JDK-8236671 : NullPointerException in JKS keystore
- Type: Bug
- Component: security-libs
- Sub-Component: javax.crypto
- Affected Version: 8,11,14,15
- Priority: P3
- Status: Resolved
- Resolution: Fixed
- OS: generic
- CPU: generic
- Submitted: 2020-01-06
- Updated: 2025-01-24
- Resolved: 2021-04-30
The Version table provides details related to the release that this issue/RFE will be addressed.
Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.
To download the current JDK release, click here.
Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.
To download the current JDK release, click here.
| JDK 11 | JDK 17 |
|---|---|
| 11.0.13-oracleFixed | 17 b21Fixed  |
Related Reports
|
Relates :
|
|
|
Relates :
|
Description
NullPointerException happens in JKS keystore if we don't set any password for key entries. This is a regression from task JDK-8208583. Previously, JDK were throwing IllegalArgumentException with proper message during this scenario, after the fix of JDK-8208583, JDK throws NullPointerException.
IllegalArgumentException were throwing from KeyProtector.java by below statement in the constructor "throw new IllegalArgumentException("password can't be null");" But now code flow is got changed by below part of code during the fix of JDK-8208583 :
- keyProtector = new KeyProtector(password);
+ passwordBytes = convertToBytes(password);
+ keyProtector = new KeyProtector(passwordBytes);
Now convertToBytes() is getting invoked before invoking KeyProtector() constructor. The convertToBytes() doesn't check the password is null, directly try to get password.length, that results in NPE.
How to reproduce:
Attached a reproducible test case.
Since pkcs12 is the default key store in JDK 9 and above execute test with "JKS" as parameter in JDK 9 and above.
Eg: java TestKeyStore JKS
Reproducibility in different JDK version:
JDK 15 build 4: Fail
JDK 14 build 30: Fail
JDK12 build 6 : Fail
JDK 12 build 5: Pass
JDK11.0.2 build b02: Fail
JDK11.0.2 build b01: Pass
JDK 8u201 b01: Fail
JDK8u191 - Pass
Actual Behaviour : NullPointerException
Exception in thread "main" java.lang.NullPointerException
at java.base/sun.security.provider.JavaKeyStore.convertToBytes(JavaKeyStore.java:827)
at java.base/sun.security.provider.JavaKeyStore.engineSetKeyEntry(JavaKeyStore.java:274)
at java.base/sun.security.util.KeyStoreDelegator.engineSetKeyEntry(KeyStoreDelegator.java:111)
at java.base/java.security.KeyStore.setKeyEntry(KeyStore.java:1167)
at TestKeyStore.main(TestKeyStore.java:45)
Expected Behaviour : java.lang.IllegalArgumentException: password can't be null
Exception in thread "main" java.lang.IllegalArgumentException: password can't be null
at java.base/sun.security.provider.KeyProtector.<init>(KeyProtector.java:136)
at java.base/sun.security.provider.JavaKeyStore.engineSetKeyEntry(JavaKeyStore.java:267)
at java.base/sun.security.util.KeyStoreDelegator.engineSetKeyEntry(KeyStoreDelegator.java:111)
at java.base/java.security.KeyStore.setKeyEntry(KeyStore.java:1174)
at TestKeyStore.main(TestKeyStore.java:45)
Comments
|