jdk-sandbox: comparison src/java.base/share/classes/sun/security/x509/X509CertImpl.java

equal deleted inserted replaced

-:92cbbfc996f3
+:56aaa6cb3693
 import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.io.OutputStream;
 import java.math.BigInteger;
 import java.security.*;
+import java.security.spec.AlgorithmParameterSpec;
 import java.security.cert.*;
 import java.security.cert.Certificate;
 import java.util.*;
 import java.util.concurrent.ConcurrentHashMap;
 import javax.security.auth.x500.X500Principal;
-import sun.security.util.HexDumpEncoder;
 import java.util.Base64;
 import sun.security.util.*;
 import sun.security.provider.X509Factory;
 /**
 * @exception CertificateException on encoding errors.
 */
 public void verify(PublicKey key)
 throws CertificateException, NoSuchAlgorithmException,
 InvalidKeyException, NoSuchProviderException, SignatureException {
 verify(key, "");
 }
 /**
 * Throws an exception if the certificate was not signed using the
 if (sigProvider.length() == 0) {
 sigVerf = Signature.getInstance(algId.getName());
 } else {
 sigVerf = Signature.getInstance(algId.getName(), sigProvider);
 }
 sigVerf.initVerify(key);
+// set parameters after Signature.initSign/initVerify call,
+// so the deferred provider selection happens when key is set
+try {
+SignatureUtil.specialSetParameter(sigVerf, getSigAlgParams());
+} catch (ProviderException e) {
+throw new CertificateException(e.getMessage(), e.getCause());
+} catch (InvalidAlgorithmParameterException e) {
+throw new CertificateException(e);
+}
 byte[] rawCert = info.getEncodedInfo();
 sigVerf.update(rawCert, 0, rawCert.length);
 // verify may throw SignatureException for invalid encodings, etc.
 if (sigProvider == null) {
 sigVerf = Signature.getInstance(algId.getName());
 } else {
 sigVerf = Signature.getInstance(algId.getName(), sigProvider);
 }
 sigVerf.initVerify(key);
+// set parameters after Signature.initSign/initVerify call,
+// so the deferred provider selection happens when key is set
+try {
+SignatureUtil.specialSetParameter(sigVerf, getSigAlgParams());
+} catch (ProviderException e) {
+throw new CertificateException(e.getMessage(), e.getCause());
+} catch (InvalidAlgorithmParameterException e) {
+throw new CertificateException(e);
+}
 byte[] rawCert = info.getEncodedInfo();
 sigVerf.update(rawCert, 0, rawCert.length);
 // verify may throw SignatureException for invalid encodings, etc.
 * @exception CertificateException on encoding errors.
 */
 public void sign(PrivateKey key, String algorithm, String provider)
 throws CertificateException, NoSuchAlgorithmException,
 InvalidKeyException, NoSuchProviderException, SignatureException {
+try {
+sign(key, null, algorithm, provider);
+} catch (InvalidAlgorithmParameterException e) {
+// should not happen; re-throw just in case
+throw new SignatureException(e);
+}
+}
+/**
+* Creates an X.509 certificate, and signs it using the given key
+* (associating a signature algorithm and an X.500 name), signature
+* parameters, and security provider. If the given provider name
+* is null or empty, the implementation look up will be based on
+* provider configurations.
+* This operation is used to implement the certificate generation
+* functionality of a certificate authority.
+*
+* @param key the private key used for signing
+* @param signingParams the parameters used for signing
+* @param algorithm the name of the signature algorithm used
+* @param provider the name of the provider, may be null
+*
+* @exception NoSuchAlgorithmException on unsupported signature
+*            algorithms
+* @exception InvalidKeyException on incorrect key
+* @exception InvalidAlgorithmParameterException on invalid signature
+*            parameters
+* @exception NoSuchProviderException on incorrect provider
+* @exception SignatureException on signature errors
+* @exception CertificateException on encoding errors
+*/
+public void sign(PrivateKey key, AlgorithmParameterSpec signingParams,
+String algorithm, String provider)
+throws CertificateException, NoSuchAlgorithmException,
+InvalidKeyException, InvalidAlgorithmParameterException,
+NoSuchProviderException, SignatureException {
 try {
 if (readOnly)
 throw new CertificateEncodingException(
 "cannot over-write existing certificate");
 Signature sigEngine = null;
 else
 sigEngine = Signature.getInstance(algorithm, provider);
 sigEngine.initSign(key);
-// in case the name is reset
+// set parameters after Signature.initSign/initVerify call, so
-algId = AlgorithmId.get(sigEngine.getAlgorithm());
+// the deferred provider selection happens when the key is set
+try {
+sigEngine.setParameter(signingParams);
+} catch (UnsupportedOperationException e) {
+// for backward compatibility, only re-throw when
+// parameters is not null
+if (signingParams != null) throw e;
+}
+// in case the name is reset
+if (signingParams != null) {
+algId = AlgorithmId.get(sigEngine.getParameters());
+} else {
+algId = AlgorithmId.get(algorithm);
+}
 DerOutputStream out = new DerOutputStream();
 DerOutputStream tmp = new DerOutputStream();
 // encode certificate info
 info.encode(tmp);

branch	JDK-8145252-TLS13-branch
changeset 56542	56aaa6cb3693
parent 47478	438e0c9f2f17
child 53018	8bf9268df0e2