Integrated: 8346094: Harden X509CertImpl.getExtensionValue for NPE cases
Konanki Sreenath
duke at openjdk.org
Wed Feb 19 16:51:01 UTC 2025
On Mon, 27 Jan 2025 12:39:45 GMT, Konanki Sreenath <duke at openjdk.org> wrote:
> Earlier code will trigger NPE if the certificate does not contain the extensions or if the requested extensions does not exist. The better approach for hardening **getExtensionValue** here is to to check for NULL explicitly before calling **getExtensionValue()** and avoding try-catch block which ensures the readability and maintainability.
>
> After scanning in multiple places where invokng getExtensions on the X509CertInfo reference, the check for NULL is added in the **getKeyUsage()** as well while calling before **getExtensionValue()**
>
> The associated tests are written and added in test class **CertificateExtensions**. Which will ensure to validate the
> **getExtensionValue()** and **getKeyUsage()** methods in **X509CertImpl** class.
This pull request has now been integrated.
Changeset: 70a6c0b7
Author: konanki sreenath <konanki.sreenath at oracle.com>
Committer: Weijun Wang <weijun at openjdk.org>
URL: https://git.openjdk.org/jdk/commit/70a6c0b7ac952eebdffa1d64399cd0ee1efec1f6
Stats: 267 lines in 3 files changed: 210 ins; 47 del; 10 mod
8346094: Harden X509CertImpl.getExtensionValue for NPE cases
Reviewed-by: coffeys, weijun
-------------
PR: https://git.openjdk.org/jdk/pull/23315
More information about the security-dev
mailing list