7195409: CertPath/CertPathValidatorTest/KeyParamsInheritanceTest fails with NullPointerException
Reviewed-by: xuelei
parent
bb1c4324e9
commit
227d6c722e
jdk/src/share/classes/sun/security/provider/certpath
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 2009, 2011, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2009, 2012, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -259,8 +259,7 @@ final public class AlgorithmChecker extends PKIXCertPathChecker {
|
||||
}
|
||||
|
||||
// Inherit key parameters from previous key
|
||||
if (currPubKey instanceof DSAPublicKey &&
|
||||
((DSAPublicKey)currPubKey).getParams() == null) {
|
||||
if (PKIX.isDSAPublicKeyWithoutParams(currPubKey)) {
|
||||
// Inherit DSA parameters from previous key
|
||||
if (!(prevPubKey instanceof DSAPublicKey)) {
|
||||
throw new CertPathValidatorException("Input key is not " +
|
||||
|
@ -101,9 +101,7 @@ class BasicChecker extends PKIXCertPathChecker {
|
||||
public void init(boolean forward) throws CertPathValidatorException {
|
||||
if (!forward) {
|
||||
prevPubKey = trustedPubKey;
|
||||
if (prevPubKey instanceof DSAPublicKey &&
|
||||
((DSAPublicKey)prevPubKey).getParams() == null)
|
||||
{
|
||||
if (PKIX.isDSAPublicKeyWithoutParams(prevPubKey)) {
|
||||
// If TrustAnchor is a DSA public key and it has no params, it
|
||||
// cannot be used to verify the signature of the first cert,
|
||||
// so throw exception
|
||||
@ -248,8 +246,7 @@ class BasicChecker extends PKIXCertPathChecker {
|
||||
currCert.getSubjectX500Principal() + "; serial#: " +
|
||||
currCert.getSerialNumber().toString());
|
||||
}
|
||||
if (cKey instanceof DSAPublicKey &&
|
||||
((DSAPublicKey)cKey).getParams() == null) {
|
||||
if (PKIX.isDSAPublicKeyWithoutParams(cKey)) {
|
||||
// cKey needs to inherit DSA parameters from prev key
|
||||
cKey = makeInheritedParamsKey(cKey, prevPubKey);
|
||||
if (debug != null) debug.println("BasicChecker.updateState Made " +
|
||||
|
@ -817,36 +817,36 @@ class ForwardBuilder extends Builder {
|
||||
} else {
|
||||
continue;
|
||||
}
|
||||
} else {
|
||||
X500Principal principal = anchor.getCA();
|
||||
PublicKey publicKey = anchor.getCAPublicKey();
|
||||
}
|
||||
X500Principal principal = anchor.getCA();
|
||||
PublicKey publicKey = anchor.getCAPublicKey();
|
||||
|
||||
if (principal != null && publicKey != null &&
|
||||
principal.equals(cert.getSubjectX500Principal())) {
|
||||
if (publicKey.equals(cert.getPublicKey())) {
|
||||
// the cert itself is a trust anchor
|
||||
this.trustAnchor = anchor;
|
||||
return true;
|
||||
}
|
||||
// else, it is a self-issued certificate of the anchor
|
||||
if (principal != null && publicKey != null &&
|
||||
principal.equals(cert.getSubjectX500Principal())) {
|
||||
if (publicKey.equals(cert.getPublicKey())) {
|
||||
// the cert itself is a trust anchor
|
||||
this.trustAnchor = anchor;
|
||||
return true;
|
||||
}
|
||||
// else, it is a self-issued certificate of the anchor
|
||||
}
|
||||
|
||||
// Check subject/issuer name chaining
|
||||
if (principal == null ||
|
||||
!principal.equals(cert.getIssuerX500Principal())) {
|
||||
continue;
|
||||
}
|
||||
// Check subject/issuer name chaining
|
||||
if (principal == null ||
|
||||
!principal.equals(cert.getIssuerX500Principal())) {
|
||||
continue;
|
||||
}
|
||||
|
||||
// skip anchor if it contains a DSA key with no DSA params
|
||||
if (PKIX.isDSAPublicKeyWithoutParams(publicKey)) {
|
||||
continue;
|
||||
}
|
||||
|
||||
/*
|
||||
* Check signature
|
||||
*/
|
||||
try {
|
||||
// NOTE: the DSA public key in the buildParams may lack
|
||||
// parameters, yet there is no key to inherit the parameters
|
||||
// from. This is probably such a rare case that it is not worth
|
||||
// trying to detect the situation earlier.
|
||||
cert.verify(anchor.getCAPublicKey(), buildParams.sigProvider());
|
||||
cert.verify(publicKey, buildParams.sigProvider());
|
||||
} catch (InvalidKeyException ike) {
|
||||
if (debug != null) {
|
||||
debug.println("ForwardBuilder.isPathCompleted() invalid "
|
||||
|
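Review bot: The new `continue` for an anchor whose DSA key has no parameters is silent, while the catch block just below it reports through `debug`. If every candidate anchor is skipped this way, path building fails with nothing in the debug trace to say why. Adding `if (debug != null) debug.println("ForwardBuilder.isPathCompleted() skipping anchor: DSA key has no params");` before the `continue` would make that diagnosable, and the same applies to the matching skip added in SunCertPathBuilder. Skipping the anchor instead of attempting verification appears to keep the failure closed, so only the logging is in question. The body of isPathCompleted starts and ends outside this hunk.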
@ -26,12 +26,10 @@
|
||||
package sun.security.provider.certpath;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.security.PublicKey;
|
||||
import java.security.cert.CertificateException;
|
||||
import java.security.cert.CertPathValidatorException;
|
||||
import java.security.cert.PKIXCertPathChecker;
|
||||
import java.security.cert.X509Certificate;
|
||||
import java.security.interfaces.DSAPublicKey;
|
||||
import java.util.ArrayList;
|
||||
import java.util.HashSet;
|
||||
import java.util.List;
|
||||
@ -169,9 +167,7 @@ class ForwardState implements State {
|
||||
X509CertImpl icert = X509CertImpl.toImpl(cert);
|
||||
|
||||
/* see if certificate key has null parameters */
|
||||
PublicKey newKey = icert.getPublicKey();
|
||||
if (newKey instanceof DSAPublicKey &&
|
||||
((DSAPublicKey)newKey).getParams() == null) {
|
||||
if (PKIX.isDSAPublicKeyWithoutParams(icert.getPublicKey())) {
|
||||
keyParamsNeededFlag = true;
|
||||
}
|
||||
|
||||
|
@ -26,7 +26,9 @@ package sun.security.provider.certpath;
|
||||
|
||||
import java.security.InvalidAlgorithmParameterException;
|
||||
import java.security.KeyStore;
|
||||
import java.security.PublicKey;
|
||||
import java.security.cert.*;
|
||||
import java.security.interfaces.DSAPublicKey;
|
||||
import java.util.*;
|
||||
import javax.security.auth.x500.X500Principal;
|
||||
|
||||
@ -42,6 +44,11 @@ class PKIX {
|
||||
|
||||
private PKIX() { }
|
||||
|
||||
static boolean isDSAPublicKeyWithoutParams(PublicKey publicKey) {
|
||||
return (publicKey instanceof DSAPublicKey &&
|
||||
((DSAPublicKey)publicKey).getParams() == null);
|
||||
}
|
||||
|
||||
static ValidatorParams checkParams(CertPath cp, CertPathParameters params)
|
||||
throws InvalidAlgorithmParameterException
|
||||
{
|
||||
|
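Review bot: `isDSAPublicKeyWithoutParams` has no doc comment, and its behaviour for a null argument is only implicit in `instanceof` being false for null. Call sites in this commit pass it values such as `anchor.getCAPublicKey()` with no null check directly in front, so the null case is part of the helper's contract and a later rewrite could reintroduce the NullPointerException named in the commit title. I would state it explicitly: `/** Returns true if publicKey is a DSAPublicKey whose getParams() is null; false otherwise, including for a null key. */`.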
@ -32,7 +32,6 @@ import java.security.cert.CertPathValidatorException;
|
||||
import java.security.cert.PKIXCertPathChecker;
|
||||
import java.security.cert.TrustAnchor;
|
||||
import java.security.cert.X509Certificate;
|
||||
import java.security.interfaces.DSAPublicKey;
|
||||
import java.util.ArrayList;
|
||||
import java.util.HashSet;
|
||||
import java.util.List;
|
||||
@ -287,8 +286,7 @@ class ReverseState implements State {
|
||||
/* check for key needing to inherit alg parameters */
|
||||
X509CertImpl icert = X509CertImpl.toImpl(cert);
|
||||
PublicKey newKey = cert.getPublicKey();
|
||||
if (newKey instanceof DSAPublicKey &&
|
||||
(((DSAPublicKey)newKey).getParams() == null)) {
|
||||
if (PKIX.isDSAPublicKeyWithoutParams(newKey)) {
|
||||
newKey = BasicChecker.makeInheritedParamsKey(newKey, pubKey);
|
||||
}
|
||||
|
||||
|
@ -38,7 +38,6 @@ import java.security.Security;
|
||||
import java.security.cert.CertPathValidatorException.BasicReason;
|
||||
import java.security.cert.Extension;
|
||||
import java.security.cert.*;
|
||||
import java.security.interfaces.DSAPublicKey;
|
||||
import java.util.Arrays;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Collection;
|
||||
@ -406,8 +405,7 @@ class RevocationChecker extends PKIXRevocationChecker {
|
||||
|
||||
// Make new public key if parameters are missing
|
||||
PublicKey pubKey = cert.getPublicKey();
|
||||
if (pubKey instanceof DSAPublicKey &&
|
||||
((DSAPublicKey)pubKey).getParams() == null) {
|
||||
if (PKIX.isDSAPublicKeyWithoutParams(pubKey)) {
|
||||
// pubKey needs to inherit DSA parameters from prev key
|
||||
pubKey = BasicChecker.makeInheritedParamsKey(pubKey, prevPubKey);
|
||||
}
|
||||
|
@ -31,7 +31,6 @@ import java.security.InvalidAlgorithmParameterException;
|
||||
import java.security.PublicKey;
|
||||
import java.security.cert.*;
|
||||
import java.security.cert.PKIXReason;
|
||||
import java.security.interfaces.DSAPublicKey;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Collection;
|
||||
import java.util.Collections;
|
||||
@ -242,6 +241,15 @@ public final class SunCertPathBuilder extends CertPathBuilderSpi {
|
||||
break;
|
||||
}
|
||||
|
||||
// skip anchor if it contains a DSA key with no DSA params
|
||||
X509Certificate trustedCert = anchor.getTrustedCert();
|
||||
PublicKey pubKey = trustedCert != null ? trustedCert.getPublicKey()
|
||||
: anchor.getCAPublicKey();
|
||||
|
||||
if (PKIX.isDSAPublicKeyWithoutParams(pubKey)) {
|
||||
continue;
|
||||
}
|
||||
|
||||
/* Initialize current state */
|
||||
currentState.initState(buildParams);
|
||||
currentState.updateState(anchor, buildParams);
|
||||
@ -705,9 +713,7 @@ public final class SunCertPathBuilder extends CertPathBuilderSpi {
|
||||
* Extract and save the final target public key
|
||||
*/
|
||||
finalPublicKey = cert.getPublicKey();
|
||||
if (finalPublicKey instanceof DSAPublicKey &&
|
||||
((DSAPublicKey)finalPublicKey).getParams() == null)
|
||||
{
|
||||
if (PKIX.isDSAPublicKeyWithoutParams(finalPublicKey)) {
|
||||
finalPublicKey =
|
||||
BasicChecker.makeInheritedParamsKey
|
||||
(finalPublicKey, currentState.pubKey);
|
||||
|