@primetomas @dghgit

BouncyCastle bc-java had this issue raised recently: bcgit/bc-java#1015, which led to noticing that some code in https://github.com/primekeydevs/cert-cvc/blob/trunk/src/main/java/org/ejbca/cvc/OIDField.java no longer works with our latest beta versions for 1.70.

The issue is this line (https://github.com/primekeydevs/cert-cvc/blob/d6ab56912354ea2f793ceb3a8d4a104b1743a20a/src/main/java/org/ejbca/cvc/OIDField.java#L68):

this.id = ASN1ObjectIdentifier.getInstance(new DERTaggedObject(true, 0, new DEROctetString(data)), false).getId();

The first problem is that the "true" creates an explicit tag, which is then passed to getInstance saying that an implicit tag is expected (the "false"). Beyond that however it is relying on behaviour that is really intended for the parser to use (interpreting the octet string as an implicitly-encoded ASN1ObjectIdentifier).

1. I have patched bc-java so that this existing behaviour will continue to work for you in 1.70 and probably for a while after that.

2. I have added a utility method for 1.70 to directly achieve what this code is trying to do, like so:

this.id = ASN1ObjectIdentifier.fromContents(data).getId();

3. The following code avoids assumptions about internals. It should also be portable backwards (several years) and forwards (but switch to the simpler form above when possible):

ASN1TaggedObject pseudo = new DERTaggedObject(false, 0, new DEROctetString(data));
ASN1TaggedObject parsed = ASN1TaggedObject.getInstance(pseudo.getEncoded(ASN1Encoding.DER));
this.id = ASN1ObjectIdentifier.getInstance(parsed, false).getId();

There is no emergency because of (1), but I recommend you switch to (3) and make a note to change to (2) if/when 1.70+ becomes a required minimum version for the BC dependency.