8068720: Better certificate options checking

Reviewed-by: mullan

8068720: Better certificate options checking
Reviewed-by: mullan
10819814 · igerasim · b4169827 · 10819814 · 10819814 · 10819814
4 changed file
--- a/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java
+++ b/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java
 /*
- * Copyright (c) 2002, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -541,10 +541,10 @@ public class DistributionPointFetcher {
                // set interim reasons mask to the intersection of
                // reasons in the DP and onlySomeReasons in the IDP
                boolean[] idpReasonFlags = reasons.getFlags();
-                for (int i = 0; i < idpReasonFlags.length; i++) {
+                for (int i = 0; i < interimReasonsMask.length; i++) {
-                    if (idpReasonFlags[i] && pointReasonFlags[i]) {
+                    interimReasonsMask[i] =
-                        interimReasonsMask[i] = true;
+                        (i < idpReasonFlags.length && idpReasonFlags[i]) &&
-                    }
+                        (i < pointReasonFlags.length && pointReasonFlags[i]);
                }
            } else {
                // set interim reasons mask to the value of
@@ -558,7 +558,6 @@ public class DistributionPointFetcher {
                interimReasonsMask = pointReasonFlags.clone();
            } else {
                // set interim reasons mask to the special value all-reasons
-                interimReasonsMask = new boolean[9];
                Arrays.fill(interimReasonsMask, true);
            }
        }
@@ -567,7 +566,9 @@ public class DistributionPointFetcher {
        // not included in the reasons mask
        boolean oneOrMore = false;
        for (int i = 0; i < interimReasonsMask.length && !oneOrMore; i++) {
-            if (!reasonsMask[i] && interimReasonsMask[i]) {
+            if (interimReasonsMask[i] &&
+                    !(i < reasonsMask.length && reasonsMask[i]))
+            {
                oneOrMore = true;
            }
        }
@@ -693,11 +694,11 @@ public class DistributionPointFetcher {
        }
        // update reasonsMask
-        for (int i = 0; i < interimReasonsMask.length; i++) {
+        for (int i = 0; i < reasonsMask.length; i++) {
-            if (!reasonsMask[i] && interimReasonsMask[i]) {
+            reasonsMask[i] = reasonsMask[i] ||
-                reasonsMask[i] = true;
+                    (i < interimReasonsMask.length && interimReasonsMask[i]);
-            }
        }
        return true;
    }

--- a/src/share/classes/sun/security/x509/KeyUsageExtension.java
+++ b/src/share/classes/sun/security/x509/KeyUsageExtension.java
 /*
- * Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -83,7 +83,8 @@ implements CertAttrSet<String> {
     * @param position the position in the bit string to check.
     */
    private boolean isSet(int position) {
-        return bitString[position];
+        return (position < bitString.length) &&
+                bitString[position];
    }
    /**
@@ -275,41 +276,40 @@ implements CertAttrSet<String> {
     * Returns a printable representation of the KeyUsage.
     */
    public String toString() {
-        String s = super.toString() + "KeyUsage [\n";
+        StringBuilder sb = new StringBuilder();
+        sb.append(super.toString());
+        sb.append("KeyUsage [\n");
-        try {
+        if (isSet(0)) {
-            if (isSet(0)) {
+            sb.append("  DigitalSignature\n");
-                s += "  DigitalSignature\n";
+        }
-            }
+        if (isSet(1)) {
-            if (isSet(1)) {
+            sb.append("  Non_repudiation\n");
-                s += "  Non_repudiation\n";
+        }
-            }
+        if (isSet(2)) {
-            if (isSet(2)) {
+            sb.append("  Key_Encipherment\n");
-                s += "  Key_Encipherment\n";
+        }
-            }
+        if (isSet(3)) {
-            if (isSet(3)) {
+            sb.append("  Data_Encipherment\n");
-                s += "  Data_Encipherment\n";
+        }
-            }
+        if (isSet(4)) {
-            if (isSet(4)) {
+            sb.append("  Key_Agreement\n");
-                s += "  Key_Agreement\n";
+        }
-            }
+        if (isSet(5)) {
-            if (isSet(5)) {
+            sb.append("  Key_CertSign\n");
-                s += "  Key_CertSign\n";
+        }
-            }
+        if (isSet(6)) {
-            if (isSet(6)) {
+            sb.append("  Crl_Sign\n");
-                s += "  Crl_Sign\n";
+        }
-            }
+        if (isSet(7)) {
-            if (isSet(7)) {
+            sb.append("  Encipher_Only\n");
-                s += "  Encipher_Only\n";
+        }
-            }
+        if (isSet(8)) {
-            if (isSet(8)) {
+            sb.append("  Decipher_Only\n");
-                s += "  Decipher_Only\n";
+        }
-            }
+        sb.append("]\n");
-        } catch (ArrayIndexOutOfBoundsException ex) {}
-        s += "]\n";
-        return (s);
+        return sb.toString();
    }
    /**

