changeset 8755:1303ee1ee5b8

7195409: CertPath/CertPathValidatorTest/KeyParamsInheritanceTest fails with NullPointerException
Reviewed-by: xuelei
author mullan
date Thu, 09 Nov 2017 06:17:15 +0000
parents 1edb6fe8456b
children 3a2a9ad6d2c5
files src/share/classes/sun/security/provider/certpath/AlgorithmChecker.java src/share/classes/sun/security/provider/certpath/BasicChecker.java src/share/classes/sun/security/provider/certpath/ForwardBuilder.java src/share/classes/sun/security/provider/certpath/ForwardState.java src/share/classes/sun/security/provider/certpath/PKIX.java src/share/classes/sun/security/provider/certpath/ReverseState.java src/share/classes/sun/security/provider/certpath/RevocationChecker.java src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java
diffstat 8 files changed, 43 insertions(+), 40 deletions(-) [+]
--- a/src/share/classes/sun/security/provider/certpath/AlgorithmChecker.java	Thu Nov 09 06:08:09 2017 +0000
+++ b/src/share/classes/sun/security/provider/certpath/AlgorithmChecker.java	Thu Nov 09 06:17:15 2017 +0000
@@ -358,8 +358,7 @@
         }
 
         // Inherit key parameters from previous key
-        if (currPubKey instanceof DSAPublicKey &&
-            ((DSAPublicKey)currPubKey).getParams() == null) {
+        if (PKIX.isDSAPublicKeyWithoutParams(currPubKey)) {
             // Inherit DSA parameters from previous key
             if (!(prevPubKey instanceof DSAPublicKey)) {
                 throw new CertPathValidatorException("Input key is not " +
--- a/src/share/classes/sun/security/provider/certpath/BasicChecker.java	Thu Nov 09 06:08:09 2017 +0000
+++ b/src/share/classes/sun/security/provider/certpath/BasicChecker.java	Thu Nov 09 06:17:15 2017 +0000
@@ -235,8 +235,7 @@
                 currCert.getSubjectX500Principal() + "; serial#: " +
                 currCert.getSerialNumber().toString());
         }
-        if (cKey instanceof DSAPublicKey &&
-            ((DSAPublicKey)cKey).getParams() == null) {
+        if (PKIX.isDSAPublicKeyWithoutParams(cKey)) {
             //cKey needs to inherit DSA parameters from prev key
             cKey = makeInheritedParamsKey(cKey, prevPubKey);
             if (debug != null) debug.println("BasicChecker.updateState Made " +
--- a/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java	Thu Nov 09 06:08:09 2017 +0000
+++ b/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java	Thu Nov 09 06:17:15 2017 +0000
@@ -800,36 +800,36 @@
                 } else {
                     continue;
                 }
-            } else {
-                X500Principal principal = anchor.getCA();
-                PublicKey publicKey = anchor.getCAPublicKey();
+            }
+            X500Principal principal = anchor.getCA();
+            PublicKey publicKey = anchor.getCAPublicKey();
 
-                if (principal != null && publicKey != null &&
-                        principal.equals(cert.getSubjectX500Principal())) {
-                    if (publicKey.equals(cert.getPublicKey())) {
-                        // the cert itself is a trust anchor
-                        this.trustAnchor = anchor;
-                        return true;
-                    }
-                    // else, it is a self-issued certificate of the anchor
+            if (principal != null && publicKey != null &&
+                    principal.equals(cert.getSubjectX500Principal())) {
+                if (publicKey.equals(cert.getPublicKey())) {
+                    // the cert itself is a trust anchor
+                    this.trustAnchor = anchor;
+                    return true;
                 }
+                // else, it is a self-issued certificate of the anchor
+            }
 
-                // Check subject/issuer name chaining
-                if (principal == null ||
-                        !principal.equals(cert.getIssuerX500Principal())) {
-                    continue;
-                }
+            // Check subject/issuer name chaining
+            if (principal == null ||
+                    !principal.equals(cert.getIssuerX500Principal())) {
+                continue;
+            }
+
+            // skip anchor if it contains a DSA key with no DSA params
+            if (PKIX.isDSAPublicKeyWithoutParams(publicKey)) {
+                continue;
             }
 
             /*
              * Check signature
              */
             try {
-                // NOTE: the DSA public key in the buildParams may lack
-                // parameters, yet there is no key to inherit the parameters
-                // from.  This is probably such a rare case that it is not worth
-                // trying to detect the situation earlier.
-                cert.verify(anchor.getCAPublicKey(), buildParams.sigProvider());
+                cert.verify(publicKey, buildParams.sigProvider());
             } catch (InvalidKeyException ike) {
                 if (debug != null) {
                     debug.println("ForwardBuilder.isPathCompleted() invalid "
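Review bot: The new `continue` for an anchor whose DSA key has no parameters is silent, while the `InvalidKeyException` path a few lines below reports through `debug`. A build that fails because every candidate anchor was skipped this way leaves no trace of the reason. I would log the skip, e.g. `if (debug != null) debug.println("ForwardBuilder.isPathCompleted() skipping anchor: DSA key without params");`, and do the same at the matching skip added to the anchor loop in SunCertPathBuilder.java (`@@ -242,6 +241,15 @@`). Note also that the "cert itself is a trust anchor" branch returns `true` before the new check runs, so a matching anchor with a parameterless DSA key is still accepted; whether later consumers of `this.trustAnchor` cope with that cannot be seen from this hunk and is worth confirming. The enclosing method starts and ends outside the hunk.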
--- a/src/share/classes/sun/security/provider/certpath/ForwardState.java	Thu Nov 09 06:08:09 2017 +0000
+++ b/src/share/classes/sun/security/provider/certpath/ForwardState.java	Thu Nov 09 06:17:15 2017 +0000
@@ -26,12 +26,10 @@
 package sun.security.provider.certpath;
 
 import java.io.IOException;
-import java.security.PublicKey;
 import java.security.cert.CertificateException;
 import java.security.cert.CertPathValidatorException;
 import java.security.cert.PKIXCertPathChecker;
 import java.security.cert.X509Certificate;
-import java.security.interfaces.DSAPublicKey;
 import java.util.ArrayList;
 import java.util.HashSet;
 import java.util.List;
@@ -168,9 +166,7 @@
         X509CertImpl icert = X509CertImpl.toImpl(cert);
 
         /* see if certificate key has null parameters */
-        PublicKey newKey = icert.getPublicKey();
-        if (newKey instanceof DSAPublicKey &&
-            ((DSAPublicKey)newKey).getParams() == null) {
+        if (PKIX.isDSAPublicKeyWithoutParams(icert.getPublicKey())) {
             keyParamsNeededFlag = true;
         }
 
--- a/src/share/classes/sun/security/provider/certpath/PKIX.java	Thu Nov 09 06:08:09 2017 +0000
+++ b/src/share/classes/sun/security/provider/certpath/PKIX.java	Thu Nov 09 06:17:15 2017 +0000
@@ -26,8 +26,10 @@
 
 import java.security.InvalidAlgorithmParameterException;
 import java.security.KeyStore;
+import java.security.PublicKey;
 import java.security.Timestamp;
 import java.security.cert.*;
+import java.security.interfaces.DSAPublicKey;
 import java.util.*;
 import javax.security.auth.x500.X500Principal;
 
@@ -43,6 +45,11 @@
 
     private PKIX() { }
 
+    static boolean isDSAPublicKeyWithoutParams(PublicKey publicKey) {
+        return (publicKey instanceof DSAPublicKey &&
+               ((DSAPublicKey)publicKey).getParams() == null);
+    }
+
     static ValidatorParams checkParams(CertPath cp, CertPathParameters params)
         throws InvalidAlgorithmParameterException
     {
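Review bot: `isDSAPublicKeyWithoutParams` is now the single predicate that seven call sites rely on, but it is added without any comment, and its null behaviour is not stated. Because `instanceof` is false for `null`, the helper returns `false` for a null key, which matters at call sites that pass `anchor.getCAPublicKey()` directly. I would add a short Javadoc such as `/** Returns true if publicKey is a DSA key whose parameters are absent and must be inherited; returns false for null or non-DSA keys. */` so callers do not add redundant null checks or assume it throws.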
--- a/src/share/classes/sun/security/provider/certpath/ReverseState.java	Thu Nov 09 06:08:09 2017 +0000
+++ b/src/share/classes/sun/security/provider/certpath/ReverseState.java	Thu Nov 09 06:17:15 2017 +0000
@@ -32,7 +32,6 @@
 import java.security.cert.PKIXCertPathChecker;
 import java.security.cert.TrustAnchor;
 import java.security.cert.X509Certificate;
-import java.security.interfaces.DSAPublicKey;
 import java.util.ArrayList;
 import java.util.HashSet;
 import java.util.List;
@@ -281,8 +280,7 @@
         /* check for key needing to inherit alg parameters */
         X509CertImpl icert = X509CertImpl.toImpl(cert);
         PublicKey newKey = cert.getPublicKey();
-        if (newKey instanceof DSAPublicKey &&
-            (((DSAPublicKey)newKey).getParams() == null)) {
+        if (PKIX.isDSAPublicKeyWithoutParams(newKey)) {
             newKey = BasicChecker.makeInheritedParamsKey(newKey, pubKey);
         }
 
--- a/src/share/classes/sun/security/provider/certpath/RevocationChecker.java	Thu Nov 09 06:08:09 2017 +0000
+++ b/src/share/classes/sun/security/provider/certpath/RevocationChecker.java	Thu Nov 09 06:17:15 2017 +0000
@@ -38,7 +38,6 @@
 import java.security.cert.CertPathValidatorException.BasicReason;
 import java.security.cert.Extension;
 import java.security.cert.*;
-import java.security.interfaces.DSAPublicKey;
 import java.util.Arrays;
 import java.util.ArrayList;
 import java.util.Collection;
@@ -405,8 +404,7 @@
 
         // Make new public key if parameters are missing
         PublicKey pubKey = cert.getPublicKey();
-        if (pubKey instanceof DSAPublicKey &&
-            ((DSAPublicKey)pubKey).getParams() == null) {
+        if (PKIX.isDSAPublicKeyWithoutParams(pubKey)) {
             // pubKey needs to inherit DSA parameters from prev key
             pubKey = BasicChecker.makeInheritedParamsKey(pubKey, prevPubKey);
         }
--- a/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java	Thu Nov 09 06:08:09 2017 +0000
+++ b/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java	Thu Nov 09 06:17:15 2017 +0000
@@ -32,7 +32,6 @@
 import java.security.cert.*;
 import java.security.cert.CertPathValidatorException.BasicReason;
 import java.security.cert.PKIXReason;
-import java.security.interfaces.DSAPublicKey;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
@@ -242,6 +241,15 @@
                 break;
             }
 
+            // skip anchor if it contains a DSA key with no DSA params
+            X509Certificate trustedCert = anchor.getTrustedCert();
+            PublicKey pubKey = trustedCert != null ? trustedCert.getPublicKey()
+                                                   : anchor.getCAPublicKey();
+
+            if (PKIX.isDSAPublicKeyWithoutParams(pubKey)) {
+                continue;
+            }
+
             /* Initialize current state */
             currentState.initState(buildParams);
             currentState.updateState(anchor, buildParams);
@@ -714,9 +722,7 @@
                  * Extract and save the final target public key
                  */
                 finalPublicKey = cert.getPublicKey();
-                if (finalPublicKey instanceof DSAPublicKey &&
-                    ((DSAPublicKey)finalPublicKey).getParams() == null)
-                {
+                if (PKIX.isDSAPublicKeyWithoutParams(finalPublicKey)) {
                     finalPublicKey =
                         BasicChecker.makeInheritedParamsKey
                             (finalPublicKey, currentState.pubKey);