changeset 12578:92555c9dbdc2

8169072: Backout JDK-8154015 Reviewed-by: ascarpino, igerasim
author mullan
date Mon, 07 Nov 2016 07:19:52 -0500
parents 873727181734
children 5654d6d65902
files src/share/classes/sun/security/provider/certpath/AlgorithmChecker.java src/share/classes/sun/security/provider/certpath/PKIX.java src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java src/share/classes/sun/security/util/CertConstraintParameters.java src/share/classes/sun/security/util/DisabledAlgorithmConstraints.java src/share/classes/sun/security/validator/PKIXValidator.java src/share/classes/sun/security/validator/Validator.java
diffstat 7 files changed, 30 insertions(+), 93 deletions(-) [+]
line wrap: on
line diff
--- a/src/share/classes/sun/security/provider/certpath/AlgorithmChecker.java	Mon Oct 24 03:14:50 2016 -0700
+++ b/src/share/classes/sun/security/provider/certpath/AlgorithmChecker.java	Mon Nov 07 07:19:52 2016 -0500
@@ -27,7 +27,6 @@
 
 import java.security.AlgorithmConstraints;
 import java.security.CryptoPrimitive;
-import java.security.Timestamp;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.Date;
@@ -78,7 +77,6 @@
     private final PublicKey trustedPubKey;
     private final Date pkixdate;
     private PublicKey prevPubKey;
-    private final Timestamp jarTimestamp;
 
     private final static Set<CryptoPrimitive> SIGNATURE_PRIMITIVE_SET =
         Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE));
@@ -144,29 +142,6 @@
         this.trustedPubKey = null;
         this.constraints = constraints;
         this.pkixdate = null;
-        this.jarTimestamp = null;
-    }
-
-    /**
-     * Create a new {@code AlgorithmChecker} with the given
-     * {@code Timestamp}.
-     * <p>
-     * Note that this constructor will be used to check a certification
-     * path for signed JAR files that are timestamped.
-     *
-     * @param jarTimestamp Timestamp passed for JAR timestamp constraint
-     *                     checking. Set to null if not applicable.
-     */
-    public AlgorithmChecker(Timestamp jarTimestamp) {
-        this.prevPubKey = null;
-        this.trustedPubKey = null;
-        this.constraints = certPathDefaultConstraints;
-        if (jarTimestamp == null) {
-            throw new IllegalArgumentException(
-                    "Timestamp cannot be null");
-        }
-        this.pkixdate = jarTimestamp.getTimestamp();
-        this.jarTimestamp = jarTimestamp;
     }
 
     /**
@@ -204,7 +179,6 @@
         this.prevPubKey = trustedPubKey;
         this.constraints = constraints;
         this.pkixdate = pkixdate;
-        this.jarTimestamp = null;
     }
 
     /**
@@ -235,10 +209,6 @@
         return AnchorCertificates.contains(cert);
     }
 
-    Timestamp getJarTimestamp() {
-        return jarTimestamp;
-    }
-
     @Override
     public void init(boolean forward) throws CertPathValidatorException {
         //  Note that this class does not support forward mode.
@@ -326,7 +296,8 @@
         // permits() will throw exception on failure.
         certPathDefaultConstraints.permits(primitives,
                 new CertConstraintParameters((X509Certificate)cert,
-                        trustedMatch, pkixdate, jarTimestamp));
+                        trustedMatch, pkixdate));
+                // new CertConstraintParameters(x509Cert, trustedMatch));
         // If there is no previous key, set one and exit
         if (prevPubKey == null) {
             prevPubKey = currPubKey;
@@ -471,7 +442,7 @@
      * Check the signature algorithm with the specified public key.
      *
      * @param key the public key to verify the CRL signature
-     * @param algorithmId signature algorithm Algorithm ID
+     * @param crl the target CRL
      */
     static void check(PublicKey key, AlgorithmId algorithmId)
                         throws CertPathValidatorException {
--- a/src/share/classes/sun/security/provider/certpath/PKIX.java	Mon Oct 24 03:14:50 2016 -0700
+++ b/src/share/classes/sun/security/provider/certpath/PKIX.java	Mon Nov 07 07:19:52 2016 -0500
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -26,7 +26,6 @@
 
 import java.security.InvalidAlgorithmParameterException;
 import java.security.PublicKey;
-import java.security.Timestamp;
 import java.security.cert.*;
 import java.security.interfaces.DSAPublicKey;
 import java.util.*;
@@ -86,7 +85,6 @@
         private CertSelector constraints;
         private Set<TrustAnchor> anchors;
         private List<X509Certificate> certs;
-        private Timestamp timestamp;
 
