src/java.base/share/classes/sun/security/provider/certpath/OCSPResponse.java
*** 462,471 ****
--- 462,473 ----
}
}
}
}
+ AlgorithmChecker algChecker = null;
+
// Check whether the signer cert returned by the responder is trusted
if (signerCert != null) {
// Check if the response is signed by the issuing CA
if (signerCert.getSubjectX500Principal().equals(
issuerInfo.getName()) &&
*** 505,517 ****
"OCSP responses", cpe);
}
// Check algorithm constraints specified in security property
// "jdk.certpath.disabledAlgorithms".
! AlgorithmChecker algChecker = new AlgorithmChecker(
! new TrustAnchor(issuerInfo.getName(),
! issuerInfo.getPublicKey(), null));
algChecker.init(false);
algChecker.check(signerCert, Collections.<String>emptySet());
// check the validity
try {
--- 507,517 ----
"OCSP responses", cpe);
}
// Check algorithm constraints specified in security property
// "jdk.certpath.disabledAlgorithms".
! algChecker = new AlgorithmChecker(issuerInfo.getAnchor(), date);
algChecker.init(false);
algChecker.check(signerCert, Collections.<String>emptySet());
// check the validity
try {
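Review bot: The comment above the rebuilt checker still only names the property, so a reader cannot tell why the real `issuerInfo.getAnchor()` and `date` now replace the synthetic `new TrustAnchor(name, key, null)` that this hunk removes. I would extend it: `// Use the path's real trust anchor and validation date so anchor- and date-scoped entries in jdk.certpath.disabledAlgorithms also apply to the responder cert`. Since the previous checker took no date at all, it is worth confirming that a null `date` (if this method accepts one) is treated by AlgorithmChecker as "now" rather than silently skipping date-scoped constraints. The enclosing method begins before this hunk and continues after it.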
*** 567,577 ****
// Confirm that the signed response was generated using the public
// key from the trusted responder cert
if (signerCert != null) {
// Check algorithm constraints specified in security property
// "jdk.certpath.disabledAlgorithms".
! AlgorithmChecker.check(signerCert.getPublicKey(), sigAlgId);
if (!verifySignature(signerCert)) {
throw new CertPathValidatorException(
"Error verifying OCSP Response's signature");
}
--- 567,582 ----
// Confirm that the signed response was generated using the public
// key from the trusted responder cert
if (signerCert != null) {
// Check algorithm constraints specified in security property
// "jdk.certpath.disabledAlgorithms".
! if (algChecker == null) {
! algChecker =
! new AlgorithmChecker(issuerInfo.getAnchor(), date);
! algChecker.init(false);
! }
! algChecker.check(signerCert.getPublicKey(), sigAlgId);
if (!verifySignature(signerCert)) {
throw new CertPathValidatorException(
"Error verifying OCSP Response's signature");
}
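Review bot: The construct-and-`init(false)` sequence added here duplicates the one in the earlier branch, and the two creation sites must stay in lockstep (same anchor, same date, same `init` flag) or the responder-cert check and the signature-algorithm check would run under different constraint sets; a small private helper removes that risk. Note also that in the non-issuer branch this instance has already run `check(signerCert, …)` before `check(signerCert.getPublicKey(), sigAlgId)` is called on it here; if the instance `check(PublicKey, AlgorithmId)` consults state left by the certificate check (presumably the previous public key), that ordering is load-bearing and deserves a comment. The enclosing method begins before this hunk.
```java
// … unchanged: responder-cert trust checks …
if (algChecker == null) {
    algChecker = newAlgorithmChecker(issuerInfo, date);
}
// … unchanged: signature verification …

/** Build a certpath disabled-algorithm checker rooted at the path's real anchor and validation date. */
private static AlgorithmChecker newAlgorithmChecker(IssuerInfo issuerInfo, Date date) {
    AlgorithmChecker checker = new AlgorithmChecker(issuerInfo.getAnchor(), date);
    checker.init(false);
    return checker;
}
```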
*** 980,1016 ****
}
/**
* Helper class that allows consumers to pass in issuer information. This
* will always consist of the issuer's name and public key, but may also
! * contain a certificate if the originating data is in that form.
*/
static final class IssuerInfo {
! private final X509Certificate certificate;
! private final X500Principal name;
! private final PublicKey pubKey;
!
! IssuerInfo(X509Certificate issuerCert) {
! certificate = Objects.requireNonNull(issuerCert,
! "Constructor requires non-null certificate");
! name = certificate.getSubjectX500Principal();
! pubKey = certificate.getPublicKey();
! }
!
! IssuerInfo(X500Principal subjectName, PublicKey key) {
! certificate = null;
! name = Objects.requireNonNull(subjectName,
! "Constructor requires non-null subject");
! pubKey = Objects.requireNonNull(key,
! "Constructor requires non-null public key");
! }
IssuerInfo(TrustAnchor anchor) {
! certificate = anchor.getTrustedCert();
! if (certificate != null) {
! name = certificate.getSubjectX500Principal();
! pubKey = certificate.getPublicKey();
} else {
name = anchor.getCA();
pubKey = anchor.getCAPublicKey();
}
}
--- 985,1022 ----
}
/**
* Helper class that allows consumers to pass in issuer information. This
* will always consist of the issuer's name and public key, but may also
! * contain a certificate if the originating data is in that form. The
! * trust anchor for the certificate chain will be included for certpath
! * disabled algorithm checking.
*/
static final class IssuerInfo {
! private final TrustAnchor anchor;
! private X509Certificate certificate;
! private X500Principal name;
! private PublicKey pubKey;
IssuerInfo(TrustAnchor anchor) {
! this.anchor = Objects.requireNonNull(anchor,
! "Constructor requires non-null anchor");
! init(anchor.getTrustedCert());
! }
!
! IssuerInfo(TrustAnchor anchor, X509Certificate issuerCert) {
! this.anchor = Objects.requireNonNull(anchor,
! "Constructor requires non-null anchor");
! init(issuerCert);
! }
!
! /* Initialize Issuer Info */
! private void init(X509Certificate issuerCert) {
! if (issuerCert != null) {
! name = issuerCert.getSubjectX500Principal();
! pubKey = issuerCert.getPublicKey();
! certificate = issuerCert;
} else {
name = anchor.getCA();
pubKey = anchor.getCAPublicKey();
}
}
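Review bot: The two-argument constructor `IssuerInfo(TrustAnchor anchor, X509Certificate issuerCert)` accepts a null `issuerCert` and silently falls back to the anchor's name and key, and it never checks that a non-null `issuerCert` is actually certified by (or is) `anchor`, yet the anchor is what the disabled-algorithm checks are now rooted at; that contract should be stated. I would add Javadoc to that constructor saying `anchor` is the certification path's trust anchor used for `jdk.certpath.disabledAlgorithms` checks, that `issuerCert` may be null (name and key are then taken from the anchor), and that consistency between the two is the caller's responsibility. The fields `certificate`, `name` and `pubKey` also lose `final` in this hunk, so the class is no longer immutable; the class Javadoc should note that instances are not thread-safe and should not be shared while a verification is in progress. The class continues past this hunk.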
*** 1045,1054 ****
--- 1051,1075 ----
PublicKey getPublicKey() {
return pubKey;
}
/**
+ * Get the TrustAnchor for the certificate chain.
+ *
+ * @return a {@code TrustAnchor}.
+ */
+ TrustAnchor getAnchor() {
+ return anchor;
+ }
+
+ void setIssuerCert(X509Certificate issuerCert) {
+ Objects.requireNonNull(issuerCert,
+ "setIssuerCert requires non-null issuerCert");
+ init(issuerCert);
+ }
+
+ /**
* Create a string representation of this IssuerInfo.
*
* @return a {@code String} form of this IssuerInfo object.
*/
@Override
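Review bot: `setIssuerCert` is the only mutator on this class and has no Javadoc, so nothing states that it replaces `name`, `pubKey` and `certificate` while leaving `anchor` untouched, which is exactly the relationship a caller can get wrong. I would document it: `/** Replaces the issuer certificate; name and key are taken from it, the trust anchor is unchanged. The caller must ensure the certificate is certified by, or is, the anchor. @throws NullPointerException if issuerCert is null */`. The `toString` whose `@Override` closes this hunk lies outside it.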