Fix for PemTrustConfigTests.testTrustConfigReloadsFileContents failure #43539

Merged (1 commit) on Jun 25, 2019

@bizybot (Contributor) commented Jun 24, 2019

The test `PemTrustConfigTests.testTrustConfigReloadsFileContents` failed
intermittently with `ArrayIndexOutOfBoundsException` while parsing
the randomly generated byte array representing a DER-encoded stream.
This seems to be a bug in the JDK (once confirmed we can raise the bug
in the JDK bug system).

The problem arises when `X509Factory#parseX509orPKCS7()` tries to
[create a `PKCS7` block](https://github.com/AdoptOpenJDK/openjdk-jdk11/blob/19fb8f93c59dfd791f62d41f332db9e306bc1422/src/java.base/share/classes/sun/security/provider/X509Factory.java#L460) from a DER-encoded stream. While constructing the PKCS7
block it tries to create a `ContentInfo` type but fails to do so for a
stream where the length after the DER SEQUENCE is 0.
`DerInputStream#getSequence` [may return an empty array of `DerValue`](https://github.com/AdoptOpenJDK/openjdk-jdk11/blob/19fb8f93c59dfd791f62d41f332db9e306bc1422/src/java.base/share/classes/sun/security/util/DerInputStream.java#L409..L412) but
[the code in `ContentInfo`](https://github.com/AdoptOpenJDK/openjdk-jdk11/blob/19fb8f93c59dfd791f62d41f332db9e306bc1422/src/java.base/share/classes/sun/security/pkcs/ContentInfo.java#L135) does not check for the empty array, thereby throwing
`ArrayIndexOutOfBoundsException`.

Closes elastic#42509
@bizybot bizybot added >test Issues or PRs that are addressing/adding tests v8.0.0 v6.7.3 v7.3.0 v6.8.2 labels Jun 24, 2019
@bizybot bizybot requested a review from tvernum June 24, 2019 14:31
@bizybot bizybot added the :Security/TLS SSL/TLS, Certificates label Jun 24, 2019
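
One way calling code can guard against the failure described above, as an added example that is not code from this PR, Elasticsearch or the JDK: it rejects a zero-length DER SEQUENCE before parsing and converts any unchecked parser exception into the checked `CertificateException`. The class name `GuardedCertParser`, its methods and the sample bytes are hypothetical and constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.Collection;

public class GuardedCertParser { // hypothetical name, not part of the PR
    // True when the input is a SEQUENCE (tag 0x30) whose declared length is 0,
    // in short form (30 00) or long form (30 81 00, 30 82 00 00, ...).
    static boolean isEmptySequence(byte[] in) {
        if (in.length < 2 || in[0] != 0x30) return false;
        int first = in[1] & 0xff;
        if (first < 0x80) return first == 0;            // short-form length
        int n = first & 0x7f;                           // number of length octets
        if (n == 0 || in.length < 2 + n) return false;  // indefinite or truncated
        for (int i = 2; i < 2 + n; i++) {
            if (in[i] != 0) return false;
        }
        return true;
    }

    static Collection<? extends Certificate> parse(byte[] in) throws CertificateException {
        if (isEmptySequence(in)) {
            throw new CertificateException("empty DER SEQUENCE");
        }
        try {
            return CertificateFactory.getInstance("X.509")
                    .generateCertificates(new ByteArrayInputStream(in));
        } catch (RuntimeException e) {
            // Unchecked parser failures (such as the ArrayIndexOutOfBoundsException
            // in this PR) become the checked exception callers already handle.
            throw new CertificateException("malformed certificate data", e);
        }
    }

    public static void main(String[] args) {
        byte[][] samples = {               // constructed inputs
            {0x30, 0x00},                  // empty SEQUENCE, short-form length
            {0x30, (byte) 0x81, 0x00},     // empty SEQUENCE, long-form length
            {0x01, 0x02, 0x03},            // arbitrary non-certificate bytes
        };
        for (byte[] s : samples) {
            try {
                System.out.println("parsed " + parse(s).size() + " certificate(s)");
            } catch (CertificateException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```
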
@elasticmachine
Collaborator

Pinging @elastic/es-security

@bizybot bizybot merged commit 7054a42 into elastic:master Jun 25, 2019
bizybot added a commit to bizybot/elasticsearch that referenced this pull request Jun 26, 2019
elastic#43539)
bizybot added a commit that referenced this pull request Jun 26, 2019
#43539) (#43613)
cbuescher pushed a commit to cbuescher/elasticsearch that referenced this pull request Jul 16, 2019
Since elastic#42509 is closed and the fix seems to have been backported to 7.x (elastic#43539)
the test can be enabled again.
@jkakavas
Member

@bizybot did you raise the issue upstream?

@bizybot
Contributor Author

bizybot commented Jul 23, 2019

> @bizybot did you raise the issue upstream?

@jkakavas I have not yet raised an issue for it. I need to create a repro example and then add it to the bug, will do this week. Do you have anything to add in that bug? Thanks for the ping.

@jkakavas
Member

Nothing to add, just pinged to make sure we didn't miss that since I stumbled upon it :)

cbuescher pushed a commit that referenced this pull request Jul 31, 2019
Since #42509 is closed and the fix seems to have been backported to 7.x (#43539)
the test can be enabled again.
rjernst pushed a commit that referenced this pull request Feb 27, 2020
#43539)
@rjernst rjernst added the v6.8.7 label Feb 27, 2020
Labels
:Security/TLS SSL/TLS, Certificates >test Issues or PRs that are addressing/adding tests v6.8.7 v7.3.0 v8.0.0-alpha1
Successfully merging this pull request may close these issues.

[CI] PemTrustConfigTests.testTrustConfigReloadsFileContents failure