changeset 8755:1303ee1ee5b8
7195409: CertPath/CertPathValidatorTest/KeyParamsInheritanceTest fails with NullPointerException
Reviewed-by: xuelei
author | mullan |
---|---|
date | Thu, 09 Nov 2017 06:17:15 +0000 |
parents | 1edb6fe8456b |
children | 3a2a9ad6d2c5 |
files | src/share/classes/sun/security/provider/certpath/AlgorithmChecker.java src/share/classes/sun/security/provider/certpath/BasicChecker.java src/share/classes/sun/security/provider/certpath/ForwardBuilder.java src/share/classes/sun/security/provider/certpath/ForwardState.java src/share/classes/sun/security/provider/certpath/PKIX.java src/share/classes/sun/security/provider/certpath/ReverseState.java src/share/classes/sun/security/provider/certpath/RevocationChecker.java src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java |
diffstat | 8 files changed, 43 insertions(+), 40 deletions(-) [+] |
--- a/src/share/classes/sun/security/provider/certpath/AlgorithmChecker.java Thu Nov 09 06:08:09 2017 +0000 +++ b/src/share/classes/sun/security/provider/certpath/AlgorithmChecker.java Thu Nov 09 06:17:15 2017 +0000 @@ -358,8 +358,7 @@ } // Inherit key parameters from previous key - if (currPubKey instanceof DSAPublicKey && - ((DSAPublicKey)currPubKey).getParams() == null) { + if (PKIX.isDSAPublicKeyWithoutParams(currPubKey)) { // Inherit DSA parameters from previous key if (!(prevPubKey instanceof DSAPublicKey)) { throw new CertPathValidatorException("Input key is not " +
--- a/src/share/classes/sun/security/provider/certpath/BasicChecker.java Thu Nov 09 06:08:09 2017 +0000 +++ b/src/share/classes/sun/security/provider/certpath/BasicChecker.java Thu Nov 09 06:17:15 2017 +0000 @@ -235,8 +235,7 @@ currCert.getSubjectX500Principal() + "; serial#: " + currCert.getSerialNumber().toString()); } - if (cKey instanceof DSAPublicKey && - ((DSAPublicKey)cKey).getParams() == null) { + if (PKIX.isDSAPublicKeyWithoutParams(cKey)) { //cKey needs to inherit DSA parameters from prev key cKey = makeInheritedParamsKey(cKey, prevPubKey); if (debug != null) debug.println("BasicChecker.updateState Made " +
--- a/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java Thu Nov 09 06:08:09 2017 +0000 +++ b/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java Thu Nov 09 06:17:15 2017 +0000 @@ -800,36 +800,36 @@ } else { continue; } - } else { - X500Principal principal = anchor.getCA(); - PublicKey publicKey = anchor.getCAPublicKey(); + } + X500Principal principal = anchor.getCA(); + PublicKey publicKey = anchor.getCAPublicKey(); - if (principal != null && publicKey != null && - principal.equals(cert.getSubjectX500Principal())) { - if (publicKey.equals(cert.getPublicKey())) { - // the cert itself is a trust anchor - this.trustAnchor = anchor; - return true; - } - // else, it is a self-issued certificate of the anchor + if (principal != null && publicKey != null && + principal.equals(cert.getSubjectX500Principal())) { + if (publicKey.equals(cert.getPublicKey())) { + // the cert itself is a trust anchor + this.trustAnchor = anchor; + return true; } + // else, it is a self-issued certificate of the anchor + } - // Check subject/issuer name chaining - if (principal == null || - !principal.equals(cert.getIssuerX500Principal())) { - continue; - } + // Check subject/issuer name chaining + if (principal == null || + !principal.equals(cert.getIssuerX500Principal())) { + continue; + } + + // skip anchor if it contains a DSA key with no DSA params + if (PKIX.isDSAPublicKeyWithoutParams(publicKey)) { + continue; } /* * Check signature */ try { - // NOTE: the DSA public key in the buildParams may lack - // parameters, yet there is no key to inherit the parameters - // from. This is probably such a rare case that it is not worth - // trying to detect the situation earlier. - cert.verify(anchor.getCAPublicKey(), buildParams.sigProvider()); + cert.verify(publicKey, buildParams.sigProvider()); } catch (InvalidKeyException ike) { if (debug != null) { debug.println("ForwardBuilder.isPathCompleted() invalid "
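Review bot: The new `continue` that skips an anchor whose DSA key has no parameters is silent, while the `InvalidKeyException` path directly below it reports through `debug.println`. If every candidate anchor is skipped this way, the debug trace presumably gives no hint that the anchors were rejected for missing DSA parameters, which makes a failed path build hard to diagnose. I would log before skipping, e.g. `if (debug != null) debug.println("ForwardBuilder.isPathCompleted() skipping anchor: DSA public key has no params");`. The same silent skip is added to the anchor loop in SunCertPathBuilder.java (hunk `-242,6 +241,15`). The enclosing method starts and ends outside this hunk.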
--- a/src/share/classes/sun/security/provider/certpath/ForwardState.java Thu Nov 09 06:08:09 2017 +0000 +++ b/src/share/classes/sun/security/provider/certpath/ForwardState.java Thu Nov 09 06:17:15 2017 +0000 @@ -26,12 +26,10 @@ package sun.security.provider.certpath; import java.io.IOException; -import java.security.PublicKey; import java.security.cert.CertificateException; import java.security.cert.CertPathValidatorException; import java.security.cert.PKIXCertPathChecker; import java.security.cert.X509Certificate; -import java.security.interfaces.DSAPublicKey; import java.util.ArrayList; import java.util.HashSet; import java.util.List; @@ -168,9 +166,7 @@ X509CertImpl icert = X509CertImpl.toImpl(cert); /* see if certificate key has null parameters */ - PublicKey newKey = icert.getPublicKey(); - if (newKey instanceof DSAPublicKey && - ((DSAPublicKey)newKey).getParams() == null) { + if (PKIX.isDSAPublicKeyWithoutParams(icert.getPublicKey())) { keyParamsNeededFlag = true; }
--- a/src/share/classes/sun/security/provider/certpath/PKIX.java Thu Nov 09 06:08:09 2017 +0000 +++ b/src/share/classes/sun/security/provider/certpath/PKIX.java Thu Nov 09 06:17:15 2017 +0000 @@ -26,8 +26,10 @@ import java.security.InvalidAlgorithmParameterException; import java.security.KeyStore; +import java.security.PublicKey; import java.security.Timestamp; import java.security.cert.*; +import java.security.interfaces.DSAPublicKey; import java.util.*; import javax.security.auth.x500.X500Principal; @@ -43,6 +45,11 @@ private PKIX() { } + static boolean isDSAPublicKeyWithoutParams(PublicKey publicKey) { + return (publicKey instanceof DSAPublicKey && + ((DSAPublicKey)publicKey).getParams() == null); + } + static ValidatorParams checkParams(CertPath cp, CertPathParameters params) throws InvalidAlgorithmParameterException {
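Review bot: `PKIX.isDSAPublicKeyWithoutParams` has no doc comment, although after this commit every parameter-inheritance check and both anchor-skip checks in the other seven files depend on it. I would add a one-line Javadoc such as `/** Returns true if publicKey is a DSAPublicKey whose getParams() is null; false for null or any other key type. */`. Stating the null case is worthwhile because the `instanceof` test is what makes a null argument safe, and a later rewrite of the predicate could lose that property without anyone noticing.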
--- a/src/share/classes/sun/security/provider/certpath/ReverseState.java Thu Nov 09 06:08:09 2017 +0000 +++ b/src/share/classes/sun/security/provider/certpath/ReverseState.java Thu Nov 09 06:17:15 2017 +0000 @@ -32,7 +32,6 @@ import java.security.cert.PKIXCertPathChecker; import java.security.cert.TrustAnchor; import java.security.cert.X509Certificate; -import java.security.interfaces.DSAPublicKey; import java.util.ArrayList; import java.util.HashSet; import java.util.List; @@ -281,8 +280,7 @@ /* check for key needing to inherit alg parameters */ X509CertImpl icert = X509CertImpl.toImpl(cert); PublicKey newKey = cert.getPublicKey(); - if (newKey instanceof DSAPublicKey && - (((DSAPublicKey)newKey).getParams() == null)) { + if (PKIX.isDSAPublicKeyWithoutParams(newKey)) { newKey = BasicChecker.makeInheritedParamsKey(newKey, pubKey); }
--- a/src/share/classes/sun/security/provider/certpath/RevocationChecker.java Thu Nov 09 06:08:09 2017 +0000 +++ b/src/share/classes/sun/security/provider/certpath/RevocationChecker.java Thu Nov 09 06:17:15 2017 +0000 @@ -38,7 +38,6 @@ import java.security.cert.CertPathValidatorException.BasicReason; import java.security.cert.Extension; import java.security.cert.*; -import java.security.interfaces.DSAPublicKey; import java.util.Arrays; import java.util.ArrayList; import java.util.Collection; @@ -405,8 +404,7 @@ // Make new public key if parameters are missing PublicKey pubKey = cert.getPublicKey(); - if (pubKey instanceof DSAPublicKey && - ((DSAPublicKey)pubKey).getParams() == null) { + if (PKIX.isDSAPublicKeyWithoutParams(pubKey)) { // pubKey needs to inherit DSA parameters from prev key pubKey = BasicChecker.makeInheritedParamsKey(pubKey, prevPubKey); }
--- a/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java Thu Nov 09 06:08:09 2017 +0000 +++ b/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java Thu Nov 09 06:17:15 2017 +0000 @@ -32,7 +32,6 @@ import java.security.cert.*; import java.security.cert.CertPathValidatorException.BasicReason; import java.security.cert.PKIXReason; -import java.security.interfaces.DSAPublicKey; import java.util.ArrayList; import java.util.Collection; import java.util.Collections; @@ -242,6 +241,15 @@ break; } + // skip anchor if it contains a DSA key with no DSA params + X509Certificate trustedCert = anchor.getTrustedCert(); + PublicKey pubKey = trustedCert != null ? trustedCert.getPublicKey() + : anchor.getCAPublicKey(); + + if (PKIX.isDSAPublicKeyWithoutParams(pubKey)) { + continue; + } + /* Initialize current state */ currentState.initState(buildParams); currentState.updateState(anchor, buildParams); @@ -714,9 +722,7 @@ * Extract and save the final target public key */ finalPublicKey = cert.getPublicKey(); - if (finalPublicKey instanceof DSAPublicKey && - ((DSAPublicKey)finalPublicKey).getParams() == null) - { + if (PKIX.isDSAPublicKeyWithoutParams(finalPublicKey)) { finalPublicKey = BasicChecker.makeInheritedParamsKey (finalPublicKey, currentState.pubKey);
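Review bot: In the `-242,6 +241,15` hunk the comment `// skip anchor if it contains a DSA key with no DSA params` says what is skipped but not why. The only explanation was the NOTE that this commit deletes from ForwardBuilder.java, which said there is no key to inherit the parameters from. I would keep that reasoning next to the check, e.g. `// skip anchor if it contains a DSA key with no DSA params: an anchor has no previous key to inherit them from`. The identical comment added in ForwardBuilder.java would benefit from the same wording. The enclosing loop starts outside this hunk.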