8239094: PKCS#9 ChallengePassword attribute does not allow for the UTF8String type

Reviewed-by: xuelei
2020-02-19 13:36:53 -08:00 · 2020-02-19 13:36:53 -08:00 · 39db83a9cc
commit 39db83a9cc
parent e028bb4f2b
2 changed files with 126 additions and 14 deletions
--- a/src/java.base/share/classes/sun/security/pkcs/PKCS9Attribute.java
+++ b/src/java.base/share/classes/sun/security/pkcs/PKCS9Attribute.java
@ -30,7 +30,7 @@ import java.io.OutputStream;
 import java.security.cert.CertificateException;
 import java.util.Locale;
 import java.util.Date;
-import java.util.Hashtable;
+import java.util.HashMap;
 import sun.security.x509.CertificateExtensions;
 import sun.security.util.Debug;
 import sun.security.util.DerEncoder;
@ -247,12 +247,12 @@ public class PKCS9Attribute implements DerEncoder {
                                "SignatureTimestampToken";

    /**
-     * Hashtable mapping names and variant names of supported
+     * HashMap mapping names and variant names of supported
     * attributes to their OIDs. This table contains all name forms
     * that occur in PKCS9, in lower case.
     */
-    private static final Hashtable<String, ObjectIdentifier> NAME_OID_TABLE =
-        new Hashtable<String, ObjectIdentifier>(17);
+    private static final HashMap<String, ObjectIdentifier> NAME_OID_TABLE =
+        new HashMap<String, ObjectIdentifier>(17);

    static { // static initializer for PCKS9_NAMES
        NAME_OID_TABLE.put("emailaddress", PKCS9_OIDS[1]);
@ -275,11 +275,11 @@ public class PKCS9Attribute implements DerEncoder {
    };

    /**
-     * Hashtable mapping attribute OIDs defined in PKCS9 to the
+     * HashMap mapping attribute OIDs defined in PKCS9 to the
     * corresponding attribute value type.
     */
-    private static final Hashtable<ObjectIdentifier, String> OID_NAME_TABLE =
-        new Hashtable<ObjectIdentifier, String>(17);
+    private static final HashMap<ObjectIdentifier, String> OID_NAME_TABLE =
+        new HashMap<ObjectIdentifier, String>(17);
    static {
        OID_NAME_TABLE.put(PKCS9_OIDS[1], EMAIL_ADDRESS_STR);
        OID_NAME_TABLE.put(PKCS9_OIDS[2], UNSTRUCTURED_NAME_STR);
@ -315,7 +315,10 @@ public class PKCS9Attribute implements DerEncoder {
        {DerValue.tag_UtcTime},     // SigningTime
        {DerValue.tag_Sequence},    // Countersignature
        {DerValue.tag_PrintableString,
-         DerValue.tag_T61String},   // ChallengePassword
+         DerValue.tag_T61String,
+         DerValue.tag_BMPString,
+         DerValue.tag_UniversalString,
+         DerValue.tag_UTF8String},   // ChallengePassword
        {DerValue.tag_PrintableString,
         DerValue.tag_T61String},   // UnstructuredAddress
        {DerValue.tag_SetOf},       // ExtendedCertificateAttributes
@ -508,9 +511,8 @@ public class PKCS9Attribute implements DerEncoder {

        // check for illegal element tags
        Byte tag;
-        for (int i=0; i < elems.length; i++) {
-            tag = elems[i].tag;
-
+        for (DerValue elem : elems) {
+            tag = elem.tag;
            if (indexOf(tag, PKCS9_VALUE_TAGS[index], 0) == -1)
                throwTagException(tag);
        }
@ -599,6 +601,7 @@ public class PKCS9Attribute implements DerEncoder {
     * <code>PrintableString</code>s, without checking whether they
     * should be encoded as <code>T61String</code>s.
     */
+    @Override
    public void derEncode(OutputStream out) throws IOException {
        DerOutputStream temp = new DerOutputStream();
        temp.putOID(oid);
@ -787,6 +790,7 @@ public class PKCS9Attribute implements DerEncoder {
    /**
     * Returns a string representation of this attribute.
     */
+    @Override
    public String toString() {
        StringBuilder sb = new StringBuilder(100);

@ -812,13 +816,12 @@ public class PKCS9Attribute implements DerEncoder {
            boolean first = true;
            Object[] values = (Object[]) value;

