--- a/jdk/src/java.base/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java Wed Feb 08 12:27:45 2017 -0700
+++ b/jdk/src/java.base/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java Wed Feb 08 12:08:28 2017 -0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -33,6 +33,7 @@
import java.util.*;
import sun.security.util.Debug;
+import sun.security.validator.Validator;
import static sun.security.x509.PKIXExtensions.*;
import sun.security.x509.*;
@@ -66,6 +67,20 @@
* an X509CRLSelector with certificateChecking set.
*/
public static Collection<X509CRL> getCRLs(X509CRLSelector selector,
+ boolean signFlag, PublicKey prevKey, String provider,
+ List<CertStore> certStores, boolean[] reasonsMask,
+ Set<TrustAnchor> trustAnchors, Date validity, String variant)
+ throws CertStoreException
+ {
+ return getCRLs(selector, signFlag, prevKey, null, provider, certStores,
+ reasonsMask, trustAnchors, validity, variant);
+ }
+ /**
+ * Return the X509CRLs matching this selector. The selector must be
+ * an X509CRLSelector with certificateChecking set.
+ */
+ // Called by com.sun.deploy.security.RevocationChecker
+ public static Collection<X509CRL> getCRLs(X509CRLSelector selector,
boolean signFlag,
PublicKey prevKey,
String provider,
@@ -76,7 +91,7 @@
throws CertStoreException
{
return getCRLs(selector, signFlag, prevKey, null, provider, certStores,
- reasonsMask, trustAnchors, validity);
+ reasonsMask, trustAnchors, validity, Validator.VAR_GENERIC);
}
/**
@@ -91,7 +106,8 @@
List<CertStore> certStores,
boolean[] reasonsMask,
Set<TrustAnchor> trustAnchors,
- Date validity)
+ Date validity,
+ String variant)
throws CertStoreException
{
X509Certificate cert = selector.getCertificateChecking();
@@ -120,7 +136,7 @@
DistributionPoint point = t.next();
Collection<X509CRL> crls = getCRLs(selector, certImpl,
point, reasonsMask, signFlag, prevKey, prevCert, provider,
- certStores, trustAnchors, validity);
+ certStores, trustAnchors, validity, variant);
results.addAll(crls);
}
if (debug != null) {
@@ -145,7 +161,7 @@
X509CertImpl certImpl, DistributionPoint point, boolean[] reasonsMask,
boolean signFlag, PublicKey prevKey, X509Certificate prevCert,
String provider, List<CertStore> certStores,
- Set<TrustAnchor> trustAnchors, Date validity)
+ Set<TrustAnchor> trustAnchors, Date validity, String variant)
throws CertStoreException {
// check for full name
@@ -208,7 +224,7 @@
selector.setIssuerNames(null);
if (selector.match(crl) && verifyCRL(certImpl, point, crl,
reasonsMask, signFlag, prevKey, prevCert, provider,
- trustAnchors, certStores, validity)) {
+ trustAnchors, certStores, validity, variant)) {
crls.add(crl);
}
} catch (IOException | CRLException e) {
@@ -316,7 +332,7 @@
X509CRL crl, boolean[] reasonsMask, boolean signFlag,
PublicKey prevKey, X509Certificate prevCert, String provider,
Set<TrustAnchor> trustAnchors, List<CertStore> certStores,
- Date validity) throws CRLException, IOException {
+ Date validity, String variant) throws CRLException, IOException {
if (debug != null) {
debug.println("DistributionPointFetcher.verifyCRL: " +
@@ -663,7 +679,7 @@
// check the crl signature algorithm
try {
- AlgorithmChecker.check(prevKey, crl);
+ AlgorithmChecker.check(prevKey, crl, variant);
} catch (CertPathValidatorException cpve) {
if (debug != null) {
debug.println("CRL signature algorithm check failed: " + cpve);