7024771: "\\<>" in attribute value part of X500Principal constructor parameter makes strange effect

Reviewed-by: vinnie

7024771: "\\<>" in attribute value part of X500Principal constructor parameter makes strange effect
Reviewed-by: vinnie
4dcf283e · mullan · dc5debbe · 4dcf283e · 4dcf283e · 4dcf283e
3 changed file
--- a/src/share/classes/sun/security/x509/AVA.java
+++ b/src/share/classes/sun/security/x509/AVA.java
@@ -42,7 +42,7 @@ import sun.security.pkcs.PKCS9Attribute;
 * X.500 Attribute-Value-Assertion (AVA):  an attribute, as identified by
 * some attribute ID, has some particular value.  Values are as a rule ASN.1
 * printable strings.  A conventional set of type IDs is recognized when
- * parsing (and generating) RFC 1779 or RFC 2253 syntax strings.
+ * parsing (and generating) RFC 1779, 2253 or 4514 syntax strings.
 *
 * <P>AVAs are components of X.500 relative names.  Think of them as being
 * individual fields of a database record.  The attribute ID is how you
@@ -92,18 +92,20 @@ public class AVA implements DerEncoder {
     * Leading and trailing spaces, also multiple internal spaces, also
     * call for quoting the whole string.
     */
-    private static final String specialChars = ",+=\n<>#;";
+    private static final String specialChars1779 = ",=\n+<>#;\\\"";
    /*
     * In RFC2253, if the value has any of these characters in it, it
     * must be quoted by a preceding \.
     */
-    private static final String specialChars2253 = ",+\"\\<>;";
+    private static final String specialChars2253 = ",=+<>#;\\\"";
    /*
-     * includes special chars from RFC1779 and RFC2253, as well as ' '
+     * includes special chars from RFC1779 and RFC2253, as well as ' ' from
+     * RFC 4514.
     */
-    private static final String specialCharsAll = ",=\n+<>#;\\\" ";
+    private static final String specialCharsDefault = ",=\n+<>#;\\\" ";
+    private static final String escapedDefault = ",+<>;\"";
    /*
     * Values that aren't printable strings are emitted as BER-encoded
@@ -120,26 +122,26 @@ public class AVA implements DerEncoder {
    }
    /**
-     * Parse an RFC 1779 or RFC 2253 style AVA string:  CN=fee fie foe fum
+     * Parse an RFC 1779, 2253 or 4514 style AVA string:  CN=fee fie foe fum
     * or perhaps with quotes.  Not all defined AVA tags are supported;
     * of current note are X.400 related ones (PRMD, ADMD, etc).
     *
     * This terminates at unescaped AVA separators ("+") or RDN
-     * separators (",", ";"), or DN terminators (">"), and removes
+     * separators (",", ";"), and removes cosmetic whitespace at the end of
-     * cosmetic whitespace at the end of values.
+     * values.
     */
    AVA(Reader in) throws IOException {
        this(in, DEFAULT);
    }
    /**
-     * Parse an RFC 1779 or RFC 2253 style AVA string:  CN=fee fie foe fum
+     * Parse an RFC 1779, 2253 or 4514 style AVA string:  CN=fee fie foe fum
     * or perhaps with quotes. Additional keywords can be specified in the
     * keyword/OID map.
     *
     * This terminates at unescaped AVA separators ("+") or RDN
-     * separators (",", ";"), or DN terminators (">"), and removes
+     * separators (",", ";"), and removes cosmetic whitespace at the end of
-     * cosmetic whitespace at the end of values.
+     * values.
     */
    AVA(Reader in, Map<String, String> keywordMap) throws IOException {
        this(in, DEFAULT, keywordMap);
@@ -147,9 +149,6 @@ public class AVA implements DerEncoder {
    /**
     * Parse an AVA string formatted according to format.
-     *
-     * XXX format RFC1779 should only allow RFC1779 syntax but is
-     * actually DEFAULT with RFC1779 keywords.
     */
    AVA(Reader in, int format) throws IOException {
        this(in, format, Collections.<String, String>emptyMap());
@@ -158,9 +157,6 @@ public class AVA implements DerEncoder {
    /**
     * Parse an AVA string formatted according to format.
     *
-     * XXX format RFC1779 should only allow RFC1779 syntax but is
-     * actually DEFAULT with RFC1779 keywords.
-     *
     * @param in Reader containing AVA String
     * @param format parsing format
     * @param keywordMap a Map where a keyword String maps to a corresponding
@@ -168,11 +164,11 @@ public class AVA implements DerEncoder {
     *   If an entry does not exist, it will fallback to the builtin
     *   keyword/OID mapping.
