--- a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java Thu Feb 07 08:47:10 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java Wed Feb 27 13:58:04 2019 -0800
@@ -1480,8 +1480,9 @@
checkAdditionalTrust(chain, authType, engine, false);
}
- private void checkAdditionalTrust(X509Certificate[] chain, String authType,
- Socket socket, boolean isClient) throws CertificateException {
+ private void checkAdditionalTrust(X509Certificate[] chain,
+ String authType, Socket socket,
+ boolean checkClientTrusted) throws CertificateException {
if (socket != null && socket.isConnected() &&
socket instanceof SSLSocket) {
@@ -1495,9 +1496,8 @@
String identityAlg = sslSocket.getSSLParameters().
getEndpointIdentificationAlgorithm();
if (identityAlg != null && !identityAlg.isEmpty()) {
- String hostname = session.getPeerHost();
- X509TrustManagerImpl.checkIdentity(
- hostname, chain[0], identityAlg);
+ X509TrustManagerImpl.checkIdentity(session, chain,
+ identityAlg, checkClientTrusted);
}
// try the best to check the algorithm constraints
@@ -1519,12 +1519,13 @@
constraints = new SSLAlgorithmConstraints(sslSocket, true);
}
- checkAlgorithmConstraints(chain, constraints, isClient);
+ checkAlgorithmConstraints(chain, constraints, checkClientTrusted);
}
}
- private void checkAdditionalTrust(X509Certificate[] chain, String authType,
- SSLEngine engine, boolean isClient) throws CertificateException {
+ private void checkAdditionalTrust(X509Certificate[] chain,
+ String authType, SSLEngine engine,
+ boolean checkClientTrusted) throws CertificateException {
if (engine != null) {
SSLSession session = engine.getHandshakeSession();
if (session == null) {
@@ -1535,9 +1536,8 @@
String identityAlg = engine.getSSLParameters().
getEndpointIdentificationAlgorithm();
if (identityAlg != null && !identityAlg.isEmpty()) {
- String hostname = session.getPeerHost();
- X509TrustManagerImpl.checkIdentity(
- hostname, chain[0], identityAlg);
+ X509TrustManagerImpl.checkIdentity(session, chain,
+ identityAlg, checkClientTrusted);
}
// try the best to check the algorithm constraints
@@ -1559,13 +1559,13 @@
constraints = new SSLAlgorithmConstraints(engine, true);
}
- checkAlgorithmConstraints(chain, constraints, isClient);
+ checkAlgorithmConstraints(chain, constraints, checkClientTrusted);
}
}
private void checkAlgorithmConstraints(X509Certificate[] chain,
AlgorithmConstraints constraints,
- boolean isClient) throws CertificateException {
+ boolean checkClientTrusted) throws CertificateException {
try {
// Does the certificate chain end with a trusted certificate?
int checkedLength = chain.length - 1;
@@ -1584,7 +1584,7 @@
if (checkedLength >= 0) {
AlgorithmChecker checker =
new AlgorithmChecker(constraints, null,
- (isClient ? Validator.VAR_TLS_CLIENT :
+ (checkClientTrusted ? Validator.VAR_TLS_CLIENT :
Validator.VAR_TLS_SERVER));
checker.init(false);
for (int i = checkedLength; i >= 0; i--) {