--- a/jdk/src/java.base/share/classes/sun/security/ssl/X509KeyManagerImpl.java Wed Feb 08 12:27:45 2017 -0700
+++ b/jdk/src/java.base/share/classes/sun/security/ssl/X509KeyManagerImpl.java Wed Feb 08 12:08:28 2017 -0800
@@ -39,6 +39,7 @@
import javax.net.ssl.*;
import sun.security.provider.certpath.AlgorithmChecker;
+import sun.security.validator.Validator;
/**
* The new X509 key manager implementation. The main differences to the
@@ -661,6 +662,15 @@
return CheckResult.OK;
}
+
+ public String getValidator() {
+ if (this == CLIENT) {
+ return Validator.VAR_TLS_CLIENT;
+ } else if (this == SERVER) {
+ return Validator.VAR_TLS_SERVER;
+ }
+ return Validator.VAR_GENERIC;
+ }
}
// enum for the result of the extension check
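Review bot: `getValidator()` has no Javadoc and its name suggests it returns a `Validator`, while its three return statements show it yields one of the `Validator.VAR_*` variant strings that the later hunks pass on to `AlgorithmChecker`. Any constant other than `CLIENT` or `SERVER` falls through to `Validator.VAR_GENERIC`, so a check type added later would silently be evaluated under the generic variant rather than a TLS one; that fallback should be stated explicitly. Suggest a comment such as `// Validator variant used for algorithm-constraint checks: TLS client/server for CLIENT/SERVER, generic otherwise`, and, if the name can still change, something like `getValidatorVariant()`. The enclosing enum starts outside the hunk.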
@@ -774,7 +784,8 @@
// check the algorithm constraints
if (constraints != null &&
- !conformsToAlgorithmConstraints(constraints, chain)) {
+ !conformsToAlgorithmConstraints(constraints, chain,
+ checkType.getValidator())) {
if (useDebug) {
debug.println("Ignoring alias " + alias +
@@ -811,9 +822,10 @@
}
private static boolean conformsToAlgorithmConstraints(
- AlgorithmConstraints constraints, Certificate[] chain) {
+ AlgorithmConstraints constraints, Certificate[] chain,
+ String variant) {
- AlgorithmChecker checker = new AlgorithmChecker(constraints);
+ AlgorithmChecker checker = new AlgorithmChecker(constraints, null, variant);
try {
checker.init(false);
} catch (CertPathValidatorException cpve) {
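Review bot: The bare `null` in `new AlgorithmChecker(constraints, null, variant)` gives no hint of what is being omitted, and the constructor's signature is not part of this diff. A short comment naming the parameter would help, e.g. `// null: no explicit validation date` (presumably the date argument; confirm against `AlgorithmChecker`). `variant` is passed through unchecked, which is safe for the one caller shown in the earlier hunk because `getValidator()` never returns null. A one-line comment on this helper that `variant` is expected to be a `Validator.VAR_*` value would document that assumption for later callers. The try block continues outside the hunk.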