Yes, that is a bug. Do you want to file a bug report or would you like
us to file on one your behalf?
Thanks,
Sean
On 10/23/20 10:56 AM, Kai wrote:
Hi,
I ran into a NPE while validating a certificate chain with the latest
JDK 11 using a TrustAnchor that has been created using the
TrustAnchor(caName, publicKey, nameConstraints) constructor.
I suspect the PKIXCertPathValidator.validate(TrustAnchor,
ValidatorParams) method to cause the NPE
(http://hg.openjdk.java.net/jdk/jdk/file/ee1d592a9f53/src/java.base/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java):
X509ValidationEvent xve = new X509ValidationEvent();
if (xve.shouldCommit() || EventHelper.isLoggingSecurity()) {
int[] certIds = params.certificates().stream()
.mapToInt(x -> x.hashCode())
.toArray();
int anchorCertId = anchor.getTrustedCert().hashCode();
if (xve.shouldCommit()) {
xve.certificateId = anchorCertId;
int certificatePos = 1; //anchor cert
xve.certificatePosition = certificatePos;
xve.validationCounter = validationCounter.incrementAndGet();
xve.commit();
// now, iterate through remaining
for (int id : certIds) {
xve.certificateId = id;
xve.certificatePosition = ++certificatePos;
xve.commit();
}
}
if (EventHelper.isLoggingSecurity()) {
EventHelper.logX509ValidationEvent(anchorCertId, certIds);
}
}
IMHO line
int anchorCertId = anchor.getTrustedCert().hashCode();
will throw the NPE if the trust anchor has not been created with a
certificate as in my case.
The code should do a null check here and fall back to using the
hashCode of the PublicKey.
WDYT?
Kai
