423 x509Certs[i++] = (X509Certificate)cf.generateCertificate(
424 new ByteArrayInputStream(encodedCert));
425 }
426 } catch (CertificateException ce) {
427 chc.conContext.fatal(Alert.BAD_CERTIFICATE,
428 "Failed to parse server certificates", ce);
429 }
430
431 // Allow server certificate change in client side during
432 // renegotiation after a session-resumption abbreviated
433 // initial handshake?
434 //
435 // DO NOT need to check allowUnsafeServerCertChange here. We only
436 // reserve server certificates when allowUnsafeServerCertChange is
437 // false.
438 if (chc.reservedServerCerts != null &&
439 !chc.handshakeSession.useExtendedMasterSecret) {
440 // It is not necessary to check the certificate update if
441 // endpoint identification is enabled.
442 String identityAlg = chc.sslConfig.identificationProtocol;
443 if ((identityAlg == null || identityAlg.length() == 0) &&
444 !isIdentityEquivalent(x509Certs[0],
445 chc.reservedServerCerts[0])) {
446 chc.conContext.fatal(Alert.BAD_CERTIFICATE,
447 "server certificate change is restricted " +
448 "during renegotiation");
449 }
450 }
451
452 // ask the trust manager to verify the chain
453 if (chc.staplingActive) {
454 // Defer the certificate check until after we've received the
455 // CertificateStatus message. If that message doesn't come in
456 // immediately following this message we will execute the
457 // check from CertificateStatus' absent handler.
458 chc.deferredCerts = x509Certs;
459 } else {
460 // We're not doing stapling, so perform the check right now
461 checkServerCerts(chc, x509Certs);
462 }
463
|
423 x509Certs[i++] = (X509Certificate)cf.generateCertificate(
424 new ByteArrayInputStream(encodedCert));
425 }
426 } catch (CertificateException ce) {
427 chc.conContext.fatal(Alert.BAD_CERTIFICATE,
428 "Failed to parse server certificates", ce);
429 }
430
431 // Allow server certificate change in client side during
432 // renegotiation after a session-resumption abbreviated
433 // initial handshake?
434 //
435 // DO NOT need to check allowUnsafeServerCertChange here. We only
436 // reserve server certificates when allowUnsafeServerCertChange is
437 // false.
438 if (chc.reservedServerCerts != null &&
439 !chc.handshakeSession.useExtendedMasterSecret) {
440 // It is not necessary to check the certificate update if
441 // endpoint identification is enabled.
442 String identityAlg = chc.sslConfig.identificationProtocol;
443 if ((identityAlg == null || identityAlg.isEmpty()) &&
444 !isIdentityEquivalent(x509Certs[0],
445 chc.reservedServerCerts[0])) {
446 chc.conContext.fatal(Alert.BAD_CERTIFICATE,
447 "server certificate change is restricted " +
448 "during renegotiation");
449 }
450 }
451
452 // ask the trust manager to verify the chain
453 if (chc.staplingActive) {
454 // Defer the certificate check until after we've received the
455 // CertificateStatus message. If that message doesn't come in
456 // immediately following this message we will execute the
457 // check from CertificateStatus' absent handler.
458 chc.deferredCerts = x509Certs;
459 } else {
460 // We're not doing stapling, so perform the check right now
461 checkServerCerts(chc, x509Certs);
462 }
463
|