JDK-8014805 : NPE is thrown during certpath validation if certificate does not have AuthorityKeyIdentifier extension
  • Type: Bug
  • Component: security-libs
  • Affected Version: 7u6
  • Priority: P2
  • Status: Closed
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2013-05-17
  • Updated: 2014-10-31
  • Resolved: 2013-07-12
Fix versions:
  • JDK 6: 6u95 (Fixed)
  • JDK 7: 7u40 b34 (Fixed)
Description
CertPathValidator throws a NullPointerException if the trusted certificate does not have an AuthorityKeyIdentifier extension:

certpath: PolicyChecker.checkPolicy() certificate policies verified
certpath: -checker5 validation succeeded
certpath: -Using checker6 ... [sun.security.provider.certpath.BasicChecker]
certpath: ---checking timestamp:Fri May 17 17:42:50 MSK 2013...
certpath: timestamp verified.
certpath: ---checking subject/issuer name chaining...
certpath: subject/issuer name chaining verified.
certpath: ---checking signature...
certpath: signature verified.
certpath: BasicChecker.updateState issuer: CN=VeriSign Class 2 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US; subject: CN=Oracle Root CA, OU=VeriSign Trust Network, O=Oracle Corporation, C=US; serial#: 100662332940862603838457626880723060860
certpath: -checker6 validation succeeded
certpath: -Using checker7 ... [sun.security.provider.certpath.OCSPChecker]
Exception in thread "main" java.lang.NullPointerException
	at sun.security.x509.X509CertImpl.getIssuerKeyIdentifier(X509CertImpl.java:1077)
	at sun.security.provider.certpath.OCSPChecker.check(OCSPChecker.java:251)
	at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:133)
	at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:351)
	at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:191)
	at java.security.cert.CertPathValidator.validate(CertPathValidator.java:279)
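The trace above ends in getIssuerKeyIdentifier() dereferencing a key identifier that the AuthorityKeyIdentifier extension does not carry. The following Python snippet, added here as an illustration and not part of the bug report or the JDK, decodes an AKI extension value with a small DER reader and returns None whenever the OPTIONAL [0] keyIdentifier field is missing; the sample extension values are constructed, not taken from any real certificate.

```python
# Minimal DER reader for an AuthorityKeyIdentifier extension value
# (RFC 5280 4.2.1.1): SEQUENCE { keyIdentifier [0] OPTIONAL,
#   authorityCertIssuer [1] OPTIONAL, authorityCertSerialNumber [2] OPTIONAL }
# keyIdentifier is OPTIONAL, so an AKI can be present without one; the
# caller must treat that as "no issuer key id", not dereference it.
from typing import Iterator, Optional, Tuple


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER value overruns buffer")
    return tag, buf[pos:pos + length], pos + length


def _iter_tlvs(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, value) for each element of a constructed DER value."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        yield tag, value


def issuer_key_identifier(aki_value: Optional[bytes]) -> Optional[bytes]:
    """Return the keyIdentifier bytes, or None when the extension is absent,
    empty, or present without a [0] keyIdentifier field (the NPE case)."""
    if aki_value is None:                      # no AKI extension at all
        return None
    tag, seq, _ = _read_tlv(aki_value, 0)
    if tag != 0x30:
        raise ValueError("AuthorityKeyIdentifier must be a SEQUENCE")
    for field_tag, field_value in _iter_tlvs(seq):
        if field_tag == 0x80:                  # [0] IMPLICIT keyIdentifier
            return field_value or None         # empty id counts as absent
    return None


# Constructed sample extension values, not taken from any real certificate.
AKI_WITH_KEYID = bytes([0x30, 0x16, 0x80, 0x14]) + bytes(range(1, 21))
AKI_EMPTY = bytes([0x30, 0x00])                # AKI present, no fields
AKI_SERIAL_ONLY = bytes([0x30, 0x03, 0x82, 0x01, 0x05])  # only [2] serial
```

The input is the DER contents of the extension's OCTET STRING (in Java, what X509Certificate.getExtensionValue("2.5.29.35") wraps), and the same null-on-absent contract is what a caller such as OCSPChecker needs.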
Comments
Verified with regression test on Windows x64 with jdk 7u40 b34
29-07-2013

SQE is OK with this fix
24-06-2013

Is this bug also affecting the Deploy OCSP checker?
11-06-2013

Product(s) tested: 7u25 b10 OS/architecture: Linux x64 Reproducible: Always Is it a Regression: Yes Regression introduced in release/build: 7u6 b17 Test result on the last GAed release for this train: Fail on 7u21 fcs Is it a platform specific issue: No Steps to reproduce: see attached test.tar This regression was caused by JDK-2224873, see http://hg.openjdk.java.net/jdk7u/jdk7u6-dev/jdk/diff/52ab0f489dab/src/share/classes/sun/security/x509/X509CertImpl.java : + * Return the issuing authority's key identifier bytes, or null + */ + public byte[] getIssuerKeyIdentifier() + { + if (issuerKeyId == null) { + AuthorityKeyIdentifierExtension aki = + getAuthorityKeyIdentifierExtension(); + if (aki != null) { + + try { + issuerKeyId = ((KeyIdentifier) + aki.get(AuthorityKeyIdentifierExtension.KEY_ID)) + .getIdentifier(); <--- NPE + } catch (IOException e) { + // should never happen (because KEY_ID attr is supported) + } + + } else { + issuerKeyId = new byte[0]; // no AKID present + } + } + + return issuerKeyId.length != 0 ? issuerKeyId : null; + } root self-signed signer3.pem certificate from attached test does not contain any extension, but getAuthorityKeyIdentifierExtension() method does not return null. But returned object has null KeyIdentifier. As a result, NPE is thrown. Suggested fix: getIssuerKeyIdentifier() method can check if KeyIdentifier is null: --- X509CertImpl.java.orig 2013-05-17 18:24:00.000000000 +0400 +++ X509CertImpl.java 2013-05-17 18:03:05.000000000 +0400 
@@ -1073,11 +1073,14 @@ AuthorityKeyIdentifierExtension aki = getAuthorityKeyIdentifierExtension(); if (aki != null) { - try { - issuerKeyId = ((KeyIdentifier) - aki.get(AuthorityKeyIdentifierExtension.KEY_ID)) - .getIdentifier(); + KeyIdentifier ki = ((KeyIdentifier) aki.get(AuthorityKeyIdentifierExtension.KEY_ID)); + if(ki != null) { + issuerKeyId = ki.getIdentifier(); + } + else { + issuerKeyId = new byte[0]; // no AKID present + } } catch (IOException e) { // should never happen (because KEY_ID attr is supported) } I attached fixed X509CertImpl.java file (see test.tar). But maybe getAuthorityKeyIdentifierExtension() , getExtension() or getExtensions() method should be fixed because they return extensions objects if the certificate does not actually have any extensions. Tested certificates were issued by Verisign.
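Review bot: the suggested hunk deletes `- try {` but keeps `} catch (IOException e) {` as unchanged trailing context, so the new `KeyIdentifier ki = ((KeyIdentifier) aki.get(AuthorityKeyIdentifierExtension.KEY_ID));` ends up outside any try block while the catch that the original code needed for `aki.get()` remains; the hunk counts (-11,+14: four `-` lines replaced by seven `+` lines) confirm no `+ try {` was added. Re-add `try {` before the `KeyIdentifier ki` line. The change only handles a null KeyIdentifier and, as the comment itself notes, leaves getAuthorityKeyIdentifierExtension() returning an extension object for a certificate with no extensions, so the signer3.pem chain from test.tar should be kept as the regression test for whichever layer the final fix lands in. Minor style: `if(ki != null)` needs a space after `if`, and `else` belongs on the closing-brace line to match the surrounding code.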
17-05-2013