提交 fc28d3fd 编写于 作者: M mullan

8234042: Better factory production of certificates

Reviewed-by: weijun, rhalade, mschoene
上级 39d6fef1
/* /*
* Copyright (c) 2011, 2019, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2011, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -226,6 +226,9 @@ public final class KeychainStore extends KeyStoreSpi { ...@@ -226,6 +226,9 @@ public final class KeychainStore extends KeyStoreSpi {
// Get the Algorithm ID next // Get the Algorithm ID next
DerValue[] value = in.getSequence(2); DerValue[] value = in.getSequence(2);
if (value.length < 1 || value.length > 2) {
throw new IOException("Invalid length for AlgorithmIdentifier");
}
AlgorithmId algId = new AlgorithmId(value[0].getOID()); AlgorithmId algId = new AlgorithmId(value[0].getOID());
String algName = algId.getName(); String algName = algId.getName();
......
/* /*
* Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2013, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -252,6 +252,9 @@ public final class PKCS12Attribute implements KeyStore.Entry.Attribute { ...@@ -252,6 +252,9 @@ public final class PKCS12Attribute implements KeyStore.Entry.Attribute {
private void parse(byte[] encoded) throws IOException { private void parse(byte[] encoded) throws IOException {
DerInputStream attributeValue = new DerInputStream(encoded); DerInputStream attributeValue = new DerInputStream(encoded);
DerValue[] attrSeq = attributeValue.getSequence(2); DerValue[] attrSeq = attributeValue.getSequence(2);
if (attrSeq.length != 2) {
throw new IOException("Invalid length for PKCS12Attribute");
}
ObjectIdentifier type = attrSeq[0].getOID(); ObjectIdentifier type = attrSeq[0].getOID();
DerInputStream attrContent = DerInputStream attrContent =
new DerInputStream(attrSeq[1].toByteArray()); new DerInputStream(attrSeq[1].toByteArray());
......
/* /*
* Copyright (c) 1996, 2011, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 1996, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -130,6 +130,9 @@ public class ContentInfo { ...@@ -130,6 +130,9 @@ public class ContentInfo {
DerValue[] contents; DerValue[] contents;
typeAndContent = derin.getSequence(2); typeAndContent = derin.getSequence(2);
if (typeAndContent.length < 1 || typeAndContent.length > 2) {
throw new ParsingException("Invalid length for ContentInfo");
}
// Parse the content type // Parse the content type
type = typeAndContent[0]; type = typeAndContent[0];
...@@ -149,6 +152,9 @@ public class ContentInfo { ...@@ -149,6 +152,9 @@ public class ContentInfo {
disTaggedContent disTaggedContent
= new DerInputStream(taggedContent.toByteArray()); = new DerInputStream(taggedContent.toByteArray());
contents = disTaggedContent.getSet(1, true); contents = disTaggedContent.getSet(1, true);
if (contents.length != 1) {
throw new ParsingException("ContentInfo encoding error");
}
content = contents[0]; content = contents[0];
} }
} }
......
...@@ -144,6 +144,9 @@ public class SignerInfo implements DerEncoder { ...@@ -144,6 +144,9 @@ public class SignerInfo implements DerEncoder {
// issuerAndSerialNumber // issuerAndSerialNumber
DerValue[] issuerAndSerialNumber = derin.getSequence(2); DerValue[] issuerAndSerialNumber = derin.getSequence(2);
if (issuerAndSerialNumber.length != 2) {
throw new ParsingException("Invalid length for IssuerAndSerialNumber");
}
byte[] issuerBytes = issuerAndSerialNumber[0].toByteArray(); byte[] issuerBytes = issuerAndSerialNumber[0].toByteArray();
issuerName = new X500Name(new DerValue(DerValue.tag_Sequence, issuerName = new X500Name(new DerValue(DerValue.tag_Sequence,
issuerBytes)); issuerBytes));
......
/* /*
* Copyright (c) 1999, 2007, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 1999, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -59,10 +59,16 @@ class MacData { ...@@ -59,10 +59,16 @@ class MacData {
throws IOException, ParsingException throws IOException, ParsingException
{ {
DerValue[] macData = derin.getSequence(2); DerValue[] macData = derin.getSequence(2);
if (macData.length < 2 || macData.length > 3) {
throw new ParsingException("Invalid length for MacData");
}
// Parse the digest info // Parse the digest info
DerInputStream digestIn = new DerInputStream(macData[0].toByteArray()); DerInputStream digestIn = new DerInputStream(macData[0].toByteArray());
DerValue[] digestInfo = digestIn.getSequence(2); DerValue[] digestInfo = digestIn.getSequence(2);
if (digestInfo.length != 2) {
throw new ParsingException("Invalid length for DigestInfo");
}
// Parse the DigestAlgorithmIdentifier. // Parse the DigestAlgorithmIdentifier.
AlgorithmId digestAlgorithmId = AlgorithmId.parse(digestInfo[0]); AlgorithmId digestAlgorithmId = AlgorithmId.parse(digestInfo[0]);
......