         ValidatorParams(CertPath cp, PKIXParameters params)
             throws InvalidAlgorithmParameterException
@@ -102,10 +100,6 @@
         ValidatorParams(PKIXParameters params)
             throws InvalidAlgorithmParameterException
         {
-            if (params instanceof PKIXTimestampParameters) {
-                timestamp = ((PKIXTimestampParameters) params).getTimestamp();
-            }
-
             this.anchors = params.getTrustAnchors();
             // Make sure that none of the trust anchors include name constraints
             // (not supported).
@@ -195,10 +189,6 @@
         PKIXParameters getPKIXParameters() {
             return params;
         }
-
-        Timestamp timestamp() {
-            return timestamp;
-        }
     }
 
     static class BuilderParams extends ValidatorParams {
--- a/src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java	Mon Oct 24 03:14:50 2016 -0700
+++ b/src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java	Mon Nov 07 07:19:52 2016 -0500
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -172,11 +172,7 @@
         List<PKIXCertPathChecker> certPathCheckers = new ArrayList<>();
         // add standard checkers that we will be using
         certPathCheckers.add(untrustedChecker);
-        if (params.timestamp() == null) {
         certPathCheckers.add(new AlgorithmChecker(anchor, params.date()));
-        } else {
-            certPathCheckers.add(new AlgorithmChecker(params.timestamp()));
-        }
         certPathCheckers.add(new KeyChecker(certPathLen,
                                             params.targetCertConstraints()));
         certPathCheckers.add(new ConstraintsChecker(certPathLen));
@@ -193,14 +189,8 @@
                                              rootNode);
         certPathCheckers.add(pc);
         // default value for date is current time
-        BasicChecker bc;
-        if (params.timestamp() == null) {
-            bc = new BasicChecker(anchor, params.date(), params.sigProvider(),
-                    false);
-        } else {
-            bc = new BasicChecker(anchor, params.timestamp().getTimestamp(),
+        BasicChecker bc = new BasicChecker(anchor, params.date(),
                                            params.sigProvider(), false);
-        }
         certPathCheckers.add(bc);
 
         boolean revCheckerAdded = false;
--- a/src/share/classes/sun/security/util/CertConstraintParameters.java	Mon Oct 24 03:14:50 2016 -0700
+++ b/src/share/classes/sun/security/util/CertConstraintParameters.java	Mon Nov 07 07:19:52 2016 -0500
@@ -25,7 +25,6 @@
 
 package sun.security.util;
 
-import java.security.Timestamp;
 import java.security.cert.X509Certificate;
 import java.util.Date;
 
@@ -41,19 +40,16 @@
     private final boolean trustedMatch;
     // PKIXParameter date
     private final Date pkixDate;
-    // Timestamp of the signed JAR file
-    private final Timestamp jarTimestamp;
 
     public CertConstraintParameters(X509Certificate c, boolean match,
-            Date pkixdate, Timestamp jarTime) {
+            Date pkixdate) {
         cert = c;
         trustedMatch = match;
         pkixDate = pkixdate;
-        jarTimestamp = jarTime;
     }
 
     public CertConstraintParameters(X509Certificate c) {
-        this(c, false, null, null);
+        this(c, false, null);
     }
 
     // Returns if the trust anchor has a match if anchor checking is enabled.
@@ -69,8 +65,4 @@
         return pkixDate;
     }
 
-    public Timestamp getJARTimestamp() {
-        return jarTimestamp;
 }
-
-}
--- a/src/share/classes/sun/security/util/DisabledAlgorithmConstraints.java	Mon Oct 24 03:14:50 2016 -0700
+++ b/src/share/classes/sun/security/util/DisabledAlgorithmConstraints.java	Mon Nov 07 07:19:52 2016 -0500
@@ -606,9 +606,7 @@
                  throws CertPathValidatorException {
              Date currentDate;
 
