7195409: CertPath/CertPathValidatorTest/KeyParamsInheritanceTest fails with NullPointerException

Reviewed-by: xuelei

7195409: CertPath/CertPathValidatorTest/KeyParamsInheritanceTest fails with NullPointerException
Reviewed-by: xuelei
d32b6188 · mullan · ca758867 · d32b6188 · d32b6188 · d32b6188
8 changed file
--- a/src/share/classes/sun/security/provider/certpath/AlgorithmChecker.java
+++ b/src/share/classes/sun/security/provider/certpath/AlgorithmChecker.java
 /*
- * Copyright (c) 2009, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2012, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -259,8 +259,7 @@ final public class AlgorithmChecker extends PKIXCertPathChecker {
            }

            // Inherit key parameters from previous key
-            if (currPubKey instanceof DSAPublicKey &&
-                ((DSAPublicKey)currPubKey).getParams() == null) {
+            if (PKIX.isDSAPublicKeyWithoutParams(currPubKey)) {
                // Inherit DSA parameters from previous key
                if (!(prevPubKey instanceof DSAPublicKey)) {
                    throw new CertPathValidatorException("Input key is not " +

--- a/src/share/classes/sun/security/provider/certpath/BasicChecker.java
+++ b/src/share/classes/sun/security/provider/certpath/BasicChecker.java
@@ -101,9 +101,7 @@ class BasicChecker extends PKIXCertPathChecker {
    public void init(boolean forward) throws CertPathValidatorException {
        if (!forward) {
            prevPubKey = trustedPubKey;
-            if (prevPubKey instanceof DSAPublicKey &&
-                ((DSAPublicKey)prevPubKey).getParams() == null)
-            {
+            if (PKIX.isDSAPublicKeyWithoutParams(prevPubKey)) {
                // If TrustAnchor is a DSA public key and it has no params, it
                // cannot be used to verify the signature of the first cert,
                // so throw exception
@@ -248,8 +246,7 @@ class BasicChecker extends PKIXCertPathChecker {
                currCert.getSubjectX500Principal() + "; serial#: " +
                currCert.getSerialNumber().toString());
        }
-        if (cKey instanceof DSAPublicKey &&
-            ((DSAPublicKey)cKey).getParams() == null) {
+        if (PKIX.isDSAPublicKeyWithoutParams(cKey)) {
            // cKey needs to inherit DSA parameters from prev key
            cKey = makeInheritedParamsKey(cKey, prevPubKey);
            if (debug != null) debug.println("BasicChecker.updateState Made " +

--- a/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java
+++ b/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java
@@ -817,36 +817,36 @@ class ForwardBuilder extends Builder {
                } else {
                    continue;
                }
-            } else {
-                X500Principal principal = anchor.getCA();
-                PublicKey publicKey = anchor.getCAPublicKey();
-
-                if (principal != null && publicKey != null &&
-                        principal.equals(cert.getSubjectX500Principal())) {
-                    if (publicKey.equals(cert.getPublicKey())) {
-                        // the cert itself is a trust anchor
-                        this.trustAnchor = anchor;
-                        return true;
-                    }
-                    // else, it is a self-issued certificate of the anchor
-                }
+            }
+            X500Principal principal = anchor.getCA();
+            PublicKey publicKey = anchor.getCAPublicKey();

-                // Check subject/issuer name chaining
-                if (principal == null ||
-                        !principal.equals(cert.getIssuerX500Principal())) {
-                    continue;
+            if (principal != null && publicKey != null &&
+                    principal.equals(cert.getSubjectX500Principal())) {
+                if (publicKey.equals(cert.getPublicKey())) {
+                    // the cert itself is a trust anchor
+                    this.trustAnchor = anchor;
+                    return true;
                }
+                // else, it is a self-issued certificate of the anchor
+            }
+
+            // Check subject/issuer name chaining
+            if (principal == null ||
+                    !principal.equals(cert.getIssuerX500Principal())) {
+                continue;
+            }
+
+            // skip anchor if it contains a DSA key with no DSA params
+            if (PKIX.isDSAPublicKeyWithoutParams(publicKey)) {
+                continue;
            }

            /*
             * Check signature
             */
            try {
-                // NOTE: the DSA public key in the buildParams may lack
-                // parameters, yet there is no key to inherit the parameters
-                // from.  This is probably such a rare case that it is not worth
-                // trying to detect the situation earlier.
-                cert.verify(anchor.getCAPublicKey(), buildParams.sigProvider());
+                cert.verify(publicKey, buildParams.sigProvider());
            } catch (InvalidKeyException ike) {
                if (debug != null) {
                    debug.println("ForwardBuilder.isPathCompleted() invalid "

--- a/src/share/classes/sun/security/provider/certpath/ForwardState.java
+++ b/src/share/classes/sun/security/provider/certpath/ForwardState.java
@@ -26,12 +26,10 @@
 package sun.security.provider.certpath;

 import java.io.IOException;
-import java.security.PublicKey;
 import java.security.cert.CertificateException;
 import java.security.cert.CertPathValidatorException;
 import java.security.cert.PKIXCertPathChecker;
 import java.security.cert.X509Certificate;
-import java.security.interfaces.DSAPublicKey;
 import java.util.ArrayList;
 import java.util.HashSet;
 import java.util.List;
@@ -169,9 +167,7 @@ class ForwardState implements State {
        X509CertImpl icert = X509CertImpl.toImpl(cert);

