--- a/jdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java Wed Feb 08 12:27:45 2017 -0700
+++ b/jdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java Wed Feb 08 12:08:28 2017 -0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1999, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -37,6 +37,7 @@
import sun.security.provider.certpath.AlgorithmChecker;
import sun.security.action.GetPropertyAction;
+import sun.security.validator.Validator;
public abstract class SSLContextImpl extends SSLContextSpi {
@@ -1436,7 +1437,7 @@
constraints = new SSLAlgorithmConstraints(sslSocket, true);
}
- checkAlgorithmConstraints(chain, constraints);
+ checkAlgorithmConstraints(chain, constraints, isClient);
}
}
@@ -1478,12 +1479,12 @@
constraints = new SSLAlgorithmConstraints(engine, true);
}
- checkAlgorithmConstraints(chain, constraints);
+ checkAlgorithmConstraints(chain, constraints, isClient);
}
}
private void checkAlgorithmConstraints(X509Certificate[] chain,
- AlgorithmConstraints constraints) throws CertificateException {
+ AlgorithmConstraints constraints, boolean isClient) throws CertificateException {
try {
// Does the certificate chain end with a trusted certificate?
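Review bot: The new `isClient` parameter in the `checkAlgorithmConstraints` signature is undocumented, yet later in this diff it selects which validator variant the chain is checked against. An inverted value at either call site (the one in this hunk or the one in the hunk at -1436) would silently apply the other side's algorithm policy. The enclosing methods that supply `isClient` are outside the diff, so its meaning cannot be confirmed from here. Presumably it is true when the chain being checked was presented by a client, and a comment on the method should say so, for example `// isClient: true if 'chain' is a client's certificate chain (checkClientTrusted path), false for a server's chain`. The method body continues outside this hunk.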
@@ -1501,7 +1502,9 @@
// A forward checker, need to check from trust to target
if (checkedLength >= 0) {
- AlgorithmChecker checker = new AlgorithmChecker(constraints);
+ AlgorithmChecker checker =
+ new AlgorithmChecker(constraints, null,
+ (isClient ? Validator.VAR_TLS_CLIENT : Validator.VAR_TLS_SERVER));
checker.init(false);
for (int i = checkedLength; i >= 0; i--) {
Certificate cert = chain[i];
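Review bot: The second argument to `new AlgorithmChecker(...)` is a bare `null` with nothing to say which parameter it fills, and the variant is picked by an inline ternary, which makes this policy-selecting call harder to audit than it needs to be. I would hoist the choice into a named local, `String variant = isClient ? Validator.VAR_TLS_CLIENT : Validator.VAR_TLS_SERVER;`, and add a short comment on the `null` naming the parameter and why it is absent here; the constructor is declared in AlgorithmChecker, outside this diff. Because the variant decides which usage-specific constraints apply, a regression test that checks both a client chain and a server chain against a usage-restricted algorithm would pin the mapping. The enclosing method and the `for` loop continue outside the hunk.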