-            for (int j=0; j < values.length; j++) {
+            for (Object curVal : values) {
                if (first)
                    first = false;
                else
                    sb.append(", ");
-
-                sb.append(values[j].toString());
+                sb.append(curVal.toString());
            }
            return sb.toString();
        }
--- a/test/jdk/sun/security/pkcs/pkcs9/ChallengePassStringFmt.java
+++ b/test/jdk/sun/security/pkcs/pkcs9/ChallengePassStringFmt.java
@ -0,0 +1,109 @@
+/*
+ * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8239094
+ * @summary PKCS#9 ChallengePassword attribute does not allow for the
+ *          UTF8String type
+ * @modules java.base/sun.security.pkcs10
+ */
+
+import java.io.IOException;
+import java.util.Base64;
+import java.util.Map;
+import sun.security.pkcs10.PKCS10;
+
+public class ChallengePassStringFmt {
+
+    static final Map<String, String> TEST_INPUT = Map.of(
+        "PKCS10 with password as TeletexString",
+        "MIIBBzCBrQIBADAoMQ0wCwYDVQQKEwRUZXN0MRcwFQYDVQQDEw5UZXN0IFQ2MVN0\n" +
+        "cmluZzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABH9MshRAqmpY6o80JJY2DCA6\n" +
+        "uN6GoG79khaIkdjEw0HHAkQDJ0aLPsZ87lqqba7NvmLw8wi/AXiyTLdBHOhy2n+g\n" +
+        "IzAhBgkqhkiG9w0BCQcxFBQSVDYxU3RyaW5nIXBhc3N3b3JkMAoGCCqGSM49BAMC\n" +
+        "A0kAMEYCIQDv6sj5Jf1yocHEiD8sZ6F8YMP3lcyzrhwrfZ16xN9azwIhAL7GJGgQ\n" +
+        "LmAbXTm59gWL7uofniwX22vv55J4nWt7a3jI",
+
+        "PKCS10 with password as PrintableString",
+        "MIIBDzCBtQIBADAuMQ0wCwYDVQQKEwRUZXN0MR0wGwYDVQQDExRUZXN0IFByaW50\n" +
+        "YWJsZVN0cmluZzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABD4JaJAehTeZy4Fx\n" +
+        "jxNUZqhzwywIUjoK8kzYenEFRLiqCpDynhixE3zEsnFEzXsF1V7BX5HhU8NE2xrH\n" +
+        "GrDPY/agJTAjBgkqhkiG9w0BCQcxFhMUUHJpbnRhYmxlU3RyaW5nIHBhc3MwCgYI\n" +
+        "KoZIzj0EAwIDSQAwRgIhANmqfVcArwm0+C/5MJqUpbGqryYzGlHunmUpbKxTrt9T\n" +
+        "AiEAiAmSSLvyfoXms8f6+1q2NElVNIj6ULherOEuU13Hd8U=",
+
+        "PKCS10 with password as BMPString",
+        "MIIBGDCBvwIBADAoMQ0wCwYDVQQKEwRUZXN0MRcwFQYDVQQDEw5UZXN0IEJNUFN0\n" +
+        "cmluZzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEC6gpNha74xeCabdi647rXq\n" +
+        "5unD5FTgA5RGGUd+uixOjwrRrCWTQbZ1//1MrioKbzWB1BjKmJI0N2plwIBmbAGg\n" +
+        "NTAzBgkqhkiG9w0BCQcxJh4kAEIATQBQAFMAdAByAGkAbgBnACEAcABhAHMAcwB3\n" +
+        "AG8AcgBkMAoGCCqGSM49BAMCA0gAMEUCIDN2n8G+jzKamNmTJkSixgiq3ysR1GHY\n" +
+        "5e0J5zRjtMtHAiEAy3me/gRIXa2OecrXGC+UjYJ1bLKkr1xadiolFv+1fkQ=",
+
+        "PKCS10 with password as UniversalString",
+        "MIIBPzCB5QIBADAuMQ0wCwYDVQQKDARUZXN0MR0wGwYDVQQDDBRUZXN0IFVuaXZl\n" +
+        "cnNhbFN0cmluZzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABFe/CetRtzHEeN7J\n" +
+        "fDi020fGb96RqMHFr/yuwcVmao3tZzSbYDZwLrMdk77PeX25GJG9vB6fgepaOXHS\n" +
+        "uVJlB6ugVTBTBgkqhkiG9w0BCQcxRhxEAAAAVQAAAG4AAABpAAAAdgAAAGUAAABy\n" +
+        "AAAAcwAAAGEAAABsAAAAUAAAAGEAAABzAAAAcwAAAHcAAABvAAAAcgAAAGQwCgYI\n" +
+        "KoZIzj0EAwIDSQAwRgIhAJIQmTp0HyHHzGbdr68wG7N5twevt+3VipsU8Kk10LiX\n" +
+        "AiEAkU/X7dDtjlIM6BHdssIlRlS/KFhmsLDq6RgREFmdjBQ=",
+
+        "PKCS10 with password as UTF8String",
+        "MIH7MIGiAgEAMCMxDTALBgNVBAoMBFRlc3QxEjAQBgNVBAMMCVRlc3QgVVRGODBZ\n" +
+        "MBMGByqGSM49AgEGCCqGSM49AwEHA0IABCvIy9BZ/hvmP9WdeIVnqPmbhcTl9IDy\n" +
+        "9uzWh5PH04u4LXUWWPedQL7DWBK9pRlV5HgvuPll0mMmC6goewqOC6SgHTAbBgkq\n" +
+        "hkiG9w0BCQcxDgwMdXRmOHBhc3N3b3JkMAoGCCqGSM49BAMCA0gAMEUCIQD396fy\n" +
+        "H2maO/rAj0EIWyNs9dFrDGf/IN08+qj8YFn0jgIgEJ5sXV2GLKX5CqfeyTWyu02f\n" +
+        "WEf4+EIuvcItbM4jhbs="
+    );
+
+    public static void main(String[] args) throws Exception {
+        int failedTests = 0;
+
+        for (Map.Entry<String, String> entry : TEST_INPUT.entrySet()) {
+            try {
+                System.out.print("Test - " + entry.getKey() + ": ");
+
+                // If the PKCS9 challengePassword attribute cannot accept the
+                // DirectoryString encoding for the password, parsing the
+                // PKCS10 should fail.
+                PKCS10 req = new PKCS10(Base64.getMimeDecoder().
+                        decode(entry.getValue()));
+
+                System.out.println("PASS");
+            } catch (IOException ioe) {
+                failedTests++;
+                System.out.println("FAIL: " + ioe);
+                ioe.printStackTrace(System.out);
+                System.out.println();
+            }
+        }
+
+        if (failedTests > 0) {
+            throw new RuntimeException(
+                    "One or more test cases failed, see output");
+        }
+    }
+}