        /* see if certificate key has null parameters */
-        PublicKey newKey = icert.getPublicKey();
-        if (newKey instanceof DSAPublicKey &&
-            ((DSAPublicKey)newKey).getParams() == null) {
+        if (PKIX.isDSAPublicKeyWithoutParams(icert.getPublicKey())) {
            keyParamsNeededFlag = true;
        }


--- a/src/share/classes/sun/security/provider/certpath/PKIX.java
+++ b/src/share/classes/sun/security/provider/certpath/PKIX.java
@@ -26,7 +26,9 @@ package sun.security.provider.certpath;

 import java.security.InvalidAlgorithmParameterException;
 import java.security.KeyStore;
+import java.security.PublicKey;
 import java.security.cert.*;
+import java.security.interfaces.DSAPublicKey;
 import java.util.*;
 import javax.security.auth.x500.X500Principal;

@@ -42,6 +44,11 @@ class PKIX {

    private PKIX() { }

+    static boolean isDSAPublicKeyWithoutParams(PublicKey publicKey) {
+        return (publicKey instanceof DSAPublicKey &&
+               ((DSAPublicKey)publicKey).getParams() == null);
+    }
+
    static ValidatorParams checkParams(CertPath cp, CertPathParameters params)
        throws InvalidAlgorithmParameterException
    {

--- a/src/share/classes/sun/security/provider/certpath/ReverseState.java
+++ b/src/share/classes/sun/security/provider/certpath/ReverseState.java
@@ -32,7 +32,6 @@ import java.security.cert.CertPathValidatorException;
 import java.security.cert.PKIXCertPathChecker;
 import java.security.cert.TrustAnchor;
 import java.security.cert.X509Certificate;
-import java.security.interfaces.DSAPublicKey;
 import java.util.ArrayList;
 import java.util.HashSet;
 import java.util.List;
@@ -287,8 +286,7 @@ class ReverseState implements State {
        /* check for key needing to inherit alg parameters */
        X509CertImpl icert = X509CertImpl.toImpl(cert);
        PublicKey newKey = cert.getPublicKey();
-        if (newKey instanceof DSAPublicKey &&
-            (((DSAPublicKey)newKey).getParams() == null)) {
+        if (PKIX.isDSAPublicKeyWithoutParams(newKey)) {
            newKey = BasicChecker.makeInheritedParamsKey(newKey, pubKey);
        }


--- a/src/share/classes/sun/security/provider/certpath/RevocationChecker.java
+++ b/src/share/classes/sun/security/provider/certpath/RevocationChecker.java
@@ -38,7 +38,6 @@ import java.security.Security;
 import java.security.cert.CertPathValidatorException.BasicReason;
 import java.security.cert.Extension;
 import java.security.cert.*;
-import java.security.interfaces.DSAPublicKey;
 import java.util.Arrays;
 import java.util.ArrayList;
 import java.util.Collection;
@@ -406,8 +405,7 @@ class RevocationChecker extends PKIXRevocationChecker {

        // Make new public key if parameters are missing
        PublicKey pubKey = cert.getPublicKey();
-        if (pubKey instanceof DSAPublicKey &&
-            ((DSAPublicKey)pubKey).getParams() == null) {
+        if (PKIX.isDSAPublicKeyWithoutParams(pubKey)) {
            // pubKey needs to inherit DSA parameters from prev key
            pubKey = BasicChecker.makeInheritedParamsKey(pubKey, prevPubKey);
        }

--- a/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java
+++ b/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java
@@ -31,7 +31,6 @@ import java.security.InvalidAlgorithmParameterException;
 import java.security.PublicKey;
 import java.security.cert.*;
 import java.security.cert.PKIXReason;
-import java.security.interfaces.DSAPublicKey;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
@@ -242,6 +241,15 @@ public final class SunCertPathBuilder extends CertPathBuilderSpi {
                break;
            }

+            // skip anchor if it contains a DSA key with no DSA params
+            X509Certificate trustedCert = anchor.getTrustedCert();
+            PublicKey pubKey = trustedCert != null ? trustedCert.getPublicKey()
+                                                   : anchor.getCAPublicKey();
+
+            if (PKIX.isDSAPublicKeyWithoutParams(pubKey)) {
+                continue;
+            }
+
            /* Initialize current state */
            currentState.initState(buildParams);
            currentState.updateState(anchor, buildParams);
@@ -705,9 +713,7 @@ public final class SunCertPathBuilder extends CertPathBuilderSpi {
                 * Extract and save the final target public key
                 */
                finalPublicKey = cert.getPublicKey();
-                if (finalPublicKey instanceof DSAPublicKey &&
-                    ((DSAPublicKey)finalPublicKey).getParams() == null)
-                {
+                if (PKIX.isDSAPublicKeyWithoutParams(finalPublicKey)) {
                    finalPublicKey =
                        BasicChecker.makeInheritedParamsKey
                            (finalPublicKey, currentState.pubKey);