# HG changeset patch # User ascarpino # Date 1494602411 25200 # Node ID d7236673d84537473d3eb10a913a1b92dbff5279 # Parent b4e0fd996868c573803fb3a6e60978e75dae218d 8179998: Clear certificate chain connections Reviewed-by: mullan, ahgross, rhalade, igerasim diff -r b4e0fd996868 -r d7236673d845 src/java.base/share/classes/sun/security/pkcs/SignerInfo.java --- a/src/java.base/share/classes/sun/security/pkcs/SignerInfo.java Fri May 12 18:21:13 2017 +0530 +++ b/src/java.base/share/classes/sun/security/pkcs/SignerInfo.java Fri May 12 08:20:11 2017 -0700 @@ -323,6 +323,12 @@ data = content.getContentBytes(); } + Timestamp timestamp = null; + try { + timestamp = getTimestamp(); + } catch (Exception ignore) { + } + ConstraintsParameters cparams = new ConstraintsParameters(timestamp); String digestAlgname = getDigestAlgorithmId().getName(); diff -r b4e0fd996868 -r d7236673d845 src/java.base/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java --- a/src/java.base/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java Fri May 12 18:21:13 2017 +0530 +++ b/src/java.base/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java Fri May 12 08:20:11 2017 -0700 @@ -344,7 +344,7 @@ // add the algorithm checker checkers.add(new AlgorithmChecker(builder.trustAnchor, - buildParams.date(), null)); + buildParams.date(), buildParams.variant())); BasicChecker basicChecker = null; if (nextState.keyParamsNeeded()) { diff -r b4e0fd996868 -r d7236673d845 src/java.base/share/conf/security/java.security --- a/src/java.base/share/conf/security/java.security Fri May 12 18:21:13 2017 +0530 +++ b/src/java.base/share/conf/security/java.security Fri May 12 08:20:11 2017 -0700 
@@ -545,21 +545,21 @@ # jdkCA # This constraint prohibits the specified algorithm only if the # algorithm is used in a certificate chain that terminates at a marked -# trust anchor in the lib/security/cacerts keystore. If the jdkCA -# constraint is not set, then all chains using the specified algorithm +# trust anchor in the lib/security/cacerts keystore. If the jdkCA +# constraint is not set, then all chains using the specified algorithm # are restricted. jdkCA may only be used once in a DisabledAlgorithm # expression. -# Example:  To apply this constraint to SHA-1 certificates, include -# the following:  "SHA1 jdkCA" +# Example: To apply this constraint to SHA-1 certificates, include +# the following: "SHA1 jdkCA" # # DenyAfterConstraint: # denyAfter YYYY-MM-DD # This constraint prohibits a certificate with the specified algorithm # from being used after the date regardless of the certificate's -# validity.  JAR files that are signed and timestamped before the +# validity. JAR files that are signed and timestamped before the # constraint date with certificates containing the disabled algorithm -# will not be restricted.  The date is processed in the UTC timezone. -# This constraint can only be used once in a DisabledAlgorithm +# will not be restricted. The date is processed in the UTC timezone. +# This constraint can only be used once in a DisabledAlgorithm # expression. # Example: To deny usage of RSA 2048 bit certificates after Feb 3 2020, # use the following: "RSA keySize == 2048 & denyAfter 2020-02-03"
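Review bot: In the SignerInfo.java hunk, `catch (Exception ignore) { }` around `getTimestamp()` silently collapses every failure (a timestamp that is present but unparseable, or that fails verification) into `timestamp = null`, the same value as "no timestamp at all". That direction is the safe one, since the `denyAfter` text in java.security only exempts JARs that are signed and timestamped before the constraint date, so a broken timestamp simply does not earn the exemption; but discarding the exception loses the reason, and catching bare `Exception` also hides unexpected runtime errors. Suggest narrowing the catch to the exceptions `getTimestamp()` can actually throw and emitting the failure through the existing debug facility before falling through to `new ConstraintsParameters(timestamp)`, so a signed JAR rejected for an unreadable timestamp can be diagnosed.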
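Review bot: In the SunCertPathBuilder.java hunk, replacing the literal `null` with `buildParams.variant()` in `new AlgorithmChecker(builder.trustAnchor, buildParams.date(), buildParams.variant())` is the substantive fix, but the patch contains no regression test showing a chain that was previously accepted and is now rejected (or vice versa) under a variant-specific constraint. Since the `jdkCA` and `denyAfter` constraints in java.security are evaluated per chain, a test that builds a path with a disabled algorithm under the relevant variant would pin the behaviour; it would also be worth confirming that no other `AlgorithmChecker` construction in the certpath code still passes `null` for the variant, as that call site would keep the pre-patch behaviour.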
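Review bot: The java.security hunk is whitespace-only (double spaces after periods collapsed to single spaces in the `jdkCA` and `denyAfter` comment blocks) and changes nothing about the documented behaviour, so it reads as noise next to the two code hunks. If the configuration comments are being touched anyway, the `denyAfter` paragraph ("JAR files that are signed and timestamped before the constraint date ... will not be restricted") is the place to state the consequence of the SignerInfo change, namely that a timestamp which cannot be read or verified is treated as absent and the constraint then applies; otherwise consider dropping this hunk to keep the changeset focused on the fix.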