diff --git a/src/share/classes/sun/security/pkcs/SignerInfo.java b/src/share/classes/sun/security/pkcs/SignerInfo.java index 5e69438c8d0bb8ff97cfe107ae6b2c6d98447d30..628d6d0c82eda046a4f0468d889a33fb3ec24c5b 100644 --- a/src/share/classes/sun/security/pkcs/SignerInfo.java +++ b/src/share/classes/sun/security/pkcs/SignerInfo.java @@ -323,6 +323,12 @@ public class SignerInfo implements DerEncoder { data = content.getContentBytes(); } + Timestamp timestamp = null; + try { + timestamp = getTimestamp(); + } catch (Exception ignore) { + } + ConstraintsParameters cparams = new ConstraintsParameters(timestamp); String digestAlgname = getDigestAlgorithmId().getName(); diff --git a/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java b/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java index 11d8a0673296a03d8e8f13f03e49d3979a660a89..5f825ff44bf79993314a985c8519cceed085fc47 100644 --- a/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java +++ b/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java @@ -344,7 +344,7 @@ public final class SunCertPathBuilder extends CertPathBuilderSpi { // add the algorithm checker checkers.add(new AlgorithmChecker(builder.trustAnchor, - buildParams.date(), null)); + buildParams.date(), buildParams.variant())); BasicChecker basicChecker = null; if (nextState.keyParamsNeeded()) { diff --git a/src/share/lib/security/java.security-aix b/src/share/lib/security/java.security-aix index d44a6f34ebb5694e66bffd198ac878c7dd1d720e..18cc34d15e724fff1de2ea27de4200eb58e0ce94 100644 --- a/src/share/lib/security/java.security-aix +++ b/src/share/lib/security/java.security-aix 
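Review bot: The empty `catch (Exception ignore)` around `getTimestamp()` in the SignerInfo hunk turns every timestamp failure (parse error, bad signature, unexpected runtime exception) into a `null` timestamp, which is then handed to `ConstraintsParameters` with no trace. Whether a null timestamp makes the following constraint check stricter or more lenient is not visible here, so the catch body should say so, for example `// no usable timestamp: constraints are evaluated without it (confirm this is the stricter path)`. Narrowing the catch to the checked exceptions that `getTimestamp()` declares would keep unrelated runtime failures from being hidden. The enclosing method starts and ends outside the hunk.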
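Review bot: The switch from `null` to `buildParams.variant()` in the `AlgorithmChecker` constructor call has no comment explaining why the variant matters, and `// add the algorithm checker` no longer tells the whole story. Something like `// pass the validation variant so algorithm constraints are evaluated for the right usage` would help. The variant presumably selects which disabled-algorithm rules apply to the chain, so it is worth confirming that every other `AlgorithmChecker` construction site reached with the same parameters passes the same value; those sites are not visible in this diff. It would also help to note whether `variant()` can return null and whether that case behaves as before. The enclosing method continues outside the hunk.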
@@ -488,21 +488,21 @@ krb5.kdc.bad.policy = tryLast
 # jdkCA
 # This constraint prohibits the specified algorithm only if the
 # algorithm is used in a certificate chain that terminates at a marked
-# trust anchor in the lib/security/cacerts keystore. If the jdkCA
-# constraint is not set, then all chains using the specified algorithm
+# trust anchor in the lib/security/cacerts keystore. If the jdkCA
+# constraint is not set, then all chains using the specified algorithm
 # are restricted. jdkCA may only be used once in a DisabledAlgorithm
 # expression.
-# Example:  To apply this constraint to SHA-1 certificates, include
-# the following:  "SHA1 jdkCA"
+# Example: To apply this constraint to SHA-1 certificates, include
+# the following: "SHA1 jdkCA"
 #
 # DenyAfterConstraint:
 # denyAfter YYYY-MM-DD
 # This constraint prohibits a certificate with the specified algorithm
 # from being used after the date regardless of the certificate's
-# validity.  JAR files that are signed and timestamped before the
+# validity. JAR files that are signed and timestamped before the
 # constraint date with certificates containing the disabled algorithm
-# will not be restricted.  The date is processed in the UTC timezone.
-# This constraint can only be used once in a DisabledAlgorithm
+# will not be restricted. The date is processed in the UTC timezone.
+# This constraint can only be used once in a DisabledAlgorithm
 # expression.
 # Example: To deny usage of RSA 2048 bit certificates after Feb 3 2020,
 # use the following: "RSA keySize == 2048 & denyAfter 2020-02-03"
diff --git a/src/share/lib/security/java.security-linux b/src/share/lib/security/java.security-linux
index d44a6f34ebb5694e66bffd198ac878c7dd1d720e..18cc34d15e724fff1de2ea27de4200eb58e0ce94 100644
--- a/src/share/lib/security/java.security-linux
+++ b/src/share/lib/security/java.security-linux
@@ -488,21 +488,21 @@ krb5.kdc.bad.policy = tryLast
 # jdkCA
 # This constraint prohibits the specified algorithm only if the
 # algorithm is used in a certificate chain that terminates at a marked
-# trust anchor in the lib/security/cacerts keystore. If the jdkCA
-# constraint is not set, then all chains using the specified algorithm
+# trust anchor in the lib/security/cacerts keystore. If the jdkCA
+# constraint is not set, then all chains using the specified algorithm
 # are restricted. jdkCA may only be used once in a DisabledAlgorithm
 # expression.
-# Example:  To apply this constraint to SHA-1 certificates, include
-# the following:  "SHA1 jdkCA"
+# Example: To apply this constraint to SHA-1 certificates, include
+# the following: "SHA1 jdkCA"
 #
 # DenyAfterConstraint:
 # denyAfter YYYY-MM-DD
 # This constraint prohibits a certificate with the specified algorithm
 # from being used after the date regardless of the certificate's
-# validity.  JAR files that are signed and timestamped before the
+# validity. JAR files that are signed and timestamped before the
 # constraint date with certificates containing the disabled algorithm
-# will not be restricted.  The date is processed in the UTC timezone.
-# This constraint can only be used once in a DisabledAlgorithm
+# will not be restricted. The date is processed in the UTC timezone.
+# This constraint can only be used once in a DisabledAlgorithm
 # expression.
 # Example: To deny usage of RSA 2048 bit certificates after Feb 3 2020,
 # use the following: "RSA keySize == 2048 & denyAfter 2020-02-03"
diff --git a/src/share/lib/security/java.security-macosx b/src/share/lib/security/java.security-macosx
index 80d175f1aeb6626fd458113757cf4346e289a8b6..388031a17c10b3c0ebe61868fbeaba3b3dea83e3 100644
--- a/src/share/lib/security/java.security-macosx
+++ b/src/share/lib/security/java.security-macosx
@@ -491,21 +491,21 @@ krb5.kdc.bad.policy = tryLast
 # jdkCA
 # This constraint prohibits the specified algorithm only if the
 # algorithm is used in a certificate chain that terminates at a marked
-# trust anchor in the lib/security/cacerts keystore. If the jdkCA
-# constraint is not set, then all chains using the specified algorithm
+# trust anchor in the lib/security/cacerts keystore. If the jdkCA
+# constraint is not set, then all chains using the specified algorithm
 # are restricted. jdkCA may only be used once in a DisabledAlgorithm
 # expression.
-# Example:  To apply this constraint to SHA-1 certificates, include
-# the following:  "SHA1 jdkCA"
+# Example: To apply this constraint to SHA-1 certificates, include
+# the following: "SHA1 jdkCA"
 #
 # DenyAfterConstraint:
 # denyAfter YYYY-MM-DD
 # This constraint prohibits a certificate with the specified algorithm
 # from being used after the date regardless of the certificate's
-# validity.  JAR files that are signed and timestamped before the
+# validity. JAR files that are signed and timestamped before the
 # constraint date with certificates containing the disabled algorithm
-# will not be restricted.  The date is processed in the UTC timezone.
-# This constraint can only be used once in a DisabledAlgorithm
+# will not be restricted. The date is processed in the UTC timezone.
+# This constraint can only be used once in a DisabledAlgorithm
 # expression.
 # Example: To deny usage of RSA 2048 bit certificates after Feb 3 2020,
 # use the following: "RSA keySize == 2048 & denyAfter 2020-02-03"
diff --git a/src/share/lib/security/java.security-solaris b/src/share/lib/security/java.security-solaris
index 4acc54775eccfff4e4d7c0f42d45e4a06b7d7a17..818b6199d5d6cb6e3e4f2dd6bf8b408814e180db 100644
--- a/src/share/lib/security/java.security-solaris
+++ b/src/share/lib/security/java.security-solaris
@@ -490,21 +490,21 @@ krb5.kdc.bad.policy = tryLast
 # jdkCA
 # This constraint prohibits the specified algorithm only if the
 # algorithm is used in a certificate chain that terminates at a marked
-# trust anchor in the lib/security/cacerts keystore. If the jdkCA
-# constraint is not set, then all chains using the specified algorithm
+# trust anchor in the lib/security/cacerts keystore. If the jdkCA
+# constraint is not set, then all chains using the specified algorithm
 # are restricted. jdkCA may only be used once in a DisabledAlgorithm
 # expression.
-# Example:  To apply this constraint to SHA-1 certificates, include
-# the following:  "SHA1 jdkCA"
+# Example: To apply this constraint to SHA-1 certificates, include
+# the following: "SHA1 jdkCA"
 #
 # DenyAfterConstraint:
 # denyAfter YYYY-MM-DD
 # This constraint prohibits a certificate with the specified algorithm
 # from being used after the date regardless of the certificate's
-# validity.  JAR files that are signed and timestamped before the
+# validity. JAR files that are signed and timestamped before the
 # constraint date with certificates containing the disabled algorithm
-# will not be restricted.  The date is processed in the UTC timezone.
-# This constraint can only be used once in a DisabledAlgorithm
+# will not be restricted. The date is processed in the UTC timezone.
+# This constraint can only be used once in a DisabledAlgorithm
 # expression.
 # Example: To deny usage of RSA 2048 bit certificates after Feb 3 2020,
 # use the following: "RSA keySize == 2048 & denyAfter 2020-02-03"
diff --git a/src/share/lib/security/java.security-windows b/src/share/lib/security/java.security-windows
index 3760cadc898e1c61fe4597b66517b62e662e3317..5dc77e660ba56e45a187e2eb23fd086fcba3fe11 100644
--- a/src/share/lib/security/java.security-windows
+++ b/src/share/lib/security/java.security-windows
@@ -491,21 +491,21 @@ krb5.kdc.bad.policy = tryLast
 # jdkCA
 # This constraint prohibits the specified algorithm only if the
 # algorithm is used in a certificate chain that terminates at a marked
-# trust anchor in the lib/security/cacerts keystore. If the jdkCA
-# constraint is not set, then all chains using the specified algorithm
+# trust anchor in the lib/security/cacerts keystore. If the jdkCA
+# constraint is not set, then all chains using the specified algorithm
 # are restricted. jdkCA may only be used once in a DisabledAlgorithm
 # expression.
-# Example:  To apply this constraint to SHA-1 certificates, include
-# the following:  "SHA1 jdkCA"
+# Example: To apply this constraint to SHA-1 certificates, include
+# the following: "SHA1 jdkCA"
 #
 # DenyAfterConstraint:
 # denyAfter YYYY-MM-DD
 # This constraint prohibits a certificate with the specified algorithm
 # from being used after the date regardless of the certificate's
-# validity.  JAR files that are signed and timestamped before the
+# validity. JAR files that are signed and timestamped before the
 # constraint date with certificates containing the disabled algorithm
-# will not be restricted.  The date is processed in the UTC timezone.
-# This constraint can only be used once in a DisabledAlgorithm
+# will not be restricted. The date is processed in the UTC timezone.
+# This constraint can only be used once in a DisabledAlgorithm
 # expression.
 # Example: To deny usage of RSA 2048 bit certificates after Feb 3 2020,
 # use the following: "RSA keySize == 2048 & denyAfter 2020-02-03"