RFR: 8346094: Harden X509CertImpl.getExtensionValue for NPE cases [v3]
Weijun Wang
weijun at openjdk.org
Sun Feb 16 14:39:15 UTC 2025
On Sun, 16 Feb 2025 06:31:50 GMT, Konanki Sreenath <duke at openjdk.org> wrote:
>> Earlier code will trigger NPE if the certificate does not contain the extensions or if the requested extensions does not exist. The better approach for hardening **getExtensionValue** here is to to check for NULL explicitly before calling **getExtensionValue()** and avoding try-catch block which ensures the readability and maintainability.
>>
>> After scanning in multiple places where invokng getExtensions on the X509CertInfo reference, the check for NULL is added in the **getKeyUsage()** as well while calling before **getExtensionValue()**
>>
>> The associated tests are written and added in test class **CertificateExtensions**. Which will ensure to validate the
>> **getExtensionValue()** and **getKeyUsage()** methods in **X509CertImpl** class.
>
> Konanki Sreenath has updated the pull request incrementally with one additional commit since the last revision:
>
> JDK-8346094 : Harden X509CertImpl.getExtensionValue for NPE cases
test/jdk/sun/security/x509/X509CertImpl/CertificateExtensions.java line 1:
> 1: /*
Another test `V3Certificate` in the same directory references the internal `CertificateExtensions` class by its simple name. There is a conflict with this new test and it does not compile. Consider renaming your new test. Thanks.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/23315#discussion_r1957341274
More information about the security-dev
mailing list