--- old/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java 2017-03-15 20:11:36.591639329 -0700
+++ new/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java 2017-03-15 20:11:36.479639332 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -33,6 +33,7 @@
 import java.util.*;
 import sun.security.util.Debug;
+import sun.security.validator.Validator;
 import static sun.security.x509.PKIXExtensions.*;
 import sun.security.x509.*;
@@ -66,6 +67,20 @@
  * an X509CRLSelector with certificateChecking set.
  */
 public static Collection getCRLs(X509CRLSelector selector,
+ boolean signFlag, PublicKey prevKey, String provider,
+ List certStores, boolean[] reasonsMask,
+ Set trustAnchors, Date validity, String variant)
+ throws CertStoreException
+ {
+ return getCRLs(selector, signFlag, prevKey, null, provider, certStores,
+ reasonsMask, trustAnchors, validity, variant);
+ }
+ /**
+ * Return the X509CRLs matching this selector. The selector must be
+ * an X509CRLSelector with certificateChecking set.
+ */
+ // Called by com.sun.deploy.security.RevocationChecker
+ public static Collection getCRLs(X509CRLSelector selector,
 boolean signFlag,
 PublicKey prevKey,
 String provider,
@@ -76,7 +91,7 @@
 throws CertStoreException
 {
 return getCRLs(selector, signFlag, prevKey, null, provider, certStores,
- reasonsMask, trustAnchors, validity);
+ reasonsMask, trustAnchors, validity, Validator.VAR_GENERIC);
 }
 /**
@@ -91,7 +106,8 @@
 List certStores,
 boolean[] reasonsMask,
 Set trustAnchors,
- Date validity)
+ Date validity,
+ String variant)
 throws CertStoreException
 {
 X509Certificate cert = selector.getCertificateChecking();
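Review bot: The `variant` parameter introduced on the new public `getCRLs` overload in the @@ -66,6 +67,20 @@ hunk is not described by either Javadoc, and the private overload in the @@ -91,7 +106,8 @@ hunk is equally silent; the value is threaded down to `AlgorithmChecker.check(prevKey, crl, variant)`, which presumably selects the algorithm constraints applied to the CRL signature, so a caller has to read that far to learn what to pass. I would add `@param variant the validator variant ({@code Validator.VAR_*}) under which the CRL signature algorithm is checked` to the Javadoc of the new overload and, on the retained overload, extend the existing comment to `// Called by com.sun.deploy.security.RevocationChecker; checks CRLs under Validator.VAR_GENERIC` so it is explicit that those callers get the generic constraints rather than the variant of the chain they are validating. Neither entry point rejects a null `variant`; if `AlgorithmChecker.check` cannot handle null, an `Objects.requireNonNull(variant, "variant")` at the public overload would turn a deep failure into an early one, but that depends on code outside this diff.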
@@ -120,7 +136,7 @@
 DistributionPoint point = t.next();
 Collection crls = getCRLs(selector, certImpl, point, reasonsMask, signFlag, prevKey, prevCert, provider,
- certStores, trustAnchors, validity);
+ certStores, trustAnchors, validity, variant);
 results.addAll(crls);
 }
 if (debug != null) {
@@ -145,7 +161,7 @@
 X509CertImpl certImpl, DistributionPoint point, boolean[] reasonsMask, boolean signFlag, PublicKey prevKey, X509Certificate prevCert, String provider, List certStores,
- Set trustAnchors, Date validity)
+ Set trustAnchors, Date validity, String variant)
 throws CertStoreException
 {
 // check for full name
@@ -208,7 +224,7 @@
 selector.setIssuerNames(null);
 if (selector.match(crl) && verifyCRL(certImpl, point, crl, reasonsMask, signFlag, prevKey, prevCert, provider,
- trustAnchors, certStores, validity)) {
+ trustAnchors, certStores, validity, variant)) {
 crls.add(crl);
 }
 } catch (IOException | CRLException e) {
@@ -317,7 +333,7 @@
 X509CRL crl, boolean[] reasonsMask, boolean signFlag, PublicKey prevKey, X509Certificate prevCert, String provider, Set trustAnchors, List certStores,
- Date validity) throws CRLException, IOException {
+ Date validity, String variant) throws CRLException, IOException {
 if (debug != null) {
 debug.println("DistributionPointFetcher.verifyCRL: " +
@@ -443,7 +459,7 @@
 }
 if (indirectCRL) {
 if (pointCrlIssuers.size() != 1) {
- // RFC 3280: there must be only 1 CRL issuer
+ // RFC 5280: there must be only 1 CRL issuer
 // name when relativeName is present
 if (debug != null) {
 debug.println("must only be one CRL " +
@@ -664,7 +680,7 @@
 // check the crl signature algorithm
 try {
- AlgorithmChecker.check(prevKey, crl);
+ AlgorithmChecker.check(prevKey, crl, variant);
 } catch (CertPathValidatorException cpve) {
 if (debug != null) {
 debug.println("CRL signature algorithm check failed: " + cpve);
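Review bot: The debug line in the catch block of the @@ -664,7 +680,7 @@ hunk does not record the variant that was in force, although the check on the preceding added line now depends on it; a CRL rejected under one variant and accepted under another would produce identical diagnostics. I would make it `debug.println("CRL signature algorithm check failed for variant " + variant + ": " + cpve);` (the message is only emitted when `debug != null`, so nothing changes for production logging). The enclosing `verifyCRL` begins outside this hunk, at the signature changed in the @@ -317,7 +333,7 @@ hunk, where `variant` was added to its parameter list.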