Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-4422738

PKIX{Builder}Parameters constructors should throw exceptions for illegal args.

XMLWordPrintable

    • beta
    • sparc
    • solaris_7
    • Verified


      sean.mullan@ireland 2001-03-07

      The constructors PKIXParameters(PublicKey, String),
      PKIXBuilderParameters(PublicKey, String, CertSelector) and the
      setCAPublicKeyAndName() method should not
      allow null public-keys or null/empty CA DNs to be specified. Add the
      following @throws clauses to each constructor/method:
       
         @throws NullPointerException if the specified public key or CA name parameter
               is <code>null</code>
         @throws InvalidAlgorithmParameterException if the specified CA name parameter
               is set to the empty String ("")

      Also, PKIX new-part1-04 now defines what a self-issued certificate is. They
      say it's a certificate where the issuer DN is equal to the subject DN,
      but not null/empty. Our code doesn't check for a null/empty issuer DN.
      The simplest fix (and probably the right thing to do) is to reject
      any certificate that contains a null/empty (equals("")) issuer DN
      (since PKIX says CAs MUST NOT do that).

      Finally, the constructors PKIXParameters(Set). PKIXBuilderParameters(Set,
      CertSelector) and method setTrustedCerts() should throw an exception if
      the Set of trusted certs doesn't contain at least one element:

         @throws NullPointerException if the specified Set is <code>null</code>
         @throws InvalidAlgorithmParameterException if the specified Set is empty

      Our CertPathValidator and Builder implementation should also probably check
      that these parameters are not null (and throw an exception if they are)
      before using them.

      sean.mullan@ireland 2001-03-28

      RFE 4426578 (Need new java.security.cert.TrustAnchor class) has changed the
      details on this bug slightly (but the rationale is the same):

      PKIXParameters(Set), & PKIXBuilderParameters(Set,
      CertSelector) and method setTrustAnchors() should throw an exception if
      the Set of trust anchors doesn't contain at least one element:

           * @throws InvalidAlgorithmParameterException if the specified
           * <code>Set</code> is empty <code>(trustAnchors.isEmpty() == true)</code>
           * @throws NullPointerException if the specified <code>Set</code> is
           * <code>null</code>

      and a ClassCastException if any of the elements are not of type TrustAnchor:
           
           * @throws ClassCastException if any of the elements in the <code>Set</code>
           * are not of type <code>java.security.cert.TrustAnchor</code>

      The setCAPublicKeyName() and constructors that take a PublicKey and String
      have been removed and moved to the TrustAnchor class, which is covered by
      bugid 4426578.

            mullan Sean Mullan
            mullan Sean Mullan
            Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

              Created:
              Updated:
              Resolved:
              Imported:
              Indexed: