narupley/not-going-to-be-commons-ssl

NPE at TrustMaterial:167 if both CACERTS and JSSE_CACERTS are null

Opened this issue · 2 comments

If both CACERTS and JSSE_CACERTS are null, then an NPE occurs at https://github.com/narupley/not-going-to-be-commons-ssl/blob/0.3.20/src/main/java/org/apache/commons/ssl/TrustMaterial.java#L167

Here's an example of the stack trace:

java.lang.NullPointerException
        at org.apache.commons.ssl.TrustMaterial.<init>(TrustMaterial.java:167)
        at org.apache.commons.ssl.TrustMaterial.<init>(TrustMaterial.java:158)
        at org.apache.commons.ssl.TrustMaterial.<clinit>(TrustMaterial.java:148)
        at org.opensaml.xml.security.x509.X509Util.decodeCertificate(X509Util.java:359)

This problem doesn't occur in 0.3.18. Therefore, I'm pretty sure this regression was caused in 48f7303

I have the same stack trace when using JDK11.
After debugging, I found my problem is that KeyStore.getDefaultType() returns "PKCS12", and when calling tryJKS(KeyStore.getDefaultType(), stuffStream, jksPass, keyPass, forTrustMaterial); in org.apache.commons.ssl.KeyStoreBuilder#parse, the NPE is thrown on line 494 because the password is null:

Caused by: java.lang.NullPointerException: No password supplied for PKCS#12 KeyStore.
	at org.bouncycastle.jcajce.provider.keystore.pkcs12.PKCS12KeyStoreSpi.engineLoad(Unknown Source) ~[bcprov-jdk15on-1.60.jar:1.60.0]
	at java.base/java.security.KeyStore.load(KeyStore.java:1479) ~[na:na]
	at org.apache.commons.ssl.KeyStoreBuilder.tryJKS(KeyStoreBuilder.java:494) ~[not-going-to-be-commons-ssl-0.3.20.jar:0.3.20]
	at org.apache.commons.ssl.KeyStoreBuilder.parse(KeyStoreBuilder.java:401) ~[not-going-to-be-commons-ssl-0.3.20.jar:0.3.20]

Is it possible to add a null check to avoid this problem?
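The failure mode the second comment describes (a PKCS12 provider, BouncyCastle in the trace above, refusing a null password with a NullPointerException) can be reproduced and guarded against in a few lines. The following is an added example, not code from not-going-to-be-commons-ssl and not the fix the project adopted; the `loadWithGuard` helper and its empty-password substitution are assumptions about one reasonable null check, and the in-memory keystore it loads is constructed inside the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;

public class SafeKeyStoreLoad {

    /**
     * Hypothetical guarded loader (not the project's own code).
     * A null password is legal for reading a JKS store, but some PKCS12
     * providers treat it as an error and throw NPE from engineLoad.
     * For PKCS12 we substitute an empty char[] so the provider always
     * receives a non-null password; any provider-side NPE that still
     * escapes is turned into an IOException with a readable message.
     */
    static KeyStore loadWithGuard(byte[] storeBytes, String type, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(type);
        char[] effective = password;
        if (effective == null && "PKCS12".equalsIgnoreCase(type)) {
            effective = new char[0]; // assumed null check: empty password instead of null
        }
        try (InputStream in = new ByteArrayInputStream(storeBytes)) {
            ks.load(in, effective);
        } catch (NullPointerException npe) {
            // Provider rejected the (null) password; report it instead of crashing the caller.
            throw new IOException("KeyStore provider for type " + type
                    + " requires a non-null password", npe);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an empty PKCS12 store serialized with an empty password.
        KeyStore empty = KeyStore.getInstance("PKCS12");
        empty.load(null, null);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        empty.store(out, new char[0]);
        byte[] storeBytes = out.toByteArray();

        // KeyStore.getDefaultType() is "pkcs12" on JDK 9+, which is what triggered the report.
        String type = KeyStore.getDefaultType();
        System.out.println("default keystore type: " + type);

        // Same call pattern as the report (null password), now routed through the guard.
        KeyStore loaded = loadWithGuard(storeBytes, type, null);
        System.out.println("loaded " + loaded.getType() + " store with " + loaded.size() + " entries");
    }
}
```

The guard keeps the JKS path unchanged (null stays null there, since JKS readers accept it) and only touches the PKCS12 branch that the comment identifies; whether the project should instead skip the PKCS12 attempt entirely when no password is available is a design choice this example does not decide.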