, 2023
@openjdk

openjdk bot commented Jul 6, 2023

@driverkt
Your change (at version ce66984) is now ready to be sponsored by a Committer.

@XueleiFan
Member

/sponsor

@openjdk

openjdk bot commented Jul 7, 2023

Going to push as commit 5667afc.
Since your change was applied there have been 22 commits pushed to the master branch:

  • 34004e1: 8311575: Fix invalid format parameters
  • 9084b6c: 8311514: Incorrect regex in TestMetaSpaceLog.java
  • 0ef03f1: 8311285: report some fontconfig related environment variables in hs_err file
  • 92ca670: 8310170: Use sp's argument to improve performance of outputStream::indent and remove SP_USE_TABS
  • 25cbe85: 8310550: Adjust references to rt.jar
  • 848abd2: 8311511: Improve description of NativeLibrary JFR event
  • 6485b7d: 6875229: Wrong placement of icons in JTabbedPane in Nimbus
  • 27de536: 8311581: Remove obsolete code and comments in TestLVT.java
  • e848d94: 8310923: Refactor Currency tests to use JUnit
  • 0c86c31: 8302351: "assert(!JavaThread::current()->is_interp_only_mode() || !nm->method()->is_continuation_enter_intrinsic() || ContinuationEntry::is_interpreted_call(return_pc)) failed: interp_only_mode but not in enterSpecial interpreted entry" in fixup_callers_callsite
  • ... and 12 more: https://git.openjdk.org/jdk/compare/2cffef21201c3e8be87c92234712839bff531047...master

Your commit was automatically rebased without conflicts.

@openjdk openjdk bot added the integrated Pull request has been integrated label Jul 7, 2023
@openjdk openjdk bot closed this Jul 7, 2023
@openjdk openjdk bot removed ready Pull request is ready to be integrated rfr Pull request is ready for review sponsor Pull request is ready to be sponsored labels Jul 7, 2023
@openjdk

openjdk bot commented Jul 7, 2023

@XueleiFan @driverkt Pushed as commit 5667afc.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.

@driverkt driverkt deleted the JDK-8295068 branch July 18, 2023 14:20