NPE in PKIXCertPathValidator
Kai
sophokles.kh at gmail.com
Fri Oct 23 14:56:11 UTC 2020
Hi,
I ran into a NPE while validating a certificate chain with the latest JDK
11 using a TrustAnchor that has been created using the TrustAnchor(caName,
publicKey, nameConstraints) constructor.
I suspect the PKIXCertPathValidator.validate(TrustAnchor, ValidatorParams)
method to cause the NPE (
http://hg.openjdk.java.net/jdk/jdk/file/ee1d592a9f53/src/java.base/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java
):
X509ValidationEvent xve = new X509ValidationEvent();if
(xve.shouldCommit() || EventHelper.isLoggingSecurity()) { int[]
certIds = params.certificates().stream() .mapToInt(x ->
x.hashCode()) .toArray(); int anchorCertId =
anchor.getTrustedCert().hashCode(); if (xve.shouldCommit()) {
xve.certificateId = anchorCertId; int certificatePos = 1;
//anchor cert xve.certificatePosition = certificatePos;
xve.validationCounter = validationCounter.incrementAndGet();
xve.commit(); // now, iterate through remaining for (int id
: certIds) { xve.certificateId = id;
xve.certificatePosition = ++certificatePos; xve.commit();
} } if (EventHelper.isLoggingSecurity()) {
EventHelper.logX509ValidationEvent(anchorCertId, certIds); }
}
IMHO line
int anchorCertId = anchor.getTrustedCert().hashCode();
will throw the NPE if the trust anchor has not been created with a
certificate as in my case.
The code should do a null check here and fall back to using the
hashCode of the PublicKey.
WDYT?
Kai
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20201023/b6602bfc/attachment.htm>
More information about the security-dev
mailing list