7195409: CertPath/CertPathValidatorTest/KeyParamsInheritanceTest fails with NullPointerException
authormullan
Sun, 16 Sep 2012 13:29:25 -0700
changeset 13806 b18118646a65
parent 13805 29e474ceeddc
child 13807 891c888389c9
7195409: CertPath/CertPathValidatorTest/KeyParamsInheritanceTest fails with NullPointerException Reviewed-by: xuelei
jdk/src/share/classes/sun/security/provider/certpath/AlgorithmChecker.java
jdk/src/share/classes/sun/security/provider/certpath/BasicChecker.java
jdk/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java
jdk/src/share/classes/sun/security/provider/certpath/ForwardState.java
jdk/src/share/classes/sun/security/provider/certpath/PKIX.java
jdk/src/share/classes/sun/security/provider/certpath/ReverseState.java
jdk/src/share/classes/sun/security/provider/certpath/RevocationChecker.java
jdk/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java
--- a/jdk/src/share/classes/sun/security/provider/certpath/AlgorithmChecker.java	Tue Sep 11 07:42:02 2012 -0700
+++ b/jdk/src/share/classes/sun/security/provider/certpath/AlgorithmChecker.java	Sun Sep 16 13:29:25 2012 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2012, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -259,8 +259,7 @@
             }
 
             // Inherit key parameters from previous key
-            if (currPubKey instanceof DSAPublicKey &&
-                ((DSAPublicKey)currPubKey).getParams() == null) {
+            if (PKIX.isDSAPublicKeyWithoutParams(currPubKey)) {
                 // Inherit DSA parameters from previous key
                 if (!(prevPubKey instanceof DSAPublicKey)) {
                     throw new CertPathValidatorException("Input key is not " +
--- a/jdk/src/share/classes/sun/security/provider/certpath/BasicChecker.java	Tue Sep 11 07:42:02 2012 -0700
+++ b/jdk/src/share/classes/sun/security/provider/certpath/BasicChecker.java	Sun Sep 16 13:29:25 2012 -0700
@@ -101,9 +101,7 @@
     public void init(boolean forward) throws CertPathValidatorException {
         if (!forward) {
             prevPubKey = trustedPubKey;
-            if (prevPubKey instanceof DSAPublicKey &&
-                ((DSAPublicKey)prevPubKey).getParams() == null)
-            {
+            if (PKIX.isDSAPublicKeyWithoutParams(prevPubKey)) {
                 // If TrustAnchor is a DSA public key and it has no params, it
                 // cannot be used to verify the signature of the first cert,
                 // so throw exception
@@ -248,8 +246,7 @@
                 currCert.getSubjectX500Principal() + "; serial#: " +
                 currCert.getSerialNumber().toString());
         }
-        if (cKey instanceof DSAPublicKey &&
-            ((DSAPublicKey)cKey).getParams() == null) {
+        if (PKIX.isDSAPublicKeyWithoutParams(cKey)) {
             // cKey needs to inherit DSA parameters from prev key
             cKey = makeInheritedParamsKey(cKey, prevPubKey);
             if (debug != null) debug.println("BasicChecker.updateState Made " +
--- a/jdk/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java	Tue Sep 11 07:42:02 2012 -0700
+++ b/jdk/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java	Sun Sep 16 13:29:25 2012 -0700
@@ -817,36 +817,36 @@
                 } else {
                     continue;
                 }
-            } else {
-                X500Principal principal = anchor.getCA();
-                PublicKey publicKey = anchor.getCAPublicKey();
+            }
+            X500Principal principal = anchor.getCA();
+            PublicKey publicKey = anchor.getCAPublicKey();
 
-                if (principal != null && publicKey != null &&
-                        principal.equals(cert.getSubjectX500Principal())) {
-                    if (publicKey.equals(cert.getPublicKey())) {
-                        // the cert itself is a trust anchor
-                        this.trustAnchor = anchor;
-                        return true;
-                    }
-                    // else, it is a self-issued certificate of the anchor
+            if (principal != null && publicKey != null &&
+                    principal.equals(cert.getSubjectX500Principal())) {
+                if (publicKey.equals(cert.getPublicKey())) {
+                    // the cert itself is a trust anchor
+                    this.trustAnchor = anchor;
+                    return true;
                 }
+                // else, it is a self-issued certificate of the anchor
+            }
 
-                // Check subject/issuer name chaining
-                if (principal == null ||
-                        !principal.equals(cert.getIssuerX500Principal())) {
-                    continue;
-                }
+            // Check subject/issuer name chaining
+            if (principal == null ||
+                    !principal.equals(cert.getIssuerX500Principal())) {
+                continue;
+            }
+
+            // skip anchor if it contains a DSA key with no DSA params
+            if (PKIX.isDSAPublicKeyWithoutParams(publicKey)) {
+                continue;
             }
 
             /*
              * Check signature
              */
             try {
-                // NOTE: the DSA public key in the buildParams may lack
-                // parameters, yet there is no key to inherit the parameters
-                // from.  This is probably such a rare case that it is not worth
-                // trying to detect the situation earlier.
-                cert.verify(anchor.getCAPublicKey(), buildParams.sigProvider());
+                cert.verify(publicKey, buildParams.sigProvider());
             } catch (InvalidKeyException ike) {
                 if (debug != null) {
                     debug.println("ForwardBuilder.isPathCompleted() invalid "
--- a/jdk/src/share/classes/sun/security/provider/certpath/ForwardState.java	Tue Sep 11 07:42:02 2012 -0700
+++ b/jdk/src/share/classes/sun/security/provider/certpath/ForwardState.java	Sun Sep 16 13:29:25 2012 -0700
@@ -26,12 +26,10 @@
 package sun.security.provider.certpath;
 
 import java.io.IOException;
-import java.security.PublicKey;
 import java.security.cert.CertificateException;
 import java.security.cert.CertPathValidatorException;
 import java.security.cert.PKIXCertPathChecker;
 import java.security.cert.X509Certificate;
-import java.security.interfaces.DSAPublicKey;
 import java.util.ArrayList;
 import java.util.HashSet;
 import java.util.List;
@@ -169,9 +167,7 @@
         X509CertImpl icert = X509CertImpl.toImpl(cert);
 
