From 18eb6d9e34afa0df168c1794a9a41b23e5a17915 Mon Sep 17 00:00:00 2001 From: Sean Coffey Date: Fri, 22 Jan 2021 15:31:35 +0000 Subject: [PATCH] 8255348: NPE in PKIXCertPathValidator event logging code Reviewed-by: mullan --- .../certpath/PKIXCertPathValidator.java | 8 ++-- .../security/TestX509CertificateEvent.java | 9 ++--- .../security/TestX509ValidationEvent.java | 39 +++++++++++++++++-- .../logging/TestX509CertificateLog.java | 5 +-- .../logging/TestX509ValidationLog.java | 9 ++++- .../test/lib/security/TestCertificate.java | 31 +++++++++++---- 6 files changed, 76 insertions(+), 25 deletions(-) diff --git a/src/java.base/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java b/src/java.base/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java index fe0e2fc5daf..49cf2646f2e 100644 --- a/src/java.base/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java +++ b/src/java.base/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java @@ -241,13 +241,13 @@ public final class PKIXCertPathValidator extends CertPathValidatorSpi { X509ValidationEvent xve = new X509ValidationEvent(); if (xve.shouldCommit() || EventHelper.isLoggingSecurity()) { int[] certIds = params.certificates().stream() - .mapToInt(x -> x.hashCode()) + .mapToInt(Certificate::hashCode) .toArray(); - int anchorCertId = - anchor.getTrustedCert().hashCode(); + int anchorCertId = (anchorCert != null) ? + anchorCert.hashCode() : anchor.getCAPublicKey().hashCode(); if (xve.shouldCommit()) { xve.certificateId = anchorCertId; - int certificatePos = 1; //anchor cert + int certificatePos = 1; // most trusted CA xve.certificatePosition = certificatePos; xve.validationCounter = validationCounter.incrementAndGet(); xve.commit(); diff --git a/test/jdk/jdk/jfr/event/security/TestX509CertificateEvent.java b/test/jdk/jdk/jfr/event/security/TestX509CertificateEvent.java index 7d771d5ab2d..02035ad2533 100644 --- a/test/jdk/jdk/jfr/event/security/TestX509CertificateEvent.java +++ b/test/jdk/jdk/jfr/event/security/TestX509CertificateEvent.java @@ -48,12 +48,11 @@ public class TestX509CertificateEvent { recording.enable(EventNames.X509Certificate); recording.start(); - CertificateFactory cf = CertificateFactory.getInstance("X.509"); - TestCertificate.ONE.generate(cf); - TestCertificate.TWO.generate(cf); + TestCertificate.ONE.certificate(); + TestCertificate.TWO.certificate(); // Generate twice to make sure only one event per certificate is generated - TestCertificate.ONE.generate(cf); - TestCertificate.TWO.generate(cf); + TestCertificate.ONE.certificate(); + TestCertificate.TWO.certificate(); recording.stop(); diff --git a/test/jdk/jdk/jfr/event/security/TestX509ValidationEvent.java b/test/jdk/jdk/jfr/event/security/TestX509ValidationEvent.java index c6327753df1..50f472301f0 100644 --- a/test/jdk/jdk/jfr/event/security/TestX509ValidationEvent.java +++ b/test/jdk/jdk/jfr/event/security/TestX509ValidationEvent.java @@ -47,8 +47,8 @@ public class TestX509ValidationEvent { try (Recording recording = new Recording()) { recording.enable(EventNames.X509Validation); recording.start(); - // intermeditate certificate test - TestCertificate.generateChain(false); + // intermediate certificate test + TestCertificate.generateChain(false, true); recording.stop(); List events = Events.fromRecording(recording); Asserts.assertEquals(events.size(), 3, "Incorrect number of events"); @@ -59,12 +59,23 @@ public class TestX509ValidationEvent { recording.enable(EventNames.X509Validation); recording.start(); // self signed certificate test - TestCertificate.generateChain(true); + TestCertificate.generateChain(true, true); recording.stop(); List events = Events.fromRecording(recording); Asserts.assertEquals(events.size(), 2, "Incorrect number of events"); assertEvent2(events); } + + try (Recording recording = new Recording()) { + recording.enable(EventNames.X509Validation); + recording.start(); + // intermediate certificate test, with no Cert for trust anchor + TestCertificate.generateChain(true, false); + recording.stop(); + List events = Events.fromRecording(recording); + Asserts.assertEquals(events.size(), 2, "Incorrect number of events"); + assertEvent3(events); + } } private static void assertEvent1(List events) throws Exception { @@ -108,4 +119,26 @@ public class TestX509ValidationEvent { } } } + /* + * Self signed certificate test + */ + private static void assertEvent3(List events) throws Exception { + for (RecordedEvent e : events) { + int pos = e.getInt("certificatePosition"); + switch (pos) { + // use public key of cert provided in TrustAnchor + case 1: + Asserts.assertEquals(e.getLong("certificateId"), + Long.valueOf(TestCertificate.ROOT_CA.certificate().getPublicKey().hashCode())); + break; + case 2: + Events.assertField(e, "certificateId") + .equal(TestCertificate.ROOT_CA.certId); + break; + default: + System.out.println(events); + throw new Exception("Unexpected position:" + pos); + } + } + } } diff --git a/test/jdk/jdk/security/logging/TestX509CertificateLog.java b/test/jdk/jdk/security/logging/TestX509CertificateLog.java index 215e62f4a3e..cbeb03039d1 100644 --- a/test/jdk/jdk/security/logging/TestX509CertificateLog.java +++ b/test/jdk/jdk/security/logging/TestX509CertificateLog.java @@ -58,9 +58,8 @@ public class TestX509CertificateLog { public static class GenerateX509Certicate { public static void main(String[] args) throws Exception { - CertificateFactory cf = CertificateFactory.getInstance("X.509"); - TestCertificate.ONE.generate(cf); - TestCertificate.TWO.generate(cf); + TestCertificate.ONE.certificate(); + TestCertificate.TWO.certificate(); } } } diff --git a/test/jdk/jdk/security/logging/TestX509ValidationLog.java b/test/jdk/jdk/security/logging/TestX509ValidationLog.java index 7fe659764b8..1963fd83294 100644 --- a/test/jdk/jdk/security/logging/TestX509ValidationLog.java +++ b/test/jdk/jdk/security/logging/TestX509ValidationLog.java @@ -43,14 +43,19 @@ public class TestX509ValidationLog { l.addExpected("FINE: ValidationChain: " + TestCertificate.ROOT_CA.certId + ", " + TestCertificate.ROOT_CA.certId); + l.addExpected("FINE: ValidationChain: " + + TestCertificate.ROOT_CA.certificate().getPublicKey().hashCode() + + ", " + TestCertificate.ROOT_CA.certId); l.testExpected(); } public static class GenerateCertificateChain { public static void main(String[] args) throws Exception { - TestCertificate.generateChain(false); + TestCertificate.generateChain(false, true); // self signed test - TestCertificate.generateChain(true); + TestCertificate.generateChain(true, true); + // no cert for trust anchor + TestCertificate.generateChain(true, false); } } } diff --git a/test/lib/jdk/test/lib/security/TestCertificate.java b/test/lib/jdk/test/lib/security/TestCertificate.java index 098cd2f1197..47fd9de0d06 100644 --- a/test/lib/jdk/test/lib/security/TestCertificate.java +++ b/test/lib/jdk/test/lib/security/TestCertificate.java @@ -122,6 +122,8 @@ public enum TestCertificate { "J2GyCaJINsyaI/I2\n" + "-----END CERTIFICATE-----"); + private static final CertificateFactory CERTIFICATE_FACTORY = getCertificateFactory(); + public String serialNumber; public String algorithm; public String subject; @@ -143,22 +145,35 @@ public enum TestCertificate { this.keyLength = 2048; } - public X509Certificate generate(CertificateFactory cf) throws CertificateException { - ByteArrayInputStream is = new ByteArrayInputStream(encoded.getBytes()); - return (X509Certificate) cf.generateCertificate(is); + private static CertificateFactory getCertificateFactory() { + try { + return CertificateFactory.getInstance("X.509"); + } catch (CertificateException e) { + throw new RuntimeException(e); + } } - public static void generateChain(boolean selfSignedTest) throws Exception { + public X509Certificate certificate() throws CertificateException { + ByteArrayInputStream is = new ByteArrayInputStream(encoded.getBytes()); + return (X509Certificate) CERTIFICATE_FACTORY.generateCertificate(is); + } + + public static void generateChain(boolean selfSignedTest, boolean trustAnchorCert) throws Exception { // Do path validation as if it is always Tue, 06 Sep 2016 22:12:21 GMT // This value is within the lifetimes of all certificates. Date testDate = new Date(1473199941000L); CertificateFactory cf = CertificateFactory.getInstance("X.509"); - X509Certificate c1 = TestCertificate.ONE.generate(cf); - X509Certificate c2 = TestCertificate.TWO.generate(cf); - X509Certificate ca = TestCertificate.ROOT_CA.generate(cf); + X509Certificate c1 = TestCertificate.ONE.certificate(); + X509Certificate c2 = TestCertificate.TWO.certificate(); + X509Certificate ca = TestCertificate.ROOT_CA.certificate(); - TrustAnchor ta = new TrustAnchor(ca, null); + TrustAnchor ta; + if (trustAnchorCert) { + ta = new TrustAnchor(ca, null); + } else { + ta = new TrustAnchor(ca.getIssuerX500Principal(), ca.getPublicKey(), null); + } CertPathValidator validator = CertPathValidator.getInstance("PKIX"); PKIXParameters params = new PKIXParameters(Collections.singleton(ta));