8010112: NullPointerException in sun.security.provider.certpath.CertId()
Reviewed-by: vinnie
--- a/jdk/src/share/classes/sun/security/provider/certpath/CertId.java Thu Mar 14 11:29:16 2013 -0700
+++ b/jdk/src/share/classes/sun/security/provider/certpath/CertId.java Wed Mar 20 10:58:20 2013 -0400
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -29,8 +29,10 @@
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
+import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
+import javax.security.auth.x500.X500Principal;
import sun.misc.HexDumpEncoder;
import sun.security.x509.*;
import sun.security.util.*;
@@ -70,6 +72,13 @@
public CertId(X509Certificate issuerCert, SerialNumber serialNumber)
throws IOException {
+ this(issuerCert.getSubjectX500Principal(),
+ issuerCert.getPublicKey(), serialNumber);
+ }
+
+ public CertId(X500Principal issuerName, PublicKey issuerKey,
+ SerialNumber serialNumber) throws IOException {
+
// compute issuerNameHash
MessageDigest md = null;
try {
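Review bot: The new public constructor `CertId(X500Principal issuerName, PublicKey issuerKey, SerialNumber serialNumber)` has no Javadoc and does not check its arguments, although the following hunk dereferences both with `issuerName.getEncoded()` and `issuerKey.getEncoded()`. Since this commit exists to remove a NullPointerException, I would make the contract explicit with a guard at the top such as `if (issuerName == null || issuerKey == null) throw new IOException("Unable to create CertId: issuer name or key is missing");`. A short Javadoc should state that both values identify the issuer of the certificate being checked and must be non-null. The constructor body continues outside this hunk.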
@@ -78,11 +87,11 @@
throw new IOException("Unable to create CertId", nsae);
}
hashAlgId = SHA1_ALGID;
- md.update(issuerCert.getSubjectX500Principal().getEncoded());
+ md.update(issuerName.getEncoded());
issuerNameHash = md.digest();
// compute issuerKeyHash (remove the tag and length)
- byte[] pubKey = issuerCert.getPublicKey().getEncoded();
+ byte[] pubKey = issuerKey.getEncoded();
DerValue val = new DerValue(pubKey);
DerValue[] seq = new DerValue[2];
seq[0] = val.data.getDerValue(); // AlgorithmID
@@ -94,7 +103,7 @@
if (debug) {
HexDumpEncoder encoder = new HexDumpEncoder();
- System.out.println("Issuer Certificate is " + issuerCert);
+ System.out.println("Issuer Name is " + issuerName);
System.out.println("issuerNameHash is " +
encoder.encodeBuffer(issuerNameHash));
System.out.println("issuerKeyHash is " +
--- a/jdk/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java Thu Mar 14 11:29:16 2013 -0700
+++ b/jdk/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java Wed Mar 20 10:58:20 2013 -0400
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2002, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -345,10 +345,8 @@
return false;
} else {
// in case of self-issued indirect CRL issuer.
- byte[] certAKID = certImpl.getExtensionValue(
- AuthorityKey_Id.toString());
- byte[] crlAKID = crlImpl.getExtensionValue(
- AuthorityKey_Id.toString());
+ KeyIdentifier certAKID = certImpl.getAuthKeyId();
+ KeyIdentifier crlAKID = crlImpl.getAuthKeyId();
if (certAKID == null || crlAKID == null) {
// cannot recognize indirect CRL without AKID
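Review bot: Switching `certAKID`/`crlAKID` from `getExtensionValue(...)` to `getAuthKeyId()` changes what "AKID" means here, and the existing comment does not say so. The old code compared the whole encoded extension, while the new code (and the `certAKID.equals(crlAKID)` test in the next hunk) compares the keyIdentifier field only. Judging from the `getAuthKeyId()` added in X509CertImpl, an extension that is present but lacks a keyIdentifier would presumably now return null and take the "without AKID" branch. I would record that above the null check, e.g. `// AKID is the keyIdentifier field only; an AKI extension without it is treated as absent`. The enclosing else-branch continues outside this hunk.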
@@ -359,7 +357,7 @@
// reset the public key used to verify the CRL's signature
prevKey = certImpl.getPublicKey();
}
- } else if (!Arrays.equals(certAKID, crlAKID)) {
+ } else if (!certAKID.equals(crlAKID)) {
// we accept the case that a CRL issuer provide status
// information for itself.
if (issues(certImpl, crlImpl, provider)) {
--- a/jdk/src/share/classes/sun/security/provider/certpath/RevocationChecker.java Thu Mar 14 11:29:16 2013 -0700
+++ b/jdk/src/share/classes/sun/security/provider/certpath/RevocationChecker.java Wed Mar 20 10:58:20 2013 -0400
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -643,7 +643,14 @@
OCSPResponse response = null;
CertId certId = null;
try {
- certId = new CertId(issuerCert, currCert.getSerialNumberObject());
+ if (issuerCert != null) {
+ certId = new CertId(issuerCert,
+ currCert.getSerialNumberObject());
+ } else {
+ // must be an anchor name and key
+ certId = new CertId(anchor.getCA(), anchor.getCAPublicKey(),
+ currCert.getSerialNumberObject());
+ }
// check if there is a cached OCSP response available
byte[] responseBytes = ocspResponses.get(cert);
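Review bot: The new else branch relies on the comment "must be an anchor name and key", but nothing in the hunk enforces it. `TrustAnchor.getCA()` and `getCAPublicKey()` return null when the anchor was created from a trusted certificate, so if `issuerCert` is ever null for such an anchor, the new `CertId` constructor fails with the same NullPointerException this commit is meant to remove. Whether that combination can occur depends on code outside the hunk. I would make the assumption explicit with `} else if (anchor != null && anchor.getCA() != null && anchor.getCAPublicKey() != null) {` and a final else that fails with the validation exception this method already reports, so revocation checking ends in a defined error rather than an unchecked one. The try block continues outside this hunk.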
--- a/jdk/src/share/classes/sun/security/x509/X509CertImpl.java Thu Mar 14 11:29:16 2013 -0700
+++ b/jdk/src/share/classes/sun/security/x509/X509CertImpl.java Wed Mar 20 10:58:20 2013 -0400
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -1095,6 +1095,18 @@
}
}
+ public KeyIdentifier getAuthKeyId() {
+ AuthorityKeyIdentifierExtension aki
+ = getAuthorityKeyIdentifierExtension();
+ if (aki != null) {
+ try {
+ return (KeyIdentifier)aki.get(
+ AuthorityKeyIdentifierExtension.KEY_ID);
+ } catch (IOException ioe) {} // not possible
+ }
+ return null;
+ }
+
/**
* Get AuthorityKeyIdentifier extension
* @return AuthorityKeyIdentifier object or null (if no such object
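Review bot: `getAuthKeyId()` is added as a public method with no Javadoc, and its `catch (IOException ioe) {} // not possible` silently turns any failure into a null return. The new caller in DistributionPointFetcher reads null as "no AKID", so a swallowed error would be indistinguishable from a missing extension. I would add `/** Returns the keyIdentifier field of the AuthorityKeyIdentifier extension, or null if the extension or the field is absent. */`. The explanation should also move inside the handler, e.g. `} catch (IOException ignored) { /* get(KEY_ID) declares IOException; not expected for a parsed extension */ }`. If the exception really cannot happen, throwing `new AssertionError(ioe)` there would surface a broken assumption instead of hiding it.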