JDK-6712739 : OCSPChecker throws NPE when OPTIONAL "certs" missing from BasicOCSPResponse.
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 5.0
  • Priority: P4
  • Status: Closed
  • Resolution: Duplicate
  • OS: windows_xp
  • CPU: x86
  • Submitted: 2008-06-10
  • Updated: 2012-06-08
  • Resolved: 2012-06-08
Related Reports
Duplicate :  
Description
FULL PRODUCT VERSION :
java version "1.5.0_06"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_06-b05)
Java HotSpot(TM) Client VM (build 1.5.0_06-b05, mixed mode, sharing)

ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows XP [Version 5.1.2600]

A DESCRIPTION OF THE PROBLEM :
If a BasicOCSPResponse structure omits the "certs" member, which is optional, a NullPointerException is raised.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Try to validate a CertPath against a responder that returns no "certs" member in its BasicOCSPResponses.

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
A subject in the CertPath should be found to be valid if signed by an explicitly configured responder certificate or by its issuer in the path.
ACTUAL -
A NullPointerException is raised.

ERROR MESSAGES/STACK TRACES THAT OCCUR :
certpath: CrlRevocationChecker.verifyWithSeparateSigningKey() got exception sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
java.security.cert.CertPathValidatorException: java.lang.NullPointerException
	at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(Unknown Source)
	at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(Unknown Source)
	at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(Unknown Source)
	at java.security.cert.CertPathValidator.validate(Unknown Source)
	at com.partnet.security.ocsp.DummyTrustManager.checkServerTrusted(Test.java:138)
	at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(Unknown Source)
	at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
	at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
	at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
	at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
	at com.partnet.security.ocsp.Test.main(Test.java:55)
Caused by: java.lang.NullPointerException
	at sun.security.provider.certpath.OCSPResponse.<init>(Unknown Source)
	at sun.security.provider.certpath.OCSPChecker.check(Unknown Source)
	... 14 more


REPRODUCIBILITY :
This bug can be reproduced always.

CUSTOMER SUBMITTED WORKAROUND :
Disable revocation checking in PKIXParameters and substitute custom PKIXCertPathChecker that does OCSP correctly.

Comments
EVALUATION
This was fixed as part of 6869739. The code in OCSPResponse that caused the NPE:

    // Check whether the cert returned by the responder is trusted
    if (x509Certs[0] != null) {

was changed to:

    // Check whether the cert returned by the responder is trusted
    if (x509Certs != null && x509Certs[0] != null) {
08-06-2012
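As an added illustration (my own code, not the JDK's OCSPResponse), the same null guard applied to a small helper that picks the certificate used to verify a BasicOCSPResponse signature and then verifies it: when the OPTIONAL "certs" member is absent, it falls back to an explicitly configured responder certificate or to the issuer from the path, as the expected behaviour above describes. Class and method names are assumptions, and, like the original code, it assumes the first element of "certs" is the signer.

```java
import java.security.GeneralSecurityException;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.X509Certificate;

/** Illustrative helper (assumed name, not JDK code): verify an OCSP response signature. */
public final class OcspResponseSignatureCheck {

    private OcspResponseSignatureCheck() {}

    /**
     * Verifies the signature over tbsResponseData and returns the certificate that verified it.
     *
     * @param tbsResponseData DER bytes of the signed ResponseData
     * @param signature       the BasicOCSPResponse signature bytes
     * @param sigAlg          JCA algorithm name taken from signatureAlgorithm, e.g. "SHA256withRSA"
     * @param certs           contents of the OPTIONAL "certs" member, or null when the responder omitted it
     * @param configured      an explicitly configured responder certificate, or null
     * @param issuer          issuer of the certificate being checked, taken from the path
     */
    public static X509Certificate verify(byte[] tbsResponseData, byte[] signature, String sigAlg,
                                         X509Certificate[] certs, X509Certificate configured,
                                         X509Certificate issuer) throws GeneralSecurityException {
        X509Certificate signer;
        // The reported NPE came from dereferencing certs[0] unconditionally; guard the array
        // and its first element before touching it, as the JDK fix does.
        if (certs != null && certs.length > 0 && certs[0] != null) {
            signer = certs[0];
            // A certificate carried inside the response is only trusted if the issuer signed it.
            signer.verify(issuer.getPublicKey());
        } else if (configured != null) {
            signer = configured;            // responder certificate configured out of band
        } else if (issuer != null) {
            signer = issuer;                // the CA itself signed the response
        } else {
            throw new SignatureException("no candidate certificate to verify the OCSP response");
        }

        Signature sig = Signature.getInstance(sigAlg);
        sig.initVerify(signer.getPublicKey());
        sig.update(tbsResponseData);
        if (!sig.verify(signature)) {
            throw new SignatureException("OCSP response signature does not verify");
        }
        return signer;
    }
}
```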