NPE in PKIXCertPathValidator

Sean Mullan sean.mullan at oracle.com
Fri Oct 23 15:00:42 UTC 2020


Yes, that is a bug. Do you want to file a bug report or would you like 
us to file on one your behalf?

Thanks,
Sean

On 10/23/20 10:56 AM, Kai wrote:
> Hi,
>
> I ran into a NPE while validating a certificate chain with the latest 
> JDK 11 using a TrustAnchor that has been created using the 
> TrustAnchor(caName, publicKey, nameConstraints) constructor.
>
> I suspect the PKIXCertPathValidator.validate(TrustAnchor, 
> ValidatorParams) method to cause the NPE 
> (http://hg.openjdk.java.net/jdk/jdk/file/ee1d592a9f53/src/java.base/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java):
>
> X509ValidationEvent xve = new X509ValidationEvent();
> if (xve.shouldCommit() || EventHelper.isLoggingSecurity()) {
> int[] certIds = params.certificates().stream()
> .mapToInt(x -> x.hashCode())
> .toArray();
> int anchorCertId =  anchor.getTrustedCert().hashCode();
> if (xve.shouldCommit()) {
> xve.certificateId = anchorCertId;
> int certificatePos = 1; //anchor cert
> xve.certificatePosition = certificatePos;
> xve.validationCounter = validationCounter.incrementAndGet();
> xve.commit();
> // now, iterate through remaining
> for (int id : certIds) {
> xve.certificateId = id;
> xve.certificatePosition = ++certificatePos;
> xve.commit();
> }
> }
> if (EventHelper.isLoggingSecurity()) {
> EventHelper.logX509ValidationEvent(anchorCertId, certIds);
> }
> }
>
> IMHO line
> int anchorCertId =  anchor.getTrustedCert().hashCode();
> will throw the NPE if the trust anchor has not been created with a 
> certificate as in my case.
> The code should do a null check here and fall back to using the 
> hashCode of the PublicKey.
> WDYT?
>
> Kai
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20201023/4a33ab28/attachment.htm>


More information about the security-dev mailing list