Issue 5001: Browser crashes if server certificate contains >32 subjectAltName.
Status:  Released
Owner:  e...@google.com
Closed:  Nov 2009
Cc:  b...@google.com, e...@google.com

Reported by KENSYS...@gmail.com, Nov 23, 2009
Hi, I have a motorola droid (build ESD20), it crashes when loading an SSL
site such as 
https://www.encorehollywood.com

Log excerpt:
I( 1015:0x5b4) Starting activity: Intent { act=android.intent.action.VIEW
cat=[android.intent.category.BROWSABLE]
dat=http://fm.methodstudios.com/filemanager/
cmp=com.android.browser/.BrowserActivity }
I( 1015:0x3fa) Starting activity: Intent { act=android.intent.action.VIEW
cat=[android.intent.category.BROWSABLE]
dat=https://fm.methodstudios.com/filemanager/?
cmp=com.android.browser/.BrowserActivity }
D(10734:0x29fc) GC freed 7459 objects / 608472 bytes in 90ms
W(10734:0x29fc) threadid=23: thread exiting with uncaught exception
(group=0x4001b180)
E(10734:0x29fc) Uncaught handler: thread http1 exiting due to uncaught
exception
E(10734:0x29fc) java.lang.UnsupportedOperationException: no more than 32
elements
E(10734:0x29fc) 	at
org.bouncycastle.asn1.x509.X509NameElementList.add(X509NameElementList.java:74)
E(10734:0x29fc) 	at
org.bouncycastle.asn1.x509.X509NameElementList.add(X509NameElementList.java:62)
E(10734:0x29fc) 	at
org.bouncycastle.asn1.x509.X509Name.<init>(X509Name.java:680)
E(10734:0x29fc) 	at
org.bouncycastle.asn1.x509.X509Name.<init>(X509Name.java:596)
E(10734:0x29fc) 	at
org.bouncycastle.asn1.x509.X509Name.<init>(X509Name.java:534)
E(10734:0x29fc) 	at
android.net.http.SslCertificate$DName.<init>(SslCertificate.java:199)
E(10734:0x29fc) 	at
android.net.http.SslCertificate.<init>(SslCertificate.java:109)
E(10734:0x29fc) 	at
android.net.http.SslCertificate.<init>(SslCertificate.java:121)
E(10734:0x29fc) 	at
android.net.http.CertificateChainValidator.doHandshakeAndValidateServerCertificates(CertificateChainValidator.java:103)
E(10734:0x29fc) 	at
android.net.http.HttpsConnection.openConnection(HttpsConnection.java:306)
E(10734:0x29fc) 	at
android.net.http.Connection.openHttpConnection(Connection.java:358)
E(10734:0x29fc) 	at
android.net.http.Connection.processRequests(Connection.java:225)
E(10734:0x29fc) 	at
android.net.http.ConnectionThread.run(ConnectionThread.java:125)
I( 1015:0x5ba) Sending signal. PID: 10734 SIG: 3
I(10734:0x29f0) threadid=7: reacting to signal 3
I(10734:0x29f0) Wrote stack trace to '/data/anr/traces.txt'
I( 1015:0x2a4c) Added state dump to 1 crashes
I(10734:0x29fc) Sending signal. PID: 10734 SIG: 9
I( 1015:0x45c) Process com.android.browser (pid 10734) has died.
I( 1015:0x5b4) WIN DEATH: Window{449af9f8
com.android.browser/com.android.browser.BrowserActivity paused=false}
I( 1015:0x5b6) WIN DEATH: Window{4493ba80
SubPanel:com.android.browser/com.android.browser.BrowserActivity paused=false}
W( 1015:0x46e) Got RemoteException sending setActive(false) notification to
pid 10734 uid 10009
W( 1015:0x45c) Unexpected resume of com.android.launcher while already
resumed in com.android.browser
I( 1015:0x46c) Starting activity: Intent { act=android.intent.action.MAIN
cat=[android.intent.category.LAUNCHER] flg=0x10200000
cmp=com.android.vending/.AssetBrowserActivity }
W( 1015:0x46c) Failed to persist new stats
D(10036:0x2734) GC freed 14091 objects / 883368 bytes in 141ms
D( 1083:0x43b) GC freed 250 objects / 12392 bytes in 61ms

Nov 23, 2009
#1 e...@google.com
(No comment was entered for this change.)
Labels: Component-Dalvik
Nov 23, 2009
#2 e...@google.com
confirmed. we have a 32-item limit simply because we use an int instead of a BitSet.
(the upstream bouncycastle code uses a Vector<Boolean>.)
Owner: enh+...@google.com
Nov 23, 2009
#3 KENSYS...@gmail.com
In hope of accelerating a possible fix for this, please let me know if I should file
this with the BC folks, or will/did you. Thanks much!
Nov 23, 2009
#4 e...@google.com
no, upstream doesn't have the bug. the bug is android-only. i've already tested a
fix, and hope to get it committed today or tomorrow ;-)
Nov 23, 2009
#5 KENSYS...@gmail.com
Wow, such responsive need is a rare encounter for me, thank you many times. And I
should have read carefully, vector of bits vs packed int. :-) 

I have an audience waiting on this, so do you know if the patch has a chance of making it
into the purported USA/Verizon Dec update, or does this have to go through a longer
QA cycle than would allow?
Nov 24, 2009
#6 e...@google.com
fix committed internally. i don't know when this will make it into the wild; in the
meantime, your only work-around is to create multiple certificates rather than use
one with so many subjectAltNames. (i imagine you guessed that already!)
Status: FutureRelease
Dec 23, 2009
#7 KENSYS...@gmail.com
Hi again, it's possibly noteworthy that I updated the cert on the example URL to
contain fewer than 32 subjectAltNames (29 at present) and this error still happens;
what is the object under which the enum-limit exists, is it for all elements in the
cert as a whole (flat-list)?

As a side note, it appears the fix above did not make it into the Verizon ESD56 /
11-Dec-2009 release, exact same stacktrace/linenos..
Dec 23, 2009
#8 e...@google.com
> what is the object under which the enum-limit exists, is it for all elements in the
> cert as a whole (flat-list)?

yes:

http://android.git.kernel.org/?p=platform/dalvik.git;a=blob;f=libcore/security/src/main/java/org/bouncycastle/asn1/x509/X509NameElementList.java

> the fix above did not make it into ... ESD56

correct.
Jan 11, 2010
Project Member #9 e...@google.com
 Issue 5974  has been merged into this issue.
Mar 24, 2010
#10 jyothi...@gmail.com
Hi,
I am still able to reproduce this issue on the Android 2.1 emulator. The same is
reproducible on the Nexus One too.
The browser crashes when I browse the site www.pressceo.com

Could you please let me know when this fix will be released?

Logdetails:
03-24 10:51:53.818: ERROR/AndroidRuntime(3872): Uncaught handler: thread http3 
exiting due to uncaught exception
03-24 10:51:53.873: ERROR/AndroidRuntime(3872): 
java.lang.UnsupportedOperationException: no more than 32 elements
03-24 10:51:53.873: ERROR/AndroidRuntime(3872):     at 
org.bouncycastle.asn1.x509.X509NameElementList.add(X509NameElementList.java:74)
03-24 10:51:53.873: ERROR/AndroidRuntime(3872):     at 
org.bouncycastle.asn1.x509.X509NameElementList.add(X509NameElementList.java:62)
03-24 10:51:53.873: ERROR/AndroidRuntime(3872):     at 
org.bouncycastle.asn1.x509.X509Name.<init>(X509Name.java:680)
03-24 10:51:53.873: ERROR/AndroidRuntime(3872):     at 
org.bouncycastle.asn1.x509.X509Name.<init>(X509Name.java:596)
03-24 10:51:53.873: ERROR/AndroidRuntime(3872):     at 
org.bouncycastle.asn1.x509.X509Name.<init>(X509Name.java:534)
03-24 10:51:53.873: ERROR/AndroidRuntime(3872):     at 
android.net.http.SslCertificate$DName.<init>(SslCertificate.java:199)
03-24 10:51:53.873: ERROR/AndroidRuntime(3872):     at 
android.net.http.SslCertificate.<init>(SslCertificate.java:109)
03-24 10:51:53.873: ERROR/AndroidRuntime(3872):     at 
android.net.http.SslCertificate.<init>(SslCertificate.java:121)
03-24 10:51:53.873: ERROR/AndroidRuntime(3872):     at 
android.net.http.CertificateChainValidator.doHandshakeAndValidateServerCertificates
(CertificateChainValidator.java:103)
03-24 10:51:53.873: ERROR/AndroidRuntime(3872):     at 
android.net.http.HttpsConnection.openConnection(HttpsConnection.java:306)
03-24 10:51:53.873: ERROR/AndroidRuntime(3872):     at 
android.net.http.Connection.openHttpConnection(Connection.java:358)
03-24 10:51:53.873: ERROR/AndroidRuntime(3872):     at 
android.net.http.Connection.processRequests(Connection.java:225)
03-24 10:51:53.873: ERROR/AndroidRuntime(3872):     at 
android.net.http.ConnectionThread.run(ConnectionThread.java:125)

Mar 24, 2010
Project Member #11 e...@google.com
this fix is in froyo.
Owner: e...@google.com
Labels: Target-Froyo
Mar 24, 2010
#12 jyothi...@gmail.com
Thanks for the info.
If possible, can you please let me know the fix details?
Mar 24, 2010
Project Member #13 e...@google.com
i switched from using an int and a fixed-size array to a BitSet and an ArrayList. i.e. i've removed the limit rather 
than just raised it. the only work-around until you have the fix is to have fewer subjectAltNames in your 
certificate (which only helps you if it's your own web site, of course).
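
Added example, not part of the thread and not Android's or Bouncy Castle's source: a sketch of the change described in comment #13, with a per-element flag packed into an int next to a BitSet/ArrayList version that has no cap. Class and method names are hypothetical, and the 40-element input is constructed.

```java
import java.util.ArrayList;
import java.util.BitSet;
import java.util.List;

// Illustration only; hypothetical names, not the platform's X509NameElementList.
public class NameElementLimitDemo {
    // "Before" shape: one flag bit per element packed into an int, fixed-size array.
    static final class PackedIntList {
        private static final int MAX = 32;              // an int has only 32 flag bits
        private final String[] values = new String[MAX];
        private int addedFlags;                         // bit i = flag for element i
        private int size;
        void add(String value, boolean added) {
            if (size >= MAX) {
                throw new UnsupportedOperationException("no more than 32 elements");
            }
            values[size] = value;
            if (added) addedFlags |= 1 << size;         // 1 << 32 would wrap to bit 0
            size++;
        }
        int size() { return size; }
    }

    // "After" shape: BitSet and ArrayList grow on demand, so the cap disappears.
    static final class GrowableList {
        private final List<String> values = new ArrayList<>();
        private final BitSet addedFlags = new BitSet();
        void add(String value, boolean added) {
            addedFlags.set(values.size(), added);       // index of the element being added
            values.add(value);
        }
        boolean isAdded(int i) { return addedFlags.get(i); }
        int size() { return values.size(); }
    }

    public static void main(String[] args) {
        GrowableList grown = new GrowableList();
        for (int i = 0; i < 40; i++) grown.add("elem" + i, i % 2 == 1);
        System.out.println("growable: " + grown.size() + " elements, flag[39]=" + grown.isAdded(39));
        PackedIntList capped = new PackedIntList();
        try {
            for (int i = 0; i < 40; i++) capped.add("elem" + i, i % 2 == 1);
        } catch (UnsupportedOperationException e) {
            // The input comes from the peer's certificate: fail this one connection
            // here instead of letting an uncaught exception end the thread.
            System.out.println("capped: stopped at " + capped.size() + " (" + e.getMessage() + ")");
        }
    }
}
```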
Apr 2, 2010
#14 Kilohoku...@gmail.com
When can we expect this to be rolled out?
Jun 16, 2010
Project Member #15 e...@google.com
 Issue 9109  has been merged into this issue.
Dec 6, 2010
Project Member #16 e...@google.com
(No comment was entered for this change.)
Status: Released
Dec 3, 2012
Project Member #17 e...@google.com
(No comment was entered for this change.)
Labels: Restrict-AddIssueComment-Commit