/* /*
* Copyright (c) 1999, 2017, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 1999, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -389,6 +389,9 @@ public final class PKCS12KeyStore extends KeyStoreSpi { ...@@ -389,6 +389,9 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
DerInputStream in = val.toDerInputStream(); DerInputStream in = val.toDerInputStream();
int i = in.getInteger(); int i = in.getInteger();
DerValue[] value = in.getSequence(2); DerValue[] value = in.getSequence(2);
if (value.length < 1 || value.length > 2) {
throw new IOException("Invalid length for AlgorithmIdentifier");
}
AlgorithmId algId = new AlgorithmId(value[0].getOID()); AlgorithmId algId = new AlgorithmId(value[0].getOID());
String keyAlgo = algId.getName(); String keyAlgo = algId.getName();
...@@ -2000,11 +2003,17 @@ public final class PKCS12KeyStore extends KeyStoreSpi { ...@@ -2000,11 +2003,17 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
DerInputStream edi = DerInputStream edi =
safeContents.getContent().toDerInputStream(); safeContents.getContent().toDerInputStream();
int edVersion = edi.getInteger(); int edVersion = edi.getInteger();
DerValue[] seq = edi.getSequence(2); DerValue[] seq = edi.getSequence(3);
if (seq.length != 3) {
// We require the encryptedContent field, even though
// it is optional
throw new IOException("Invalid length for EncryptedContentInfo");
}
ObjectIdentifier edContentType = seq[0].getOID(); ObjectIdentifier edContentType = seq[0].getOID();
eAlgId = seq[1].toByteArray(); eAlgId = seq[1].toByteArray();
if (!seq[2].isContextSpecific((byte)0)) { if (!seq[2].isContextSpecific((byte)0)) {
throw new IOException("encrypted content not present!"); throw new IOException("unsupported encrypted content type "
+ seq[2].tag);
} }
byte newTag = DerValue.tag_OctetString; byte newTag = DerValue.tag_OctetString;
if (seq[2].isConstructed()) if (seq[2].isConstructed())
...@@ -2218,6 +2227,9 @@ public final class PKCS12KeyStore extends KeyStoreSpi { ...@@ -2218,6 +2227,9 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
} else if (bagId.equals((Object)CertBag_OID)) { } else if (bagId.equals((Object)CertBag_OID)) {
DerInputStream cs = new DerInputStream(bagValue.toByteArray()); DerInputStream cs = new DerInputStream(bagValue.toByteArray());
DerValue[] certValues = cs.getSequence(2); DerValue[] certValues = cs.getSequence(2);
if (certValues.length != 2) {
throw new IOException("Invalid length for CertBag");
}
ObjectIdentifier certId = certValues[0].getOID(); ObjectIdentifier certId = certValues[0].getOID();
if (!certValues[1].isContextSpecific((byte)0)) { if (!certValues[1].isContextSpecific((byte)0)) {
throw new IOException("unsupported PKCS12 cert value type " throw new IOException("unsupported PKCS12 cert value type "
...@@ -2233,6 +2245,9 @@ public final class PKCS12KeyStore extends KeyStoreSpi { ...@@ -2233,6 +2245,9 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
} else if (bagId.equals((Object)SecretBag_OID)) { } else if (bagId.equals((Object)SecretBag_OID)) {
DerInputStream ss = new DerInputStream(bagValue.toByteArray()); DerInputStream ss = new DerInputStream(bagValue.toByteArray());
DerValue[] secretValues = ss.getSequence(2); DerValue[] secretValues = ss.getSequence(2);
if (secretValues.length != 2) {
throw new IOException("Invalid length for SecretBag");
}
ObjectIdentifier secretId = secretValues[0].getOID(); ObjectIdentifier secretId = secretValues[0].getOID();
if (!secretValues[1].isContextSpecific((byte)0)) { if (!secretValues[1].isContextSpecific((byte)0)) {
throw new IOException( throw new IOException(
...@@ -2271,6 +2286,9 @@ public final class PKCS12KeyStore extends KeyStoreSpi { ...@@ -2271,6 +2286,9 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
byte[] encoded = attrSet[j].toByteArray(); byte[] encoded = attrSet[j].toByteArray();
DerInputStream as = new DerInputStream(encoded); DerInputStream as = new DerInputStream(encoded);
DerValue[] attrSeq = as.getSequence(2); DerValue[] attrSeq = as.getSequence(2);
if (attrSeq.length != 2) {
throw new IOException("Invalid length for Attribute");
}
ObjectIdentifier attrId = attrSeq[0].getOID(); ObjectIdentifier attrId = attrSeq[0].getOID();
DerInputStream vs = DerInputStream vs =
new DerInputStream(attrSeq[1].toByteArray()); new DerInputStream(attrSeq[1].toByteArray());
......
/* /*
* Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -261,7 +261,7 @@ public final class OCSPResponse { ...@@ -261,7 +261,7 @@ public final class OCSPResponse {
DerInputStream basicOCSPResponse = DerInputStream basicOCSPResponse =
new DerInputStream(derIn.getOctetString()); new DerInputStream(derIn.getOctetString());
DerValue[] seqTmp = basicOCSPResponse.getSequence(2); DerValue[] seqTmp = basicOCSPResponse.getSequence(3);
if (seqTmp.length < 3) { if (seqTmp.length < 3) {
throw new IOException("Unexpected BasicOCSPResponse value"); throw new IOException("Unexpected BasicOCSPResponse value");
} }
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册