     * @throws IOException if the AVA String is not valid in the specified
-     *   standard or an OID String from the keywordMap is improperly formatted
+     *   format or an OID String from the keywordMap is improperly formatted
     */
    AVA(Reader in, int format, Map<String, String> keywordMap)
        throws IOException {
-        // assume format is one of DEFAULT, RFC1779, RFC2253
+        // assume format is one of DEFAULT or RFC2253
        StringBuilder   temp = new StringBuilder();
        int             c;
@@ -193,7 +189,7 @@ public class AVA implements DerEncoder {
        /*
         * Now parse the value.  "#hex", a quoted string, or a string
-         * terminated by "+", ",", ";", ">".  Whitespace before or after
+         * terminated by "+", ",", ";".  Whitespace before or after
         * the value is stripped away unless format is RFC2253.
         */
        temp.setLength(0);
@@ -331,8 +327,7 @@ public class AVA implements DerEncoder {
                    continue;
                }
-                if (c != '\\' && c != '"' &&
+                if (specialChars1779.indexOf((char)c) < 0) {
-                    specialChars.indexOf((char)c) < 0) {
                    throw new IOException
                        ("Invalid escaped character in AVA: " +
                        (char)c);
@@ -386,7 +381,7 @@ public class AVA implements DerEncoder {
    private DerValue parseString
        (Reader in, int c, int format, StringBuilder temp) throws IOException {
-        List<Byte> embeddedHex = new ArrayList<Byte>();
+        List<Byte> embeddedHex = new ArrayList<>();
        boolean isPrintableString = true;
        boolean escape = false;
        boolean leadingChar = true;
@@ -413,16 +408,11 @@ public class AVA implements DerEncoder {
                }
                // check if character was improperly escaped
-                if ((format == DEFAULT &&
+                if (format == DEFAULT &&
-                        specialCharsAll.indexOf((char)c) == -1) ||
+                       specialCharsDefault.indexOf((char)c) == -1) {
-                    (format == RFC1779  &&
-                        specialChars.indexOf((char)c) == -1 &&
-                        c != '\\' && c != '\"')) {
                    throw new IOException
                        ("Invalid escaped character in AVA: '" +
                        (char)c + "'");
                } else if (format == RFC2253) {
                    if (c == ' ') {
                        // only leading/trailing space can be escaped
@@ -443,10 +433,8 @@ public class AVA implements DerEncoder {
                        throw new IOException
                                ("Invalid escaped character in AVA: '" +
                                (char)c + "'");
                    }
                }
            } else {
                // check if character should have been escaped
                if (format == RFC2253) {
@@ -455,6 +443,10 @@ public class AVA implements DerEncoder {
                                ("Character '" + (char)c +
                                 "' in AVA appears without escape");
                    }
+                } else if (escapedDefault.indexOf((char)c) != -1) {
+                    throw new IOException
+                            ("Character '" + (char)c +
+                            "' in AVA appears without escape");
                }
            }
@@ -551,7 +543,6 @@ public class AVA implements DerEncoder {
        case ',':
            return true;
        case ';':
-        case '>':
            return format != RFC2253;
        default:
            return false;
@@ -1200,18 +1191,6 @@ class AVAKeyword {
        }
    }
-    /**
-     * Get an object identifier representing the specified keyword (or
-     * string encoded object identifier) in the given standard.
-     *
-     * @throws IOException If the keyword is not valid in the specified standard
-     */
-    static ObjectIdentifier getOID(String keyword, int standard)
-            throws IOException {
-        return getOID
-            (keyword, standard, Collections.<String, String>emptyMap());
-    }
    /**
     * Get an object identifier representing the specified keyword (or
     * string encoded object identifier) in the given standard.
@@ -1249,19 +1228,11 @@ class AVAKeyword {
            return new ObjectIdentifier(oidString);
        }
-        // no keyword found or not standard compliant, check if OID string
+        // no keyword found, check if OID string
+        if (standard == AVA.DEFAULT && keyword.startsWith("OID.")) {
-        // RFC1779 requires, DEFAULT allows OID. prefix
-        if (standard == AVA.RFC1779) {
-            if (keyword.startsWith("OID.") == false) {
-                throw new IOException("Invalid RFC1779 keyword: " + keyword);
-            }
            keyword = keyword.substring(4);
-        } else if (standard == AVA.DEFAULT) {
-            if (keyword.startsWith("OID.")) {
-                keyword = keyword.substring(4);
-            }
        }
        boolean number = false;
        if (keyword.length() != 0) {
            char ch = keyword.charAt(0);

--- a/src/share/classes/sun/security/x509/X500Name.java
+++ b/src/share/classes/sun/security/x509/X500Name.java
@@ -142,9 +142,9 @@ public class X500Name implements GeneralNameInterface, Principal {
    /**
     * Constructs a name from a conventionally formatted string, such
     * as "CN=Dave, OU=JavaSoft, O=Sun Microsystems, C=US".
