NPE in sun.security.provider.certpath.OCSPResponse.verify

Jason Harrop jharrop at gmail.com
Sat Jul 25 13:40:11 UTC 2015


Hi there,

I'm getting an NPE, Java 8:

        at sun.security.provider.certpath.OCSPResponse.verify(OCSPResponse.java:452)
        at sun.security.provider.certpath.OCSP.check(OCSP.java:290)
        at sun.security.provider.certpath.RevocationChecker.checkOCSP(RevocationChecker.java:716)
        at sun.security.provider.certpath.RevocationChecker.check(RevocationChecker.java:357)
        at sun.security.provider.certpath.RevocationChecker.check(RevocationChecker.java:337)
        at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:119)
        at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:215)
        at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:143)
        at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:79)
        at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)


and Java 9:

        at sun.security.provider.certpath.OCSPResponse.verify(OCSPResponse.java:451)
        at sun.security.provider.certpath.OCSP.check(OCSP.java:290)
        at sun.security.provider.certpath.RevocationChecker.checkOCSP(RevocationChecker.java:749)
        at sun.security.provider.certpath.RevocationChecker.check(RevocationChecker.java:363)
        at sun.security.provider.certpath.RevocationChecker.check(RevocationChecker.java:337)
        at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
        at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:212)
        at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:140)
        at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:79)
        at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)


It is happening because List<X509CertImpl> certs contains 10 null
entries, so cert is null at:

                    KeyIdentifier certKeyId = cert.getSubjectKeyId();

The last bit of debug before this failure is:

certpath: BasicChecker.updateState issuer: CN=UTN-USERFirst-Object,
OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake
City, ST=UT, C=US; subject: CN=COMODO Code Signing CA 2, O=COMODO CA
Limited, L=Salford, ST=Greater Manchester, C=GB; serial#:
21852375853972585523540355797488858555
certpath: -checker6 validation succeeded
certpath: -Using checker7 ... [sun.security.provider.certpath.RevocationChecker]
certpath: connecting to OCSP service at: http://ocsp.usertrust.com
certpath: OCSP response status: SUCCESSFUL
certpath: OCSP response type: basic
certpath: Responder's key ID:
2b:c3:46:ab:ba:0e:c9:65:2a:46:d1:79:47:c4:62:e2:e1:da:fc:b8
certpath: OCSP response produced at: Sat Jul 25 19:49:44 EST 2015
certpath: OCSP number of SingleResponses: 1
certpath: Status of certificate (with serial number
21852375853972585523540355797488858555) is: GOOD

In the OCSPResponse constructor, I think it's just setting

            certs = new ArrayList<X509CertImpl>();  // line 386

I'm new to this certpath stuff, so I hope that's intelligible.

cheers .. Jason

