Allow inherited DSAKey and ECKey parameters RFC 3279 sections 2.3.2 and 2.3.5 say that DSA and EC keys respectively may inherit from its issuer's key parameters. When setting "jdk.certpath.disabledAlgorithms=DSA keySize < 1024" and running the NIST PKIX test 4.1.5 Valid DSA Parameter Inheritance Test5 an exception is thrown because the key size of the DSA with inherited parameters is checked. However, inherited parameter DSA keys have null DSAParams which causes a NullPointerException. It's okay to skip checking this key, because the parent key from which it inherits its parameters will be rejected when it is tested and the certpath will fail to build. Bug: 26984935 Change-Id: I071578b19729a41d6ad64e9fe18e45b492ad4cff

commit: f3351bdaa7fcfff111a2b9a94ef384d5812b2d3f [log] [tgz]
author: Kenny Root <kroot@google.com> Fri Feb 05 03:05:17 2016 -0800
committer: Kenny Root <kroot@google.com> Fri Feb 05 03:22:32 2016 -0800
tree: 1bf0226d795aa91eb5292e9ec232bf6648871106
parent: d92cdfce1b3eb77850cd0b511d9da28bb833ccd8 [diff]
diff --git a/ojluni/src/main/java/sun/security/util/KeyUtil.java b/ojluni/src/main/java/sun/security/util/KeyUtil.java
index 6664dab..6ca9191 100755
--- a/ojluni/src/main/java/sun/security/util/KeyUtil.java
+++ b/ojluni/src/main/java/sun/security/util/KeyUtil.java

@@ -1,4 +1,5 @@
 /*
+ * Copyright 2016 The Android Open Source Project
  * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
@@ -32,6 +33,8 @@
 import java.security.interfaces.ECKey;
 import java.security.interfaces.RSAKey;
 import java.security.interfaces.DSAKey;
+import java.security.interfaces.DSAParams;
+import java.security.spec.ECParameterSpec;
 import java.security.spec.KeySpec;
 import javax.crypto.SecretKey;
 import javax.crypto.interfaces.DHKey;
@@ -81,10 +84,26 @@
             size = pubk.getModulus().bitLength();
         } else if (key instanceof ECKey) {
             ECKey pubk = (ECKey)key;
-            size = pubk.getParams().getOrder().bitLength();
+            ECParameterSpec params = pubk.getParams();
+            // According to RFC 3279 section 2.3.5, EC keys are allowed
+            // to inherit parameters in an X.509 certificate issuer's
+            // key parameters, so the parameters may be null. The parent
+            // key will be rejected if its parameters don't pass, so this
+            // is okay.
+            if (params != null) {
+                size = params.getOrder().bitLength();
+            }
         } else if (key instanceof DSAKey) {
             DSAKey pubk = (DSAKey)key;
-            size = pubk.getParams().getP().bitLength();
+            DSAParams params = pubk.getParams();
+            // According to RFC 3279 section 2.3.2, DSA keys are allowed
+            // to inherit parameters in an X.509 certificate issuer's
+            // key parameters, so the parameters may be null. The parent
+            // key will be rejected if its parameters don't pass, so this
+            // is okay.
+            if (params != null) {
+                size = params.getP().bitLength();
+            }
         } else if (key instanceof DHKey) {
             DHKey pubk = (DHKey)key;
             size = pubk.getParams().getP().bitLength();
commit	f3351bdaa7fcfff111a2b9a94ef384d5812b2d3f	[log] [tgz]
author	Kenny Root <kroot@google.com>	Fri Feb 05 03:05:17 2016 -0800
committer	Kenny Root <kroot@google.com>	Fri Feb 05 03:22:32 2016 -0800
tree	1bf0226d795aa91eb5292e9ec232bf6648871106
parent	d92cdfce1b3eb77850cd0b511d9da28bb833ccd8 [diff]