-             if (cp.getJARTimestamp() != null) {
-                 currentDate = cp.getJARTimestamp().getTimestamp();
-             } else if (cp.getPKIXParamDate() != null) {
+             if (cp.getPKIXParamDate() != null) {
                  currentDate = cp.getPKIXParamDate();
              } else {
                  currentDate = new Date();
--- a/src/share/classes/sun/security/validator/PKIXValidator.java	Mon Oct 24 03:14:50 2016 -0700
+++ b/src/share/classes/sun/security/validator/PKIXValidator.java	Mon Nov 07 07:19:52 2016 -0500
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -33,7 +33,6 @@
 import javax.security.auth.x500.X500Principal;
 import sun.security.action.GetBooleanAction;
 import sun.security.provider.certpath.AlgorithmChecker;
-import sun.security.provider.certpath.PKIXTimestampParameters;
 
 /**
  * Validator implementation built on the PKIX CertPath API. This
@@ -209,23 +208,13 @@
                 ("null or zero-length certificate chain");
         }
 
-        // Check if 'parameter' affects 'pkixParameters'
-        PKIXBuilderParameters pkixParameters = null;
-        if (parameter instanceof Timestamp && plugin) {
-            try {
-                pkixParameters = new PKIXTimestampParameters(
-                        (PKIXBuilderParameters) parameterTemplate.clone(),
-                        (Timestamp) parameter);
-            } catch (InvalidAlgorithmParameterException e) {
-                // ignore exception
-            }
-        } else {
-            pkixParameters = (PKIXBuilderParameters) parameterTemplate.clone();
-        }
-
         // add  new algorithm constraints checker
+        PKIXBuilderParameters pkixParameters =
+                    (PKIXBuilderParameters) parameterTemplate.clone();
+        AlgorithmChecker algorithmChecker = null;
         if (constraints != null) {
-            pkixParameters.addCertPathChecker(new AlgorithmChecker(constraints));
+            algorithmChecker = new AlgorithmChecker(constraints);
+            pkixParameters.addCertPathChecker(algorithmChecker);
         }
 
         if (TRY_VALIDATOR) {
--- a/src/share/classes/sun/security/validator/Validator.java	Mon Oct 24 03:14:50 2016 -0700
+++ b/src/share/classes/sun/security/validator/Validator.java	Mon Nov 07 07:19:52 2016 -0500
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -219,7 +219,14 @@
      * Validate the given certificate chain. If otherCerts is non-null, it is
      * a Collection of additional X509Certificates that could be helpful for
      * path building.
-     *
+     * <p>
+     * Parameter is an additional parameter with variant specific meaning.
+     * Currently, it is only defined for TLS_SERVER variant validators, where
+     * it must be non null and the name of the TLS key exchange algorithm being
+     * used (see JSSE X509TrustManager specification). In the future, it
+     * could be used to pass in a PKCS#7 object for code signing to check time
+     * stamps.
+     * <p>
      * @return a non-empty chain that was used to validate the path. The
      * end entity cert is at index 0, the trust anchor at index n-1.
      */
@@ -237,12 +244,12 @@
      *        could be helpful for path building (or null)
      * @param constraints algorithm constraints for certification path
      *        processing
-     * @param parameter an additional parameter object to pass specific data.
-     *        This parameter object maybe one of the two below:
-     *        1) TLS_SERVER variant validators, where it must be non null and
-     *        the name of the TLS key exchange algorithm being used
-     *        (see JSSE X509TrustManager specification).
-     *        2) {@code Timestamp} object from a signed JAR file.
+     * @param parameter an additional parameter with variant specific meaning.
+     *        Currently, it is only defined for TLS_SERVER variant validators,
+     *        where it must be non null and the name of the TLS key exchange
+     *        algorithm being used (see JSSE X509TrustManager specification).
+     *        In the future, it could be used to pass in a PKCS#7 object for
+     *        code signing to check time stamps.
      * @return a non-empty chain that was used to validate the path. The
      *        end entity cert is at index 0, the trust anchor at index n-1.
      */