[ 
https://issues.apache.org/jira/browse/DIRKRB-741?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Michael Osipov updated DIRKRB-741:
----------------------------------
    Description: 
I am trying to process the subjects of public CAs. Kerby ASN.1 chokes on one. 
Self-contained example:

{code:java}
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;

import javax.security.auth.x500.X500Principal;

import org.apache.kerby.asn1.Asn1;
import org.apache.kerby.asn1.type.Asn1Sequence;
import org.apache.kerby.asn1.type.Asn1Type;

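/**
 * Reproducer for DIRKRB-741: decodes the subject DN of two CA certificates with
 * Kerby ASN.1 and re-encodes every RDN of the decoded sequence.
 *
 * <p>According to the stack trace attached to the issue, the first certificate
 * fails with {@link java.nio.BufferOverflowException} raised under
 * {@code Asn1Encodeable.encode()} (top Kerby frame {@code Asn1Simple.encodeBody}),
 * i.e. while re-encoding an already decoded value, not while decoding it.
 *
 * <p>NOTE(review): the failing subject carries non-ASCII characters in its
 * {@code O=} value. Presumably the encoder sizes its buffer from a length that
 * differs from the byte length of the string it writes; confirm against
 * {@code Asn1Simple} before relying on this.
 *
 * <p>{@code BufferOverflowException} is an unchecked, bounds-checked exception.
 * Code that parses certificates from untrusted peers and handles only the
 * declared {@link IOException} will not catch it, so the practical risk is an
 * unexpected runtime failure rather than memory corruption.
 */
public class KerbyTester {

    /** Base64 of the DER certificate whose subject triggers the exception (no PEM armor). */
    private static final String CERT_1 =
            "MIIGSzCCBDOgAwIBAgIIamg+nFGby1MwDQYJKoZIhvcNAQELBQAwgbIxCzAJBgNV"
            + "BAYTAlRSMQ8wDQYDVQQHDAZBbmthcmExQDA+BgNVBAoMN0UtVHXEn3JhIEVCRyBC"
            + "aWxpxZ9pbSBUZWtub2xvamlsZXJpIHZlIEhpem1ldGxlcmkgQS7Fni4xJjAkBgNV"
            + "BAsMHUUtVHVncmEgU2VydGlmaWthc3lvbiBNZXJrZXppMSgwJgYDVQQDDB9FLVR1"
            + "Z3JhIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTEzMDMwNTEyMDk0OFoXDTIz"
            + "MDMwMzEyMDk0OFowgbIxCzAJBgNVBAYTAlRSMQ8wDQYDVQQHDAZBbmthcmExQDA+"
            + "BgNVBAoMN0UtVHXEn3JhIEVCRyBCaWxpxZ9pbSBUZWtub2xvamlsZXJpIHZlIEhp"
            + "em1ldGxlcmkgQS7Fni4xJjAkBgNVBAsMHUUtVHVncmEgU2VydGlmaWthc3lvbiBN"
            + "ZXJrZXppMSgwJgYDVQQDDB9FLVR1Z3JhIENlcnRpZmljYXRpb24gQXV0aG9yaXR5"
            + "MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4vU/kwVRHoViVF56C/UY"
            + "B4Oufq9899SKa6VjQzm5S/fDxmSJPZQuVIBSOTkHS0vdhQd2h8y/L5VMzH2nPbxH"
            + "D5hw+IyFHnSOkm0bQNGZDbt1bsipa5rAhDGvykPL6ys06I+XawGb1Q5KCKpbknSF"
            + "Q9OArqGIW66z6l7LFpp3RMih9lRozt6Plyu6W0ACDGQXwLWTzeHxE2bODHnv0ZEo"
            + "q1+gElIwcxmOj+GMB6LDu0rw6h8VqO4lzKRG+Bsi77MOQ7osJLjFLFzUHPhdZL3D"
            + "k14opz8n8Y4e0ypQBaNV2cvnOVPAmJ6MVGKLJrD3fY185MaeZkJVgkfnsliNZvcH"
            + "fC425lAcP9tDJMW/hkd5s3kc91r0E+xs+D/iWR+V7kI+ua2oMoVJl0b+SzGPWsut"
            + "dEcf6ZG33ygEIqDUD13ieU/qbIWGvaimzuT6w+Gzrt48Ue7LE3wBf4QOXVGUnhMM"
            + "ti6lTPk5cDZvlsouDERVxcr6XQKj39ZkjFqzAQqptQpHF//vkUAqjqFGOjGY5RH8"
            + "zLtJVor8udBhmm9lbObDyz51Sf6Pp+KJxWfXnUYTTjF2OySznhFlhqt/7x3U+Lzn"
            + "rFpct1pHXFXOVbQicVtbC/DP3KBhZOqp12gKY6fgDT+gr9Oq0n7vUaDmUStVkhUX"
            + "U8u3Zg5mTPj5dUyQ5xJwx0UCAwEAAaNjMGEwHQYDVR0OBBYEFC7j27JJ0JxUeVz6"
            + "Jyr+zE7S6E5UMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAULuPbsknQnFR5"
            + "XPonKv7MTtLoTlQwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4ICAQAF"
            + "Nzr0TbdF4kV1JI+2d1LoHNgQk2Xz8lkGpD4eKexd0dCrfOAKkEh47U6YA5n+KGCR"
            + "HTAduGN8qOY1tfrTYXbm1gdLymmasoR6d5NFFxWfJNCYExL/u6Au/U5Mh/jOXKqY"
            + "GwXgAEZKgoClM4so3O0409/lPun++1ndYYRP0lSWE2ETPo+Aab6TR7U1Q9Jauz1c"
            + "77NCR807VRMGsAnb/WP2OogKmW9+4c4bU2pEZiNRCHu8W1Ki/QY3OEBhj0qWuJA3"
            + "+GbHeJAAFS6LrVE1Uweoa2iu+U48BybNCAVwzDk/dr2l02cmAYamU9JgO3xDf1WK"
            + "vJUawSg5TB9D0pH0clmKuVb8P7Sd2nCcdlqMQ1DujjByTd//SffGqWfZbawCEeI6"
            + "FiWnWAjLb1NBnEg4R2gz0dfHj9R0IdTDBZB6/86WiLEVKV0jq9BgoRJP3vQXzTLl"
            + "yb/IQ639Lo7xr+L0mPoSHyDYwKcMhcWQ9DstliaxLL5Mq+ux0orJ23gTDx4JnW2P"
            + "AJ8C2sH6H3p6CcRK5ogql5+Ji/03X186zjhZhkuvcQu02PJwT58yE+Owp1fl2tpD"
            + "y4Q08ijE6m30Ku/Ba3ba+367hTzSU8JNvnHhRdH9I2cNE3X7z2VnIp2usAnRCf8d"
            + "NL/+I5c30jn6PQ0GC7TbO6Orb1wdtn7os4I07QZcJA==";

    /**
     * Base64 of a second DER certificate. The exception thrown for {@link #CERT_1}
     * leaves {@code main}, so in the reported run this one is never reached.
     */
    private static final String CERT_2 =
            "MIIEFTCCAv2gAwIBAgIGSUEs5AAQMA0GCSqGSIb3DQEBCwUAMIGnMQswCQYDVQQG"
            + "EwJIVTERMA8GA1UEBwwIQnVkYXBlc3QxFTATBgNVBAoMDE5ldExvY2sgS2Z0LjE3"
            + "MDUGA1UECwwuVGFuw7pzw610dsOhbnlraWFkw7NrIChDZXJ0aWZpY2F0aW9uIFNl"
            + "cnZpY2VzKTE1MDMGA1UEAwwsTmV0TG9jayBBcmFueSAoQ2xhc3MgR29sZCkgRsWR"
            + "dGFuw7pzw610dsOhbnkwHhcNMDgxMjExMTUwODIxWhcNMjgxMjA2MTUwODIxWjCB"
            + "pzELMAkGA1UEBhMCSFUxETAPBgNVBAcMCEJ1ZGFwZXN0MRUwEwYDVQQKDAxOZXRM"
            + "b2NrIEtmdC4xNzA1BgNVBAsMLlRhbsO6c8OtdHbDoW55a2lhZMOzayAoQ2VydGlm"
            + "aWNhdGlvbiBTZXJ2aWNlcykxNTAzBgNVBAMMLE5ldExvY2sgQXJhbnkgKENsYXNz"
            + "IEdvbGQpIEbFkXRhbsO6c8OtdHbDoW55MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"
            + "MIIBCgKCAQEAxCRec75LbRTDofTjl5Bu0jBFHjzuZ9lk4BqKf8owyoPjIMHj9DrT"
            + "lF8afFttvzBPhCf2nx9JvMaZCpDyD/V/Q4Q3Y1GLeqVw/HpYzY6b7cNGbIRwXdrz"
            + "AZAj/E4wqX7hJ2Pn7WQ8oLjJM2P+FpD/sLj916jAwJRDC7bVWaaeVtAkH3B5r9s5"
            + "VA1lddkVQZQBr17s9o3x/61k/iCa11zr/qYfCGSji3ZVrR47KGAuhyXoqq8fxmRG"
            + "ILdwfzzeSNuWU7c5d+Qa4scWhHaXWy+7GRWF+GmF9ZmnqfI0p6m2pgP8b4Y9VHx2"
            + "BJtr+UBdADTHLpl1neWIA6pN+APSQnbAGwIDAKiLo0UwQzASBgNVHRMBAf8ECDAG"
            + "AQH/AgEEMA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUzPpnk/C2uNClwB7zU/2M"
            + "U9+D15YwDQYJKoZIhvcNAQELBQADggEBAKt/7hwWqZw8UQCgwBEIBaeZ5m8BiFRh"
            + "bvG5GK1Krf6BQCOUL/t1fC8oS2IkgYIL9WHxHG64YTjrgfpioTtaYtOUZcTh5m2C"
            + "+C8lcLIhJsFyUR+MLMOEkMNaj7rP9KdlpeuY0fsFskZ1FSNqb4VjMIDw1Z4fKRzC"
            + "bLBQWV2QWzuoDTDPv31/zvGdg73JRm4gpvlhUbohL3u+pRVjodSVh/GeufOJ8z2F"
            + "uLjbvrW5KfnaNwUASZQDhETnv0Mxz3WLJdH0pmT1kvarBes96aULNmLazAZfNou2"
            + "XjG4Kvte9nHfRCaexOYNkbQudZWAUWpLMKawYqGT8ZvYzsRjdT9ZR7E=";

    /** Certificates processed by {@link #main(String[])}, in order. */
    private static final String[] CERTS = { CERT_1, CERT_2 };

    /**
     * Parses each certificate, prints its subject in RFC 2253 form, decodes the
     * DER-encoded subject with Kerby and prints the Base64 of the concatenated,
     * re-encoded RDNs.
     *
     * @param args unused
     * @throws CertificateException if a certificate cannot be parsed
     * @throws IOException if Kerby reports a decoding or encoding failure
     * @throws IllegalStateException if the re-encoded RDNs are longer than the
     *     body length Kerby recorded while decoding
     */
    public static void main(String[] args) throws CertificateException, IOException {
        // The factory does not depend on the certificate, so create it once.
        CertificateFactory certFactory = CertificateFactory.getInstance("X.509");

        for (String base64Cert : CERTS) {
            // The constants carry no PEM armor, so decoding yields the DER bytes directly.
            byte[] derCert = Base64.getDecoder().decode(base64Cert);
            X509Certificate x509Cert = (X509Certificate)
                    certFactory.generateCertificate(new ByteArrayInputStream(derCert));

            X500Principal subject = x509Cert.getSubjectX500Principal();
            byte[] encoded = subject.getEncoded();

            System.out.println("Processing: " + subject.getName(X500Principal.RFC2253));

            Asn1Sequence asn1seq = (Asn1Sequence) Asn1.decode(encoded);
            // Sized from the decoded container: the re-encoded RDNs are expected
            // to occupy exactly the body of the original sequence.
            byte[] recoded = new byte[asn1seq.getContainer().getBodyLength()];
            int offset = 0;
            for (Asn1Type asn1set : asn1seq.getValue()) {
                // Per the reported stack trace, this call is where the exception is raised.
                byte[] term = asn1set.encode();
                // Keep a length mismatch distinguishable from a failure inside the
                // library instead of surfacing it as an array index error.
                if (term.length > recoded.length - offset) {
                    throw new IllegalStateException("Re-encoded RDNs exceed the decoded body length of "
                            + recoded.length + " bytes");
                }
                System.arraycopy(term, 0, recoded, offset, term.length);
                offset += term.length;
            }

            System.out.println("Unpacked RDNs: " + Base64.getEncoder().encodeToString(recoded));
        }
    }

}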
{code}

The output is:

{noformat}
Processing: CN=E-Tugra Certification Authority,OU=E-Tugra Sertifikasyon 
Merkezi,O=E-Tuğra EBG Bilişim Teknolojileri ve Hizmetleri A.Ş.,L=Ankara,C=TR
Exception in thread "main" java.nio.BufferOverflowException
        at java.base/java.nio.HeapByteBuffer.put(HeapByteBuffer.java:225)
        at java.base/java.nio.ByteBuffer.put(ByteBuffer.java:1031)
        at org.apache.kerby.asn1.type.Asn1Simple.encodeBody(Asn1Simple.java:79)
        at 
org.apache.kerby.asn1.type.Asn1Encodeable.encode(Asn1Encodeable.java:146)
        at 
org.apache.kerby.asn1.type.Asn1Constructed.encodeBody(Asn1Constructed.java:93)
        at 
org.apache.kerby.asn1.type.Asn1Encodeable.encode(Asn1Encodeable.java:146)
        at 
org.apache.kerby.asn1.type.Asn1Constructed.encodeBody(Asn1Constructed.java:93)
        at 
org.apache.kerby.asn1.type.Asn1Encodeable.encode(Asn1Encodeable.java:146)
        at 
org.apache.kerby.asn1.type.Asn1Encodeable.encode(Asn1Encodeable.java:136)
        at 
com.siemens.dynamowerk.certdownloader.KerbyTester.main(KerbyTester.java:96)
{noformat}

The cert is perfectly valid; it was obtained from Mozilla's NSS bundle.

  was:
I am trying to process the subjects of public CAs. Kerby ASN.1 chokes on one. 
Selfcontained example:

{code;java}
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;

import javax.security.auth.x500.X500Principal;

import org.apache.kerby.asn1.Asn1;
import org.apache.kerby.asn1.type.Asn1Sequence;
import org.apache.kerby.asn1.type.Asn1Type;

public class KerbyTester {

        private static final String CERT_1 = 
"MIIGSzCCBDOgAwIBAgIIamg+nFGby1MwDQYJKoZIhvcNAQELBQAwgbIxCzAJBgNV"
                        + 
"BAYTAlRSMQ8wDQYDVQQHDAZBbmthcmExQDA+BgNVBAoMN0UtVHXEn3JhIEVCRyBC"
                        + 
"aWxpxZ9pbSBUZWtub2xvamlsZXJpIHZlIEhpem1ldGxlcmkgQS7Fni4xJjAkBgNV"
                        + 
"BAsMHUUtVHVncmEgU2VydGlmaWthc3lvbiBNZXJrZXppMSgwJgYDVQQDDB9FLVR1"
                        + 
"Z3JhIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTEzMDMwNTEyMDk0OFoXDTIz"
                        + 
"MDMwMzEyMDk0OFowgbIxCzAJBgNVBAYTAlRSMQ8wDQYDVQQHDAZBbmthcmExQDA+"
                        + 
"BgNVBAoMN0UtVHXEn3JhIEVCRyBCaWxpxZ9pbSBUZWtub2xvamlsZXJpIHZlIEhp"
                        + 
"em1ldGxlcmkgQS7Fni4xJjAkBgNVBAsMHUUtVHVncmEgU2VydGlmaWthc3lvbiBN"
                        + 
"ZXJrZXppMSgwJgYDVQQDDB9FLVR1Z3JhIENlcnRpZmljYXRpb24gQXV0aG9yaXR5"
                        + 
"MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4vU/kwVRHoViVF56C/UY"
                        + 
"B4Oufq9899SKa6VjQzm5S/fDxmSJPZQuVIBSOTkHS0vdhQd2h8y/L5VMzH2nPbxH"
                        + 
"D5hw+IyFHnSOkm0bQNGZDbt1bsipa5rAhDGvykPL6ys06I+XawGb1Q5KCKpbknSF"
                        + 
"Q9OArqGIW66z6l7LFpp3RMih9lRozt6Plyu6W0ACDGQXwLWTzeHxE2bODHnv0ZEo"
                        + 
"q1+gElIwcxmOj+GMB6LDu0rw6h8VqO4lzKRG+Bsi77MOQ7osJLjFLFzUHPhdZL3D"
                        + 
"k14opz8n8Y4e0ypQBaNV2cvnOVPAmJ6MVGKLJrD3fY185MaeZkJVgkfnsliNZvcH"
                        + 
"fC425lAcP9tDJMW/hkd5s3kc91r0E+xs+D/iWR+V7kI+ua2oMoVJl0b+SzGPWsut"
                        + 
"dEcf6ZG33ygEIqDUD13ieU/qbIWGvaimzuT6w+Gzrt48Ue7LE3wBf4QOXVGUnhMM"
                        + 
"ti6lTPk5cDZvlsouDERVxcr6XQKj39ZkjFqzAQqptQpHF//vkUAqjqFGOjGY5RH8"
                        + 
"zLtJVor8udBhmm9lbObDyz51Sf6Pp+KJxWfXnUYTTjF2OySznhFlhqt/7x3U+Lzn"
                        + 
"rFpct1pHXFXOVbQicVtbC/DP3KBhZOqp12gKY6fgDT+gr9Oq0n7vUaDmUStVkhUX"
                        + 
"U8u3Zg5mTPj5dUyQ5xJwx0UCAwEAAaNjMGEwHQYDVR0OBBYEFC7j27JJ0JxUeVz6"
                        + 
"Jyr+zE7S6E5UMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAULuPbsknQnFR5"
                        + 
"XPonKv7MTtLoTlQwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4ICAQAF"
                        + 
"Nzr0TbdF4kV1JI+2d1LoHNgQk2Xz8lkGpD4eKexd0dCrfOAKkEh47U6YA5n+KGCR"
                        + 
"HTAduGN8qOY1tfrTYXbm1gdLymmasoR6d5NFFxWfJNCYExL/u6Au/U5Mh/jOXKqY"
                        + 
"GwXgAEZKgoClM4so3O0409/lPun++1ndYYRP0lSWE2ETPo+Aab6TR7U1Q9Jauz1c"
                        + 
"77NCR807VRMGsAnb/WP2OogKmW9+4c4bU2pEZiNRCHu8W1Ki/QY3OEBhj0qWuJA3"
                        + 
"+GbHeJAAFS6LrVE1Uweoa2iu+U48BybNCAVwzDk/dr2l02cmAYamU9JgO3xDf1WK"
                        + 
"vJUawSg5TB9D0pH0clmKuVb8P7Sd2nCcdlqMQ1DujjByTd//SffGqWfZbawCEeI6"
                        + 
"FiWnWAjLb1NBnEg4R2gz0dfHj9R0IdTDBZB6/86WiLEVKV0jq9BgoRJP3vQXzTLl"
                        + 
"yb/IQ639Lo7xr+L0mPoSHyDYwKcMhcWQ9DstliaxLL5Mq+ux0orJ23gTDx4JnW2P"
                        + 
"AJ8C2sH6H3p6CcRK5ogql5+Ji/03X186zjhZhkuvcQu02PJwT58yE+Owp1fl2tpD"
                        + 
"y4Q08ijE6m30Ku/Ba3ba+367hTzSU8JNvnHhRdH9I2cNE3X7z2VnIp2usAnRCf8d"
                        + "NL/+I5c30jn6PQ0GC7TbO6Orb1wdtn7os4I07QZcJA==";

        private static final String CERT_2 = 
"MIIEFTCCAv2gAwIBAgIGSUEs5AAQMA0GCSqGSIb3DQEBCwUAMIGnMQswCQYDVQQG"
                        + 
"EwJIVTERMA8GA1UEBwwIQnVkYXBlc3QxFTATBgNVBAoMDE5ldExvY2sgS2Z0LjE3"
                        + 
"MDUGA1UECwwuVGFuw7pzw610dsOhbnlraWFkw7NrIChDZXJ0aWZpY2F0aW9uIFNl"
                        + 
"cnZpY2VzKTE1MDMGA1UEAwwsTmV0TG9jayBBcmFueSAoQ2xhc3MgR29sZCkgRsWR"
                        + 
"dGFuw7pzw610dsOhbnkwHhcNMDgxMjExMTUwODIxWhcNMjgxMjA2MTUwODIxWjCB"
                        + 
"pzELMAkGA1UEBhMCSFUxETAPBgNVBAcMCEJ1ZGFwZXN0MRUwEwYDVQQKDAxOZXRM"
                        + 
"b2NrIEtmdC4xNzA1BgNVBAsMLlRhbsO6c8OtdHbDoW55a2lhZMOzayAoQ2VydGlm"
                        + 
"aWNhdGlvbiBTZXJ2aWNlcykxNTAzBgNVBAMMLE5ldExvY2sgQXJhbnkgKENsYXNz"
                        + 
"IEdvbGQpIEbFkXRhbsO6c8OtdHbDoW55MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"
                        + 
"MIIBCgKCAQEAxCRec75LbRTDofTjl5Bu0jBFHjzuZ9lk4BqKf8owyoPjIMHj9DrT"
                        + 
"lF8afFttvzBPhCf2nx9JvMaZCpDyD/V/Q4Q3Y1GLeqVw/HpYzY6b7cNGbIRwXdrz"
                        + 
"AZAj/E4wqX7hJ2Pn7WQ8oLjJM2P+FpD/sLj916jAwJRDC7bVWaaeVtAkH3B5r9s5"
                        + 
"VA1lddkVQZQBr17s9o3x/61k/iCa11zr/qYfCGSji3ZVrR47KGAuhyXoqq8fxmRG"
                        + 
"ILdwfzzeSNuWU7c5d+Qa4scWhHaXWy+7GRWF+GmF9ZmnqfI0p6m2pgP8b4Y9VHx2"
                        + 
"BJtr+UBdADTHLpl1neWIA6pN+APSQnbAGwIDAKiLo0UwQzASBgNVHRMBAf8ECDAG"
                        + 
"AQH/AgEEMA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUzPpnk/C2uNClwB7zU/2M"
                        + 
"U9+D15YwDQYJKoZIhvcNAQELBQADggEBAKt/7hwWqZw8UQCgwBEIBaeZ5m8BiFRh"
                        + 
"bvG5GK1Krf6BQCOUL/t1fC8oS2IkgYIL9WHxHG64YTjrgfpioTtaYtOUZcTh5m2C"
                        + 
"+C8lcLIhJsFyUR+MLMOEkMNaj7rP9KdlpeuY0fsFskZ1FSNqb4VjMIDw1Z4fKRzC"
                        + 
"bLBQWV2QWzuoDTDPv31/zvGdg73JRm4gpvlhUbohL3u+pRVjodSVh/GeufOJ8z2F"
                        + 
"uLjbvrW5KfnaNwUASZQDhETnv0Mxz3WLJdH0pmT1kvarBes96aULNmLazAZfNou2"
                        + 
"XjG4Kvte9nHfRCaexOYNkbQudZWAUWpLMKawYqGT8ZvYzsRjdT9ZR7E=";

        private static final String[] CERTS = new String[] { CERT_1, CERT_2 };

        public static void main(String[] args) throws CertificateException, 
IOException {
                for (String base64Cert : CERTS) {
                        byte[] pemCert = Base64.getDecoder().decode(base64Cert);

                        CertificateFactory certFactory = 
CertificateFactory.getInstance("X.509");
                        Certificate cert = certFactory.generateCertificate(new 
ByteArrayInputStream(pemCert));
                        X509Certificate x509Cert = (X509Certificate) cert;

                        X500Principal subject = 
x509Cert.getSubjectX500Principal();
                        byte[] encoded = subject.getEncoded();

                        System.out.println("Processing: " + 
subject.getName(X500Principal.RFC2253));

                        Asn1Sequence asn1seq = (Asn1Sequence) 
Asn1.decode(encoded);
                        byte[] recoded = new 
byte[asn1seq.getContainer().getBodyLength()];
                        int offset = 0;
                        for (Asn1Type asn1set : asn1seq.getValue()) {
                                byte[] term = asn1set.encode();
                                System.arraycopy(term, 0, recoded, offset, 
term.length);
                                offset += term.length;
                        }

                        System.out.println("Unpacked RDNs: " + 
Base64.getEncoder().encodeToString(recoded));
                }
        }

}
{code}

The ouput is:

{noformat}
Processing: CN=E-Tugra Certification Authority,OU=E-Tugra Sertifikasyon 
Merkezi,O=E-Tuğra EBG Bilişim Teknolojileri ve Hizmetleri A.Ş.,L=Ankara,C=TR
Exception in thread "main" java.nio.BufferOverflowException
        at java.base/java.nio.HeapByteBuffer.put(HeapByteBuffer.java:225)
        at java.base/java.nio.ByteBuffer.put(ByteBuffer.java:1031)
        at org.apache.kerby.asn1.type.Asn1Simple.encodeBody(Asn1Simple.java:79)
        at 
org.apache.kerby.asn1.type.Asn1Encodeable.encode(Asn1Encodeable.java:146)
        at 
org.apache.kerby.asn1.type.Asn1Constructed.encodeBody(Asn1Constructed.java:93)
        at 
org.apache.kerby.asn1.type.Asn1Encodeable.encode(Asn1Encodeable.java:146)
        at 
org.apache.kerby.asn1.type.Asn1Constructed.encodeBody(Asn1Constructed.java:93)
        at 
org.apache.kerby.asn1.type.Asn1Encodeable.encode(Asn1Encodeable.java:146)
        at 
org.apache.kerby.asn1.type.Asn1Encodeable.encode(Asn1Encodeable.java:136)
        at 
com.siemens.dynamowerk.certdownloader.KerbyTester.main(KerbyTester.java:96)
{noformat}

The cert is perfectly valid obtained from Mozilla's NSS bundle.


> ASN.1 decodes overflows on Turkish CA
> -------------------------------------
>
>                 Key: DIRKRB-741
>                 URL: https://issues.apache.org/jira/browse/DIRKRB-741
>             Project: Directory Kerberos
>          Issue Type: Bug
>    Affects Versions: 2.0.0
>            Reporter: Michael Osipov
>            Priority: Critical
>
> I am trying to process the subjects of public CAs. Kerby ASN.1 chokes on one. 
> Self-contained example:
> {code:java}
> import java.io.ByteArrayInputStream;
> import java.io.IOException;
> import java.security.cert.Certificate;
> import java.security.cert.CertificateException;
> import java.security.cert.CertificateFactory;
> import java.security.cert.X509Certificate;
> import java.util.Base64;
> import javax.security.auth.x500.X500Principal;
> import org.apache.kerby.asn1.Asn1;
> import org.apache.kerby.asn1.type.Asn1Sequence;
> import org.apache.kerby.asn1.type.Asn1Type;
> public class KerbyTester {
>       private static final String CERT_1 = 
> "MIIGSzCCBDOgAwIBAgIIamg+nFGby1MwDQYJKoZIhvcNAQELBQAwgbIxCzAJBgNV"
>                       + 
> "BAYTAlRSMQ8wDQYDVQQHDAZBbmthcmExQDA+BgNVBAoMN0UtVHXEn3JhIEVCRyBC"
>                       + 
> "aWxpxZ9pbSBUZWtub2xvamlsZXJpIHZlIEhpem1ldGxlcmkgQS7Fni4xJjAkBgNV"
>                       + 
> "BAsMHUUtVHVncmEgU2VydGlmaWthc3lvbiBNZXJrZXppMSgwJgYDVQQDDB9FLVR1"
>                       + 
> "Z3JhIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTEzMDMwNTEyMDk0OFoXDTIz"
>                       + 
> "MDMwMzEyMDk0OFowgbIxCzAJBgNVBAYTAlRSMQ8wDQYDVQQHDAZBbmthcmExQDA+"
>                       + 
> "BgNVBAoMN0UtVHXEn3JhIEVCRyBCaWxpxZ9pbSBUZWtub2xvamlsZXJpIHZlIEhp"
>                       + 
> "em1ldGxlcmkgQS7Fni4xJjAkBgNVBAsMHUUtVHVncmEgU2VydGlmaWthc3lvbiBN"
>                       + 
> "ZXJrZXppMSgwJgYDVQQDDB9FLVR1Z3JhIENlcnRpZmljYXRpb24gQXV0aG9yaXR5"
>                       + 
> "MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4vU/kwVRHoViVF56C/UY"
>                       + 
> "B4Oufq9899SKa6VjQzm5S/fDxmSJPZQuVIBSOTkHS0vdhQd2h8y/L5VMzH2nPbxH"
>                       + 
> "D5hw+IyFHnSOkm0bQNGZDbt1bsipa5rAhDGvykPL6ys06I+XawGb1Q5KCKpbknSF"
>                       + 
> "Q9OArqGIW66z6l7LFpp3RMih9lRozt6Plyu6W0ACDGQXwLWTzeHxE2bODHnv0ZEo"
>                       + 
> "q1+gElIwcxmOj+GMB6LDu0rw6h8VqO4lzKRG+Bsi77MOQ7osJLjFLFzUHPhdZL3D"
>                       + 
> "k14opz8n8Y4e0ypQBaNV2cvnOVPAmJ6MVGKLJrD3fY185MaeZkJVgkfnsliNZvcH"
>                       + 
> "fC425lAcP9tDJMW/hkd5s3kc91r0E+xs+D/iWR+V7kI+ua2oMoVJl0b+SzGPWsut"
>                       + 
> "dEcf6ZG33ygEIqDUD13ieU/qbIWGvaimzuT6w+Gzrt48Ue7LE3wBf4QOXVGUnhMM"
>                       + 
> "ti6lTPk5cDZvlsouDERVxcr6XQKj39ZkjFqzAQqptQpHF//vkUAqjqFGOjGY5RH8"
>                       + 
> "zLtJVor8udBhmm9lbObDyz51Sf6Pp+KJxWfXnUYTTjF2OySznhFlhqt/7x3U+Lzn"
>                       + 
> "rFpct1pHXFXOVbQicVtbC/DP3KBhZOqp12gKY6fgDT+gr9Oq0n7vUaDmUStVkhUX"
>                       + 
> "U8u3Zg5mTPj5dUyQ5xJwx0UCAwEAAaNjMGEwHQYDVR0OBBYEFC7j27JJ0JxUeVz6"
>                       + 
> "Jyr+zE7S6E5UMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAULuPbsknQnFR5"
>                       + 
> "XPonKv7MTtLoTlQwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4ICAQAF"
>                       + 
> "Nzr0TbdF4kV1JI+2d1LoHNgQk2Xz8lkGpD4eKexd0dCrfOAKkEh47U6YA5n+KGCR"
>                       + 
> "HTAduGN8qOY1tfrTYXbm1gdLymmasoR6d5NFFxWfJNCYExL/u6Au/U5Mh/jOXKqY"
>                       + 
> "GwXgAEZKgoClM4so3O0409/lPun++1ndYYRP0lSWE2ETPo+Aab6TR7U1Q9Jauz1c"
>                       + 
> "77NCR807VRMGsAnb/WP2OogKmW9+4c4bU2pEZiNRCHu8W1Ki/QY3OEBhj0qWuJA3"
>                       + 
> "+GbHeJAAFS6LrVE1Uweoa2iu+U48BybNCAVwzDk/dr2l02cmAYamU9JgO3xDf1WK"
>                       + 
> "vJUawSg5TB9D0pH0clmKuVb8P7Sd2nCcdlqMQ1DujjByTd//SffGqWfZbawCEeI6"
>                       + 
> "FiWnWAjLb1NBnEg4R2gz0dfHj9R0IdTDBZB6/86WiLEVKV0jq9BgoRJP3vQXzTLl"
>                       + 
> "yb/IQ639Lo7xr+L0mPoSHyDYwKcMhcWQ9DstliaxLL5Mq+ux0orJ23gTDx4JnW2P"
>                       + 
> "AJ8C2sH6H3p6CcRK5ogql5+Ji/03X186zjhZhkuvcQu02PJwT58yE+Owp1fl2tpD"
>                       + 
> "y4Q08ijE6m30Ku/Ba3ba+367hTzSU8JNvnHhRdH9I2cNE3X7z2VnIp2usAnRCf8d"
>                       + "NL/+I5c30jn6PQ0GC7TbO6Orb1wdtn7os4I07QZcJA==";
>       private static final String CERT_2 = 
> "MIIEFTCCAv2gAwIBAgIGSUEs5AAQMA0GCSqGSIb3DQEBCwUAMIGnMQswCQYDVQQG"
>                       + 
> "EwJIVTERMA8GA1UEBwwIQnVkYXBlc3QxFTATBgNVBAoMDE5ldExvY2sgS2Z0LjE3"
>                       + 
> "MDUGA1UECwwuVGFuw7pzw610dsOhbnlraWFkw7NrIChDZXJ0aWZpY2F0aW9uIFNl"
>                       + 
> "cnZpY2VzKTE1MDMGA1UEAwwsTmV0TG9jayBBcmFueSAoQ2xhc3MgR29sZCkgRsWR"
>                       + 
> "dGFuw7pzw610dsOhbnkwHhcNMDgxMjExMTUwODIxWhcNMjgxMjA2MTUwODIxWjCB"
>                       + 
> "pzELMAkGA1UEBhMCSFUxETAPBgNVBAcMCEJ1ZGFwZXN0MRUwEwYDVQQKDAxOZXRM"
>                       + 
> "b2NrIEtmdC4xNzA1BgNVBAsMLlRhbsO6c8OtdHbDoW55a2lhZMOzayAoQ2VydGlm"
>                       + 
> "aWNhdGlvbiBTZXJ2aWNlcykxNTAzBgNVBAMMLE5ldExvY2sgQXJhbnkgKENsYXNz"
>                       + 
> "IEdvbGQpIEbFkXRhbsO6c8OtdHbDoW55MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"
>                       + 
> "MIIBCgKCAQEAxCRec75LbRTDofTjl5Bu0jBFHjzuZ9lk4BqKf8owyoPjIMHj9DrT"
>                       + 
> "lF8afFttvzBPhCf2nx9JvMaZCpDyD/V/Q4Q3Y1GLeqVw/HpYzY6b7cNGbIRwXdrz"
>                       + 
> "AZAj/E4wqX7hJ2Pn7WQ8oLjJM2P+FpD/sLj916jAwJRDC7bVWaaeVtAkH3B5r9s5"
>                       + 
> "VA1lddkVQZQBr17s9o3x/61k/iCa11zr/qYfCGSji3ZVrR47KGAuhyXoqq8fxmRG"
>                       + 
> "ILdwfzzeSNuWU7c5d+Qa4scWhHaXWy+7GRWF+GmF9ZmnqfI0p6m2pgP8b4Y9VHx2"
>                       + 
> "BJtr+UBdADTHLpl1neWIA6pN+APSQnbAGwIDAKiLo0UwQzASBgNVHRMBAf8ECDAG"
>                       + 
> "AQH/AgEEMA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUzPpnk/C2uNClwB7zU/2M"
>                       + 
> "U9+D15YwDQYJKoZIhvcNAQELBQADggEBAKt/7hwWqZw8UQCgwBEIBaeZ5m8BiFRh"
>                       + 
> "bvG5GK1Krf6BQCOUL/t1fC8oS2IkgYIL9WHxHG64YTjrgfpioTtaYtOUZcTh5m2C"
>                       + 
> "+C8lcLIhJsFyUR+MLMOEkMNaj7rP9KdlpeuY0fsFskZ1FSNqb4VjMIDw1Z4fKRzC"
>                       + 
> "bLBQWV2QWzuoDTDPv31/zvGdg73JRm4gpvlhUbohL3u+pRVjodSVh/GeufOJ8z2F"
>                       + 
> "uLjbvrW5KfnaNwUASZQDhETnv0Mxz3WLJdH0pmT1kvarBes96aULNmLazAZfNou2"
>                       + 
> "XjG4Kvte9nHfRCaexOYNkbQudZWAUWpLMKawYqGT8ZvYzsRjdT9ZR7E=";
>       private static final String[] CERTS = new String[] { CERT_1, CERT_2 };
>       public static void main(String[] args) throws CertificateException, 
> IOException {
>               for (String base64Cert : CERTS) {
>                       byte[] pemCert = Base64.getDecoder().decode(base64Cert);
>                       CertificateFactory certFactory = 
> CertificateFactory.getInstance("X.509");
>                       Certificate cert = certFactory.generateCertificate(new 
> ByteArrayInputStream(pemCert));
>                       X509Certificate x509Cert = (X509Certificate) cert;
>                       X500Principal subject = 
> x509Cert.getSubjectX500Principal();
>                       byte[] encoded = subject.getEncoded();
>                       System.out.println("Processing: " + 
> subject.getName(X500Principal.RFC2253));
>                       Asn1Sequence asn1seq = (Asn1Sequence) 
> Asn1.decode(encoded);
>                       byte[] recoded = new 
> byte[asn1seq.getContainer().getBodyLength()];
>                       int offset = 0;
>                       for (Asn1Type asn1set : asn1seq.getValue()) {
>                               byte[] term = asn1set.encode();
>                               System.arraycopy(term, 0, recoded, offset, 
> term.length);
>                               offset += term.length;
>                       }
>                       System.out.println("Unpacked RDNs: " + 
> Base64.getEncoder().encodeToString(recoded));
>               }
>       }
> }
> {code}
> The output is:
> {noformat}
> Processing: CN=E-Tugra Certification Authority,OU=E-Tugra Sertifikasyon 
> Merkezi,O=E-Tuğra EBG Bilişim Teknolojileri ve Hizmetleri A.Ş.,L=Ankara,C=TR
> Exception in thread "main" java.nio.BufferOverflowException
>       at java.base/java.nio.HeapByteBuffer.put(HeapByteBuffer.java:225)
>       at java.base/java.nio.ByteBuffer.put(ByteBuffer.java:1031)
>       at org.apache.kerby.asn1.type.Asn1Simple.encodeBody(Asn1Simple.java:79)
>       at 
> org.apache.kerby.asn1.type.Asn1Encodeable.encode(Asn1Encodeable.java:146)
>       at 
> org.apache.kerby.asn1.type.Asn1Constructed.encodeBody(Asn1Constructed.java:93)
>       at 
> org.apache.kerby.asn1.type.Asn1Encodeable.encode(Asn1Encodeable.java:146)
>       at 
> org.apache.kerby.asn1.type.Asn1Constructed.encodeBody(Asn1Constructed.java:93)
>       at 
> org.apache.kerby.asn1.type.Asn1Encodeable.encode(Asn1Encodeable.java:146)
>       at 
> org.apache.kerby.asn1.type.Asn1Encodeable.encode(Asn1Encodeable.java:136)
>       at 
> com.siemens.dynamowerk.certdownloader.KerbyTester.main(KerbyTester.java:96)
> {noformat}
> The cert is perfectly valid; it was obtained from Mozilla's NSS bundle.


