throw parsing exceptions when DER data is invalid, and handle empty element at the end of the sequence

Author: timfel

graalpython/com.oracle.graal.python/src/com/oracle/graal/python/builtins/objects/ssl/CertUtils.java

@@ -106,7 +106,6 @@
 import com.oracle.graal.python.builtins.objects.tuple.PTuple;
 import com.oracle.graal.python.nodes.ErrorMessages;
 import com.oracle.graal.python.runtime.object.PythonObjectFactory;
-import com.oracle.graal.python.util.BiConsumer;
 import com.oracle.truffle.api.CompilerDirectives.TruffleBoundary;
 import com.oracle.truffle.api.TruffleFile;
 import com.oracle.truffle.api.nodes.Node;
@@ -151,7 +150,7 @@ static boolean isCrl(boolean[] keyUsage) {
      * _ssl.c#_decode_certificate
      */
     @TruffleBoundary
-    public static PDict decodeCertificate(Node node, X509Certificate cert) throws IOException, CertificateParsingException {
+    public static PDict decodeCertificate(Node node, X509Certificate cert) throws CertificateParsingException {
         PythonObjectFactory factory = PythonObjectFactory.getUncached();
         PDict dict = factory.createDict();
         HashingStorage storage = dict.getDictStorage();
@@ -289,77 +288,92 @@ private static final class DerValue {
         private static final byte OBJECT_IDENTIFIER = 0x06;
         private static final byte SEQUENCE = 0x10;
 
+        private static final String ERROR_MESSAGE = "Invalid DER encoded data";
+
         final byte[] data;
-        final int end;
         final boolean isContextTag;
         final int contentLen;
         final int contentStart;
         int contentTag;
 
-        DerValue(byte[] data) {
+        DerValue(byte[] data) throws CertificateParsingException {
             this(data, 0, data.length);
         }
 
-        DerValue(byte[] data, int offset, int end) {
-            this.data = data;
-            this.end = end;
-
-            this.contentTag = data[offset] & 0b11111;
-            this.isContextTag = (data[offset] & 0b11000000) == 0b10000000;
-            int[] lenAndOffset = readLength(data, offset);
-            this.contentStart = lenAndOffset[0];
-            this.contentLen = lenAndOffset[1];
-
-            assert this.contentTag != 0b11111 : "extended tag range not supported";
-            assert contentStart + contentLen <= end;
+        DerValue(byte[] data, int offset, int end) throws CertificateParsingException {
+            if (offset == data.length) {
+                // this is a 0-length value at the end of the data
+                this.data = data;
+                this.contentTag = 0;
+                this.isContextTag = false;
+                this.contentStart = offset;
+                this.contentLen = 0;
+            } else if (offset < data.length) {
+                this.data = data;
+
+                this.contentTag = data[offset] & 0b11111;
+                this.isContextTag = (data[offset] & 0b11000000) == 0b10000000;
+                int[] lenAndOffset = readLength(data, offset);
+                this.contentStart = lenAndOffset[0];
+                this.contentLen = lenAndOffset[1];
+
+                assert this.contentTag != 0b11111 : "extended tag range not supported";
+                assert contentStart + contentLen <= end;
+            } else {
+                throw new CertificateParsingException(ERROR_MESSAGE);
+            }
         }
 
-        private static int[] readLength(byte[] data, int offset) {
-            int lenBase = data[offset + 1] & 0xff;
-            if (lenBase < 128) {
-                return new int[]{offset + 2, lenBase};
-            } else {
-                int lengthOfLength = lenBase - 128;
-                if (lengthOfLength > 4) {
-                    throw new IllegalArgumentException("longer than int-range DER values not supported");
-                }
-                int fullLength = 0;
-                for (int i = 0; i < lengthOfLength; i++) {
-                    fullLength = (fullLength << 8) | data[offset + 2 + i];
+        private static int[] readLength(byte[] data, int offset) throws CertificateParsingException {
+            try {
+                int lenBase = data[offset + 1] & 0xff;
+                if (lenBase < 128) {
+                    return new int[]{offset + 2, lenBase};
+                } else {
+                    int lengthOfLength = lenBase - 128;
+                    if (lengthOfLength > 4) {
+                        throw new IllegalArgumentException("longer than int-range DER values not supported");
+                    }
+                    int fullLength = 0;
+                    for (int i = 0; i < lengthOfLength; i++) {
+                        fullLength = (fullLength << 8) | data[offset + 2 + i];
+                    }
+                    return new int[]{offset + 2 + lengthOfLength, fullLength};
                 }
-                return new int[]{offset + 2 + lengthOfLength, fullLength};
+            } catch (ArrayIndexOutOfBoundsException e) {
+                throw new CertificateParsingException(ERROR_MESSAGE);
             }
         }
 
         byte[] getRawData() {
             return Arrays.copyOfRange(data, contentStart, contentStart + contentLen);
         }
 
-        DerValue getObjectIdentifier() {
+        DerValue getObjectIdentifier() throws CertificateParsingException {
             if (contentTag != OBJECT_IDENTIFIER) {
                 return null;
             } else {
                 return new DerValue(data, contentStart, contentStart + contentLen);
             }
         }
 
