From de9f3b6aac85edb39af67db887af78906e8d5da0 Mon Sep 17 00:00:00 2001
From: Matthew Donovan
Date: Fri, 10 Mar 2023 14:10:41 +0000
Subject: [PATCH] 8296400: pointCrlIssuers might be null in DistributionPointFetcher::verifyURL

Reviewed-by: weijun
---
 .../provider/certpath/DistributionPointFetcher.java | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/java.base/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java b/src/java.base/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java
index 7f5dc361b78..e2e3a1475ff 100644
--- a/src/java.base/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java
+++ b/src/java.base/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java
@@ -430,7 +430,7 @@ public class DistributionPointFetcher {
 debug.println("DP relativeName:" + relativeName);
 }
 if (indirectCRL) {
- if (pointCrlIssuers.size() != 1) {
+ if (pointCrlIssuers == null || pointCrlIssuers.size() != 1) {
 // RFC 5280: there must be only 1 CRL issuer
 // name when relativeName is present
 if (debug != null) {
@@ -439,6 +439,9 @@ public class DistributionPointFetcher {
 }
 return false;
 }
+ // if pointCrlIssuers is not null, pointCrlIssuer
+ // will also be non-null or the code would have
+ // returned before now
 pointNames = getFullNames
 (pointCrlIssuer, relativeName);
 } else {
@@ -475,6 +478,9 @@ public class DistributionPointFetcher {
 // verify that one of the names in the IDP matches one of
 // the names in the cRLIssuer of the cert's DP
 boolean match = false;
+ // the DP's fullName and relativeName fields are null
+ // which means pointCrlIssuers is non-null; the three
+ // cannot all be missing from a certificate.
 for (Iterator t = pointCrlIssuers.iterator();
 !match && t.hasNext(); ) {
 GeneralNameInterface crlIssuerName = t.next().getName();
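Review bot: In the hunk at `@@ -439,6 +439,9 @@`, the new comment before `pointNames = getFullNames (pointCrlIssuer, relativeName);` documents that `pointCrlIssuer` is non-null but nothing enforces it. The assignment of `pointCrlIssuer` and the early return the comment relies on are outside the visible hunks, so the claim cannot be confirmed from this patch. The guard just above already fails closed with `return false`, so the invariant could be enforced there: `if (pointCrlIssuers == null || pointCrlIssuers.size() != 1 || pointCrlIssuer == null) {`. The enclosing method starts and ends outside the hunk.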
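Review bot: In the hunk at `@@ -475,6 +478,9 @@`, the loop header `for (Iterator t = pointCrlIssuers.iterator();` still dereferences `pointCrlIssuers` with only the new comment as protection. The comment depends on a distribution point never lacking fullName, relativeName and cRLIssuer all at once, which would have to be enforced where the extension is parsed, outside this diff. Because the distribution point is taken from the certificate being checked, an explicit `if (pointCrlIssuers == null) { return false; }` before the loop would keep this path fail-closed, the same treatment the first hunk gives the `indirectCRL` branch. Without it, a broken invariant would surface as a NullPointerException. The enclosing branch begins above the hunk and the loop body continues below it.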