changeset 5568:0d383753b6a0

7197652: Impossible to run any signed JNLP applications or applets, OCSP off by default Reviewed-by: mullan, valeriep, xuelei
author vinnie
date Tue, 02 Oct 2012 12:14:45 +0100
parents b43b874ea9ee
children 6bd9cb9e37a4
files src/share/classes/sun/security/provider/certpath/OCSPChecker.java src/share/classes/sun/security/provider/certpath/OCSPResponse.java
diffstat 2 files changed, 36 insertions(+), 28 deletions(-) [+]
--- a/src/share/classes/sun/security/provider/certpath/OCSPChecker.java	Wed Jul 25 05:12:10 2012 +0100
+++ b/src/share/classes/sun/security/provider/certpath/OCSPChecker.java	Tue Oct 02 12:14:45 2012 +0100
@@ -257,18 +257,21 @@
                         }
                     }
 
-                    // Check that the key identifiers match
+                    // Check that the key identifiers match, if both are present
+                    byte[] anchorKeyId = null;
                     if (certIssuerKeyId != null &&
-                        !Arrays.equals(certIssuerKeyId, getKeyId(anchorCert))) {
+                        (anchorKeyId =
+                            OCSPChecker.getKeyId(anchorCert)) != null) {
+                        if (!Arrays.equals(certIssuerKeyId, anchorKeyId)) {
+                            continue; // try next cert
+                        }
 
-                        continue; // try next cert
-                    }
-
-                    if (DEBUG != null && certIssuerKeyId != null) {
-                        DEBUG.println("Issuer certificate key ID: " +
-                            String.format("0x%0" +
-                                (certIssuerKeyId.length * 2) + "x",
-                                    new BigInteger(1, certIssuerKeyId)));
+                        if (DEBUG != null) {
+                            DEBUG.println("Issuer certificate key ID: " +
+                                String.format("0x%0" +
+                                    (certIssuerKeyId.length * 2) + "x",
+                                        new BigInteger(1, certIssuerKeyId)));
+                        }
                     }
 
                     issuerCert = anchorCert;
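Review bot: When either key identifier is absent the new condition at the top of the hunk falls straight through to `issuerCert = anchorCert` with no DEBUG trace that the key-ID comparison was skipped, so a path accepted on whatever earlier match the loop performs (presumably issuer name, outside this hunk) is indistinguishable in the log from one whose identifiers matched; the OCSPResponse.java hunk at @@ -392 has the same gap for `responderKeyId`. An `else if (DEBUG != null) { DEBUG.println("Key identifier check skipped: issuer or anchor key ID absent"); }` after the new block would make that visible. The assignment inside the condition, `(anchorKeyId = OCSPChecker.getKeyId(anchorCert)) != null`, also reads more clearly as a plain `byte[] anchorKeyId = OCSPChecker.getKeyId(anchorCert);` before the `if`. The enclosing loop and method start before this hunk.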
--- a/src/share/classes/sun/security/provider/certpath/OCSPResponse.java	Wed Jul 25 05:12:10 2012 +0100
+++ b/src/share/classes/sun/security/provider/certpath/OCSPResponse.java	Tue Oct 02 12:14:45 2012 +0100
@@ -264,6 +264,7 @@
                 DEBUG.println("OCSP Responder name: " + responderName);
             }
         } else if (tag == KEY_TAG) {
+            seq = seq.data.getDerValue(); // consume tag and length
             if (DEBUG != null) {
                 byte[] responderKeyId = seq.getOctetString();
                 DEBUG.println("OCSP Responder key ID: " +
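Review bot: After the added `seq = seq.data.getDerValue();` the responder key identifier is still decoded only inside the `if (DEBUG != null)` block, so a malformed KEY_TAG value throws while debugging but is silently accepted in normal operation, and as far as this hunk shows the value is not used for anything else in this branch. Moving `byte[] responderKeyId = seq.getOctetString();` above the DEBUG check would at least make the parsing behaviour identical in both modes. The enclosing method continues outside the hunk.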
@@ -392,21 +393,29 @@
                     // Retrieve the issuer's key identifier
                     if (certIssuerKeyId == null) {
                         certIssuerKeyId = signerCert.getIssuerKeyIdentifier();
+                        if (certIssuerKeyId == null) {
+                            if (DEBUG != null) {
+                                DEBUG.println("No issuer key identifier (AKID) "
+                                    + "in the signer certificate");
+                            }
+                        }
                     }
 
-                    // Check that the key identifiers match
-                    if (certIssuerKeyId == null ||
-                        !Arrays.equals(certIssuerKeyId,
-                            OCSPChecker.getKeyId(responderCert))) {
+                    // Check that the key identifiers match, if both are present
+                    byte[] responderKeyId = null;
+                    if (certIssuerKeyId != null &&
+                        (responderKeyId =
+                            OCSPChecker.getKeyId(responderCert)) != null) {
+                        if (!Arrays.equals(certIssuerKeyId, responderKeyId)) {
+                            continue; // try next cert
+                        }
 
-                        continue; // try next cert
-                    }
-
-                    if (DEBUG != null) {
-                        DEBUG.println("Issuer certificate key ID: " +
-                            String.format("0x%0" +
-                                (certIssuerKeyId.length * 2) + "x",
-                                    new BigInteger(1, certIssuerKeyId)));
+                        if (DEBUG != null) {
+                            DEBUG.println("Issuer certificate key ID: " +
+                                String.format("0x%0" +
+                                    (certIssuerKeyId.length * 2) + "x",
+                                        new BigInteger(1, certIssuerKeyId)));
+                        }
                     }
 
                     // Check for the OCSPSigning key purpose
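Review bot: The two nested conditionals added at the top of the hunk, `if (certIssuerKeyId == null) { if (DEBUG != null) { ... } }`, do nothing but print, so they collapse to a single `if (certIssuerKeyId == null && DEBUG != null) {` without changing behaviour. The inner block's indentation then drops one level and the message lines up with the other DEBUG traces in the loop. The enclosing loop starts before this hunk and continues after it.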
@@ -433,15 +442,11 @@
 
                     // Check the date validity
                     try {
-                        if (dateCheckedAgainst == null) {
-                            signerCert.checkValidity();
-                        } else {
-                            signerCert.checkValidity(dateCheckedAgainst);
-                        }
+                        signerCert.checkValidity();
                     } catch (GeneralSecurityException e) {
                         if (DEBUG != null) {
                             DEBUG.println("Responder's certificate not within" +
-                            " the validity period" + e);
+                            " the validity period " + e);
                         }
                         continue; // try next cert
                     }