-        DerValue getContextTag(int tag) {
+        DerValue getContextTag(int tag) throws CertificateParsingException {
             if (contentTag != tag || !isContextTag) {
                 return null;
             } else {
                 return new DerValue(data, contentStart, contentStart + contentLen);
             }
         }
 
-        DerValue getOctetString() {
+        DerValue getOctetString() throws CertificateParsingException {
             if (contentTag != OCTET_STRING) {
                 return null;
             } else {
                 return new DerValue(data, contentStart, contentStart + contentLen);
             }
         }
 
-        DerValue getSequence() {
+        DerValue getSequence() throws CertificateParsingException {
             if (contentTag != SEQUENCE) {
                 return null;
             } else {
@@ -386,15 +400,20 @@ String getGeneralNameURI() {
             }
         }
 
-        List<DerValue> getSequenceElements() {
+        List<DerValue> getSequenceElements() throws CertificateParsingException {
             List<DerValue> result = new ArrayList<>();
             iterateSequence((e, r) -> {
                 result.add(e);
             }, result);
             return result;
         }
 
-        <T> void iterateSequence(BiConsumer<DerValue, T> consumer, T value) {
+        @FunctionalInterface
+        private interface DerSequenceConsumer<A, B> {
+            abstract void accept(A a, B b) throws CertificateParsingException;
+        }
+
+        <T> void iterateSequence(DerSequenceConsumer<DerValue, T> consumer, T value) throws CertificateParsingException {
             int sequenceStart = contentStart;
             int sequenceEnd = contentStart + contentLen;
             DerValue sequenceData = getSequence();
@@ -411,7 +430,7 @@ <T> void iterateSequence(BiConsumer<DerValue, T> consumer, T value) {
     }
 
     @TruffleBoundary
-    private static PTuple parseCRLPoints(X509Certificate cert, PythonObjectFactory factory) throws IOException {
+    private static PTuple parseCRLPoints(X509Certificate cert, PythonObjectFactory factory) throws CertificateParsingException {
         List<String> result = new ArrayList<>();
         byte[] bytes = cert.getExtensionValue(OID_CRL_DISTRIBUTION_POINTS);
         if (bytes == null) {
@@ -452,7 +471,7 @@ private static PTuple parseCRLPoints(X509Certificate cert, PythonObjectFactory f
     }
 
     @TruffleBoundary
-    private static PTuple parseCAIssuers(X509Certificate cert, PythonObjectFactory factory) throws IOException {
+    private static PTuple parseCAIssuers(X509Certificate cert, PythonObjectFactory factory) throws CertificateParsingException {
         List<String> result = new ArrayList<>();
         byte[] bytes = cert.getExtensionValue(OID_AUTHORITY_INFO_ACCESS);
         if (bytes == null) {
@@ -484,7 +503,7 @@ private static PTuple parseCAIssuers(X509Certificate cert, PythonObjectFactory f
     }
 
     @TruffleBoundary
-    private static PTuple parseOCSP(X509Certificate cert, PythonObjectFactory factory) {
+    private static PTuple parseOCSP(X509Certificate cert, PythonObjectFactory factory) throws CertificateParsingException {
         List<String> result = new ArrayList<>();
         byte[] bytes = cert.getExtensionValue(OID_AUTHORITY_INFO_ACCESS);
         if (bytes == null) {

graalpython/com.oracle.graal.python/src/com/oracle/graal/python/builtins/objects/ssl/SSLContextBuiltins.java

@@ -982,7 +982,7 @@ Object getCerts(PSSLContext self, @SuppressWarnings("unused") boolean binary_for
                     }
                 }
                 return factory().createList(result.toArray(new Object[result.size()]));
-            } catch (KeyStoreException | NoSuchAlgorithmException | IOException | CertificateParsingException ex) {
+            } catch (KeyStoreException | NoSuchAlgorithmException | CertificateParsingException ex) {
                 throw PRaiseSSLErrorNode.raiseUncached(this, SSLErrorCode.ERROR_SSL, ex);
             }
         }

graalpython/com.oracle.graal.python/src/com/oracle/graal/python/builtins/objects/ssl/SSLSocketBuiltins.java

@@ -41,10 +41,8 @@
 package com.oracle.graal.python.builtins.objects.ssl;
 
 import static com.oracle.graal.python.builtins.PythonBuiltinClassType.NotImplementedError;
-import static com.oracle.graal.python.builtins.PythonBuiltinClassType.SSLError;
 import static com.oracle.graal.python.builtins.PythonBuiltinClassType.ValueError;
 
-import java.io.IOException;
 import java.nio.ByteBuffer;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateEncodingException;
@@ -320,8 +318,6 @@ PDict getPeerCertDict(PSSLSocket self, @SuppressWarnings("unused") boolean der)
                     return CertUtils.decodeCertificate(this, (X509Certificate) certificate);
                 } catch (CertificateParsingException e) {
                     return factory().createDict();
-                } catch (IOException ex) {
-                    throw raise(SSLError, ex);
                 }
             }
             return factory().createDict();