
src/java.base/share/classes/sun/security/provider/certpath/OCSPResponse.java


        

*** 462,471 **** --- 462,473 ---- } } } } + AlgorithmChecker algChecker = null; + // Check whether the signer cert returned by the responder is trusted if (signerCert != null) { // Check if the response is signed by the issuing CA if (signerCert.getSubjectX500Principal().equals( issuerInfo.getName()) &&
*** 505,517 **** "OCSP responses", cpe); } // Check algorithm constraints specified in security property // "jdk.certpath.disabledAlgorithms". ! AlgorithmChecker algChecker = new AlgorithmChecker( ! new TrustAnchor(issuerInfo.getName(), ! issuerInfo.getPublicKey(), null)); algChecker.init(false); algChecker.check(signerCert, Collections.<String>emptySet()); // check the validity try { --- 507,517 ---- "OCSP responses", cpe); } // Check algorithm constraints specified in security property // "jdk.certpath.disabledAlgorithms". ! algChecker = new AlgorithmChecker(issuerInfo.getAnchor(), date); algChecker.init(false); algChecker.check(signerCert, Collections.<String>emptySet()); // check the validity try {
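Review bot: The checker built by `algChecker = new AlgorithmChecker(issuerInfo.getAnchor(), date);` is now seeded with the chain's trust anchor, which need not be the CA that issued `signerCert`; the removed lines seeded it with the issuer's own name and public key. If AlgorithmChecker derives the signing-key checks for the first certificate from its anchor (not visible on this page), the responder certificate would be evaluated against the root key rather than the issuing CA key whenever the issuer is an intermediate. That is worth confirming and recording with a comment such as `// anchor is the chain's trust anchor, not necessarily the issuer of signerCert`. The enclosing method starts and ends outside this hunk.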
*** 567,577 **** // Confirm that the signed response was generated using the public // key from the trusted responder cert if (signerCert != null) { // Check algorithm constraints specified in security property // "jdk.certpath.disabledAlgorithms". ! AlgorithmChecker.check(signerCert.getPublicKey(), sigAlgId); if (!verifySignature(signerCert)) { throw new CertPathValidatorException( "Error verifying OCSP Response's signature"); } --- 567,582 ---- // Confirm that the signed response was generated using the public // key from the trusted responder cert if (signerCert != null) { // Check algorithm constraints specified in security property // "jdk.certpath.disabledAlgorithms". ! if (algChecker == null) { ! algChecker = ! new AlgorithmChecker(issuerInfo.getAnchor(), date); ! algChecker.init(false); ! } ! algChecker.check(signerCert.getPublicKey(), sigAlgId); if (!verifySignature(signerCert)) { throw new CertPathValidatorException( "Error verifying OCSP Response's signature"); }
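Review bot: The block under `if (algChecker == null)` repeats the `new AlgorithmChecker(issuerInfo.getAnchor(), date)` and `algChecker.init(false)` pair from the hunk at 507, so the two copies can drift apart and apply different constraints to the signature algorithm depending on which trust branch was taken. A small private helper that returns the initialised checker would keep a single construction site. Failing that, a comment on the null case would help, for example `// null when the block at "Check algorithm constraints" above was skipped; build with the same anchor and date`. Which branches leave `algChecker` null is inferred, since the code between the hunks is not shown.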
*** 980,1016 **** } /** * Helper class that allows consumers to pass in issuer information. This * will always consist of the issuer's name and public key, but may also ! * contain a certificate if the originating data is in that form. */ static final class IssuerInfo { ! private final X509Certificate certificate; ! private final X500Principal name; ! private final PublicKey pubKey; ! ! IssuerInfo(X509Certificate issuerCert) { ! certificate = Objects.requireNonNull(issuerCert, ! "Constructor requires non-null certificate"); ! name = certificate.getSubjectX500Principal(); ! pubKey = certificate.getPublicKey(); ! } ! ! IssuerInfo(X500Principal subjectName, PublicKey key) { ! certificate = null; ! name = Objects.requireNonNull(subjectName, ! "Constructor requires non-null subject"); ! pubKey = Objects.requireNonNull(key, ! "Constructor requires non-null public key"); ! } IssuerInfo(TrustAnchor anchor) { ! certificate = anchor.getTrustedCert(); ! if (certificate != null) { ! name = certificate.getSubjectX500Principal(); ! pubKey = certificate.getPublicKey(); } else { name = anchor.getCA(); pubKey = anchor.getCAPublicKey(); } } --- 985,1022 ---- } /** * Helper class that allows consumers to pass in issuer information. This * will always consist of the issuer's name and public key, but may also ! * contain a certificate if the originating data is in that form. The ! * trust anchor for the certificate chain will be included for certpath ! * disabled algorithm checking. */ static final class IssuerInfo { ! private final TrustAnchor anchor; ! private X509Certificate certificate; ! private X500Principal name; ! private PublicKey pubKey; IssuerInfo(TrustAnchor anchor) { ! this.anchor = Objects.requireNonNull(anchor, ! "Constructor requires non-null anchor"); ! init(anchor.getTrustedCert()); ! } ! ! IssuerInfo(TrustAnchor anchor, X509Certificate issuerCert) { ! this.anchor = Objects.requireNonNull(anchor, ! "Constructor requires non-null anchor"); ! init(issuerCert); ! } ! ! 
/* Initialize Issuer Info */ ! private void init(X509Certificate issuerCert) { ! if (issuerCert != null) { ! name = issuerCert.getSubjectX500Principal(); ! pubKey = issuerCert.getPublicKey(); ! certificate = issuerCert; } else { name = anchor.getCA(); pubKey = anchor.getCAPublicKey(); } }
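Review bot: In `IssuerInfo(TrustAnchor anchor, X509Certificate issuerCert)` a null `issuerCert` goes straight to the `else` branch of `init`, which reads `anchor.getCA()` and `anchor.getCAPublicKey()`; both return null for an anchor that was created from a trusted certificate. That leaves `name` and `pubKey` null, which the removed constructors prevented with `Objects.requireNonNull`, and later comparisons against `issuerInfo.getName()` would fail or throw. The one-argument constructor avoids this by passing `anchor.getTrustedCert()`, so the two-argument one could do the same with `init(issuerCert != null ? issuerCert : anchor.getTrustedCert());`. The class body continues outside this hunk.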
*** 1045,1054 **** --- 1051,1075 ---- PublicKey getPublicKey() { return pubKey; } /** + * Get the TrustAnchor for the certificate chain. + * + * @return a {@code TrustAnchor}. + */ + TrustAnchor getAnchor() { + return anchor; + } + + void setIssuerCert(X509Certificate issuerCert) { + Objects.requireNonNull(issuerCert, + "setIssuerCert requires non-null issuerCert"); + init(issuerCert); + } + + /** * Create a string representation of this IssuerInfo. * * @return a {@code String} form of this IssuerInfo object. */ @Override
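Review bot: `setIssuerCert` has no Javadoc, unlike `getAnchor` directly above it, and it is the method that makes IssuerInfo mutable: it re-runs `init`, replacing `name`, `pubKey` and `certificate` after construction while `anchor` stays fixed. Because the verification code in the earlier hunks relies on `issuerInfo.getName()` and the anchor being consistent, the doc should state when callers may invoke it and that an instance must not be shared between validations while it is being changed. I would add a Javadoc block with a one-sentence summary, `@param issuerCert` and `@throws NullPointerException if issuerCert is null`.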