8252377: Incorrect encoding for EC AlgorithmIdentifier

[haimaychao]

This change fixes the DER encoding for ECDSA AlgorithmIdentifier to omit the parameters field instead of encoding a Null tag.

---

Progress

• Change must not contain extraneous whitespace
• Commit message must refer to an issue
• Change must be properly reviewed

Issue

• JDK-8252377: Incorrect encoding for EC AlgorithmIdentifier

Reviewers

• Weijun Wang (@wangweij - Reviewer)

Download

$ git fetch https://git.openjdk.java.net/jdk pull/312/head:pull/312
$ git checkout pull/312

[bridgekeeper]

👋 Welcome back hchao! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

@haimaychao The following label will be automatically applied to this pull request: security.

When this pull request is ready to be reviewed, an RFR email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label (add|remove) "label" command.

[mlbridge]

Webrevs

• 02: Full - Incremental (4f4e368)
• 01: Full - Incremental (edc71d0)
• 00: Full (f52268a)

[wangweij]

I don't quite understand what the test is for. The bug is about encoding but the test seems to be decoding the certificates. Does the test fail before this fix and succeed after it?

[haimaychao]

This is because the encoding of Algorithm Identifier incorrectly adds two NULL tags to the parameters field in the canned certificate. (There are two Algorithm Identifiers in the cert, with each NULL tag containing two bytes: tag + length.) I use the length of an encoded certificate (x509Cert.getEncoded().length) to verify that the certificate contains an extra 4 bytes to hold the two NULL tags. Therefore, the certificate without the fix should be 4 bytes (5 bytes if one byte alignment is applied) longer in length than the certificate with the fix.

[wangweij]

But the certificates included in the test are static and if one day we mistakenly add the NULL back it will not be detected by the test. My idea is to generate a cert on the fly inside the test so that can check the derEncode method in this JDK. As for checking if the NULL is there, you can try looking at the DerUtils::shouldNotExist method with "021" and "11" as arguments.

[openjdk]

@haimaychao This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for more details.

After integration, the commit message for the final commit will be:

8252377: Incorrect encoding for EC AlgorithmIdentifier

Reviewed-by: weijun

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 141 new commits pushed to the master branch:

• 9150b90: 8253659: ProblemList sun/security/ec/TestEC.java on linux-aarch64
• 0187567: 8250984: Memory Docker tests fail on some Linux kernels w/o cgroupv1 …
• a75edc2: 8251188: Update LDAP tests not to use wildcard addresses
• 1f5a033: 8253555: Make ByteSize and WordSize typed scoped enums
• f62eefc: 8253469: ARM32 Zero: replace usages of __sync_synchronize() with OrderAccess::fence
• 1b79326: 8242451: ensure semantics of non-capturing lambdas are preserved independent of execution mode
• dc1ef58: 8253631: Remove unimplemented CompileBroker methods after JEP-165
• 27d0a70: 8253633: Remove unimplemented TieredThresholdPolicy::set_carry_if_neccessary
• e12d94a: 8253594: Remove CollectedHeap::supports_tlab_allocation
• cfa3f74: 8245527: LDAP Channel Binding support for Java GSS/Kerberos
• ... and 131 more: https://git.openjdk.java.net/jdk/compare/46598c8644a5e300cd622c66336fd3e261d4b68a...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

As you do not have Committer status in this project an existing Committer must agree to sponsor your change. Possible candidates are the reviewers of this PR (@wangweij) but any other Committer may sponsor as well.

➡️ To flag this PR as ready for integration with the above commit message, type /integrate in a new comment. (Afterwards, your sponsor types /sponsor in a new comment to perform the integration).

[wangweij]

/sponsor

[openjdk]

@wangweij The change author (@haimaychao) must issue an integrate command before the integration can be sponsored.

[haimaychao]

/integrate

[openjdk]

@haimaychao
Your change (at version 4f4e368) is now ready to be sponsored by a Committer.

[wangweij]

/sponsor

[openjdk]

@wangweij @haimaychao Since your change was applied there have been 141 commits pushed to the master branch:

• 9150b90: 8253659: ProblemList sun/security/ec/TestEC.java on linux-aarch64
• 0187567: 8250984: Memory Docker tests fail on some Linux kernels w/o cgroupv1 …
• a75edc2: 8251188: Update LDAP tests not to use wildcard addresses
• 1f5a033: 8253555: Make ByteSize and WordSize typed scoped enums
• f62eefc: 8253469: ARM32 Zero: replace usages of __sync_synchronize() with OrderAccess::fence
• 1b79326: 8242451: ensure semantics of non-capturing lambdas are preserved independent of execution mode
• dc1ef58: 8253631: Remove unimplemented CompileBroker methods after JEP-165
• 27d0a70: 8253633: Remove unimplemented TieredThresholdPolicy::set_carry_if_neccessary
• e12d94a: 8253594: Remove CollectedHeap::supports_tlab_allocation
• cfa3f74: 8245527: LDAP Channel Binding support for Java GSS/Kerberos
• ... and 131 more: https://git.openjdk.java.net/jdk/compare/46598c8644a5e300cd622c66336fd3e261d4b68a...master

Your commit was automatically rebased without conflicts.

Pushed as commit 0e855fe.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.