7142172: Custom TrustManagers that return null for getAcceptedIssuers will NPE

Reviewed-by: xuelei

src/share/classes/sun/security/ssl/SSLContextImpl.java

 /*
- * Copyright (c) 1999, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2012, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -774,12 +774,8 @@ final class AbstractTrustManagerWrapper extends X509ExtendedTrustManager
     // the delegated trust manager
     private final X509TrustManager tm;
 
-    // Cache the trusted certificate to optimize the performance.
-    private final Collection<X509Certificate> trustedCerts = new HashSet<>();
-
     AbstractTrustManagerWrapper(X509TrustManager tm) {
         this.tm = tm;
-        Collections.addAll(trustedCerts, tm.getAcceptedIssuers());
     }
 
     @Override
@@ -920,6 +916,13 @@ final class AbstractTrustManagerWrapper extends X509ExtendedTrustManager
         try {
             // Does the certificate chain end with a trusted certificate?
             int checkedLength = chain.length - 1;
+
+            Collection<X509Certificate> trustedCerts = new HashSet<>();
+            X509Certificate[] certs = tm.getAcceptedIssuers();
+            if ((certs != null) && (certs.length > 0)){
+                Collections.addAll(trustedCerts, certs);
+            }
+
             if (trustedCerts.contains(chain[checkedLength])) {
                     checkedLength--;
             }

test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/NullGetAcceptedIssuers.java

+/*
+ * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 7142172
+ * @summary Custom TrustManagers that return null for getAcceptedIssuers
+ *          will NPE.
+ *     SunJSSE does not support dynamic system properties, no way to
+ *     re-use system properties in samevm/agentvm mode.
+ * @run main/othervm NullGetAcceptedIssuers
+ */
+
+import javax.net.ssl.*;
+
+public class NullGetAcceptedIssuers {
+
+    public static void main(String[] args) throws Exception {
+        SSLContext sslContext;
+
+        // Create a trust manager that does not validate certificate chains
+        TrustManager[] trustAllCerts =
+            new TrustManager[] {new X509TrustManager() {
+
+                public void checkClientTrusted(
+                        java.security.cert.X509Certificate[] certs,
+                        String authType) {
+                }
+
+                public void checkServerTrusted(
+                        java.security.cert.X509Certificate[] certs,
+                        String authType) {
+                }
+
+                // API says empty array, but some custom TMs are
+                // returning null.
+                public java.security.cert.X509Certificate[]
+                        getAcceptedIssuers() {
+                    return null;
+                }
+            }};
+
+        sslContext = javax.net.ssl.SSLContext.getInstance("SSL");
+        sslContext.init(null, trustAllCerts, null);
+    }
+}