
List:       bouncycastle-crypto-dev
Subject:    Re: [dev-crypto] Problem in X509ExtensionUtils.calculateIdentifier
From:       Matthew Hall <mhall () mhcomputing ! net>
Date:       2013-04-19 21:18:11
Message-ID: 20130419211811.GA22438 () mhcomputing ! net

"// it's hard to imagine this happening, but yes it does!"

Very true! :-D

In my case it happened when two threads were using the same X509ExtensionUtils 
and stomping upon one another, but it was tough to debug right since the 
exception was swallowed.

But it could also happen if you tried to calculate a KeyId for an untrusted 
cert or something odd like this.

Matthew.

On Fri, Apr 19, 2013 at 04:45:57PM +1000, David Hook wrote:
> 
> Ooops... Both these issues are now fixed.
> 
> Sorry about that.
> 
> Regards,
> 
> David
> 
> On 19/04/13 09:41, Matthew Hall wrote:
> > Hello,
> > 
> > This function is silently dropping IOException instead of reporting it to the
> > caller or logging it or wrapping it with a RuntimeException;
> > 
> > private byte[] calculateIdentifier(SubjectPublicKeyInfo publicKeyInfo)
> > {
> >     byte[] bytes = publicKeyInfo.getPublicKeyData().getBytes();
> > 
> >     OutputStream cOut = calculator.getOutputStream();
> > 
> >     try
> >     {
> >         cOut.write(bytes);
> > 
> >         cOut.close();
> >     }
> >     catch (IOException e)
> >     {
> > 
> >     }
> > 
> >     return calculator.getDigest();
> > }
> > 
> > It's causing problems if I attempt to calculate an identifier, because once
> > the IOException gets missed, you end up with an error from the getDigest()
> > which is difficult to debug:
> > 
> > java.lang.ArrayIndexOutOfBoundsException
> >     at java.lang.System.arraycopy(Native Method)
> >     at sun.security.provider.DigestBase.engineUpdate(DigestBase.java:127)
> >     at java.security.MessageDigest$Delegate.engineUpdate(MessageDigest.java:555)
> >     at java.security.MessageDigest.update(MessageDigest.java:310)
> >     at java.security.MessageDigest.digest(MessageDigest.java:385)
> >     at org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils$SHA1DigestCalculator.getDigest(JcaX509ExtensionUtils.java:122)
> >  
> > Another thing, because it uses a DigestCalculator instance stored in the
> > class, and does not use a ThreadLocal, or create one on the stack, this class
> > is not thread-safe, such as for use in a Servlet, which is opposite what one
> > would expect on most *Util classes. Perhaps this could be written in the
> > javadoc?
> > 
> > Thanks,
> > Matthew.
> > 
> > 
> 
> 
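
The two problems raised in this thread (a swallowed IOException and a digest instance shared between threads) can be avoided together, as in this added example, which is not Bouncy Castle code and not the fix referred to above. The class name KeyIdDemo and the sample key bytes are hypothetical, the JDK's MessageDigest stands in for the DigestCalculator, and Java 11 or later is assumed.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.io.UncheckedIOException;
import java.security.DigestOutputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.*;
import java.util.concurrent.*;

public class KeyIdDemo {
    // Hypothetical helper: SHA-1 over the public key bytes, one digest per call.
    static byte[] calculateIdentifier(byte[] publicKeyBytes) {
        MessageDigest sha1;
        try {
            sha1 = MessageDigest.getInstance("SHA-1"); // local, never shared between threads
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-1 not available", e);
        }
        try (OutputStream out = new DigestOutputStream(OutputStream.nullOutputStream(), sha1)) {
            out.write(publicKeyBytes);
        } catch (IOException e) {
            // Report the failure instead of returning a digest of partial input.
            throw new UncheckedIOException("writing key data to digest failed", e);
        }
        return sha1.digest();
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[270]; // constructed sample input, not a real key
        Arrays.fill(key, (byte) 0x5a);
        byte[] expected = calculateIdentifier(key);

        // Many callers at once, as in a servlet container.
        ExecutorService pool = Executors.newFixedThreadPool(8);
        Callable<byte[]> task = () -> calculateIdentifier(key);
        List<Future<byte[]>> results = new ArrayList<>();
        for (int i = 0; i < 1000; i++) {
            results.add(pool.submit(task));
        }
        for (Future<byte[]> f : results) {
            if (!Arrays.equals(expected, f.get())) {
                throw new AssertionError("digest mismatch under concurrency");
            }
        }
        pool.shutdown();
        System.out.println("1000 concurrent calls agreed on a " + expected.length + "-byte identifier");
    }
}
```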

