NPE in sun.security.provider.certpath.OCSPResponse.verify
Jason Harrop
jharrop at gmail.com
Sat Jul 25 13:40:11 UTC 2015
Hi there,
I'm getting an NPE, Java 8:
at sun.security.provider.certpath.OCSPResponse.verify(OCSPResponse.java:452)
at sun.security.provider.certpath.OCSP.check(OCSP.java:290)
at sun.security.provider.certpath.RevocationChecker.checkOCSP(RevocationChecker.java:716)
at sun.security.provider.certpath.RevocationChecker.check(RevocationChecker.java:357)
at sun.security.provider.certpath.RevocationChecker.check(RevocationChecker.java:337)
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:119)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:215)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:143)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:79)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
and Java 9:
at sun.security.provider.certpath.OCSPResponse.verify(OCSPResponse.java:451)
at sun.security.provider.certpath.OCSP.check(OCSP.java:290)
at sun.security.provider.certpath.RevocationChecker.checkOCSP(RevocationChecker.java:749)
at sun.security.provider.certpath.RevocationChecker.check(RevocationChecker.java:363)
at sun.security.provider.certpath.RevocationChecker.check(RevocationChecker.java:337)
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:212)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:140)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:79)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
It is happening because List<X509CertImpl> certs contains 10 null
entries, so cert is null at:
KeyIdentifier certKeyId = cert.getSubjectKeyId();
The last bit of debug before this failure is:
certpath: BasicChecker.updateState issuer: CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US; subject: CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB; serial#: 21852375853972585523540355797488858555
certpath: -checker6 validation succeeded
certpath: -Using checker7 ... [sun.security.provider.certpath.RevocationChecker]
certpath: connecting to OCSP service at: http://ocsp.usertrust.com
certpath: OCSP response status: SUCCESSFUL
certpath: OCSP response type: basic
certpath: Responder's key ID: 2b:c3:46:ab:ba:0e:c9:65:2a:46:d1:79:47:c4:62:e2:e1:da:fc:b8
certpath: OCSP response produced at: Sat Jul 25 19:49:44 EST 2015
certpath: OCSP number of SingleResponses: 1
certpath: Status of certificate (with serial number 21852375853972585523540355797488858555) is: GOOD
In the OCSPResponse constructor, I think it's just setting
certs = new ArrayList<X509CertImpl>(); // line 386
I'm new to this certpath stuff, so I hope that's intelligible.
cheers .. Jason