<div dir="ltr"><div>Hi,</div><div><br></div><div>I ran into a NPE while validating a certificate chain with the latest JDK 11 using a TrustAnchor that has been created using the TrustAnchor(caName, publicKey, nameConstraints) constructor.</div><div><br></div><div>I suspect the PKIXCertPathValidator.validate(TrustAnchor, ValidatorParams) method to cause the NPE (<a href="http://hg.openjdk.java.net/jdk/jdk/file/ee1d592a9f53/src/java.base/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java">http://hg.openjdk.java.net/jdk/jdk/file/ee1d592a9f53/src/java.base/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java</a>):</div><div><br></div><div><pre class="gmail-sourcelines gmail-stripes4 gmail-wrap"><span id="gmail-l241">X509ValidationEvent xve = new X509ValidationEvent();</span>
<span id="gmail-l242">if (xve.shouldCommit() || EventHelper.isLoggingSecurity()) {</span>
<span id="gmail-l243">  int[] certIds = params.certificates().stream()</span>
<span id="gmail-l244">          .mapToInt(x -> x.hashCode())</span>
<span id="gmail-l245">          .toArray();</span>
<span id="gmail-l246">  int anchorCertId =</span> <span id="gmail-l247">anchor.getTrustedCert().hashCode();</span>
<span id="gmail-l248">  if (xve.shouldCommit()) {</span>
<span id="gmail-l249">      xve.certificateId = anchorCertId;</span>
<span id="gmail-l250">      int certificatePos = 1; //anchor cert</span>
<span id="gmail-l251">      xve.certificatePosition = certificatePos;</span>
<span id="gmail-l252">      xve.validationCounter = validationCounter.incrementAndGet();</span>
<span id="gmail-l253">      xve.commit();</span>
<span id="gmail-l254">      // now, iterate through remaining</span>
<span id="gmail-l255">      for (int id : certIds) {</span>
<span id="gmail-l256">          xve.certificateId = id;</span>
<span id="gmail-l257">          xve.certificatePosition = ++certificatePos;</span>
<span id="gmail-l258">          xve.commit();</span>
<span id="gmail-l260">      }</span>
<span id="gmail-l261">   }</span>
<span id="gmail-l262">   if (EventHelper.isLoggingSecurity()) {</span>
<span id="gmail-l263">      EventHelper.logX509ValidationEvent(anchorCertId, certIds);</span>
<span id="gmail-l264">   }</span>
}<br><br>IMHO line<br><span id="gmail-l246"><br>int anchorCertId =</span> <span id="gmail-l247">anchor.getTrustedCert().hashCode();<br><br></span></pre><pre class="gmail-sourcelines gmail-stripes4 gmail-wrap"><span id="gmail-l247">will throw the NPE if the trust anchor has not been created with a certificate as in my case.<br></span></pre><pre class="gmail-sourcelines gmail-stripes4 gmail-wrap"><span id="gmail-l247">The code should do a null check here and fall back to using the hashCode of the PublicKey.<br></span></pre><pre class="gmail-sourcelines gmail-stripes4 gmail-wrap">WDYT?<br><br></pre><pre class="gmail-sourcelines gmail-stripes4 gmail-wrap">Kai<br></pre></div></div>