8172244: AIOOBE in KeyStore.getCertificateAlias on Windows

Reviewed-by: vinnie
2017-05-25 11:31:23 +01:00 · 2017-05-25 11:31:23 +01:00 · da44748ec7
commit da44748ec7
parent 2d7f46e91b
2 changed files with 86 additions and 3 deletions
--- a/jdk/src/jdk.crypto.mscapi/windows/classes/sun/security/mscapi/KeyStore.java
+++ b/jdk/src/jdk.crypto.mscapi/windows/classes/sun/security/mscapi/KeyStore.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -513,7 +513,7 @@ abstract class KeyStore extends KeyStoreSpi {
        if (entry != null) {
            // Get end-entity certificate and remove from system cert store
            X509Certificate[] certChain = entry.getCertificateChain();
-            if (certChain != null) {
+            if (certChain != null && certChain.length > 0) {

                try {

@ -629,7 +629,9 @@ abstract class KeyStore extends KeyStoreSpi {

        for (Map.Entry<String,KeyEntry> mapEntry : entries.entrySet()) {
            KeyEntry entry = mapEntry.getValue();
-            if (entry.certChain != null && entry.certChain[0].equals(cert)) {
+            if (entry.certChain != null &&
+                entry.certChain.length > 0 &&
+                entry.certChain[0].equals(cert)) {
                return entry.getAlias();
            }
        }
--- a/jdk/test/sun/security/mscapi/KeyStoreEmptyCertChain.java
+++ b/jdk/test/sun/security/mscapi/KeyStoreEmptyCertChain.java
@ -0,0 +1,81 @@
+/*
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8172244
+ * @summary Verify that no exception is thrown with empty cert chain
+ *    in MSCAPI.
+ * @requires os.family == "windows"
+ * @modules java.base/sun.security.tools.keytool java.base/sun.security.x509
+ * @run main/othervm --add-opens java.base/java.security=ALL-UNNAMED
+ *      KeyStoreEmptyCertChain
+ */
+
+import java.security.KeyStore;
+import java.security.cert.Certificate;
+import sun.security.x509.X500Name;
+import sun.security.tools.keytool.CertAndKeyGen;
+import java.security.KeyPairGenerator;
+import java.security.KeyPair;
+import java.security.PrivateKey;
+import java.security.KeyStoreSpi;
+import java.lang.reflect.*;
+
+public class KeyStoreEmptyCertChain {
+
+    public static void main(String[] args) {
+
+        try {
+
+            KeyStore keyStore = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
+            keyStore.load(null, null);
+
+            // Generate a certificate to use for testing
+            CertAndKeyGen gen = new CertAndKeyGen("RSA", "SHA256withRSA");
+            gen.generate(2048);
+            Certificate cert =
+                gen.getSelfCertificate(new X500Name("CN=test"), 3600);
+            String alias = "JDK-8172244";
+            char[] password = "password".toCharArray();
+            KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
+
+            // generate a private key for the certificate
+            kpg.initialize(2048);
+            KeyPair keyPair = kpg.generateKeyPair();
+            PrivateKey privKey = keyPair.getPrivate();
+            // need to bypass checks to store the private key without the cert
+            Field spiField = KeyStore.class.getDeclaredField("keyStoreSpi");
+            spiField.setAccessible(true);
+            KeyStoreSpi spi = (KeyStoreSpi) spiField.get(keyStore);
+            spi.engineSetKeyEntry(alias, privKey, password, new Certificate[0]);
+            keyStore.store(null, null);
+
+            keyStore.getCertificateAlias(cert);
+            keyStore.deleteEntry(alias);
+            // test passes if no exception is thrown
+        } catch (Exception ex) {
+            throw new RuntimeException(ex);
+        }
+    }
+}