Fix NPE and add extra checks

peterdettman · peterdettman · commit 6f53ba134153 · 2025-09-22T18:33:22.000+07:00
- see #2166
diff --git a/pkix/src/main/java/org/bouncycastle/operator/jcajce/OperatorHelper.java b/pkix/src/main/java/org/bouncycastle/operator/jcajce/OperatorHelper.java
@@ -26,6 +26,7 @@
 import org.bouncycastle.asn1.ASN1Encodable;
 import org.bouncycastle.asn1.ASN1Integer;
 import org.bouncycastle.asn1.ASN1ObjectIdentifier;
+import org.bouncycastle.asn1.ASN1Primitive;
 import org.bouncycastle.asn1.ASN1Sequence;
 import org.bouncycastle.asn1.DERNull;
 import org.bouncycastle.asn1.DERSequence;
@@ -207,52 +208,62 @@ KeyAgreement createKeyAgreement(ASN1ObjectIdentifier algorithm)
     Cipher createAsymmetricWrapper(AlgorithmIdentifier algorithmID, Map extraAlgNames)
         throws OperatorCreationException
     {
-        ASN1ObjectIdentifier algorithm = algorithmID.getAlgorithm();
+        if (algorithmID == null)
+        {
+            throw new NullPointerException("'algorithmID' cannot be null");
+        }
+
+        ASN1ObjectIdentifier algOID = algorithmID.getAlgorithm();
         try
         {
             String cipherName = null;
 
-            if (!extraAlgNames.isEmpty())
+            if (extraAlgNames != null && !extraAlgNames.isEmpty())
             {
-                cipherName = (String)extraAlgNames.get(algorithm);
+                cipherName = (String)extraAlgNames.get(algOID);
             }
 
             if (cipherName == null)
             {
-                cipherName = (String)asymmetricWrapperAlgNames.get(algorithm);
+                cipherName = (String)asymmetricWrapperAlgNames.get(algOID);
+            }
+
+            if (cipherName != null)
+            {
                 if (cipherName.indexOf("OAEPPadding") > 0)
                 {
-                    ASN1Encodable params = algorithmID.getParameters().toASN1Primitive();
-                    if ((params instanceof ASN1Sequence))
+                    ASN1Encodable algParams = algorithmID.getParameters();
+                    if (algParams != null)
                     {
-                        ASN1Sequence paramSeq = ASN1Sequence.getInstance(params);
-                        if (paramSeq.size() == 0)
+                        ASN1Primitive primitive = algParams.toASN1Primitive();
+                        if ((primitive instanceof ASN1Sequence))
                         {
-                            cipherName = "RSA/ECB/OAEPWithSHA-1AndMGF1Padding";
-                        }
-                        else if (paramSeq.size() >= 2)
-                        {
-                            // we only check the first 2 as pSource may be different
-                            paramSeq = new DERSequence(new ASN1Encodable[]{ paramSeq.getObjectAt(0), paramSeq.getObjectAt(1) });
-                            if (oaepParams_sha256.equals(paramSeq))
-                            {
-                                cipherName = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
-                            }
-                            else if (oaepParams_sha512.equals(paramSeq))
+                            ASN1Sequence oaepParams = (ASN1Sequence)primitive;
+                            if (oaepParams.size() == 0)
                             {
-                                cipherName = "RSA/ECB/OAEPWithSHA-512AndMGF1Padding";
+                                cipherName = "RSA/ECB/OAEPWithSHA-1AndMGF1Padding";
                             }
-                            else if (oaepParams_sha384.equals(paramSeq))
+                            else if (oaepParams.size() >= 2)
                             {
-                                cipherName = "RSA/ECB/OAEPWithSHA-384AndMGF1Padding";
+                                // we only check the first 2 as pSource may be different
+                                oaepParams = new DERSequence(new ASN1Encodable[]{ oaepParams.getObjectAt(0), oaepParams.getObjectAt(1) });
+                                if (oaepParams_sha256.equals(oaepParams))
+                                {
+                                    cipherName = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
+                                }
+                                else if (oaepParams_sha512.equals(oaepParams))
+                                {
+                                    cipherName = "RSA/ECB/OAEPWithSHA-512AndMGF1Padding";
+                                }
+                                else if (oaepParams_sha384.equals(oaepParams))
+                                {
+                                    cipherName = "RSA/ECB/OAEPWithSHA-384AndMGF1Padding";
+                                }
                             }
                         }
                     }
                 }
-            }
 
-            if (cipherName != null)
-            {
                 try
                 {
                     // this is reversed as the Sun policy files now allow unlimited strength RSA
@@ -288,7 +299,7 @@ else if (cipherName.indexOf("ECB/OAEPWith") > 0)
                 }
             }
 
-            return helper.createCipher(algorithm.getId());
+            return helper.createCipher(algOID.getId());
         }
         catch (GeneralSecurityException e)
         {

