8348014: Enhance certificate processing

Aleksei Voitylov · RealCLanger · commit 56f4d07b03d9 · 2026-04-16T09:51:21.000+02:00
Reviewed-by: andrew
Backport-of: b470d96dd18f380044611e2343f08c4db5b495b4
diff --git a/src/java.base/share/classes/sun/security/provider/X509Factory.java b/src/java.base/share/classes/sun/security/provider/X509Factory.java
@@ -64,6 +64,7 @@ public class X509Factory extends CertificateFactorySpi {
     public static final String END_CERT = "-----END CERTIFICATE-----";
 
     private static final int ENC_MAX_LENGTH = 4096 * 1024; // 4 MB MAX
+    public static final int BER_ITERATION_COUNT = 128; // Limit nested depth
 
     private static final Cache<Object, X509CertImpl> certCache
         = Cache.newSoftMemoryCache(750);
@@ -553,7 +554,7 @@ private static byte[] readOneBlock(InputStream is) throws IOException {
         if (c == DerValue.tag_Sequence) {
             ByteArrayOutputStream bout = new ByteArrayOutputStream(2048);
             bout.write(c);
-            readBERInternal(is, bout, c);
+            readBERInternal(is, bout, c, BER_ITERATION_COUNT);
             return bout.toByteArray();
         } else {
             // Read BASE64 encoded data, might skip info at the beginning
@@ -675,12 +676,16 @@ private static void checkHeaderFooter(String header,
      * @param is    Read from this InputStream
      * @param bout  Write into this OutputStream
      * @param tag   Tag already read (-1 mean not read)
+     * @param depth nesting depth limit
      * @return     The current tag, used to check EOC in indefinite-length BER
      * @throws IOException Any parsing error
      */
     private static int readBERInternal(InputStream is,
-            ByteArrayOutputStream bout, int tag) throws IOException {
+        ByteArrayOutputStream bout, int tag, int depth) throws IOException {
 
+        if (depth-- == 0) {
+            throw new IOException("Nesting sequence depth limit reached.");
+        }
         if (tag == -1) {        // Not read before the call, read now
             tag = is.read();
             if (tag == -1) {
@@ -706,7 +711,7 @@ private static int readBERInternal(InputStream is,
                         "Non constructed encoding must have definite length");
             }
             while (true) {
-                int subTag = readBERInternal(is, bout, -1);
+                int subTag = readBERInternal(is, bout, -1, depth);
                 if (subTag == 0) {   // EOC, end of indefinite-length section
                     break;
                 }
