JDK-8010112

NullPointerException in sun.security.provider.certpath.CertId()

    Details

    • Type: Bug
    • Status: Closed
    • Priority: P2
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 8
    • Component/s: security-libs
    • Labels:
    • Subcomponent:
    • Introduced In Version: 8
    • Resolved In Build: b84
    • CPU: generic
    • OS: generic
    • Verification: Not verified

      Description

      Can occur when revocation checking (OCSP and CRLs) is enabled in the Java Plugin. Stack trace:

      java.lang.NullPointerException
      at sun.security.provider.certpath.CertId.<init>(CertId.java:81)
      at sun.security.provider.certpath.RevocationChecker.checkOCSP(RevocationChecker.java:646)
      at sun.security.provider.certpath.RevocationChecker.check(RevocationChecker.java:342)
      at sun.security.provider.certpath.RevocationChecker.check(RevocationChecker.java:330)
      at sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward(SunCertPathBuilder.java:503)
      at sun.security.provider.certpath.SunCertPathBuilder.buildForward(SunCertPathBuilder.java:307)
      at sun.security.provider.certpath.SunCertPathBuilder.buildCertPath(SunCertPathBuilder.java:164)
      at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:135)
      at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:130)
      at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
      at sun.security.provider.certpath.DistributionPointFetcher.verifyCRL(DistributionPointFetcher.java:622)
      at sun.security.provider.certpath.DistributionPointFetcher.getCRLs(DistributionPointFetcher.java:189)
      at sun.security.provider.certpath.DistributionPointFetcher.getCRLs(DistributionPointFetcher.java:102)
      at sun.security.provider.certpath.RevocationChecker.checkCRLs(RevocationChecker.java:508)
      at sun.security.provider.certpath.RevocationChecker.checkCRLs(RevocationChecker.java:425)
      at sun.security.provider.certpath.RevocationChecker.check(RevocationChecker.java:370)
      at sun.security.provider.certpath.RevocationChecker.check(RevocationChecker.java:330)
      at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:119)
      at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:210)
      at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:143)
      at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:79)
      at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
      at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:347)
      at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:249)
      at sun.security.validator.Validator.validate(Validator.java:260)
      at sun.security.validator.Validator.validate(Validator.java:236)
      at sun.security.validator.Validator.validate(Validator.java:205)
      at com.sun.deploy.security.TrustDecider.getValidationState(Unknown Source)
      at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
      at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
      at sun.plugin2.applet.Plugin2ClassLoader.isTrustedByTrustDecider(Unknown Source)
      at sun.plugin2.applet.Plugin2ClassLoader.getTrustedCodeSources(Unknown Source)
      at com.sun.deploy.security.CPCallbackHandler$ParentCallback.strategy(Unknown Source)
      at com.sun.deploy.security.CPCallbackHandler$ParentCallback.openClassPathElement(Unknown Source)
      at com.sun.deploy.security.DeployURLClassPath$JarLoader.getJarFile(Unknown Source)
      at com.sun.deploy.security.DeployURLClassPath$JarLoader.access$1000(Unknown Source)
      at com.sun.deploy.security.DeployURLClassPath$JarLoader$1.run(Unknown Source)
      at java.security.AccessController.doPrivileged(Native Method)
      at com.sun.deploy.security.DeployURLClassPath$JarLoader.ensureOpen(Unknown Source)
      at com.sun.deploy.security.DeployURLClassPath$JarLoader.<init>(Unknown Source)
      at com.sun.deploy.security.DeployURLClassPath$3.run(Unknown Source)
      at java.security.AccessController.doPrivileged(Native Method)
      at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
      at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
      at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
      at sun.plugin2.applet.Plugin2ClassLoader$2.run(Unknown Source)
      at java.security.AccessController.doPrivileged(Native Method)
      at sun.plugin2.applet.Plugin2ClassLoader.findClassHelper(Unknown Source)
      at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
      at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
      at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
      at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
      at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
      at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
      at java.lang.ClassLoader.loadClass(ClassLoader.java:356)
      at sun.plugin2.applet.Plugin2ClassLoader.loadCode(Unknown Source)
      at sun.plugin2.applet.Plugin2Manager.initAppletAdapter(Unknown Source)
      at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
      at java.lang.Thread.run(Thread.java:722)

        Activity

        mullan Sean Mullan added a comment -
        Doesn't occur on 7uX - the revocation code changed a lot in JDK 8 as part of JEP 124 so this bug is specific to JDK 8.
        mullan Sean Mullan added a comment -
        There were 2 issues that needed to be fixed:

        1. CertId did not handle the case where a TrustAnchor was specified as a name/key pair. Added a new constructor to allow for that.

        2. DistributionPointFetcher.verifyCRL was not comparing Authority Key Ids correctly. It was comparing the bytes of the entire extension value, instead of just the KeyIdentifier field. It turns out that there are some AKID extensions that have matching key ids but also may include additional information in the other fields, causing the previous comparison to fail even though the key identifiers match.
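The difference between the two comparisons in item 2, as an added example (not the JDK's code and not part of the original comment). The class and helper names are hypothetical, the extension bytes are constructed samples, and the input is assumed to be in the form returned by `X509Extension.getExtensionValue("2.5.29.35")`, that is, a DER OCTET STRING wrapping the AuthorityKeyIdentifier SEQUENCE.

```java
import java.util.Arrays;

public class AkidCompare {
    // Reads one DER TLV at off and returns {tag, contentStart, contentEnd}.
    static int[] tlv(byte[] d, int off) {
        int tag = d[off++] & 0xff;
        int len = d[off++] & 0xff;
        if (len > 0x7f) {                      // long form: low 7 bits = count of length bytes
            int n = len & 0x7f;
            if (n == 0 || n > 3) throw new IllegalArgumentException("unsupported DER length");
            for (len = 0; n > 0; n--) len = (len << 8) | (d[off++] & 0xff);
        }
        if (off + len > d.length) throw new IllegalArgumentException("truncated DER");
        return new int[] { tag, off, off + len };
    }

    // Returns the keyIdentifier [0] bytes of an AKID extension value, or null if absent.
    static byte[] keyIdentifier(byte[] extValue) {
        int[] oct = tlv(extValue, 0);          // OCTET STRING wrapper
        if (oct[0] != 0x04) throw new IllegalArgumentException("expected OCTET STRING");
        int[] seq = tlv(extValue, oct[1]);     // AuthorityKeyIdentifier SEQUENCE
        if (seq[0] != 0x30) throw new IllegalArgumentException("expected SEQUENCE");
        if (seq[1] == seq[2]) return null;     // all three fields are OPTIONAL
        int[] first = tlv(extValue, seq[1]);   // [0], when present, is always the first field
        return first[0] == 0x80 ? Arrays.copyOfRange(extValue, first[1], first[2]) : null;
    }

    // Field-level comparison: only the keyIdentifier bytes have to match.
    static boolean sameKeyId(byte[] a, byte[] b) {
        byte[] ka = keyIdentifier(a), kb = keyIdentifier(b);
        return ka != null && kb != null && Arrays.equals(ka, kb);
    }
    static byte[] hex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++)
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample values (8-byte key id for brevity; not taken from the bug report).
        String keyId = "8008a1b2c3d4e5f60718";                       // [0] keyIdentifier
        byte[] keyIdOnly = hex("040c300a" + keyId);
        byte[] withIssuerAndSerial = hex("041d301b" + keyId
                + "a10c820a63612e6578616d706c65"                     // [1] dNSName "ca.example"
                + "820105");                                         // [2] serial number 5
        System.out.println("whole-extension equal: " + Arrays.equals(keyIdOnly, withIssuerAndSerial));
        System.out.println("keyIdentifier equal:   " + sameKeyId(keyIdOnly, withIssuerAndSerial));
    }
}
```

A matching key identifier only selects a candidate issuer; the CRL's signature still has to verify under that issuer's public key.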
        mullan Sean Mullan added a comment -
        Added noreg-hard label, since it would require a complex setup to reproduce this. The bug can be reproduced by running Minecraft: http://minecraft.net/classic/play with revocation options enabled in the Control Panel (both OCSP and CRLs).
        hgupdate HG Updates added a comment -
        URL: http://hg.openjdk.java.net/jdk8/tl/jdk/rev/38116bfe5323
        User: mullan
        Date: 2013-03-20 16:07:47 +0000
        hgupdate HG Updates added a comment -
        URL: http://hg.openjdk.java.net/jdk8/jdk8/jdk/rev/38116bfe5323
        User: lana
        Date: 2013-04-02 17:50:39 +0000
        nisriniv Nithya Srinivasan (Inactive) added a comment -
        Artem is evaluating if this needs additional tests from the SQE side.
        asmotrak Artem Smotrakov added a comment -
        I am working on interop tests with real CAs for 7u25, and I am going to add certificates that were used to sign Minecraft. I am going to push my test to the Security SQE 8 workspace when I finish it for 7u25. I will check if the bug is reproducible with my test. If not, I will file a new bug for test development.
        asmotrak Artem Smotrakov added a comment -
        Existing SQE tests that use Minecraft's certificates don't reproduce the failure on JDK 8 b82. I filed INTJDK-7607043 to create new tests.
        nisriniv Nithya Srinivasan (Inactive) added a comment -
        Bug is noreg-hard. Additional test development is tracked by INTJDK-7607043.

          People

          • Assignee: Sean Mullan
          • Reporter: Sean Mullan