JDK-7187962 : sun.security.pkcs11.P11DSAKeyFactory.implTranslatePublicKey doesn't check if params is null
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 8
  • Priority: P4
  • Status: Closed
  • Resolution: Fixed
  • OS: linux
  • CPU: x86
  • Submitted: 2012-07-30
  • Updated: 2012-09-11
  • Resolved: 2012-09-11
JDK 8: 8 b55 (Fixed)
Description
An SQE test named CertPath/CertPathValidatorTest/KeyParamsInheritanceTest failed recently with:
Test CertPath/CertPathValidatorTest/KeyParamsInheritanceTest fails for NullPointerException:

java.lang.NullPointerException
        at sun.security.pkcs11.P11DSAKeyFactory.implTranslatePublicKey(P11DSAKeyFactory.java:57)
        at sun.security.pkcs11.P11KeyFactory.engineTranslateKey(P11KeyFactory.java:127)
        at sun.security.pkcs11.P11KeyFactory.convertKey(P11KeyFactory.java:64)
        at sun.security.pkcs11.P11Signature.engineInitVerify(P11Signature.java:378)
        at java.security.Signature$Delegate.init(Signature.java:1103)
        at java.security.Signature$Delegate.chooseProvider(Signature.java:1066)
        at java.security.Signature$Delegate.engineInitVerify(Signature.java:1121)
        at java.security.Signature.initVerify(Signature.java:451)
        at sun.security.x509.X509CertImpl.verify(X509CertImpl.java:440)
        at sun.security.provider.certpath.BasicChecker.verifySignature(BasicChecker.java:160)
        at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:141)
        at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:119)
        at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:210)
        at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:143)
        at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:79)
        at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
        at ValidateCertPath.doValidate(ValidateCertPath.java:175)

This happened at:
Testing : failure validator test: initial trusted key has no params
validatorTestFailure(args, 1); -->ValidateCertPath.doValidate(certs, params, verbose); -->CertPathValidator.validate

Expect:
CertPathValidatorException

Actual:
java.lang.NullPointerException

In the P11DSAKeyFactory.implTranslatePublicKey method, it doesn't check whether the returned "params" is null before calling "params.getP()" and so on. So in the case where the key has no params, this method will throw an uncaught NullPointerException.

Comments
EVALUATION I have re-worked this fix so that our PKIX CertPathValidator implementation detects if a TrustAnchor's DSA key has no parameters *before* using it to verify a signature. This is a cleaner fix, as it turns out there is quite a bit of existing code in JCE that already assumes a DSA key has parameters, and will throw an NPE if it doesn't. However, the SQE test still fails with this fix, because it expects the index of the CertPathValidatorException (getIndex) to be 1, and with this fix it is -1. I think the test should be changed to expect -1, since this is an issue that can be detected by our implementation during the initialization/setup phase of each of the PKIXCertPathCheckers (in this case the BasicChecker), and before the validation of the first certificate in the certificate chain. Therefore an index of -1 is appropriate.
09-08-2012

EVALUATION This bug was caused by the integration of JEP 124 (6854712). A change was made to sun.security.provider.BasicChecker.verifySignature. It used to catch all Exceptions and wrap them in a CertPathValidatorException. It now only catches a GeneralSecurityException. However, this change caused the NPE thrown by sun.security.pkcs11.P11DSAKeyFactory.implTranslatePublicKey to not be re-thrown as a CertPathValidatorException and broke the test which was expecting a CPVE instead of an NPE. My proposed change is to fix P11DSAKeyFactory.implTranslatePublicKey to detect if the DSA parameters are null and throw an InvalidKeyException instead. This fix is better in my opinion, and is consistent with our DSA implementation in the SUN provider.
06-08-2012
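
The two checks discussed in the evaluations above, as an added Java example that is not the JDK's own code: a null check on the DSA parameters that raises InvalidKeyException, and a setup-phase check on the trust anchor key that reports CertPathValidatorException with index -1. The class name, `requireParams` and `checkAnchorKey` are hypothetical, and the parameterless key is constructed for the demonstration.

```java
import java.math.BigInteger;
import java.security.InvalidKeyException;
import java.security.PublicKey;
import java.security.cert.CertPathValidatorException;
import java.security.interfaces.DSAPublicKey;
import java.security.spec.DSAParams;

public class DsaParamsCheck {
    // Hypothetical helper: reject a DSA key that carries no domain parameters
    // instead of dereferencing getParams() and failing with an NPE.
    static DSAParams requireParams(PublicKey key) throws InvalidKeyException {
        if (!(key instanceof DSAPublicKey)) {
            throw new InvalidKeyException("Not a DSA public key");
        }
        DSAParams params = ((DSAPublicKey) key).getParams();
        if (params == null) {
            throw new InvalidKeyException("DSA public key has no parameters");
        }
        return params;
    }

    // Hypothetical setup-phase check on a trust anchor key: the failure is
    // raised before any certificate in the chain is processed, hence index -1.
    static void checkAnchorKey(PublicKey anchorKey) throws CertPathValidatorException {
        try {
            requireParams(anchorKey);
        } catch (InvalidKeyException e) {
            throw new CertPathValidatorException("Trust anchor key is unusable", e, null, -1);
        }
    }

    public static void main(String[] args) {
        // Constructed sample: a DSA public key with no params, like the trusted key in the failing test.
        DSAPublicKey noParams = new DSAPublicKey() {
            public BigInteger getY() { return BigInteger.ONE; }
            public DSAParams getParams() { return null; }
            public String getAlgorithm() { return "DSA"; }
            public String getFormat() { return null; }
            public byte[] getEncoded() { return null; }
        };
        try {
            checkAnchorKey(noParams);
        } catch (CertPathValidatorException e) {
            System.out.println("index=" + e.getIndex() + ", cause=" + e.getCause());
        }
    }
}
```

Because InvalidKeyException is a GeneralSecurityException, a caller that catches only GeneralSecurityException still sees this failure, which is not true of the original NullPointerException.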