--- old/src/java.base/share/classes/sun/security/provider/certpath/AlgorithmChecker.java 2016-10-10 11:49:57.283347902 -0700 +++ new/src/java.base/share/classes/sun/security/provider/certpath/AlgorithmChecker.java 2016-10-10 11:49:57.171347907 -0700 @@ -464,7 +464,7 @@ } AlgorithmId algorithmId = x509CRLImpl.getSigAlgId(); - check(key, algorithmId); + check(algorithmId.getName(), key, algorithmId.getParameters()); } /** @@ -473,10 +473,15 @@ * @param key the public key to verify the CRL signature * @param algorithmId signature algorithm Algorithm ID */ - static void check(PublicKey key, AlgorithmId algorithmId) + void check(PublicKey key, AlgorithmId algorithmId) throws CertPathValidatorException { - String sigAlgName = algorithmId.getName(); - AlgorithmParameters sigAlgParams = algorithmId.getParameters(); + check(algorithmId.getName(), key, algorithmId.getParameters()); + } + + + private static void check(String sigAlgName, PublicKey key, + AlgorithmParameters sigAlgParams) + throws CertPathValidatorException { if (!certPathDefaultConstraints.permits( SIGNATURE_PRIMITIVE_SET, sigAlgName, key, sigAlgParams)) { --- old/src/java.base/share/classes/sun/security/provider/certpath/OCSP.java 2016-10-10 11:49:57.591347890 -0700 +++ new/src/java.base/share/classes/sun/security/provider/certpath/OCSP.java 2016-10-10 11:49:57.479347894 -0700 @@ -35,6 +35,7 @@ import java.security.cert.CertPathValidatorException.BasicReason; import java.security.cert.CRLReason; import java.security.cert.Extension; +import java.security.cert.TrustAnchor; import java.security.cert.X509Certificate; import java.util.Arrays; import java.util.Collections; 
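Review bot: The new instance method `check(PublicKey key, AlgorithmId algorithmId)` only forwards to the `private static` three-argument `check`, which, as far as this hunk shows, consults `certPathDefaultConstraints` alone, so the trust anchor and date an `AlgorithmChecker` is built with never influence the CRL or OCSP response-signature algorithm check even though OCSPResponse now constructs a date-aware `new AlgorithmChecker(anchor, date)` just to call it. If the anchor/date-aware constraints are meant to apply here, the instance method should route through the instance's own constraints rather than the static default set; if the default set is intentional, say so on the instance method, e.g. `// Uses the default certpath constraints only; this checker's anchor and date are not consulted here.`, so readers of the OCSPResponse call site do not assume otherwise. The body of the static helper continues past the end of the hunk.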
@@ -125,8 +126,8 @@ ("Exception while encoding OCSPRequest", e); } OCSPResponse ocspResponse = check(Collections.singletonList(certId), - responderURI, new OCSPResponse.IssuerInfo(issuerCert), null, null, - Collections.emptyList()); + responderURI, new OCSPResponse.IssuerInfo(null, issuerCert), null, + null, Collections.emptyList()); return (RevocationStatus)ocspResponse.getSingleResponse(certId); } @@ -164,6 +165,20 @@ Date date, List extensions) throws IOException, CertPathValidatorException { + return check(cert, responderURI, + new TrustAnchor(issuerCert.getSubjectX500Principal(), + issuerCert.getPublicKey(), null), + issuerCert, responderCert, date, extensions); + } + + public static RevocationStatus check(X509Certificate cert, + URI responderURI, + TrustAnchor anchor, + X509Certificate issuerCert, + X509Certificate responderCert, + Date date, List extensions) + throws IOException, CertPathValidatorException + { CertId certId = null; try { X509CertImpl certImpl = X509CertImpl.toImpl(cert); @@ -173,8 +188,8 @@ ("Exception while encoding OCSPRequest", e); } OCSPResponse ocspResponse = check(Collections.singletonList(certId), - responderURI, new OCSPResponse.IssuerInfo(issuerCert), - responderCert, date, extensions); + responderURI, new OCSPResponse.IssuerInfo(anchor, issuerCert), + responderCert, date, extensions); return (RevocationStatus) ocspResponse.getSingleResponse(certId); } --- old/src/java.base/share/classes/sun/security/provider/certpath/OCSPResponse.java 2016-10-10 11:49:57.895347878 -0700 +++ new/src/java.base/share/classes/sun/security/provider/certpath/OCSPResponse.java 2016-10-10 11:49:57.783347882 -0700 @@ -464,6 +464,8 @@ } } + AlgorithmChecker algChecker = null; + // Check whether the signer cert returned by the responder is trusted if (signerCert != null) { // Check if the response is signed by the issuing CA 
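Review bot: `new OCSPResponse.IssuerInfo(null, issuerCert)` in the `check(cert, issuerCert)` path will throw `NullPointerException`, because both `IssuerInfo` constructors introduced by this change call `Objects.requireNonNull(anchor, "Constructor requires non-null anchor")`. The six-argument overload further down already shows the fix: synthesize an anchor from the issuer certificate, `new OCSPResponse.IssuerInfo(new TrustAnchor(issuerCert.getSubjectX500Principal(), issuerCert.getPublicKey(), null), issuerCert)`, or alternatively relax the constructor to accept a null anchor when a certificate is supplied. The enclosing `check` method begins before this hunk.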
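Review bot: The new public seven-argument `check(cert, responderURI, TrustAnchor anchor, X509Certificate issuerCert, responderCert, date, extensions)` has no Javadoc, while the six-argument overload it was split out of documents its parameters. The distinction between the two certificate-ish arguments is the part worth writing down: `@param anchor the trust anchor of the chain being validated, used for certpath disabled-algorithm checking of the responder certificate` and `@param issuerCert the certificate that issued {@code cert}, used to build the CertId`, plus a note on the six-argument overload that it fabricates an anchor from `issuerCert` with no name constraints. The enclosing method body continues outside the hunk.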
@@ -507,9 +509,7 @@ // Check algorithm constraints specified in security property // "jdk.certpath.disabledAlgorithms". - AlgorithmChecker algChecker = new AlgorithmChecker( - new TrustAnchor(issuerInfo.getName(), - issuerInfo.getPublicKey(), null)); + algChecker = new AlgorithmChecker(issuerInfo.getAnchor(), date); algChecker.init(false); algChecker.check(signerCert, Collections.emptySet()); @@ -569,7 +569,12 @@ if (signerCert != null) { // Check algorithm constraints specified in security property // "jdk.certpath.disabledAlgorithms". - AlgorithmChecker.check(signerCert.getPublicKey(), sigAlgId); + if (algChecker == null) { + algChecker = + new AlgorithmChecker(issuerInfo.getAnchor(), date); + algChecker.init(false); + } + algChecker.check(signerCert.getPublicKey(), sigAlgId); if (!verifySignature(signerCert)) { throw new CertPathValidatorException( 
@@ -982,33 +987,34 @@ /** * Helper class that allows consumers to pass in issuer information. This * will always consist of the issuer's name and public key, but may also - * contain a certificate if the originating data is in that form. + * contain a certificate if the originating data is in that form. The + * trust anchor for the certificate chain will be included for certpath + * disabled algorithm checking. */ static final class IssuerInfo { - private final X509Certificate certificate; - private final X500Principal name; - private final PublicKey pubKey; - - IssuerInfo(X509Certificate issuerCert) { - certificate = Objects.requireNonNull(issuerCert, - "Constructor requires non-null certificate"); - name = certificate.getSubjectX500Principal(); - pubKey = certificate.getPublicKey(); - } - - IssuerInfo(X500Principal subjectName, PublicKey key) { - certificate = null; - name = Objects.requireNonNull(subjectName, - "Constructor requires non-null subject"); - pubKey = Objects.requireNonNull(key, - "Constructor requires non-null public key"); - } + private final TrustAnchor anchor; + private X509Certificate certificate; + private X500Principal name; + private PublicKey pubKey; IssuerInfo(TrustAnchor anchor) { - certificate = anchor.getTrustedCert(); - if (certificate != null) { - name = certificate.getSubjectX500Principal(); - pubKey = certificate.getPublicKey(); + this.anchor = Objects.requireNonNull(anchor, + "Constructor requires non-null anchor"); + init(anchor.getTrustedCert()); + } + + IssuerInfo(TrustAnchor anchor, X509Certificate issuerCert) { + this.anchor = Objects.requireNonNull(anchor, + "Constructor requires non-null anchor"); + init(issuerCert); + } + + /* Initialize Issuer Info */ + private void init(X509Certificate issuerCert) { + if (issuerCert != null) { + name = issuerCert.getSubjectX500Principal(); + pubKey = issuerCert.getPublicKey(); + certificate = issuerCert; } else { name = anchor.getCA(); pubKey = anchor.getCAPublicKey(); 
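Review bot: `init` can leave `name` and `pubKey` null: the `(TrustAnchor, X509Certificate)` constructor passes `issuerCert` straight through, and when it is null the fallback reads `anchor.getCA()` and `anchor.getCAPublicKey()`, which the TrustAnchor API documents as null for an anchor created from a trusted certificate, whereas the removed constructors guarded the subject and key with `requireNonNull`. Falling back to the anchor's certificate first, `init(issuerCert != null ? issuerCert : anchor.getTrustedCert());`, keeps the cert-based anchor case populated and preserves the class doc's promise that an instance "will always consist of the issuer's name and public key". Separately, `certificate`, `name` and `pubKey` lose `final` so that `setIssuerCert` can re-run `init`; the class comment should state that an instance is now mutated in place rather than replaced as the chain is walked. The `else` branch of `init` closes outside the hunk.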
@@ -1047,6 +1053,21 @@ } /** + * Get the TrustAnchor for the certificate chain. + * + * @return a {@code TrustAnchor}. + */ + TrustAnchor getAnchor() { + return anchor; + } + + void setIssuerCert(X509Certificate issuerCert) { + Objects.requireNonNull(issuerCert, + "setIssuerCert requires non-null issuerCert"); + init(issuerCert); + } + + /** * Create a string representation of this IssuerInfo. * * @return a {@code String} form of this IssuerInfo object. --- old/src/java.base/share/classes/sun/security/provider/certpath/RevocationChecker.java 2016-10-10 11:49:58.207347865 -0700 +++ new/src/java.base/share/classes/sun/security/provider/certpath/RevocationChecker.java 2016-10-10 11:49:58.095347870 -0700 @@ -437,7 +437,7 @@ private void updateState(X509Certificate cert) throws CertPathValidatorException { - issuerInfo = new OCSPResponse.IssuerInfo(cert); + issuerInfo.setIssuerCert(cert); // Make new public key if parameters are missing PublicKey pubKey = cert.getPublicKey();
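Review bot: `setIssuerCert` has no Javadoc while `getAnchor` beside it does, and since it re-runs `init` and overwrites `certificate`, `name` and `pubKey` in place, that behaviour should be spelled out: `/** Replaces the issuer certificate and the name and public key derived from it; the trust anchor is kept. @param issuerCert the new issuer certificate, must not be null */`. The visible `init` only reads `anchor` when the certificate is null, so the anchor is indeed untouched here.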
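Review bot: `issuerInfo.setIssuerCert(cert)` dereferences a field that the removed line used to assign, so `updateState` now depends on `issuerInfo` having been created earlier (presumably from the trust anchor during the checker's initialisation, which is outside this hunk); if `updateState` can ever run before that, the result is a `NullPointerException` instead of a freshly built `IssuerInfo`. Making the new ordering requirement explicit, either with `Objects.requireNonNull(issuerInfo, "updateState called before init");` or by creating the `IssuerInfo` from the checker's anchor when the field is still null, would keep this from surfacing as an unexplained NPE. The rest of `updateState` continues past the end of the hunk.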