8236191: Enhance OID processing

XueleiFan · XueleiFan · commit 8fdbb2907969 · 2020-03-05T14:59:34.000-08:00
Reviewed-by: jnimeh, weijun, ahgross, rhalade
diff --git a/src/java.base/share/classes/sun/security/util/ObjectIdentifier.java b/src/java.base/share/classes/sun/security/util/ObjectIdentifier.java
@@ -52,6 +52,25 @@
  */
 
 public final class ObjectIdentifier implements Serializable {
+    /*
+     * The maximum encoded OID length, excluding the ASN.1 encoding tag and
+     * length.
+     *
+     * In theory, there is no maximum size for OIDs.  However, there are some
+     * limitation in practice.
+     *
+     * RFC 5280 mandates support for OIDs that have arc elements with values
+     * that are less than 2^28 (that is, they MUST be between 0 and
+     * 268,435,455, inclusive), and implementations MUST be able to handle
+     * OIDs with up to 20 elements (inclusive).  Per RFC 5280, an encoded
+     * OID should be less than 80 bytes for safe interoperability.
+     *
+     * This class could be used for protocols other than X.509 certificates.
+     * To be safe, a relatively large but still reasonable value is chosen
+     * as the restriction in JDK.
+     */
+    private static final int MAXIMUM_OID_SIZE = 4096;    // 2^12
+
     /**
      * We use the DER value (no tag, no length) as the internal format
      * @serial
@@ -118,7 +137,13 @@ private void readObject(ObjectInputStream is)
             if (componentLen > comp.length) {
                 componentLen = comp.length;
             }
+
+            // Check the estimated size before it is too later.
+            checkOidSize(componentLen);
+
             init(comp, componentLen);
+        } else {
+            checkOidSize(encoding.length);
         }
     }
 
@@ -203,6 +228,8 @@ private ObjectIdentifier(String oid) throws IOException {
                 }
                 start = end + 1;
                 count++;
+
+                checkOidSize(pos);
             } while (end != -1);
 
             checkCount(count);
@@ -250,11 +277,13 @@ public ObjectIdentifier(DerInputStream in) throws IOException {
                 );
 
         int len = in.getDefiniteLength();
+        checkOidSize(len);
         if (len > in.available()) {
-            throw new IOException("ObjectIdentifier() -- length exceeds" +
+            throw new IOException("ObjectIdentifier length exceeds " +
                     "data available.  Length: " + len + ", Available: " +
                     in.available());
         }
+
         encoding = new byte[len];
         in.getBytes(encoding);
         check(encoding);
@@ -267,26 +296,32 @@ public ObjectIdentifier(DerInputStream in) throws IOException {
      */
     ObjectIdentifier(DerInputBuffer buf) throws IOException {
         DerInputStream in = new DerInputStream(buf);
-        encoding = new byte[in.available()];
+        int len = in.available();
+        checkOidSize(len);
+
+        encoding = new byte[len];
         in.getBytes(encoding);
         check(encoding);
     }
 
-    private void init(int[] components, int length) {
+    private void init(int[] components, int length) throws IOException {
         int pos = 0;
-        byte[] tmp = new byte[length*5+1];  // +1 for empty input
+        byte[] tmp = new byte[length * 5 + 1];  // +1 for empty input
 
-        if (components[1] < Integer.MAX_VALUE - components[0]*40)
-            pos += pack7Oid(components[0]*40+components[1], tmp, pos);
-        else {
+        if (components[1] < Integer.MAX_VALUE - components[0] * 40) {
+            pos += pack7Oid(components[0] * 40 + components[1], tmp, pos);
+        } else {
             BigInteger big = BigInteger.valueOf(components[1]);
-            big = big.add(BigInteger.valueOf(components[0]*40));
+            big = big.add(BigInteger.valueOf(components[0] * 40));
             pos += pack7Oid(big, tmp, pos);
         }
 
-        for (int i=2; i<length; i++) {
+        for (int i = 2; i < length; i++) {
             pos += pack7Oid(components[i], tmp, pos);
+
+            checkOidSize(pos);
         }
+
         encoding = new byte[pos];
         System.arraycopy(tmp, 0, encoding, 0, pos);
     }
@@ -690,4 +725,13 @@ private static void checkOtherComponent(
                     "oid component #" + (i+1) + " must be non-negative ");
         }
     }
+
+    private static void checkOidSize(int oidLength) throws IOException {
+        if (oidLength > MAXIMUM_OID_SIZE) {
+            throw new IOException(
+                    "ObjectIdentifier encoded length exceeds " +
+                    "the restriction in JDK (OId length(>=): " + oidLength +
+                    ", Restriction: " + MAXIMUM_OID_SIZE + ")");
+        }
+    }
 }
