changeset 1722:a2d20542b60b
8179998: Clear certificate chain connections
Reviewed-by: mullan, ahgross, rhalade, igerasim
author | igerasim |
---|---|
date | Sat, 13 May 2017 18:25:28 -0700 |
parents | 1f6558de9c57 |
children | ecd835dc3159 |
files | src/share/classes/sun/security/pkcs/SignerInfo.java src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java src/share/lib/security/java.security-linux src/share/lib/security/java.security-solaris src/share/lib/security/java.security-windows |
diffstat | 5 files changed, 35 insertions(+), 22 deletions(-) [+] |
--- a/src/share/classes/sun/security/pkcs/SignerInfo.java Wed Apr 26 19:20:55 2017 -0700
+++ b/src/share/classes/sun/security/pkcs/SignerInfo.java Sat May 13 18:25:28 2017 -0700
@@ -323,6 +323,12 @@
 data = content.getContentBytes();
 }
+ Timestamp timestamp = null;
+ try {
+ timestamp = getTimestamp();
+ } catch (Exception ignore) {
+ }
+ ConstraintsParameters cparams = new ConstraintsParameters(timestamp);
 String digestAlgname = getDigestAlgorithmId().getName();
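Review bot: The empty `catch (Exception ignore) { }` around `timestamp = getTimestamp();` gives no reason why a timestamp that cannot be retrieved is silently treated as absent, and because it catches `Exception` it also hides unexpected runtime failures from getTimestamp(). A one-line comment inside the catch would record the intent, e.g. `// An unreadable timestamp is treated as absent; the constraints are then evaluated as for an untimestamped signature.` If the exception types getTimestamp() declares are known, catching those instead of `Exception` would keep programming errors visible. The enclosing method starts and ends outside this hunk.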
--- a/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java Wed Apr 26 19:20:55 2017 -0700
+++ b/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java Sat May 13 18:25:28 2017 -0700
@@ -482,9 +482,16 @@
 userCheckers.add(mustCheck, policyChecker);
 mustCheck++;
+ String variant = null;
+
+ if (buildParams instanceof PKIXExtendedParameters) {
+ variant = ((PKIXExtendedParameters)buildParams).getVariant();
+ }
+
 // add the algorithm checker
 userCheckers.add(mustCheck,
- new AlgorithmChecker(builder.trustAnchor, buildParams.getDate(), null));
+ new AlgorithmChecker(builder.trustAnchor,
+ buildParams.getDate(), variant));
 mustCheck++;
 if (nextState.keyParamsNeeded()) {
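Review bot: When `buildParams` is not a `PKIXExtendedParameters`, `variant` stays `null` and the `AlgorithmChecker` is constructed exactly as before this change; that fallback is implicit in the `if` and deserves a comment so a later reader does not take the null for an oversight, e.g. `// Non-extended parameters carry no variant; null keeps the generic algorithm checks.` The `instanceof` test plus cast is the only way to read the variant here, so the comment is the documentation that makes the branch self-explanatory. The enclosing method continues outside this hunk on both sides.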
--- a/src/share/lib/security/java.security-linux Wed Apr 26 19:20:55 2017 -0700
+++ b/src/share/lib/security/java.security-linux Sat May 13 18:25:28 2017 -0700
@@ -430,21 +430,21 @@
 # jdkCA
 # This constraint prohibits the specified algorithm only if the
 # algorithm is used in a certificate chain that terminates at a marked
-# trust anchor in the lib/security/cacerts keystore. If the jdkCA
-# constraint is not set, then all chains using the specified algorithm
+# trust anchor in the lib/security/cacerts keystore. If the jdkCA
+# constraint is not set, then all chains using the specified algorithm
 # are restricted. jdkCA may only be used once in a DisabledAlgorithm
 # expression.
-# Example: To apply this constraint to SHA-1 certificates, include
-# the following: "SHA1 jdkCA"
+# Example: To apply this constraint to SHA-1 certificates, include
+# the following: "SHA1 jdkCA"
 #
 # DenyAfterConstraint:
 # denyAfter YYYY-MM-DD
 # This constraint prohibits a certificate with the specified algorithm
 # from being used after the date regardless of the certificate's
-# validity. JAR files that are signed and timestamped before the
+# validity. JAR files that are signed and timestamped before the
 # constraint date with certificates containing the disabled algorithm
-# will not be restricted. The date is processed in the UTC timezone.
-# This constraint can only be used once in a DisabledAlgorithm
+# will not be restricted. The date is processed in the UTC timezone.
+# This constraint can only be used once in a DisabledAlgorithm
 # expression.
 # Example: To deny usage of RSA 2048 bit certificates after Feb 3 2020,
 # use the following: "RSA keySize == 2048 & denyAfter 2020-02-03"
--- a/src/share/lib/security/java.security-solaris Wed Apr 26 19:20:55 2017 -0700
+++ b/src/share/lib/security/java.security-solaris Sat May 13 18:25:28 2017 -0700
@@ -390,21 +390,21 @@
 # jdkCA
 # This constraint prohibits the specified algorithm only if the
 # algorithm is used in a certificate chain that terminates at a marked
-# trust anchor in the lib/security/cacerts keystore. If the jdkCA
-# constraint is not set, then all chains using the specified algorithm
+# trust anchor in the lib/security/cacerts keystore. If the jdkCA
+# constraint is not set, then all chains using the specified algorithm
 # are restricted. jdkCA may only be used once in a DisabledAlgorithm
 # expression.
-# Example: To apply this constraint to SHA-1 certificates, include
-# the following: "SHA1 jdkCA"
+# Example: To apply this constraint to SHA-1 certificates, include
+# the following: "SHA1 jdkCA"
 #
 # DenyAfterConstraint:
 # denyAfter YYYY-MM-DD
 # This constraint prohibits a certificate with the specified algorithm
 # from being used after the date regardless of the certificate's
-# validity. JAR files that are signed and timestamped before the
+# validity. JAR files that are signed and timestamped before the
 # constraint date with certificates containing the disabled algorithm
-# will not be restricted. The date is processed in the UTC timezone.
-# This constraint can only be used once in a DisabledAlgorithm
+# will not be restricted. The date is processed in the UTC timezone.
+# This constraint can only be used once in a DisabledAlgorithm
 # expression.
 # Example: To deny usage of RSA 2048 bit certificates after Feb 3 2020,
 # use the following: "RSA keySize == 2048 & denyAfter 2020-02-03"
--- a/src/share/lib/security/java.security-windows Wed Apr 26 19:20:55 2017 -0700
+++ b/src/share/lib/security/java.security-windows Sat May 13 18:25:28 2017 -0700
@@ -407,21 +407,21 @@
 # jdkCA
 # This constraint prohibits the specified algorithm only if the
 # algorithm is used in a certificate chain that terminates at a marked
-# trust anchor in the lib/security/cacerts keystore. If the jdkCA
-# constraint is not set, then all chains using the specified algorithm
+# trust anchor in the lib/security/cacerts keystore. If the jdkCA
+# constraint is not set, then all chains using the specified algorithm
 # are restricted. jdkCA may only be used once in a DisabledAlgorithm
 # expression.
-# Example: To apply this constraint to SHA-1 certificates, include
-# the following: "SHA1 jdkCA"
+# Example: To apply this constraint to SHA-1 certificates, include
+# the following: "SHA1 jdkCA"
 #
 # DenyAfterConstraint:
 # denyAfter YYYY-MM-DD
 # This constraint prohibits a certificate with the specified algorithm
 # from being used after the date regardless of the certificate's
-# validity. JAR files that are signed and timestamped before the
+# validity. JAR files that are signed and timestamped before the
 # constraint date with certificates containing the disabled algorithm
-# will not be restricted. The date is processed in the UTC timezone.
-# This constraint can only be used once in a DisabledAlgorithm
+# will not be restricted. The date is processed in the UTC timezone.
+# This constraint can only be used once in a DisabledAlgorithm
 # expression.
 # Example: To deny usage of RSA 2048 bit certificates after Feb 3 2020,
 # use the following: "RSA keySize == 2048 & denyAfter 2020-02-03"