Mercurial > hg > openjdk > jdk6 > jdk

changeset 1722:a2d20542b60b

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
8179998: Clear certificate chain connections Reviewed-by: mullan, ahgross, rhalade, igerasim
author igerasim
date Sat, 13 May 2017 18:25:28 -0700
parents 1f6558de9c57
children ecd835dc3159
files src/share/classes/sun/security/pkcs/SignerInfo.java src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java src/share/lib/security/java.security-linux src/share/lib/security/java.security-solaris src/share/lib/security/java.security-windows
diffstat 5 files changed, 35 insertions(+), 22 deletions(-) [+]
line wrap: on
line diff
--- a/src/share/classes/sun/security/pkcs/SignerInfo.java	Wed Apr 26 19:20:55 2017 -0700
+++ b/src/share/classes/sun/security/pkcs/SignerInfo.java	Sat May 13 18:25:28 2017 -0700
@@ -323,6 +323,12 @@
                 data = content.getContentBytes();
             }
 
+            Timestamp timestamp = null;
+            try {
+                timestamp = getTimestamp();
+            } catch (Exception ignore) {
+            }
+
             ConstraintsParameters cparams =
                     new ConstraintsParameters(timestamp);
             String digestAlgname = getDigestAlgorithmId().getName();
--- a/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java	Wed Apr 26 19:20:55 2017 -0700
+++ b/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java	Sat May 13 18:25:28 2017 -0700
@@ -482,9 +482,16 @@
                 userCheckers.add(mustCheck, policyChecker);
                 mustCheck++;
 
+                String variant = null;
+
+                if (buildParams instanceof  PKIXExtendedParameters) {
+                    variant = ((PKIXExtendedParameters)buildParams).getVariant();
+                }
+
                 // add the algorithm checker
                 userCheckers.add(mustCheck,
-                        new AlgorithmChecker(builder.trustAnchor, buildParams.getDate(), null));
+                        new AlgorithmChecker(builder.trustAnchor,
+                                buildParams.getDate(), variant));
                 mustCheck++;
 
                 if (nextState.keyParamsNeeded()) {
--- a/src/share/lib/security/java.security-linux	Wed Apr 26 19:20:55 2017 -0700
+++ b/src/share/lib/security/java.security-linux	Sat May 13 18:25:28 2017 -0700
@@ -430,21 +430,21 @@
 #     jdkCA
 #       This constraint prohibits the specified algorithm only if the
 #       algorithm is used in a certificate chain that terminates at a marked
-#       trust anchor in the lib/security/cacerts keystore.  If the jdkCA
-#       constraint is not set, then all chains using the specified algorithm
+#       trust anchor in the lib/security/cacerts keystore.  If the jdkCA
+#       constraint is not set, then all chains using the specified algorithm
 #       are restricted.  jdkCA may only be used once in a DisabledAlgorithm
 #       expression.
-#       Example:  To apply this constraint to SHA-1 certificates, include
-#       the following:  "SHA1 jdkCA"
+#       Example:  To apply this constraint to SHA-1 certificates, include
+#       the following:  "SHA1 jdkCA"
 #
 #   DenyAfterConstraint:
 #     denyAfter YYYY-MM-DD
 #       This constraint prohibits a certificate with the specified algorithm
 #       from being used after the date regardless of the certificate's
-#       validity.  JAR files that are signed and timestamped before the
+#       validity.  JAR files that are signed and timestamped before the
 #       constraint date with certificates containing the disabled algorithm
-#       will not be restricted.  The date is processed in the UTC timezone.
-#       This constraint can only be used once in a DisabledAlgorithm
+#       will not be restricted.  The date is processed in the UTC timezone.
+#       This constraint can only be used once in a DisabledAlgorithm
 #       expression.
 #       Example:  To deny usage of RSA 2048 bit certificates after Feb 3 2020,
 #       use the following:  "RSA keySize == 2048 & denyAfter 2020-02-03"
--- a/src/share/lib/security/java.security-solaris	Wed Apr 26 19:20:55 2017 -0700
+++ b/src/share/lib/security/java.security-solaris	Sat May 13 18:25:28 2017 -0700
@@ -390,21 +390,21 @@
 #     jdkCA
 #       This constraint prohibits the specified algorithm only if the
 #       algorithm is used in a certificate chain that terminates at a marked
-#       trust anchor in the lib/security/cacerts keystore.  If the jdkCA
-#       constraint is not set, then all chains using the specified algorithm
+#       trust anchor in the lib/security/cacerts keystore.  If the jdkCA
+#       constraint is not set, then all chains using the specified algorithm
 #       are restricted.  jdkCA may only be used once in a DisabledAlgorithm
 #       expression.
-#       Example:  To apply this constraint to SHA-1 certificates, include
-#       the following:  "SHA1 jdkCA"
+#       Example:  To apply this constraint to SHA-1 certificates, include
+#       the following:  "SHA1 jdkCA"
 #
 #   DenyAfterConstraint:
 #     denyAfter YYYY-MM-DD
 #       This constraint prohibits a certificate with the specified algorithm
 #       from being used after the date regardless of the certificate's
-#       validity.  JAR files that are signed and timestamped before the
+#       validity.  JAR files that are signed and timestamped before the
 #       constraint date with certificates containing the disabled algorithm
-#       will not be restricted.  The date is processed in the UTC timezone.
-#       This constraint can only be used once in a DisabledAlgorithm
+#       will not be restricted.  The date is processed in the UTC timezone.
+#       This constraint can only be used once in a DisabledAlgorithm
 #       expression.
 #       Example:  To deny usage of RSA 2048 bit certificates after Feb 3 2020,
 #       use the following:  "RSA keySize == 2048 & denyAfter 2020-02-03"
--- a/src/share/lib/security/java.security-windows	Wed Apr 26 19:20:55 2017 -0700
+++ b/src/share/lib/security/java.security-windows	Sat May 13 18:25:28 2017 -0700
@@ -407,21 +407,21 @@
 #     jdkCA
 #       This constraint prohibits the specified algorithm only if the
 #       algorithm is used in a certificate chain that terminates at a marked
-#       trust anchor in the lib/security/cacerts keystore.  If the jdkCA
-#       constraint is not set, then all chains using the specified algorithm
+#       trust anchor in the lib/security/cacerts keystore.  If the jdkCA
+#       constraint is not set, then all chains using the specified algorithm
 #       are restricted.  jdkCA may only be used once in a DisabledAlgorithm
 #       expression.
-#       Example:  To apply this constraint to SHA-1 certificates, include
-#       the following:  "SHA1 jdkCA"
+#       Example:  To apply this constraint to SHA-1 certificates, include
+#       the following:  "SHA1 jdkCA"
 #
 #   DenyAfterConstraint:
 #     denyAfter YYYY-MM-DD
 #       This constraint prohibits a certificate with the specified algorithm
 #       from being used after the date regardless of the certificate's
-#       validity.  JAR files that are signed and timestamped before the
+#       validity.  JAR files that are signed and timestamped before the
 #       constraint date with certificates containing the disabled algorithm
-#       will not be restricted.  The date is processed in the UTC timezone.
-#       This constraint can only be used once in a DisabledAlgorithm
+#       will not be restricted.  The date is processed in the UTC timezone.
+#       This constraint can only be used once in a DisabledAlgorithm
 #       expression.
 #       Example:  To deny usage of RSA 2048 bit certificates after Feb 3 2020,
 #       use the following:  "RSA keySize == 2048 & denyAfter 2020-02-03"