7197652: Impossible to run any signed JNLP applications or applets, OCSP off by default
Reviewed-by: mullan, valeriep, xuelei
--- a/src/share/classes/sun/security/provider/certpath/OCSPChecker.java Tue Dec 11 14:33:27 2012 -0500
+++ b/src/share/classes/sun/security/provider/certpath/OCSPChecker.java Thu Dec 13 15:25:23 2012 +0000
@@ -257,18 +257,21 @@ class OCSPChecker extends PKIXCertPathCh
}
}
- // Check that the key identifiers match
+ // Check that the key identifiers match, if both are present
+ byte[] anchorKeyId = null;
if (certIssuerKeyId != null &&
- !Arrays.equals(certIssuerKeyId, getKeyId(anchorCert))) {
-
- continue; // try next cert
- }
-
- if (DEBUG != null && certIssuerKeyId != null) {
- DEBUG.println("Issuer certificate key ID: " +
- String.format("0x%0" +
- (certIssuerKeyId.length * 2) + "x",
- new BigInteger(1, certIssuerKeyId)));
+ (anchorKeyId =
+ OCSPChecker.getKeyId(anchorCert)) != null) {
+ if (!Arrays.equals(certIssuerKeyId, anchorKeyId)) {
+ continue; // try next cert
+ }
+
+ if (DEBUG != null) {
+ DEBUG.println("Issuer certificate key ID: " +
+ String.format("0x%0" +
+ (certIssuerKeyId.length * 2) + "x",
+ new BigInteger(1, certIssuerKeyId)));
+ }
}
issuerCert = anchorCert;
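Review bot: The assignment buried in the condition at L22-L23 (`(anchorKeyId = OCSPChecker.getKeyId(anchorCert)) != null`) hides the call that decides whether the comparison runs at all; the same shape appears in OCSPResponse.java at L76-L77. Reading is easier with the lookup on its own line, `byte[] anchorKeyId = OCSPChecker.getKeyId(anchorCert);` followed by `if (certIssuerKeyId != null && anchorKeyId != null) {` — this does call getKeyId even when certIssuerKeyId is null, which the removed code avoided, so keep the current form if that lookup is not cheap. Separately, when either identifier is absent the loop now falls straight through to `issuerCert = anchorCert;` with no trace, whereas the OCSPResponse hunk logs the missing-AKID case; a matching `DEBUG.println("Key identifier missing on anchor or issuer; skipping key ID comparison");` in an `else` branch would keep the two sites consistent. The enclosing loop and method start outside this hunk.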
--- a/src/share/classes/sun/security/provider/certpath/OCSPResponse.java Tue Dec 11 14:33:27 2012 -0500
+++ b/src/share/classes/sun/security/provider/certpath/OCSPResponse.java Thu Dec 13 15:25:23 2012 +0000
@@ -264,6 +264,7 @@ public final class OCSPResponse {
DEBUG.println("OCSP Responder name: " + responderName);
}
} else if (tag == KEY_TAG) {
+ seq = seq.data.getDerValue(); // consume tag and length
if (DEBUG != null) {
byte[] responderKeyId = seq.getOctetString();
DEBUG.println("OCSP Responder key ID: " +
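Review bot: The comment on the new line, `// consume tag and length`, says what the call does but not why it is needed only on this branch; the reason is that the byKey [2] choice of ResponderID is explicitly tagged, so the KeyHash OCTET STRING sits one level below the tag that `tag == KEY_TAG` just matched. A comment such as `// byKey [2] is EXPLICIT: unwrap it so the KeyHash OCTET STRING is the next value` would spare the next reader the lookup. Note also that `responderKeyId` is read only inside the `DEBUG != null` branch, so whether the key hash is retained for matching the responder certificate cannot be seen from this hunk; the enclosing method continues outside it.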
@@ -392,21 +393,29 @@ public final class OCSPResponse {
// Retrieve the issuer's key identifier
if (certIssuerKeyId == null) {
certIssuerKeyId = signerCert.getIssuerKeyIdentifier();
- }
-
- // Check that the key identifiers match
- if (certIssuerKeyId == null ||
- !Arrays.equals(certIssuerKeyId,
- OCSPChecker.getKeyId(responderCert))) {
-
- continue; // try next cert
- }
-
- if (DEBUG != null) {
- DEBUG.println("Issuer certificate key ID: " +
- String.format("0x%0" +
- (certIssuerKeyId.length * 2) + "x",
- new BigInteger(1, certIssuerKeyId)));
+ if (certIssuerKeyId == null) {
+ if (DEBUG != null) {
+ DEBUG.println("No issuer key identifier (AKID) "
+ + "in the signer certificate");
+ }
+ }
+ }
+
+ // Check that the key identifiers match, if both are present
+ byte[] responderKeyId = null;
+ if (certIssuerKeyId != null &&
+ (responderKeyId =
+ OCSPChecker.getKeyId(responderCert)) != null) {
+ if (!Arrays.equals(certIssuerKeyId, responderKeyId)) {
+ continue; // try next cert
+ }
+
+ if (DEBUG != null) {
+ DEBUG.println("Issuer certificate key ID: " +
+ String.format("0x%0" +
+ (certIssuerKeyId.length * 2) + "x",
+ new BigInteger(1, certIssuerKeyId)));
+ }
}
// Check for the OCSPSigning key purpose
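Review bot: A signer certificate with no AKID, or a responder certificate with no SKID, is no longer skipped by `continue` at L79 but proceeds to the OCSPSigning-purpose check and whatever follows, so the key-identifier comparison has changed from a rejection criterion into a selection hint; the comment at L73 should say so, because the security of this loop then rests on the later checks. Presumably the responder signature verification further down is the authoritative binding — if so, a comment such as `// Key identifiers are only a hint for picking the signer; a missing AKID or SKID must not reject the candidate, the signature check below is authoritative` states the contract the new code relies on. As a point of style, the nested `if (certIssuerKeyId == null) { if (DEBUG != null) { … } }` at L65-L70 can be a single `if (certIssuerKeyId == null && DEBUG != null) {`. The enclosing loop starts before this hunk and its signature verification, if any, lies after it.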
@@ -441,7 +450,7 @@ public final class OCSPResponse {
} catch (GeneralSecurityException e) {
if (DEBUG != null) {
DEBUG.println("Responder's certificate not within" +
- " the validity period" + e);
+ " the validity period " + e);
}
continue; // try next cert
}