Java 1.5 is not encoding integers properly

Salil Dangi first_dot_last_ at
Wed Jun 21 20:03:41 EDT 2006

As per the ASN encoding specifications, all integers must be encoded in
minimum number of octets.
This means that the top 9 bits of the encoded string should not be same.

It is possible that other implementations of ASN encoding have similar bug
and this encoding error is either not detected or ignored.

In my case, I am receiving seq-number encoded as FFFFXXXX (A706 0204
FFFFXXXX) and this is wrong.
It should be encoded as 00FFFFXXXX (A707 0205 00FFFFXXXX).

Is my interpretation of rules of the ASN encoding correct?

"Seema Malkani" <Seema.Malkani at> wrote in message 
news:4499D248.2050604 at
> Sun's implementation of Java GSS/Kerberos implementation is fully 
> interoperable with MIT/Solaris/Linux/Windows GSS/Kerberos implementations. 
> Tokens generated by Java are accepted by all other GSS/Kerberos 
> implementations.
> I'll look into this, and get back to you.
> Seema
> Salil Dangi wrote:
>> I am using java 1.5 to generate a service ticket token (AP Request) for a 
>> service running on Unisys machines.
>> This token can not be parsed properly due to ASN encoding errors.
>> There is an Authenticator in this AP request.
>> Within the authenticator, there is an optional field for seq-number of 
>> type integer.
>> The seq-number is a unsigned integer that can go from 0 to 2**32 -1 with 
>> a random initial value.
>> During my sample runs, I saw that Java 1.5 implementation is either 
>> sending an integer encoded in 2 bytes or an integer encoded in 4 bytes. 
>> When this is encoded in 2 bytes, there is no issue. When this is encoded 
>> in 4 bytes, the encoding is not correct. The value looks something like 
>> As per ASN encoding, this should be encoded as 00FFFFXXXX (A707 0205 
>> 00FFFFXXXX) since ASN encoding does not allow top 9 bit to be either all 
>> ones or all zeroes.
>> Has anyone seen this problem?
>> sample Hex dump of the seq-number field from the Authenticator
>> A70402020398        Works
>> A704020207CB        Works
>> A7060204FFFFF77F    Fails
>> A7060204FFFFFA59    Fails
>> A7060204FFFFF96D    Fails
>> A7060204FFFFF3F8    Fails

More information about the Kerberos mailing list