Bug 1582323 - DER encoding error for enumerated types with a value of zero
Summary: DER encoding error for enumerated types with a value of zero
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: jss
Version: 7.6
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Alex Scheel
QA Contact: Asha Akkiangady
Depends On:
TreeView+ depends on / blocked
Reported: 2018-05-24 21:11 UTC by Alex Wood
Modified: 2019-08-06 13:07 UTC (History)
4 users (show)

Fixed In Version: jss-4.4.6-1.el7
Doc Type: Bug Fix
Doc Text:
Cause: A bug in the DER encoder causes JSS to generate incorrect CRL entries when the revocation reason is "unspecified". This resulted in zero-length integer values, while DER specifies that all integer values must have length at least one. Result: JSS will now generate correct DER encodings of CRLs.
Clone Of:
Last Closed: 2019-08-06 13:06:56 UTC
Target Upstream Version:

Attachments (Terms of Use)
Test case to replicate error (8.17 KB, text/x-csrc)
2018-05-24 21:11 UTC, Alex Wood
no flags Details

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:2219 0 None None None 2019-08-06 13:07:03 UTC

Description Alex Wood 2018-05-24 21:11:21 UTC
Created attachment 1441245 [details]
Test case to replicate error

Description of problem:
Creating a CRL entry with a CRL Reason of "unspecified" (which has a value of 0) results in an encoding error due to the way JSS encodes ASN.1 enumerations in DerOutputStream.  Instead of encoding the enumeration as 0x0A0100, the value portion of the TLV is omitted and it's encoded as 0x0A00.

From what I can tell from X.690 (https://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf), "The encoding of an enumerated value shall be that 
of the integer value with which it is associated" and for integers "The encoding of an integer value shall be primitive. The contents octets shall consist of one or more octets."

Version-Release number of selected component (if applicable): 4.4

How reproducible: Always

Steps to Reproduce:
1. Compile and run the attached test case:

% javac -cp ~/.m2/repository/org/mozilla/jss/4.4.0/jss-4.4.0.jar EnumerationZeroTest.java                                               

% java -cp ~/.m2/repository/org/mozilla/jss/4.4.0/jss-4.4.0.jar:. -Djava.library.path=/usr/lib64/jss EnumerationZeroTest

Actual results: The JDK X509CRL class cannot parse the generated CRL due to the way that the CRL reason is encoded.  Instead of being encoded as 0x0A0100, it's encoded as 0x0A00.

Full encoded extension: 30090603551d1504020a00  Encoded CRL Reason: 0a00        Reason value: 0
Full encoded extension: 300a0603551d1504030a0101        Encoded CRL Reason: 0a0101      Reason value: 1

The JDK then throws an error when attempting to generate the CRL: "java.security.cert.CRLException: Invalid encoding: zero length Int value"

Expected results: The reason is encoded as 0x0A0100

Comment 2 Matthew Harmsen 2018-06-27 01:17:21 UTC
Moved to RHEL 7.7 due to lack of development resource time.

Comment 3 Alex Scheel 2019-01-14 14:43:13 UTC
This will be present in the RHEL 7.7 rebase due to bz#1659527.

Upstream commit: https://github.com/dogtagpki/jss/commit/fc3197ee80753d6a25956ad8c1d931fa94213661

Comment 8 Pritam Singh 2019-05-03 13:59:34 UTC
jss version:
# rpm -qa | grep jss

pki version:
# rpm -qa | grep pki-*

Step of reproduction:

# javac -cp /usr/lib64/jss/jss4.jar EnumerationZeroTest.java
# java -cp /usr/lib64/jss/jss4.jar:. -Djava.library.path=/usr/lib64/jss EnumerationZeroTest

Proof of concept:
File has been attached.

Please find the attached test result and let me know if it needs additional test approach.
Compiled the test and analysed that its matching the expected result without generating any exception on jss-4.4.6-1.

Hence marking this bz verified.

Comment 10 errata-xmlrpc 2019-08-06 13:06:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.