openanolis / dragonwell8_jdk
Commit a8cf9e67
Authored on Jun 07, 2017
Author: igerasim
8178714: PKIX validator nameConstraints check failing after change 8175940
Reviewed-by: mullan, ahgross
Parent: bfb894e1
Changes: 2
Showing 2 changed files with 81 additions and 76 deletions (+81 -76)
src/share/classes/sun/security/x509/DNSName.java (+25 -39)
src/share/classes/sun/security/x509/NameConstraintsExtension.java (+56 -37)
src/share/classes/sun/security/x509/DNSName.java
/*
* Copyright (c) 1997, 201
7
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1997, 201
1
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
...
...
@@ -194,28 +194,13 @@ public class DNSName implements GeneralNameInterface {
*/
public
int
constrains
(
GeneralNameInterface
inputName
)
throws
UnsupportedOperationException
{
int
constraintType
;
if
(
inputName
==
null
)
{
return
NAME_DIFF_TYPE
;
}
String
inName
;
switch
(
inputName
.
getType
())
{
case
NAME_DNS:
inName
=
((
DNSName
)
inputName
).
getName
();
break
;
case
NAME_DIRECTORY:
try
{
inName
=
((
X500Name
)
inputName
).
getCommonName
();
if
(
inName
==
null
)
{
return
NAME_DIFF_TYPE
;
}
}
catch
(
IOException
ioe
)
{
return
NAME_DIFF_TYPE
;
}
break
;
default
:
return
NAME_DIFF_TYPE
;
}
inName
=
inName
.
toLowerCase
(
Locale
.
ENGLISH
);
if
(
inputName
==
null
)
constraintType
=
NAME_DIFF_TYPE
;
else
if
(
inputName
.
getType
()
!=
NAME_DNS
)
constraintType
=
NAME_DIFF_TYPE
;
else
{
String
inName
=
(((
DNSName
)
inputName
).
getName
()).
toLowerCase
(
Locale
.
ENGLISH
);
String
thisName
=
name
.
toLowerCase
(
Locale
.
ENGLISH
);
if
(
inName
.
equals
(
thisName
))
constraintType
=
NAME_MATCH
;
...
...
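Review bot: Dropping the `case NAME_DIRECTORY:` branch is the actual fix in this hunk: with it, a DNSName constraint answered for an X500Name input by pulling out the subject's common name and running it through the same comparison as a real dNSName, so a subject whose CN was not a host name under the constraint fell through to `constraintType = NAME_SAME_TYPE` instead of `NAME_DIFF_TYPE`, which is how an ordinary certificate could fail the name constraints check described in the commit message. The restored `else if (inputName.getType() != NAME_DNS) constraintType = NAME_DIFF_TYPE;` also removes the three early `return NAME_DIFF_TYPE;` exits, so the method is back to a single `return constraintType;` at the end. Since the CN fallback now lives in NameConstraintsExtension, a sentence in the Javadoc that closes just above this hunk stating that directory names are never compared here would stop the next person from re-adding it.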
@@ -234,6 +219,7 @@ public class DNSName implements GeneralNameInterface {
}
else
{
constraintType
=
NAME_SAME_TYPE
;
}
}
return
constraintType
;
}
...
...
src/share/classes/sun/security/x509/NameConstraintsExtension.java
/*
* Copyright (c) 1997, 201
1
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1997, 201
7
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
...
...
@@ -33,6 +33,7 @@ import java.util.*;
import
javax.security.auth.x500.X500Principal
;
import
sun.net.util.IPAddressUtil
;
import
sun.security.util.*
;
import
sun.security.pkcs.PKCS9Attribute
;
...
...
@@ -433,6 +434,7 @@ implements CertAttrSet<String>, Cloneable {
X500Principal
subjectPrincipal
=
cert
.
getSubjectX500Principal
();
X500Name
subject
=
X500Name
.
asX500Name
(
subjectPrincipal
);
// Check subject as an X500Name
if
(
subject
.
isEmpty
()
==
false
)
{
if
(
verify
(
subject
)
==
false
)
{
return
false
;
...
...
@@ -458,12 +460,51 @@ implements CertAttrSet<String>, Cloneable {
"certificate: "
+
ce
.
getMessage
());
}
// If there are no subjectAlternativeNames, perform the special-case
// check where if the subjectName contains any EMAILADDRESS
// attributes, they must be checked against RFC822 constraints.
// If that passes, we're fine.
if
(
altNames
==
null
)
{
return
verifyRFC822SpecialCase
(
subject
);
altNames
=
new
GeneralNames
();
// RFC 5280 4.2.1.10:
// When constraints are imposed on the rfc822Name name form,
// but the certificate does not include a subject alternative name,
// the rfc822Name constraint MUST be applied to the attribute of
// type emailAddress in the subject distinguished name.
for
(
AVA
ava
:
subject
.
allAvas
())
{
ObjectIdentifier
attrOID
=
ava
.
getObjectIdentifier
();
if
(
attrOID
.
equals
(
PKCS9Attribute
.
EMAIL_ADDRESS_OID
))
{
String
attrValue
=
ava
.
getValueString
();
if
(
attrValue
!=
null
)
{
try
{
altNames
.
add
(
new
GeneralName
(
new
RFC822Name
(
attrValue
)));
}
catch
(
IOException
ioe
)
{
continue
;
}
}
}
}
}
// If there is no IPAddressName or DNSName in subjectAlternativeNames,
// see if the last CN inside subjectName can be used instead.
DerValue
derValue
=
subject
.
findMostSpecificAttribute
(
X500Name
.
commonName_oid
);
String
cn
=
derValue
==
null
?
null
:
derValue
.
getAsString
();
if
(
cn
!=
null
)
{
try
{
if
(
IPAddressUtil
.
isIPv4LiteralAddress
(
cn
)
||
IPAddressUtil
.
isIPv6LiteralAddress
(
cn
))
{
if
(!
hasNameType
(
altNames
,
GeneralNameInterface
.
NAME_IP
))
{
altNames
.
add
(
new
GeneralName
(
new
IPAddressName
(
cn
)));
}
}
else
{
if
(!
hasNameType
(
altNames
,
GeneralNameInterface
.
NAME_DNS
))
{
altNames
.
add
(
new
GeneralName
(
new
DNSName
(
cn
)));
}
}
}
catch
(
IOException
ioe
)
{
// OK, cn is neither IP nor DNS
}
}
// verify each subjectAltName
...
...
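Review bot: The empty `catch (IOException ioe) { // OK, cn is neither IP nor DNS }` at the end of this hunk is doing the real work of the fix and should say so: a CN that is not a valid host name (a person's name, say) makes `new DNSName(cn)` throw and is deliberately left out of `altNames`, instead of being forced through the DNSName constraint as before, so a comment that this is the intended "not a host name" path, not a swallowed error, would help a future reader. Two smaller points. The emailAddress loop runs only inside `if (altNames == null)`, which matches the RFC 5280 4.2.1.10 text quoted in the comment, whereas the CN-to-DNSName/IPAddressName fallback below it runs for every certificate and is gated only by `hasNameType`; a certificate with a dNSName SAN is therefore not re-checked on its CN, but one that carries only an rfc822Name SAN is, and that asymmetry deserves a line in the `// If there is no IPAddressName or DNSName` comment. And the `continue` on an emailAddress value that fails `new RFC822Name(attrValue)` mirrors the deleted `verifyRFC822SpecialCase`, so behaviour there is unchanged.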
@@ -478,6 +519,15 @@ implements CertAttrSet<String>, Cloneable {
return
true
;
}
private
static
boolean
hasNameType
(
GeneralNames
names
,
int
type
)
{
for
(
GeneralName
name
:
names
.
names
())
{
if
(
name
.
getType
()
==
type
)
{
return
true
;
}
}
return
false
;
}
/**
* check whether a name conforms to these NameConstraints.
* This involves verifying that the name is consistent with the
...
...
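Review bot: `hasNameType` calls `names.names()` without a null check, which is only safe because the previous hunk replaces a null `altNames` with `new GeneralNames()` before the first call; either state that precondition in a one-line comment or return `false` for a null argument so the helper does not depend on that ordering in `verify`. Otherwise it is fine: `private static`, and a linear scan over `names.names()` is the right shape for the handful of entries a subjectAltName extension carries.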
@@ -559,37 +609,6 @@ implements CertAttrSet<String>, Cloneable {
return
true
;
}
/**
* Perform the RFC 822 special case check. We have a certificate
* that does not contain any subject alternative names. Check that
* any EMAILADDRESS attributes in its subject name conform to these
* NameConstraints.
*
* @param subject the certificate's subject name
* @returns true if certificate verifies successfully
* @throws IOException on error
*/
public
boolean
verifyRFC822SpecialCase
(
X500Name
subject
)
throws
IOException
{
for
(
AVA
ava
:
subject
.
allAvas
())
{
ObjectIdentifier
attrOID
=
ava
.
getObjectIdentifier
();
if
(
attrOID
.
equals
((
Object
)
PKCS9Attribute
.
EMAIL_ADDRESS_OID
))
{
String
attrValue
=
ava
.
getValueString
();
if
(
attrValue
!=
null
)
{
RFC822Name
emailName
;
try
{
emailName
=
new
RFC822Name
(
attrValue
);
}
catch
(
IOException
ioe
)
{
continue
;
}
if
(!
verify
(
emailName
))
{
return
(
false
);
}
}
}
}
return
true
;
}
/**
* Clone all objects that may be modified during certificate validation.
*/
...
...
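Review bot: Removing `verifyRFC822SpecialCase` deletes a public method from `sun.security.x509.NameConstraintsExtension`; the class is internal, but please confirm nothing else in the tree still references it. The replacement loop in the `-458,12 +460,51` hunk is a line-for-line port of the body deleted here (same `allAvas()` scan, same `PKCS9Attribute.EMAIL_ADDRESS_OID` test, same `continue` on an unparsable value), minus the `(Object)` cast on `equals`, with the parsed `RFC822Name` now appended to `altNames` and checked together with the other subjectAltNames instead of through a separate `verify(emailName)` call, so emailAddress handling is behaviour-preserving. The deleted Javadoc also carried a non-standard `@returns` tag, which goes away with it.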