<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">Yes, that is a bug. Do you want to file
a bug report or would you like us to file on one your behalf?</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Thanks,<br>
</div>
<div class="moz-cite-prefix">Sean</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">On 10/23/20 10:56 AM, Kai wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAFQGvKJz-M7AtOAYF9rOLncP2SPTj2KX+hSXqjE0b1uyPsXVVA@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div>Hi,</div>
<div><br>
</div>
<div>I ran into a NPE while validating a certificate chain with
the latest JDK 11 using a TrustAnchor that has been created
using the TrustAnchor(caName, publicKey, nameConstraints)
constructor.</div>
<div><br>
</div>
<div>I suspect the PKIXCertPathValidator.validate(TrustAnchor,
ValidatorParams) method to cause the NPE (<a
href="http://hg.openjdk.java.net/jdk/jdk/file/ee1d592a9f53/src/java.base/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java"
moz-do-not-send="true">http://hg.openjdk.java.net/jdk/jdk/file/ee1d592a9f53/src/java.base/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java</a>):</div>
<div><br>
</div>
<div>
<pre class="gmail-sourcelines gmail-stripes4 gmail-wrap"><span id="gmail-l241">X509ValidationEvent xve = new X509ValidationEvent();</span>
<span id="gmail-l242">if (xve.shouldCommit() || EventHelper.isLoggingSecurity()) {</span>
<span id="gmail-l243"> int[] certIds = params.certificates().stream()</span>
<span id="gmail-l244"> .mapToInt(x -> x.hashCode())</span>
<span id="gmail-l245"> .toArray();</span>
<span id="gmail-l246"> int anchorCertId =</span> <span id="gmail-l247">anchor.getTrustedCert().hashCode();</span>
<span id="gmail-l248"> if (xve.shouldCommit()) {</span>
<span id="gmail-l249"> xve.certificateId = anchorCertId;</span>
<span id="gmail-l250"> int certificatePos = 1; //anchor cert</span>
<span id="gmail-l251"> xve.certificatePosition = certificatePos;</span>
<span id="gmail-l252"> xve.validationCounter = validationCounter.incrementAndGet();</span>
<span id="gmail-l253"> xve.commit();</span>
<span id="gmail-l254"> // now, iterate through remaining</span>
<span id="gmail-l255"> for (int id : certIds) {</span>
<span id="gmail-l256"> xve.certificateId = id;</span>
<span id="gmail-l257"> xve.certificatePosition = ++certificatePos;</span>
<span id="gmail-l258"> xve.commit();</span>
<span id="gmail-l260"> }</span>
<span id="gmail-l261"> }</span>
<span id="gmail-l262"> if (EventHelper.isLoggingSecurity()) {</span>
<span id="gmail-l263"> EventHelper.logX509ValidationEvent(anchorCertId, certIds);</span>
<span id="gmail-l264"> }</span>
}
IMHO line
<span id="gmail-l246">
int anchorCertId =</span> <span id="gmail-l247">anchor.getTrustedCert().hashCode();
</span></pre>
<pre class="gmail-sourcelines gmail-stripes4 gmail-wrap"><span id="gmail-l247">will throw the NPE if the trust anchor has not been created with a certificate as in my case.
</span></pre>
<pre class="gmail-sourcelines gmail-stripes4 gmail-wrap"><span id="gmail-l247">The code should do a null check here and fall back to using the hashCode of the PublicKey.
</span></pre>
<pre class="gmail-sourcelines gmail-stripes4 gmail-wrap">WDYT?
</pre>
<pre class="gmail-sourcelines gmail-stripes4 gmail-wrap">Kai
</pre>
</div>
</div>
</blockquote>
</body>
</html>