NPE in PKIXCertPathValidator

Kai sophokles.kh at gmail.com
Fri Oct 23 14:56:11 UTC 2020


Hi,

I ran into a NPE while validating a certificate chain with the latest JDK
11 using a TrustAnchor that has been created using the TrustAnchor(caName,
publicKey, nameConstraints) constructor.

I suspect the PKIXCertPathValidator.validate(TrustAnchor, ValidatorParams)
method to cause the NPE (
http://hg.openjdk.java.net/jdk/jdk/file/ee1d592a9f53/src/java.base/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java
):

X509ValidationEvent xve = new X509ValidationEvent();if
(xve.shouldCommit() || EventHelper.isLoggingSecurity()) {  int[]
certIds = params.certificates().stream()          .mapToInt(x ->
x.hashCode())          .toArray();  int anchorCertId =
anchor.getTrustedCert().hashCode();  if (xve.shouldCommit()) {
xve.certificateId = anchorCertId;      int certificatePos = 1;
//anchor cert      xve.certificatePosition = certificatePos;
xve.validationCounter = validationCounter.incrementAndGet();
xve.commit();      // now, iterate through remaining      for (int id
: certIds) {          xve.certificateId = id;
xve.certificatePosition = ++certificatePos;          xve.commit();
 }   }   if (EventHelper.isLoggingSecurity()) {
EventHelper.logX509ValidationEvent(anchorCertId, certIds);   }
}

IMHO line

int anchorCertId = anchor.getTrustedCert().hashCode();

will throw the NPE if the trust anchor has not been created with a
certificate as in my case.

The code should do a null check here and fall back to using the
hashCode of the PublicKey.

WDYT?

Kai
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20201023/b6602bfc/attachment.htm>


More information about the security-dev mailing list