/*
 * Copyright (c) 2006, 2012, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */
package sun.security.provider.certpath;

import java.io.InputStream;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URI;
import java.net.URLConnection;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertSelector;
import java.security.cert.CertStore;
import java.security.cert.CertStoreException;
import java.security.cert.CertStoreParameters;
import java.security.cert.CertStoreSpi;
import java.security.cert.CRLException;
import java.security.cert.CRLSelector;
import java.security.cert.X509Certificate;
import java.security.cert.X509CertSelector;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLSelector;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import java.util.Objects;
import sun.security.x509.AccessDescription;
import sun.security.x509.GeneralNameInterface;
import sun.security.x509.URIName;
import sun.security.util.Cache;
import sun.security.util.Debug;
/**
 * A <code>CertStore</code> that retrieves <code>Certificates</code> or
 * <code>CRL</code>s from a URI, for example, as specified in an X.509
 * AuthorityInformationAccess or CRLDistributionPoint extension.
 * <p>
 * For CRLs, this implementation retrieves a single DER encoded CRL per URI.
 * For Certificates, this implementation retrieves a single DER encoded
 * Certificate or a collection of Certificates encoded as a PKCS#7
 * "certs-only" CMS message.
 * <p>
 * This <code>CertStore</code> also implements Certificate/CRL caching.
 * Currently, the cache is shared between all applications in the VM and uses a
 * hardcoded policy. The cache has a maximum size of 185 entries, which are held
 * by SoftReferences. A request will be satisfied from the cache if we last
 * checked for an update within CHECK_INTERVAL (last 30 seconds). Otherwise,
 * we open a URLConnection to download the Certificate(s)/CRL using an
 * If-Modified-Since request (HTTP) if possible. Note that both positive and
 * negative responses are cached, i.e. if we are unable to open the connection
 * or the Certificate(s)/CRL cannot be parsed, we remember this result and
 * additional calls during the CHECK_INTERVAL period do not try to open another
 * connection.
 * <p>
 * The URICertStore is not currently a standard CertStore type. We should
 * consider adding a standard "URI" CertStore type.
 *
 * @author Andreas Sterbenz
 * @author Sean Mullan
 * @since 7.0
 */
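class URICertStore extends CertStoreSpi {

    private static final Debug debug = Debug.getInstance("certpath");

    // interval between checks for update of cached Certificates/CRLs
    // (30 seconds); a failed download is remembered for the same interval
    private final static int CHECK_INTERVAL = 30 * 1000;

    // size of the per-JVM cache of CertStore instances
    // (see Cache class for sizing recommendations)
    private final static int CACHE_SIZE = 185;

    /**
     * Cache of CertStores (shared per JVM), keyed by their parameters,
     * i.e. by URI. Entries are held by soft references.
     */
    private static final Cache<URICertStoreParameters, CertStore>
        certStoreCache = Cache.newSoftMemoryCache(CACHE_SIZE);

    // X.509 certificate factory instance
    private final CertificateFactory factory;

    // The mutable fields below are only read and written by the
    // synchronized engine methods, i.e. they are guarded by "this".

    // cached Collection of X509Certificates (may be empty, never null)
    private Collection<X509Certificate> certs = Collections.emptySet();

    // cached X509CRL (may be null)
    private X509CRL crl;

    // time we last checked for an update (0 = never)
    private long lastChecked;

    // time server returned as last modified time stamp
    // or 0 if not available
    private long lastModified;

    // the (absolute) URI of this CertStore
    private final URI uri;

    // true if URI is ldap
    private final boolean ldap;
    private CertStoreHelper ldapHelper;
    private CertStore ldapCertStore;
    private String ldapPath;

    /**
     * Creates a URICertStore.
     *
     * @param params the parameters; must be a URICertStoreParameters whose
     *        URI is absolute (has a scheme)
     * @throws InvalidAlgorithmParameterException if params is not a
     *         URICertStoreParameters or its URI has no scheme
     * @throws NoSuchAlgorithmException presumably propagated from the LDAP
     *         helper lookup for ldap URIs (not thrown by the X.509 factory
     *         lookup, which only throws CertificateException)
     */
    URICertStore(CertStoreParameters params)
        throws InvalidAlgorithmParameterException, NoSuchAlgorithmException {
        super(params);
        if (!(params instanceof URICertStoreParameters)) {
            throw new InvalidAlgorithmParameterException
                ("params must be instanceof URICertStoreParameters");
        }
        this.uri = ((URICertStoreParameters) params).uri;

        // A relative URI has no scheme and can neither be classified nor
        // turned into a URL later; reject it here with the declared
        // exception instead of failing with a NullPointerException.
        String scheme = uri.getScheme();
        if (scheme == null) {
            throw new InvalidAlgorithmParameterException
                ("URI must be absolute: " + uri);
        }
        // Locale.ENGLISH: the default locale (e.g. Turkish) must not affect
        // the scheme comparison.
        this.ldap = scheme.toLowerCase(Locale.ENGLISH).equals("ldap");

        // if ldap URI, use an LDAPCertStore to fetch certs and CRLs
        if (ldap) {
            ldapHelper = CertStoreHelper.getInstance("LDAP");
            ldapCertStore = ldapHelper.getCertStore(uri);
            String path = uri.getPath();
            // strip off leading '/'; "ldap://host" has an empty path and
            // an opaque URI has none, so guard before looking at index 0
            if (path != null && path.startsWith("/")) {
                path = path.substring(1);
            }
            // presumably the helper tolerates an empty path; verify against
            // CertStoreHelper.wrap
            ldapPath = path;
        }
        try {
            factory = CertificateFactory.getInstance("X.509");
        } catch (CertificateException e) {
            // X.509 is mandatory in every JDK, so this cannot normally
            // happen; keep the cause so a broken provider setup is diagnosable
            throw new RuntimeException
                ("X.509 CertificateFactory not available", e);
        }
    }

    /**
     * Returns a URI CertStore. This method consults a cache of
     * CertStores (shared per JVM) using the URI as a key.
     *
     * @param params the parameters (URI) of the requested store
     * @return the cached CertStore for this URI, or a newly created one
     * @throws NoSuchAlgorithmException if a new store cannot be created
     * @throws InvalidAlgorithmParameterException if params is rejected by
     *         the URICertStore constructor
     */
    static synchronized CertStore getInstance(URICertStoreParameters params)
        throws NoSuchAlgorithmException, InvalidAlgorithmParameterException {
        if (debug != null) {
            debug.println("CertStore URI:" + params.uri);
        }
        CertStore ucs = certStoreCache.get(params);
        if (ucs != null) {
            if (debug != null) {
                debug.println("URICertStore.getInstance: cache hit");
            }
            return ucs;
        }
        ucs = new UCS(new URICertStore(params), null, "URI", params);
        certStoreCache.put(params, ucs);
        return ucs;
    }

    /**
     * Creates a CertStore from information included in the AccessDescription
     * object of a certificate's Authority Information Access Extension.
     *
     * @param ad the access description to examine
     * @return a CertStore for the caIssuers location, or null if the access
     *         method is not caIssuers, the location is not a URI, or the
     *         store could not be created
     */
    static CertStore getInstance(AccessDescription ad) {
        if (!ad.getAccessMethod().equals((Object)
                AccessDescription.Ad_CAISSUERS_Id)) {
            return null;
        }
        GeneralNameInterface gn = ad.getAccessLocation().getName();
        if (!(gn instanceof URIName)) {
            return null;
        }
        URI uri = ((URIName) gn).getURI();
        try {
            return URICertStore.getInstance
                (new URICertStore.URICertStoreParameters(uri));
        } catch (Exception ex) {
            // best effort: an unusable AIA location (the URI comes from the
            // certificate being examined) must not abort the caller, it
            // simply yields no store
            if (debug != null) {
                debug.println("exception creating CertStore: " + ex);
                ex.printStackTrace();
            }
            return null;
        }
    }

    /**
     * Returns a <code>Collection</code> of <code>X509Certificate</code>s that
     * match the specified selector. If no <code>X509Certificate</code>s
     * match the selector, an empty <code>Collection</code> will be returned.
     *
     * @param selector a <code>CertSelector</code> used to select which
     *  <code>X509Certificate</code>s should be returned. Specify
     *  <code>null</code> to return all <code>X509Certificate</code>s
     *  (not supported for ldap URIs, see below).
     * @return a <code>Collection</code> of <code>X509Certificate</code>s that
     *         match the specified selector
     * @throws CertStoreException if an exception occurs, or if the URI is
     *         ldap and selector is not an X509CertSelector
     */
    @Override
    @SuppressWarnings("unchecked")
    public synchronized Collection<X509Certificate> engineGetCertificates
        (CertSelector selector) throws CertStoreException {

        // if ldap URI we wrap the CertSelector in an LDAPCertSelector to
        // avoid LDAP DN matching issues (see LDAPCertSelector for more info)
        if (ldap) {
            // The wrapper is built from the selector's subject, so a null
            // or non-X.509 selector cannot be served; report that as a
            // store error rather than a NullPointer/ClassCastException.
            if (!(selector instanceof X509CertSelector)) {
                throw new CertStoreException
                    ("LDAP URICertStore requires an X509CertSelector");
            }
            X509CertSelector xsel = (X509CertSelector) selector;
            try {
                xsel = ldapHelper.wrap(xsel, xsel.getSubject(), ldapPath);
            } catch (IOException ioe) {
                throw new CertStoreException(ioe);
            }
            // Fetch the certificates via LDAP. LDAPCertStore has its own
            // caching mechanism, see the class description for more info.
            // Safe cast since xsel is an X509 certificate selector.
            return (Collection<X509Certificate>)
                ldapCertStore.getCertificates(xsel);
        }

        // Return the Certificates for this entry. It returns the cached value
        // if it is still current and fetches the Certificates otherwise.
        // For the caching details, see the top of this class.
        long time = System.currentTimeMillis();
        if (time - lastChecked < CHECK_INTERVAL) {
            if (debug != null) {
                debug.println("Returning certificates from cache");
            }
            return getMatchingCerts(certs, selector);
        }
        lastChecked = time;
        try {
            // NOTE(review): no connect/read timeout is set on the
            // connection, and this method holds the store's monitor while
            // it blocks; confirm the caller bounds the wait.
            URLConnection connection = uri.toURL().openConnection();
            if (lastModified != 0) {
                connection.setIfModifiedSince(lastModified);
            }
            long oldLastModified = lastModified;
            try (InputStream in = connection.getInputStream()) {
                lastModified = connection.getLastModified();
                if (isNotModified(connection, oldLastModified, lastModified)) {
                    if (debug != null) {
                        debug.println("Not modified, using cached copy");
                    }
                    return getMatchingCerts(certs, selector);
                }
                if (debug != null) {
                    debug.println("Downloading new certificates...");
                }
                // The response is untrusted input (the URI may originate
                // from an extension of the certificate being validated);
                // only parsing happens here, signature verification is
                // left to the caller.
                // Safe cast since factory is an X.509 certificate factory
                certs = (Collection<X509Certificate>)
                    factory.generateCertificates(in);
            }
            return getMatchingCerts(certs, selector);
        } catch (IOException | CertificateException e) {
            if (debug != null) {
                debug.println("Exception fetching certificates:");
                e.printStackTrace();
            }
        }
        // exception, forget previous values
        lastModified = 0;
        certs = Collections.emptySet();
        return certs;
    }

    /**
     * Decides whether the server reported the resource as unchanged since
     * the cached copy was downloaded, in which case the cached copy can be
     * reused. Must be called after the connection's input stream has been
     * opened so that the response headers are available.
     *
     * @param connection the open connection
     * @param oldLastModified Last-Modified of the cached copy, or 0 if
     *        there is no cached copy
     * @param newLastModified Last-Modified of this response, or 0 if the
     *        server did not send one
     * @return true if the cached copy is still current
     * @throws IOException if the HTTP response code cannot be read
     */
    private static boolean isNotModified(URLConnection connection,
            long oldLastModified, long newLastModified) throws IOException {
        if (oldLastModified == 0) {
            // nothing cached yet, the response has to be parsed
            return false;
        }
        if (oldLastModified == newLastModified) {
            return true;
        }
        // some proxy servers omit last modified; fall back to the
        // 304 status code for HTTP connections
        return connection instanceof HttpURLConnection
            && ((HttpURLConnection) connection).getResponseCode()
                == HttpURLConnection.HTTP_NOT_MODIFIED;
    }

    /**
     * Iterates over the specified Collection of X509Certificates and
     * returns only those that match the criteria specified in the
     * CertSelector.
     *
     * @param certs the cached certificates (never null)
     * @param selector the selector, or null to match every certificate
     * @return a new Collection of the matching certificates; never the
     *         cached collection itself, so callers cannot modify the cache
     */
    private static Collection<X509Certificate> getMatchingCerts
        (Collection<X509Certificate> certs, CertSelector selector) {
        List<X509Certificate> matchedCerts = new ArrayList<>(certs.size());
        for (X509Certificate cert : certs) {
            // if selector not specified, all certs match
            if (selector == null || selector.match(cert)) {
                matchedCerts.add(cert);
            }
        }
        return matchedCerts;
    }

    /**
     * Returns a <code>Collection</code> of <code>X509CRL</code>s that
     * match the specified selector. If no <code>X509CRL</code>s
     * match the selector, an empty <code>Collection</code> will be returned.
     *
     * @param selector A <code>CRLSelector</code> used to select which
     *  <code>X509CRL</code>s should be returned. Specify <code>null</code>
     *  to return all <code>X509CRL</code>s.
     * @return A <code>Collection</code> of <code>X509CRL</code>s that
     *         match the specified selector
     * @throws CertStoreException if an exception occurs, or if the URI is
     *         ldap and a non-null selector is not an X509CRLSelector
     */
    @Override
    @SuppressWarnings("unchecked")
    public synchronized Collection<X509CRL> engineGetCRLs(CRLSelector selector)
        throws CertStoreException {

        // if ldap URI we wrap the CRLSelector in an LDAPCRLSelector to
        // avoid LDAP DN matching issues (see LDAPCRLSelector for more info)
        if (ldap) {
            // a non-X.509 selector cannot be wrapped; report it as a store
            // error instead of a ClassCastException (null is passed through
            // unchanged, as before)
            if (selector != null && !(selector instanceof X509CRLSelector)) {
                throw new CertStoreException
                    ("LDAP URICertStore requires an X509CRLSelector");
            }
            X509CRLSelector xsel = (X509CRLSelector) selector;
            try {
                xsel = ldapHelper.wrap(xsel, null, ldapPath);
            } catch (IOException ioe) {
                throw new CertStoreException(ioe);
            }
            // Fetch the CRLs via LDAP. LDAPCertStore has its own
            // caching mechanism, see the class description for more info.
            // Safe cast since xsel is an X509 CRL selector.
            return (Collection<X509CRL>) ldapCertStore.getCRLs(xsel);
        }

        // Return the CRLs for this entry. It returns the cached value
        // if it is still current and fetches the CRLs otherwise.
        // For the caching details, see the top of this class.
        long time = System.currentTimeMillis();
        if (time - lastChecked < CHECK_INTERVAL) {
            if (debug != null) {
                debug.println("Returning CRL from cache");
            }
            return getMatchingCRLs(crl, selector);
        }
        lastChecked = time;
        try {
            // NOTE(review): as in engineGetCertificates, no timeout is set
            // and the monitor is held while the download runs.
            URLConnection connection = uri.toURL().openConnection();
            if (lastModified != 0) {
                connection.setIfModifiedSince(lastModified);
            }
            long oldLastModified = lastModified;
            try (InputStream in = connection.getInputStream()) {
                lastModified = connection.getLastModified();
                if (isNotModified(connection, oldLastModified, lastModified)) {
                    if (debug != null) {
                        debug.println("Not modified, using cached copy");
                    }
                    return getMatchingCRLs(crl, selector);
                }
                if (debug != null) {
                    debug.println("Downloading new CRL...");
                }
                // untrusted input, see engineGetCertificates; the CRL's
                // signature is not verified here
                crl = (X509CRL) factory.generateCRL(in);
            }
            return getMatchingCRLs(crl, selector);
        } catch (IOException | CRLException e) {
            if (debug != null) {
                debug.println("Exception fetching CRL:");
                e.printStackTrace();
            }
        }
        // exception, forget previous values
        lastModified = 0;
        crl = null;
        return Collections.emptyList();
    }

    /**
     * Checks if the specified X509CRL matches the criteria specified in the
     * CRLSelector.
     *
     * @param crl the cached CRL, or null if none is cached
     * @param selector the selector, or null to match any CRL
     * @return a singleton list holding the CRL if it matches, otherwise an
     *         empty list; a null crl never matches (previously a null
     *         selector produced a list containing null)
     */
    private static Collection<X509CRL> getMatchingCRLs
        (X509CRL crl, CRLSelector selector) {
        if (crl != null && (selector == null || selector.match(crl))) {
            return Collections.singletonList(crl);
        }
        return Collections.emptyList();
    }

    /**
     * CertStoreParameters for the URICertStore. Instances are immutable and
     * serve as keys of the per-JVM CertStore cache, so equality and hash
     * code are defined by the URI alone.
     */
    static class URICertStoreParameters implements CertStoreParameters {
        private final URI uri;
        // lazily computed; 0 means "not computed yet"
        private volatile int hashCode = 0;

        /**
         * @param uri the URI to fetch from; must not be null, since it is
         *        dereferenced by equals/hashCode and by the store
         * @throws NullPointerException if uri is null
         */
        URICertStoreParameters(URI uri) {
            this.uri = Objects.requireNonNull(uri, "uri");
        }
        @Override public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (!(obj instanceof URICertStoreParameters)) {
                return false;
            }
            URICertStoreParameters other = (URICertStoreParameters) obj;
            return uri.equals(other.uri);
        }
        @Override public int hashCode() {
            int result = hashCode;
            if (result == 0) {
                result = 37 * 17 + uri.hashCode();
                hashCode = result;
            }
            return result;
        }
        @Override public Object clone() {
            try {
                return super.clone();
            } catch (CloneNotSupportedException e) {
                /* Cannot happen: CertStoreParameters extends Cloneable */
                throw new InternalError(e.toString(), e);
            }
        }
    }

    /**
     * This class allows the URICertStore to be accessed as a CertStore.
     */
    private static class UCS extends CertStore {
        protected UCS(CertStoreSpi spi, Provider p, String type,
            CertStoreParameters params) {
            super(spi, p, type, params);
        }
    }
}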