--- old/src/share/classes/sun/security/pkcs/SignerInfo.java 2017-03-15 20:11:35.783639351 -0700
+++ new/src/share/classes/sun/security/pkcs/SignerInfo.java 2017-03-15 20:11:35.651639354 -0700
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -37,6 +37,7 @@
import java.security.Signature;
import java.security.SignatureException;
import java.security.Timestamp;
+import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertPath;
@@ -49,6 +50,7 @@
import sun.misc.HexDumpEncoder;
import sun.security.timestamp.TimestampToken;
+import sun.security.util.ConstraintsParameters;
import sun.security.util.Debug;
import sun.security.util.DerEncoder;
import sun.security.util.DerInputStream;
@@ -209,7 +211,7 @@
/**
* DER encode this object onto an output stream.
- * Implements the DerEncoder
interface.
+ * Implements the {@code DerEncoder} interface.
*
* @param out
* the output stream on which to write the DER encoding.
@@ -266,7 +268,7 @@
if (userCert == null)
return null;
- ArrayList certList = new ArrayList();
+ ArrayList certList = new ArrayList<>();
certList.add(userCert);
X509Certificate[] pkcsCerts = block.getCertificates();
@@ -321,6 +323,8 @@
data = content.getContentBytes();
}
+ ConstraintsParameters cparams =
+ new ConstraintsParameters(timestamp);
String digestAlgname = getDigestAlgorithmId().getName();
byte[] dataSigned;
@@ -347,11 +351,11 @@
if (messageDigest == null) // fail if there is no message digest
return null;
- // check that algorithm is not restricted
- if (!JAR_DISABLED_CHECK.permits(DIGEST_PRIMITIVE_SET,
- digestAlgname, null)) {
- throw new SignatureException("Digest check failed. " +
- "Disabled algorithm used: " + digestAlgname);
+ // check that digest algorithm is not restricted
+ try {
+ JAR_DISABLED_CHECK.permits(digestAlgname, cparams);
+ } catch (CertPathValidatorException e) {
+ throw new SignatureException(e.getMessage(), e);
}
MessageDigest md = MessageDigest.getInstance(digestAlgname);
@@ -385,17 +389,18 @@
String algname = AlgorithmId.makeSigAlg(
digestAlgname, encryptionAlgname);
- // check that algorithm is not restricted
- if (!JAR_DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, algname, null)) {
- throw new SignatureException("Signature check failed. " +
- "Disabled algorithm used: " + algname);
+ // check that jar signature algorithm is not restricted
+ try {
+ JAR_DISABLED_CHECK.permits(algname, cparams);
+ } catch (CertPathValidatorException e) {
+ throw new SignatureException(e.getMessage(), e);
}
X509Certificate cert = getCertificate(block);
- PublicKey key = cert.getPublicKey();
if (cert == null) {
return null;
}
+ PublicKey key = cert.getPublicKey();
// check if the public key is restricted
if (!JAR_DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
@@ -519,7 +524,7 @@
* Extracts a timestamp from a PKCS7 SignerInfo.
*
* Examines the signer's unsigned attributes for a
- * signatureTimestampToken attribute. If present,
+ * {@code signatureTimestampToken} attribute. If present,
* then it is parsed to extract the date and time at which the
* timestamp was generated.
*