src/java.base/share/classes/sun/security/validator/EndEntityChecker.java


        

@@ -1,7 +1,7 @@
 /*
- * Copyright (c) 2002, 2008, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License version 2 only, as
  * published by the Free Software Foundation.  Oracle designates this

@@ -121,25 +121,30 @@
     private final String variant;
 
     // type of the validator this checker belongs to
     private final String type;
 
+    // the end entity certificate's extensions
+    private Set<String> exts;
+
     private EndEntityChecker(String type, String variant) {
         this.type = type;
         this.variant = variant;
     }
 
     static EndEntityChecker getInstance(String type, String variant) {
         return new EndEntityChecker(type, variant);
     }
 
-    void check(X509Certificate cert, Object parameter)
-            throws CertificateException {
+    void check(X509Certificate cert, Object parameter,
+            boolean checkExtraExtensions) throws CertificateException {
         if (variant.equals(Validator.VAR_GENERIC)) {
-            // no checks
-            return;
-        } else if (variant.equals(Validator.VAR_TLS_SERVER)) {
+            return; // no checks
+        }
+
+        exts = getCriticalExtensions(cert);
+        if (variant.equals(Validator.VAR_TLS_SERVER)) {
             checkTLSServer(cert, (String)parameter);
         } else if (variant.equals(Validator.VAR_TLS_CLIENT)) {
             checkTLSClient(cert);
         } else if (variant.equals(Validator.VAR_CODE_SIGNING)) {
             checkCodeSigning(cert);
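Review bot: Keeping the critical-extension set in the new instance field `exts` (the added `private Set<String> exts;` and `exts = getCriticalExtensions(cert);`) makes `check()` non-reentrant: two threads calling `check()` on the same EndEntityChecker overwrite each other's set, so the helpers and the later `checkRemainingExtensions(exts)` in the next hunk may remove or test extensions belonging to the other thread's certificate, and the field also keeps the last certificate's extension set alive after `check()` returns. Whether an instance is shared across threads is not visible here, but the old code was safe regardless because each helper built its own local set, and the hunks in checkTLSClient, checkTLSServer, checkCodeSigning and checkTSAServer remove exactly that local. Keeping `exts` a local of `check()` and passing it to each helper (`checkTLSServer(cert, (String)parameter, exts)`, `checkTLSClient(cert, exts)`, and so on, with a `Set<String> exts` parameter added to each helper) preserves the new behaviour without the shared state. The new `checkExtraExtensions` parameter also has no Javadoc; a line such as `@param checkExtraExtensions if true, reject critical extensions left unrecognized after the variant-specific checks` would help callers. `check()` continues in the following hunk.
```java
    void check(X509Certificate cert, Object parameter,
            boolean checkExtraExtensions) throws CertificateException {
        if (variant.equals(Validator.VAR_GENERIC)) {
            return; // no checks
        }

        // local rather than a field, so concurrent check() calls on one
        // instance cannot see each other's extension set
        Set<String> exts = getCriticalExtensions(cert);
        if (variant.equals(Validator.VAR_TLS_SERVER)) {
            checkTLSServer(cert, (String)parameter, exts);
        } else if (variant.equals(Validator.VAR_TLS_CLIENT)) {
            checkTLSClient(cert, exts);
        // … unchanged: remaining variant dispatch, each helper given exts …
```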

@@ -150,10 +155,15 @@
         } else if (variant.equals(Validator.VAR_TSA_SERVER)) {
             checkTSAServer(cert);
         } else {
             throw new CertificateException("Unknown variant: " + variant);
         }
+
+        // if neither VAR_GENERIC variant nor unknown variant
+        if (checkExtraExtensions) {
+            checkRemainingExtensions(exts);
+        }
     }
 
     /**
      * Utility method returning the Set of critical extensions for
      * certificate cert (never null).

@@ -219,12 +229,10 @@
      * authentication.
      * @throws CertificateException if not.
      */
     private void checkTLSClient(X509Certificate cert)
             throws CertificateException {
-        Set<String> exts = getCriticalExtensions(cert);
-
         if (checkKeyUsage(cert, KU_SIGNATURE) == false) {
             throw new ValidatorException
                 ("KeyUsage does not allow digital signatures",
                 ValidatorException.T_EE_EXTENSIONS, cert);
         }

@@ -243,24 +251,20 @@
 
         // remove extensions we checked
         exts.remove(SimpleValidator.OID_KEY_USAGE);
         exts.remove(SimpleValidator.OID_EXTENDED_KEY_USAGE);
         exts.remove(SimpleValidator.OID_NETSCAPE_CERT_TYPE);
-
-        checkRemainingExtensions(exts);
     }
 
     /**
      * Check whether this certificate can be used for TLS server authentication
      * using the specified authentication type parameter. See X509TrustManager
      * specification for details.
      * @throws CertificateException if not.
      */
     private void checkTLSServer(X509Certificate cert, String parameter)
             throws CertificateException {
-        Set<String> exts = getCriticalExtensions(cert);
-
         if (KU_SERVER_ENCRYPTION.contains(parameter)) {
             if (checkKeyUsage(cert, KU_KEY_ENCIPHERMENT) == false) {
                 throw new ValidatorException
                         ("KeyUsage does not allow key encipherment",
                         ValidatorException.T_EE_EXTENSIONS, cert);

@@ -301,22 +305,18 @@
 
         // remove extensions we checked
         exts.remove(SimpleValidator.OID_KEY_USAGE);
         exts.remove(SimpleValidator.OID_EXTENDED_KEY_USAGE);
         exts.remove(SimpleValidator.OID_NETSCAPE_CERT_TYPE);
-
-        checkRemainingExtensions(exts);
     }
 
     /**
      * Check whether this certificate can be used for code signing.
      * @throws CertificateException if not.
      */
     private void checkCodeSigning(X509Certificate cert)
             throws CertificateException {
-        Set<String> exts = getCriticalExtensions(cert);
-
         if (checkKeyUsage(cert, KU_SIGNATURE) == false) {
             throw new ValidatorException
                 ("KeyUsage does not allow digital signatures",
                 ValidatorException.T_EE_EXTENSIONS, cert);
         }

@@ -339,23 +339,19 @@
         }
 
         // remove extensions we checked
         exts.remove(SimpleValidator.OID_KEY_USAGE);
         exts.remove(SimpleValidator.OID_EXTENDED_KEY_USAGE);
-
-        checkRemainingExtensions(exts);
     }
 
     /**
      * Check whether this certificate can be used by a time stamping authority
      * server (see RFC 3161, section 2.3).
      * @throws CertificateException if not.
      */
     private void checkTSAServer(X509Certificate cert)
             throws CertificateException {
-        Set<String> exts = getCriticalExtensions(cert);
-
         if (checkKeyUsage(cert, KU_SIGNATURE) == false) {
             throw new ValidatorException
                 ("KeyUsage does not allow digital signatures",
                 ValidatorException.T_EE_EXTENSIONS, cert);
         }

@@ -374,9 +370,7 @@
         }
 
         // remove extensions we checked
         exts.remove(SimpleValidator.OID_KEY_USAGE);
         exts.remove(SimpleValidator.OID_EXTENDED_KEY_USAGE);
-
-        checkRemainingExtensions(exts);
     }
 }