JDK-8165751: NPE hit with java.security.debug=provider

    Details

    • Subcomponent:
    • Resolved In Build:
      b150
    • Verification:
      Verified

        Description

        3rd party Jsafe provider registered in JDK. When initializing and debugging via the java.security.debug=provider flag, we hit an NPE:

             [java] Provider: MessageDigest.SHA-256 algorithm from: SUN
             [java] Provider: Signature.SHA256withRSA verification algorithm from: SunRsaSign
             [java] Provider: MessageDigest.SHA-256 algorithm from: SUN
             [java] Provider: MessageDigest.SHA algorithm from: JsafeJCE
             [java] Exception in thread "main" java.lang.ExceptionInInitializerError
             [java] at javax.crypto.JceSecurity.loadPolicies(JceSecurity.java:318)
             [java] at javax.crypto.JceSecurity.setupJurisdictionPolicies(JceSecurity.java:263)
             [java] at javax.crypto.JceSecurity.access$000(JceSecurity.java:48)
             [java] at javax.crypto.JceSecurity$1.run(JceSecurity.java:81)
             [java] at java.security.AccessController.doPrivileged(Native Method)
             [java] at javax.crypto.JceSecurity.<clinit>(JceSecurity.java:78)
             [java] at javax.crypto.SecretKeyFactory.getInstance(SecretKeyFactory.java:204)
             [java] at jce.common.AESKeyUtil.getSecretKey(AESKeyUtil.java:64)
             [java] at jce.asymCipher.RSAEncryptWithOAEP.runSample(RSAEncryptWithOAEP.java:86)
             [java] at jce.asymCipher.RSAEncryptWithOAEP.main(RSAEncryptWithOAEP.java:56)
             [java] Caused by: java.lang.SecurityException: Framework jar verification can not be initialized
             [java] at javax.crypto.JarVerifier.<clinit>(JarVerifier.java:189)
             [java] ... 10 more
             [java] Caused by: java.lang.NullPointerException
             [java] at java.security.Signature.initVerify(Signature.java:462)
             [java] at com.rsa.cryptoj.o.pq.a(Unknown Source)
             [java] at com.rsa.cryptoj.o.pq.verify(Unknown Source)
             [java] at javax.crypto.JarVerifier.testSignatures(JarVerifier.java:737)
             [java] at javax.crypto.JarVerifier.access$400(JarVerifier.java:34)
             [java] at javax.crypto.JarVerifier$1.run(JarVerifier.java:183)
             [java] at javax.crypto.JarVerifier$1.run(JarVerifier.java:149)
             [java] at java.security.AccessController.doPrivileged(Native Method)
             [java] at javax.crypto.JarVerifier.<clinit>(JarVerifier.java:148)

            Activity

            coffeys Sean Coffey added a comment -
            Corresponding Signature code:

            455     public final void initVerify(PublicKey publicKey)
            456             throws InvalidKeyException {
            457         engineInitVerify(publicKey);
            458         state = VERIFY;
            459
            460         if (!skipDebug && pdebug != null) {
            461             pdebug.println("Signature." + algorithm +
            462                 " verification algorithm from: " + this.provider.getName());
            463         }
            464     }

            Looks like this.provider could be null. Debug code was introduced via JDK-8056026
            mullan Sean Mullan added a comment -
            My guess is that the RSA code is instantiating a subclass of Signature directly instead of calling one of the getInstance methods. Signature.getProvider could return null in that case. Best to check for null in the debug even though getProvider is not supposed to return null.
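
The situation described in the comment above, as an added example (not code from the JDK or from the RSA provider). The class DirectSignature, the helper providerName and the "(no provider)" text are hypothetical names chosen for illustration; the example shows that a Signature subclass created with `new` has no provider, and how a debug lookup can tolerate that.

```java
import java.security.PrivateKey;
import java.security.Provider;
import java.security.PublicKey;
import java.security.Signature;

public class NullProviderDemo {

    // Hypothetical provider-internal class: it extends Signature and is
    // constructed with `new`, so the JCA framework never assigns a provider.
    static final class DirectSignature extends Signature {
        DirectSignature() { super("SHA256withRSA"); }
        @Override protected void engineInitVerify(PublicKey k) { }
        @Override protected void engineInitSign(PrivateKey k) { }
        @Override protected void engineUpdate(byte b) { }
        @Override protected void engineUpdate(byte[] b, int off, int len) { }
        @Override protected byte[] engineSign() { return new byte[0]; }
        @Override protected boolean engineVerify(byte[] sig) { return false; }
        @Deprecated @Override
        protected void engineSetParameter(String p, Object v) { }
        @Deprecated @Override
        protected Object engineGetParameter(String p) { return null; }
    }

    // Null-safe lookup for debug output (assumed helper, not the JDK's code).
    static String providerName(Signature s) {
        Provider p = s.getProvider();
        return (p == null) ? "(no provider)" : p.getName();
    }

    public static void main(String[] args) throws Exception {
        // Obtained through the framework: a provider is always attached.
        Signature viaFactory = Signature.getInstance("SHA256withRSA");
        System.out.println("getInstance: " + providerName(viaFactory));

        // Constructed directly: getProvider() returns null.
        Signature direct = new DirectSignature();
        System.out.println("direct, provider is null: "
                + (direct.getProvider() == null));
        System.out.println("direct: " + providerName(direct));

        // Takes the same debug path as the stack trace in the description.
        // On a build without the null check, running with
        // -Djava.security.debug=provider throws the NPE here.
        direct.initVerify((PublicKey) null);
    }
}
```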
            hgupdate HG Updates added a comment -
            URL: http://hg.openjdk.java.net/jdk9/dev/jdk/rev/a9fe693da587
            User: mullan
            Date: 2016-12-14 15:22:25 +0000
            hgupdate HG Updates added a comment -
            URL: http://hg.openjdk.java.net/jdk9/jdk9/jdk/rev/a9fe693da587
            User: lana
            Date: 2016-12-21 16:40:05 +0000

              People

              • Assignee:
                apetcher Adam Petcher
                Reporter:
                coffeys Sean Coffey