--- a/src/share/classes/sun/security/x509/NetscapeCertTypeExtension.java
+++ b/src/share/classes/sun/security/x509/NetscapeCertTypeExtension.java
 /*
- * Copyright (c) 1998, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1998, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -136,7 +136,8 @@ implements CertAttrSet<String> {
     * @param position the position in the bit string to check.
     */
    private boolean isSet(int position) {
-        return bitString[position];
+        return (position < bitString.length) &&
+                bitString[position];
    }
    /**
@@ -236,27 +237,34 @@ implements CertAttrSet<String> {
     * Returns a printable representation of the NetscapeCertType.
     */
    public String toString() {
-        String s = super.toString() + "NetscapeCertType [\n";
+        StringBuilder sb = new StringBuilder();
+        sb.append(super.toString());
+        sb.append("NetscapeCertType [\n");
-        try {
+        if (isSet(0)) {
-           if (isSet(getPosition(SSL_CLIENT)))
+            sb.append("   SSL client\n");
-               s += "   SSL client\n";
+        }
-           if (isSet(getPosition(SSL_SERVER)))
+        if (isSet(1)) {
-               s += "   SSL server\n";
+            sb.append("   SSL server\n");
-           if (isSet(getPosition(S_MIME)))
+        }
-               s += "   S/MIME\n";
+        if (isSet(2)) {
-           if (isSet(getPosition(OBJECT_SIGNING)))
+            sb.append("   S/MIME\n");
-               s += "   Object Signing\n";
+        }
-           if (isSet(getPosition(SSL_CA)))
+        if (isSet(3)) {
-               s += "   SSL CA\n";
+            sb.append("   Object Signing\n");
-           if (isSet(getPosition(S_MIME_CA)))
+        }
-               s += "   S/MIME CA\n";
+        if (isSet(5)) {
-           if (isSet(getPosition(OBJECT_SIGNING_CA)))
+            sb.append("   SSL CA\n");
-               s += "   Object Signing CA" ;
+        }
-        } catch (Exception e) { }
+        if (isSet(6)) {
+            sb.append("   S/MIME CA\n");
-        s += "]\n";
+        }
-        return (s);
+        if (isSet(7)) {
+            sb.append("   Object Signing CA");
+        }
+        sb.append("]\n");
+        return sb.toString();
    }
    /**

--- a/src/share/classes/sun/security/x509/ReasonFlags.java
+++ b/src/share/classes/sun/security/x509/ReasonFlags.java
 /*
- * Copyright (c) 1997, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -99,7 +99,8 @@ public class ReasonFlags {
     * @param position the position in the bit string to check.
     */
    private boolean isSet(int position) {
-        return bitString[position];
+        return (position < bitString.length) &&
+                bitString[position];
    }
    /**
@@ -199,23 +200,38 @@ public class ReasonFlags {
     * Returns a printable representation of the ReasonFlags.
     */
    public String toString() {
-        String s = "Reason Flags [\n";
+        StringBuilder sb = new StringBuilder("Reason Flags [\n");
-        try {
+        if (isSet(0)) {
-            if (isSet(0)) s += "  Unused\n";
+            sb.append("  Unused\n");
-            if (isSet(1)) s += "  Key Compromise\n";
+        }
-            if (isSet(2)) s += "  CA Compromise\n";
+        if (isSet(1)) {
-            if (isSet(3)) s += "  Affiliation_Changed\n";
+            sb.append("  Key Compromise\n");
-            if (isSet(4)) s += "  Superseded\n";
+        }
-            if (isSet(5)) s += "  Cessation Of Operation\n";
+        if (isSet(2)) {
-            if (isSet(6)) s += "  Certificate Hold\n";
+            sb.append("  CA Compromise\n");
-            if (isSet(7)) s += "  Privilege Withdrawn\n";
+        }
-            if (isSet(8)) s += "  AA Compromise\n";
+        if (isSet(3)) {
-        } catch (ArrayIndexOutOfBoundsException ex) {}
+            sb.append("  Affiliation_Changed\n");
+        }
-        s += "]\n";
+        if (isSet(4)) {
+            sb.append("  Superseded\n");
-        return (s);
+        }
+        if (isSet(5)) {
+            sb.append("  Cessation Of Operation\n");
+        }
+        if (isSet(6)) {
+            sb.append("  Certificate Hold\n");
+        }
+        if (isSet(7)) {
+            sb.append("  Privilege Withdrawn\n");
+        }
+        if (isSet(8)) {
+            sb.append("  AA Compromise\n");
+        }
+        sb.append("]\n");
+        return sb.toString();
    }
    /**