         /* see if certificate key has null parameters */
-        PublicKey newKey = icert.getPublicKey();
-        if (newKey instanceof DSAPublicKey &&
-            ((DSAPublicKey)newKey).getParams() == null) {
+        if (PKIX.isDSAPublicKeyWithoutParams(icert.getPublicKey())) {
             keyParamsNeededFlag = true;
         }
 
--- a/jdk/src/share/classes/sun/security/provider/certpath/PKIX.java	Tue Sep 11 07:42:02 2012 -0700
+++ b/jdk/src/share/classes/sun/security/provider/certpath/PKIX.java	Sun Sep 16 13:29:25 2012 -0700
@@ -26,7 +26,9 @@
 
 import java.security.InvalidAlgorithmParameterException;
 import java.security.KeyStore;
+import java.security.PublicKey;
 import java.security.cert.*;
+import java.security.interfaces.DSAPublicKey;
 import java.util.*;
 import javax.security.auth.x500.X500Principal;
 
@@ -42,6 +44,11 @@
 
     private PKIX() { }
 
+    static boolean isDSAPublicKeyWithoutParams(PublicKey publicKey) {
+        return (publicKey instanceof DSAPublicKey &&
+               ((DSAPublicKey)publicKey).getParams() == null);
+    }
+
     static ValidatorParams checkParams(CertPath cp, CertPathParameters params)
         throws InvalidAlgorithmParameterException
     {
--- a/jdk/src/share/classes/sun/security/provider/certpath/ReverseState.java	Tue Sep 11 07:42:02 2012 -0700
+++ b/jdk/src/share/classes/sun/security/provider/certpath/ReverseState.java	Sun Sep 16 13:29:25 2012 -0700
@@ -32,7 +32,6 @@
 import java.security.cert.PKIXCertPathChecker;
 import java.security.cert.TrustAnchor;
 import java.security.cert.X509Certificate;
-import java.security.interfaces.DSAPublicKey;
 import java.util.ArrayList;
 import java.util.HashSet;
 import java.util.List;
@@ -287,8 +286,7 @@
         /* check for key needing to inherit alg parameters */
         X509CertImpl icert = X509CertImpl.toImpl(cert);
         PublicKey newKey = cert.getPublicKey();
-        if (newKey instanceof DSAPublicKey &&
-            (((DSAPublicKey)newKey).getParams() == null)) {
+        if (PKIX.isDSAPublicKeyWithoutParams(newKey)) {
             newKey = BasicChecker.makeInheritedParamsKey(newKey, pubKey);
         }
 
--- a/jdk/src/share/classes/sun/security/provider/certpath/RevocationChecker.java	Tue Sep 11 07:42:02 2012 -0700
+++ b/jdk/src/share/classes/sun/security/provider/certpath/RevocationChecker.java	Sun Sep 16 13:29:25 2012 -0700
@@ -38,7 +38,6 @@
 import java.security.cert.CertPathValidatorException.BasicReason;
 import java.security.cert.Extension;
 import java.security.cert.*;
-import java.security.interfaces.DSAPublicKey;
 import java.util.Arrays;
 import java.util.ArrayList;
 import java.util.Collection;
@@ -406,8 +405,7 @@
 
         // Make new public key if parameters are missing
         PublicKey pubKey = cert.getPublicKey();
-        if (pubKey instanceof DSAPublicKey &&
-            ((DSAPublicKey)pubKey).getParams() == null) {
+        if (PKIX.isDSAPublicKeyWithoutParams(pubKey)) {
             // pubKey needs to inherit DSA parameters from prev key
             pubKey = BasicChecker.makeInheritedParamsKey(pubKey, prevPubKey);
         }
--- a/jdk/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java	Tue Sep 11 07:42:02 2012 -0700
+++ b/jdk/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java	Sun Sep 16 13:29:25 2012 -0700
@@ -31,7 +31,6 @@
 import java.security.PublicKey;
 import java.security.cert.*;
 import java.security.cert.PKIXReason;
-import java.security.interfaces.DSAPublicKey;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
@@ -242,6 +241,15 @@
                 break;
             }
 
+            // skip anchor if it contains a DSA key with no DSA params
+            X509Certificate trustedCert = anchor.getTrustedCert();
+            PublicKey pubKey = trustedCert != null ? trustedCert.getPublicKey()
+                                                   : anchor.getCAPublicKey();
+
+            if (PKIX.isDSAPublicKeyWithoutParams(pubKey)) {
+                continue;
+            }
+
             /* Initialize current state */
             currentState.initState(buildParams);
             currentState.updateState(anchor, buildParams);
@@ -705,9 +713,7 @@
                  * Extract and save the final target public key
                  */
                 finalPublicKey = cert.getPublicKey();
-                if (finalPublicKey instanceof DSAPublicKey &&
-                    ((DSAPublicKey)finalPublicKey).getParams() == null)
-                {
+                if (PKIX.isDSAPublicKeyWithoutParams(finalPublicKey)) {
                     finalPublicKey =
                         BasicChecker.makeInheritedParamsKey
                             (finalPublicKey, currentState.pubKey);