-     * (RFC 1779 or RFC 2253 style).
+     * (RFC 1779, 2253, or 4514 style).
     *
-     * @param DN X.500 Distinguished Name
+     * @param dname the X.500 Distinguished Name
     */
    public X500Name(String dname) throws IOException {
        this(dname, Collections.<String, String>emptyMap());
@@ -153,9 +153,9 @@ public class X500Name implements GeneralNameInterface, Principal {
    /**
     * Constructs a name from a conventionally formatted string, such
     * as "CN=Dave, OU=JavaSoft, O=Sun Microsystems, C=US".
-     * (RFC 1779 or RFC 2253 style).
+     * (RFC 1779, 2253, or 4514 style).
     *
-     * @param DN X.500 Distinguished Name
+     * @param dname the X.500 Distinguished Name
     * @param keywordMap an additional keyword/OID map
     */
    public X500Name(String dname, Map<String, String> keywordMap)
@@ -167,10 +167,11 @@ public class X500Name implements GeneralNameInterface, Principal {
     * Constructs a name from a string formatted according to format.
     * Currently, the formats DEFAULT and RFC2253 are supported.
     * DEFAULT is the default format used by the X500Name(String)
-     * constructor. RFC2253 is format strictly according to RFC2253
+     * constructor. RFC2253 is the format strictly according to RFC2253
     * without extensions.
     *
-     * @param DN X.500 Distinguished Name
+     * @param dname the X.500 Distinguished Name
+     * @param format the specified format of the String DN
     */
    public X500Name(String dname, String format) throws IOException {
        if (dname == null) {
@@ -865,8 +866,8 @@ public class X500Name implements GeneralNameInterface, Principal {
     *     O="Sue, Grabbit and Runn" or
     *     O=Sue\, Grabbit and Runn
     *
-     * This method can parse 1779 or 2253 DNs and non-standard 3280 keywords.
+     * This method can parse RFC 1779, 2253 or 4514 DNs and non-standard 3280
-     * Additional keywords can be specified in the keyword/OID map.
+     * keywords. Additional keywords can be specified in the keyword/OID map.
     */
    private void parseDN(String input, Map<String, String> keywordMap)
        throws IOException {
@@ -875,7 +876,7 @@ public class X500Name implements GeneralNameInterface, Principal {
            return;
        }
-        List<RDN> dnVector = new ArrayList<RDN>();
+        List<RDN> dnVector = new ArrayList<>();
        int dnOffset = 0;
        int rdnEnd;
        String rdnString;
@@ -947,10 +948,9 @@ public class X500Name implements GeneralNameInterface, Principal {
            return;
         }
-        List<RDN> dnVector = new ArrayList<RDN>();
+         List<RDN> dnVector = new ArrayList<>();
         int dnOffset = 0;
         String rdnString;
         int searchOffset = 0;
         int rdnEnd = dnString.indexOf(',');
         while (rdnEnd >=0) {

--- a/test/javax/security/auth/x500/X500Principal/Parse.java
+++ b/test/javax/security/auth/x500/X500Principal/Parse.java
+/*
+ * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+/*
+ * @test
+ * @bug 7024771
+ * @summary various X500Principal DN parsing tests
+ */
+import javax.security.auth.x500.X500Principal;
+public class Parse {
+    private static TestCase[] testCases = {
+        new TestCase("CN=prefix\\<>suffix", false)
+    };
+    public static void main(String args[]) throws Exception {
+        for (int i = 0; i < testCases.length; i++) {
+            testCases[i].run();
+        }
+        System.out.println("Test completed ok.");
+    }
+}
+class TestCase {
+     private String name;
+     private boolean expectedResult;
+     TestCase(String name, boolean expectedResult) {
+         this.name = name;
+         this.expectedResult = expectedResult;
+     }
+     void run() throws Exception {
+         Exception f = null;
+         try {
+             System.out.println("Parsing: \"" + name + "\"");
+             new X500Principal(name);
+             if (expectedResult == false) {
+                 f = new Exception("Successfully parsed invalid name");
+             }
+         } catch (IllegalArgumentException e) {
+             if (expectedResult == true) {
+                 throw e;
+             }
+         }
+         if (f != null) {
+             throw f;
+         }
+     }
+}