JDK-8165751 : NPE hit with java.security.debug=provider
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.crypto
  • Affected Version: 8u101,9
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • Submitted: 2016-09-09
  • Updated: 2017-12-21
  • Resolved: 2016-12-14
The Version table provides details related to the release that this issue/RFE will be addressed.
  • JDK 7: 7u161 (Fixed)
  • JDK 8: 8u152 (Fixed)
  • JDK 9: 9 b150 (Fixed)
  • Other: openjdk7u (Fixed)
Description
3rd party Jsafe provider registered in JDK. When initializing and debugging via java.security.debug=provider flag, we hit an NPE:

     [java] Provider: MessageDigest.SHA-256 algorithm from: SUN
     [java] Provider: Signature.SHA256withRSA verification algorithm from: SunRsaSign
     [java] Provider: MessageDigest.SHA-256 algorithm from: SUN
     [java] Provider: MessageDigest.SHA algorithm from: JsafeJCE
     [java] Exception in thread "main" java.lang.ExceptionInInitializerError
     [java]     at javax.crypto.JceSecurity.loadPolicies(JceSecurity.java:318)
     [java]     at javax.crypto.JceSecurity.setupJurisdictionPolicies(JceSecurity.java:263)
     [java]     at javax.crypto.JceSecurity.access$000(JceSecurity.java:48)
     [java]     at javax.crypto.JceSecurity$1.run(JceSecurity.java:81)
     [java]     at java.security.AccessController.doPrivileged(Native Method)
     [java]     at javax.crypto.JceSecurity.<clinit>(JceSecurity.java:78)
     [java]     at javax.crypto.SecretKeyFactory.getInstance(SecretKeyFactory.java:204)
     [java]     at jce.common.AESKeyUtil.getSecretKey(AESKeyUtil.java:64)
     [java]     at jce.asymCipher.RSAEncryptWithOAEP.runSample(RSAEncryptWithOAEP.java:86)
     [java]     at jce.asymCipher.RSAEncryptWithOAEP.main(RSAEncryptWithOAEP.java:56)
     [java] Caused by: java.lang.SecurityException: Framework jar verification can not be initialized
     [java]     at javax.crypto.JarVerifier.<clinit>(JarVerifier.java:189)
     [java]     ... 10 more
     [java] Caused by: java.lang.NullPointerException
     [java]     at java.security.Signature.initVerify(Signature.java:462)
     [java]     at com.rsa.cryptoj.o.pq.a(Unknown Source)
     [java]     at com.rsa.cryptoj.o.pq.verify(Unknown Source)
     [java]     at javax.crypto.JarVerifier.testSignatures(JarVerifier.java:737)
     [java]     at javax.crypto.JarVerifier.access$400(JarVerifier.java:34)
     [java]     at javax.crypto.JarVerifier$1.run(JarVerifier.java:183)
     [java]     at javax.crypto.JarVerifier$1.run(JarVerifier.java:149)
     [java]     at java.security.AccessController.doPrivileged(Native Method)
     [java]     at javax.crypto.JarVerifier.<clinit>(JarVerifier.java:148)
Comments
My guess is that the RSA code is instantiating a subclass of Signature directly instead of calling one of the getInstance methods. Signature.getProvider could return null in that case. Best to check for null in the debug even though getProvider is not supposed to return null.
06-12-2016

Corresponding Signature code:

     455 public final void initVerify(PublicKey publicKey)
     456         throws InvalidKeyException {
     457     engineInitVerify(publicKey);
     458     state = VERIFY;
     459
     460     if (!skipDebug && pdebug != null) {
     461         pdebug.println("Signature." + algorithm +
     462             " verification algorithm from: " + this.provider.getName());
     463     }
     464 }

Looks like this.provider could be null. Debug code was introduced via JDK-8056026.
09-09-2016
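
The condition discussed in the comments, as an added example that is not code from this report, the JDK, or the Jsafe provider: a Signature subclass constructed directly has no provider, while one obtained through getInstance does. The class DirectSig and the helper providerName are hypothetical names used only for illustration.

```java
import java.security.PrivateKey;
import java.security.Provider;
import java.security.PublicKey;
import java.security.Signature;

public class DirectSignatureDemo {

    // Constructed stand-in for a third-party class that extends Signature
    // directly instead of being looked up through Signature.getInstance().
    static final class DirectSig extends Signature {
        DirectSig() { super("DemoSig"); }
        @Override protected void engineInitVerify(PublicKey k) { }
        @Override protected void engineInitSign(PrivateKey k) { }
        @Override protected void engineUpdate(byte b) { }
        @Override protected void engineUpdate(byte[] b, int off, int len) { }
        @Override protected byte[] engineSign() { return new byte[0]; }
        @Override protected boolean engineVerify(byte[] sig) { return false; }
        @Override @Deprecated
        protected void engineSetParameter(String p, Object v) { }
        @Override @Deprecated
        protected Object engineGetParameter(String p) { return null; }
    }

    // Hypothetical helper: the null check the comment recommends before
    // a provider name is written to debug output.
    static String providerName(Signature s) {
        Provider p = s.getProvider();
        return (p == null) ? "(no provider)" : p.getName();
    }

    public static void main(String[] args) throws Exception {
        // Factory path: the framework records the provider that supplied
        // the implementation, so getProvider() is non-null.
        Signature viaFactory = Signature.getInstance("SHA256withRSA");
        System.out.println("getInstance: " + providerName(viaFactory));

        // Direct construction: nothing sets the provider field, so
        // getProvider() returns null. This is the state in which the
        // unguarded this.provider.getName() in the debug branch of
        // initVerify dereferences null when java.security.debug=provider.
        Signature direct = new DirectSig();
        System.out.println("direct:      " + providerName(direct));
    }
}
```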