Original file line number	Diff line number	Diff line change
`@@ -26,6 +26,7 @@`
`26`	`26`	`import org.bouncycastle.asn1.ASN1Encodable;`
`27`	`27`	`import org.bouncycastle.asn1.ASN1Integer;`
`28`	`28`	`import org.bouncycastle.asn1.ASN1ObjectIdentifier;`
	`29`	`+import org.bouncycastle.asn1.ASN1Primitive;`
`29`	`30`	`import org.bouncycastle.asn1.ASN1Sequence;`
`30`	`31`	`import org.bouncycastle.asn1.DERNull;`
`31`	`32`	`import org.bouncycastle.asn1.DERSequence;`
`@@ -207,52 +208,62 @@ KeyAgreement createKeyAgreement(ASN1ObjectIdentifier algorithm)`
`207`	`208`	`Cipher createAsymmetricWrapper(AlgorithmIdentifier algorithmID, Map extraAlgNames)`
`208`	`209`	`throws OperatorCreationException`
`209`	`210`	`{`
`210`		`- ASN1ObjectIdentifier algorithm = algorithmID.getAlgorithm();`
	`211`	`+ if (algorithmID == null)`
	`212`	`+ {`
	`213`	`+ throw new NullPointerException("'algorithmID' cannot be null");`
	`214`	`+ }`
	`215`	`+`
	`216`	`+ ASN1ObjectIdentifier algOID = algorithmID.getAlgorithm();`
`211`	`217`	`try`
`212`	`218`	`{`
`213`	`219`	`String cipherName = null;`
`214`	`220`
`215`		`- if (!extraAlgNames.isEmpty())`
	`221`	`+ if (extraAlgNames != null && !extraAlgNames.isEmpty())`
`216`	`222`	`{`
`217`		`- cipherName = (String)extraAlgNames.get(algorithm);`
	`223`	`+ cipherName = (String)extraAlgNames.get(algOID);`
`218`	`224`	`}`
`219`	`225`
`220`	`226`	`if (cipherName == null)`
`221`	`227`	`{`
`222`		`- cipherName = (String)asymmetricWrapperAlgNames.get(algorithm);`
	`228`	`+ cipherName = (String)asymmetricWrapperAlgNames.get(algOID);`
	`229`	`+ }`
	`230`	`+`
	`231`	`+ if (cipherName != null)`
	`232`	`+ {`
`223`	`233`	`if (cipherName.indexOf("OAEPPadding") > 0)`
`224`	`234`	`{`
`225`		`- ASN1Encodable params = algorithmID.getParameters().toASN1Primitive();`
`226`		`- if ((params instanceof ASN1Sequence))`
	`235`	`+ ASN1Encodable algParams = algorithmID.getParameters();`
	`236`	`+ if (algParams != null)`
`227`	`237`	`{`
`228`		`- ASN1Sequence paramSeq = ASN1Sequence.getInstance(params);`
`229`		`- if (paramSeq.size() == 0)`
	`238`	`+ ASN1Primitive primitive = algParams.toASN1Primitive();`
	`239`	`+ if ((primitive instanceof ASN1Sequence))`
`230`	`240`	`{`
`231`		`- cipherName = "RSA/ECB/OAEPWithSHA-1AndMGF1Padding";`
`232`		`- }`
`233`		`- else if (paramSeq.size() >= 2)`
`234`		`- {`
`235`		`- // we only check the first 2 as pSource may be different`
`236`		`- paramSeq = new DERSequence(new ASN1Encodable[]{ paramSeq.getObjectAt(0), paramSeq.getObjectAt(1) });`
`237`		`- if (oaepParams_sha256.equals(paramSeq))`
`238`		`- {`
`239`		`- cipherName = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";`
`240`		`- }`
`241`		`- else if (oaepParams_sha512.equals(paramSeq))`
	`241`	`+ ASN1Sequence oaepParams = (ASN1Sequence)primitive;`
	`242`	`+ if (oaepParams.size() == 0)`
`242`	`243`	`{`
`243`		`- cipherName = "RSA/ECB/OAEPWithSHA-512AndMGF1Padding";`
	`244`	`+ cipherName = "RSA/ECB/OAEPWithSHA-1AndMGF1Padding";`
`244`	`245`	`}`
`245`		`- else if (oaepParams_sha384.equals(paramSeq))`
	`246`	`+ else if (oaepParams.size() >= 2)`
`246`	`247`	`{`
`247`		`- cipherName = "RSA/ECB/OAEPWithSHA-384AndMGF1Padding";`
	`248`	`+ // we only check the first 2 as pSource may be different`
	`249`	`+ oaepParams = new DERSequence(new ASN1Encodable[]{ oaepParams.getObjectAt(0), oaepParams.getObjectAt(1) });`
	`250`	`+ if (oaepParams_sha256.equals(oaepParams))`
	`251`	`+ {`
	`252`	`+ cipherName = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";`
	`253`	`+ }`
	`254`	`+ else if (oaepParams_sha512.equals(oaepParams))`
	`255`	`+ {`
	`256`	`+ cipherName = "RSA/ECB/OAEPWithSHA-512AndMGF1Padding";`
	`257`	`+ }`
	`258`	`+ else if (oaepParams_sha384.equals(oaepParams))`
	`259`	`+ {`
	`260`	`+ cipherName = "RSA/ECB/OAEPWithSHA-384AndMGF1Padding";`
	`261`	`+ }`
`248`	`262`	`}`
`249`	`263`	`}`
`250`	`264`	`}`
`251`	`265`	`}`
`252`		`- }`
`253`	`266`
`254`		`- if (cipherName != null)`
`255`		`- {`
`256`	`267`	`try`
`257`	`268`	`{`
`258`	`269`	`// this is reversed as the Sun policy files now allow unlimited strength RSA`
`@@ -288,7 +299,7 @@ else if (cipherName.indexOf("ECB/OAEPWith") > 0)`
`288`	`299`	`}`
`289`	`300`	`}`
`290`	`301`
`291`		`- return helper.createCipher(algorithm.getId());`
	`302`	`+ return helper.createCipher(algOID.getId());`
`292`	`303`	`}`
`293`	`304`	`catch (GeneralSecurityException e)`
`294`	`305`	`{`