1 /* |
1 /* |
2 * Copyright (c) 1999, 2016, Oracle and/or its affiliates. All rights reserved. |
2 * Copyright (c) 1999, 2017, Oracle and/or its affiliates. All rights reserved. |
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 * |
4 * |
5 * This code is free software; you can redistribute it and/or modify it |
5 * This code is free software; you can redistribute it and/or modify it |
6 * under the terms of the GNU General Public License version 2 only, as |
6 * under the terms of the GNU General Public License version 2 only, as |
7 * published by the Free Software Foundation. Oracle designates this |
7 * published by the Free Software Foundation. Oracle designates this |
35 |
35 |
36 import javax.net.ssl.*; |
36 import javax.net.ssl.*; |
37 |
37 |
38 import sun.security.provider.certpath.AlgorithmChecker; |
38 import sun.security.provider.certpath.AlgorithmChecker; |
39 import sun.security.action.GetPropertyAction; |
39 import sun.security.action.GetPropertyAction; |
|
40 import sun.security.validator.Validator; |
40 |
41 |
41 public abstract class SSLContextImpl extends SSLContextSpi { |
42 public abstract class SSLContextImpl extends SSLContextSpi { |
42 |
43 |
43 private static final Debug debug = Debug.getInstance("ssl"); |
44 private static final Debug debug = Debug.getInstance("ssl"); |
44 |
45 |
1434 } |
1435 } |
1435 } else { |
1436 } else { |
1436 constraints = new SSLAlgorithmConstraints(sslSocket, true); |
1437 constraints = new SSLAlgorithmConstraints(sslSocket, true); |
1437 } |
1438 } |
1438 |
1439 |
1439 checkAlgorithmConstraints(chain, constraints); |
1440 checkAlgorithmConstraints(chain, constraints, isClient); |
1440 } |
1441 } |
1441 } |
1442 } |
1442 |
1443 |
1443 private void checkAdditionalTrust(X509Certificate[] chain, String authType, |
1444 private void checkAdditionalTrust(X509Certificate[] chain, String authType, |
1444 SSLEngine engine, boolean isClient) throws CertificateException { |
1445 SSLEngine engine, boolean isClient) throws CertificateException { |
1476 } |
1477 } |
1477 } else { |
1478 } else { |
1478 constraints = new SSLAlgorithmConstraints(engine, true); |
1479 constraints = new SSLAlgorithmConstraints(engine, true); |
1479 } |
1480 } |
1480 |
1481 |
1481 checkAlgorithmConstraints(chain, constraints); |
1482 checkAlgorithmConstraints(chain, constraints, isClient); |
1482 } |
1483 } |
1483 } |
1484 } |
1484 |
1485 |
1485 private void checkAlgorithmConstraints(X509Certificate[] chain, |
1486 private void checkAlgorithmConstraints(X509Certificate[] chain, |
1486 AlgorithmConstraints constraints) throws CertificateException { |
1487 AlgorithmConstraints constraints, boolean isClient) throws CertificateException { |
1487 |
1488 |
1488 try { |
1489 try { |
1489 // Does the certificate chain end with a trusted certificate? |
1490 // Does the certificate chain end with a trusted certificate? |
1490 int checkedLength = chain.length - 1; |
1491 int checkedLength = chain.length - 1; |
1491 |
1492 |
1499 checkedLength--; |
1500 checkedLength--; |
1500 } |
1501 } |
1501 |
1502 |
1502 // A forward checker, need to check from trust to target |
1503 // A forward checker, need to check from trust to target |
1503 if (checkedLength >= 0) { |
1504 if (checkedLength >= 0) { |
1504 AlgorithmChecker checker = new AlgorithmChecker(constraints); |
1505 AlgorithmChecker checker = |
|
1506 new AlgorithmChecker(constraints, null, |
|
1507 (isClient ? Validator.VAR_TLS_CLIENT : Validator.VAR_TLS_SERVER)); |
1505 checker.init(false); |
1508 checker.init(false); |
1506 for (int i = checkedLength; i >= 0; i--) { |
1509 for (int i = checkedLength; i >= 0; i--) { |
1507 Certificate cert = chain[i]; |
1510 Certificate cert = chain[i]; |
1508 // We don't care about the unresolved critical extensions. |
1511 // We don't care about the unresolved critical extensions. |
1509 checker.check(cert, Collections.<String>emptySet()); |
1512 checker.check(cert, Collections.<String>emptySet()); |