Hi,

I ran into an NPE while validating a certificate chain with the latest JDK 11 using a TrustAnchor that has been created using the TrustAnchor(caName, publicKey, nameConstraints) constructor.

I suspect the PKIXCertPathValidator.validate(TrustAnchor, ValidatorParams) method to cause the NPE ( http://hg.openjdk.java.net/jdk/jdk/file/ee1d592a9f53/src/java.base/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java ):

    X509ValidationEvent xve = new X509ValidationEvent();
    if (xve.shouldCommit() || EventHelper.isLoggingSecurity()) {
        int[] certIds = params.certificates().stream()
                .mapToInt(x -> x.hashCode())
                .toArray();
        int anchorCertId = anchor.getTrustedCert().hashCode();
        if (xve.shouldCommit()) {
            xve.certificateId = anchorCertId;
            int certificatePos = 1; //anchor cert
            xve.certificatePosition = certificatePos;
            xve.validationCounter = validationCounter.incrementAndGet();
            xve.commit();
            // now, iterate through remaining
            for (int id : certIds) {
                xve.certificateId = id;
                xve.certificatePosition = ++certificatePos;
                xve.commit();
            }
        }
        if (EventHelper.isLoggingSecurity()) {
            EventHelper.logX509ValidationEvent(anchorCertId, certIds);
        }
    }

IMHO the line

    int anchorCertId = anchor.getTrustedCert().hashCode();

will throw the NPE if the trust anchor has not been created with a certificate, as in my case. The code should do a null check here and fall back to using the hashCode of the PublicKey.

WDYT?

Kai