Bug ID: JDK-8014805 NPE is thrown during certpath validation if certificate does not have AuthorityKeyIdentifier extension

Details
Type:
Bug
Submit Date:
2013-05-17
Status:
Closed
Updated Date:
2013-07-29
Project Name:
JDK
Resolved Date:
2013-07-12
Component:
security-libs
OS:
generic
Sub-Component:
Empty
CPU:
generic
Priority:
P2
Resolution:
Fixed
Affected Versions:
7u6
Fixed Versions:
7u40 (b34)


Description
CertPathValidator throws an NPE if a trusted certificate does not have an AuthorityKeyIdentifier extension:

certpath: PolicyChecker.checkPolicy() certificate policies verified
certpath: -checker5 validation succeeded
certpath: -Using checker6 ... [sun.security.provider.certpath.BasicChecker]
certpath: ---checking timestamp:Fri May 17 17:42:50 MSK 2013...
certpath: timestamp verified.
certpath: ---checking subject/issuer name chaining...
certpath: subject/issuer name chaining verified.
certpath: ---checking signature...
certpath: signature verified.
certpath: BasicChecker.updateState issuer: CN=VeriSign Class 2 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US; subject: CN=Oracle Root CA, OU=VeriSign Trust Network, O=Oracle Corporation, C=US; serial#: 100662332940862603838457626880723060860
certpath: -checker6 validation succeeded
certpath: -Using checker7 ... [sun.security.provider.certpath.OCSPChecker]
Exception in thread "main" java.lang.NullPointerException
	at sun.security.x509.X509CertImpl.getIssuerKeyIdentifier(X509CertImpl.java:1077)
	at sun.security.provider.certpath.OCSPChecker.check(OCSPChecker.java:251)
	at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:133)
	at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:351)
	at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:191)
	at java.security.cert.CertPathValidator.validate(CertPathValidator.java:279)
                                    

Comments
Product(s) tested: 7u25 b10
OS/architecture: Linux x64
Reproducible: Always
Is it a Regression: Yes
Regression introduced in release/build: 7u6 b17
Test result on the last GAed release for this train: Fail on 7u21 fcs
Is it a platform specific issue: No

Steps to reproduce: see attached test.tar

This regression was caused by JDK-2224873, see http://hg.openjdk.java.net/jdk7u/jdk7u6-dev/jdk/diff/52ab0f489dab/src/share/classes/sun/security/x509/X509CertImpl.java :

+     * Return the issuing authority's key identifier bytes, or null
+     */
+    public byte[] getIssuerKeyIdentifier()
+    {
+        if (issuerKeyId == null) {
+            AuthorityKeyIdentifierExtension aki =
+                getAuthorityKeyIdentifierExtension();
+            if (aki != null) {
+
+                try {
+                    issuerKeyId = ((KeyIdentifier)
+                        aki.get(AuthorityKeyIdentifierExtension.KEY_ID))
+                            .getIdentifier(); <--- NPE
+                } catch (IOException e) {
+                    // should never happen (because KEY_ID attr is supported)
+                }
+
+            } else {
+                issuerKeyId = new byte[0]; // no AKID present
+            }
+        }
+
+        return issuerKeyId.length != 0 ? issuerKeyId : null;
+    }
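Review bot: the chained cast at `aki.get(AuthorityKeyIdentifierExtension.KEY_ID)` followed by `.getIdentifier()` dereferences the attribute without a null check, and the surrounding `catch (IOException e)` does not cover that case, so an extension object that exists but carries no key identifier turns into the NullPointerException shown in the trace. Guard the `aki.get(...)` result and route the null case into the same `issuerKeyId = new byte[0]` branch used when `aki` itself is null, so that the method's `return issuerKeyId.length != 0 ? issuerKeyId : null` contract still holds.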

The root self-signed signer3.pem certificate from the attached test does not contain any extensions, but the getAuthorityKeyIdentifierExtension() method does not return null. The returned object, however, has a null KeyIdentifier. As a result, an NPE is thrown.

Suggested fix: the getIssuerKeyIdentifier() method can check whether the KeyIdentifier is null:

--- X509CertImpl.java.orig	2013-05-17 18:24:00.000000000 +0400
+++ X509CertImpl.java	2013-05-17 18:03:05.000000000 +0400
@@ -1073,11 +1073,14 @@
             AuthorityKeyIdentifierExtension aki =
                 getAuthorityKeyIdentifierExtension();
             if (aki != null) {
-
                 try {
-                    issuerKeyId = ((KeyIdentifier)
-                        aki.get(AuthorityKeyIdentifierExtension.KEY_ID))
-                            .getIdentifier();
+		    KeyIdentifier ki = ((KeyIdentifier) aki.get(AuthorityKeyIdentifierExtension.KEY_ID));
+   		    if(ki != null) {
+                    	issuerKeyId = ki.getIdentifier();
+                    }
+                    else {
+                        issuerKeyId = new byte[0]; // no AKID present
+                    }
                 } catch (IOException e) {
                     // should never happen (because KEY_ID attr is supported)
                 }
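Review bot: the added lines mix tab and space indentation (`+		    KeyIdentifier ki = ...`, `+   		    if(ki != null) {`) and put `else` on its own line, while the surrounding code uses four-space indentation and `} else {`; align them with the file's style before integration. The reused comment `// no AKID present` is also inaccurate on this branch, since the extension object exists and only its keyIdentifier is missing; say that explicitly. Finally, the hunk handles the symptom only: the question raised in the report, why `getAuthorityKeyIdentifierExtension()` returns a non-null object for a certificate with no extensions at all, is left open and deserves a separate check.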

I attached the fixed X509CertImpl.java file (see test.tar). But maybe the getAuthorityKeyIdentifierExtension(), getExtension() or getExtensions() methods should be fixed, because they return extension objects even if the certificate does not actually have any extensions.

Tested certificates were issued by Verisign.
                                     
2013-05-17
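The following is an added example, not code from the bug report or from the JDK source tree. It shows the same lookup done null-safely through the public X509Certificate API rather than the sun.security.x509 internals in the trace: every field of AuthorityKeyIdentifier is OPTIONAL in RFC 5280, so "extension present" never implies "keyIdentifier present", and a reader of the key identifier has to return null for both the absent-extension and the present-but-empty cases instead of dereferencing blindly. The class name AkiKeyIdReader, the helper names and the three DER-encoded sample values are constructed for this example.

```java
import java.security.cert.X509Certificate;
import java.util.Arrays;

/**
 * Added example (not from the bug report or the JDK sources): a null-safe
 * read of the AuthorityKeyIdentifier keyIdentifier through the public API.
 *
 * AuthorityKeyIdentifier ::= SEQUENCE {
 *     keyIdentifier             [0] KeyIdentifier           OPTIONAL,
 *     authorityCertIssuer       [1] GeneralNames            OPTIONAL,
 *     authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
 */
public final class AkiKeyIdReader {

    /** OID of the AuthorityKeyIdentifier extension (RFC 5280, 4.2.1.1). */
    static final String AKI_OID = "2.5.29.35";

    /** Minimal DER TLV view: tag, start of content, length of content. */
    private static final class Tlv {
        final int tag, contentStart, contentLength;
        Tlv(int tag, int contentStart, int contentLength) {
            this.tag = tag; this.contentStart = contentStart; this.contentLength = contentLength;
        }
        int end() { return contentStart + contentLength; }
    }

    /** Decode one single-byte-tag TLV at offset; reject truncated or
     *  overrunning lengths instead of reading past the buffer. */
    private static Tlv readTlv(byte[] der, int offset) {
        if (offset + 2 > der.length) {
            throw new IllegalArgumentException("truncated DER at " + offset);
        }
        int tag = der[offset] & 0xFF;
        int first = der[offset + 1] & 0xFF;
        int pos = offset + 2;
        int length;
        if (first < 0x80) {
            length = first;                          // short form
        } else {
            int numBytes = first & 0x7F;             // long form: next numBytes hold the length
            if (numBytes == 0 || numBytes > 4 || pos + numBytes > der.length) {
                throw new IllegalArgumentException("bad DER length at " + offset);
            }
            length = 0;
            for (int i = 0; i < numBytes; i++) {
                length = (length << 8) | (der[pos++] & 0xFF);
            }
        }
        if (length < 0 || pos + length > der.length) {
            throw new IllegalArgumentException("DER length overruns buffer at " + offset);
        }
        return new Tlv(tag, pos, length);
    }

    /**
     * Takes the raw value returned by X509Certificate.getExtensionValue(AKI_OID)
     * (an OCTET STRING wrapping the AKI SEQUENCE) and returns the keyIdentifier
     * bytes, or null when the extension is absent or carries no keyIdentifier.
     */
    static byte[] extractKeyIdentifier(byte[] extensionValue) {
        if (extensionValue == null) {
            return null;                             // extension not present at all
        }
        Tlv octetString = readTlv(extensionValue, 0);
        if (octetString.tag != 0x04) {
            throw new IllegalArgumentException("extension value is not an OCTET STRING");
        }
        Tlv seq = readTlv(extensionValue, octetString.contentStart);
        if (seq.tag != 0x30) {
            throw new IllegalArgumentException("AKI value is not a SEQUENCE");
        }
        // Walk the SEQUENCE members; [0] IMPLICIT OCTET STRING carries tag 0x80.
        int pos = seq.contentStart;
        while (pos < seq.end()) {
            Tlv member = readTlv(extensionValue, pos);
            if (member.tag == 0x80) {
                return Arrays.copyOfRange(extensionValue, member.contentStart, member.end());
            }
            pos = member.end();
        }
        return null;                                 // AKI present, keyIdentifier absent
    }

    /** Convenience wrapper over the public certificate API. */
    static byte[] issuerKeyIdentifier(X509Certificate cert) {
        return extractKeyIdentifier(cert.getExtensionValue(AKI_OID));
    }

    public static void main(String[] args) {
        // Constructed sample encodings (not taken from the bug's test.tar):
        // 1. AKI with keyIdentifier 01 02 03 04
        byte[] withKeyId = {0x04, 0x08, 0x30, 0x06, (byte) 0x80, 0x04, 0x01, 0x02, 0x03, 0x04};
        // 2. AKI carrying only authorityCertSerialNumber [2] = 5, no keyIdentifier
        byte[] serialOnly = {0x04, 0x05, 0x30, 0x03, (byte) 0x82, 0x01, 0x05};
        // 3. AKI whose SEQUENCE is empty
        byte[] emptySeq = {0x04, 0x02, 0x30, 0x00};

        System.out.println(Arrays.toString(extractKeyIdentifier(withKeyId)));
        System.out.println(extractKeyIdentifier(serialOnly));
        System.out.println(extractKeyIdentifier(emptySeq));
        System.out.println(extractKeyIdentifier(null));
    }
}
```

Cases 2 and 3 are the shape that tripped the JDK code: the extension is present, so a lookup of the extension object succeeds, but there is no [0] member to return. The reader answers null for them, which lets a caller such as an OCSP request builder fall back to the issuer name and key hash instead of aborting the whole path validation with an unchecked exception.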
Affected tests:

CertPath/CertPathValidatorTest/OCSP_verisign_oracle_good_1
CertPath/CertPathValidatorTest/OCSP_verisign_oracle_good_2
CertPath/CertPathValidatorTest/OCSP_verisign_oracle_revoked
CertPath/CertPathValidatorTest/OCSP_verisign_sun_expired_1
CertPath/CertPathValidatorTest/OCSP_verisign_sun_expired_2

Logs: http://aurora.ru.oracle.com/functional/faces/RunDetails.xhtml?names=226073.ute.st2-2

The tests fail with the following exception message:

java.lang.NullPointerException
	at sun.security.x509.X509CertImpl.getIssuerKeyIdentifier(X509CertImpl.java:1077)
	at sun.security.provider.certpath.OCSPChecker.check(OCSPChecker.java:251)
	at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:133)
	at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:351)
	at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:191)
	at java.security.cert.CertPathValidator.validate(CertPathValidator.java:279)
	at TestOCSP.run(TestOCSP.java:234)
	at TestOCSP.main(TestOCSP.java:62)
                                     
2013-05-28
Is this bug also affecting the Deploy OCSP checker?
                                     
2013-06-11
SQE is OK with this fix
                                     
2013-06-24
URL:   http://hg.openjdk.java.net/jdk7u/jdk7u40-dev/jdk/rev/a568c4ab0973
User:  vinnie
Date:  2013-07-12 13:46:25 +0000

                                     
2013-07-12
Verified with regression test on Windows x64 with jdk 7u40 b34
                                     
2013-07-29
URL:   http://hg.openjdk.java.net/jdk7u/jdk7u40/jdk/rev/a568c4ab0973
User:  lana
Date:  2013-07-17 06:01:47 +0000

                                     
2013-07-17