# HG changeset patch # User igerasim # Date 1424426366 -10800 # Node ID 5edfc7a4ac68d5662e7bc6ad637a8a3e2e785e33 # Parent 14ad88b93ed7b1f412d33a892f05422a81a65bd0 8068720: Better certificate options checking Reviewed-by: mullan diff -r 14ad88b93ed7 -r 5edfc7a4ac68 jdk/src/java.base/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java --- a/jdk/src/java.base/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java Wed Feb 18 04:01:33 2015 +0000 +++ b/jdk/src/java.base/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java Fri Feb 20 12:59:26 2015 +0300 @@ -551,10 +551,10 @@ // set interim reasons mask to the intersection of // reasons in the DP and onlySomeReasons in the IDP boolean[] idpReasonFlags = reasons.getFlags(); - for (int i = 0; i < idpReasonFlags.length; i++) { - if (idpReasonFlags[i] && pointReasonFlags[i]) { - interimReasonsMask[i] = true; - } + for (int i = 0; i < interimReasonsMask.length; i++) { + interimReasonsMask[i] = + (i < idpReasonFlags.length && idpReasonFlags[i]) && + (i < pointReasonFlags.length && pointReasonFlags[i]); } } else { // set interim reasons mask to the value of @@ -568,7 +568,6 @@ interimReasonsMask = pointReasonFlags.clone(); } else { // set interim reasons mask to the special value all-reasons - interimReasonsMask = new boolean[9]; Arrays.fill(interimReasonsMask, true); } } @@ -577,7 +576,9 @@ // not included in the reasons mask boolean oneOrMore = false; for (int i = 0; i < interimReasonsMask.length && !oneOrMore; i++) { - if (!reasonsMask[i] && interimReasonsMask[i]) { + if (interimReasonsMask[i] && + !(i < reasonsMask.length && reasonsMask[i])) + { oneOrMore = true; } } @@ -703,11 +704,11 @@ } // update reasonsMask - for (int i = 0; i < interimReasonsMask.length; i++) { - if (!reasonsMask[i] && interimReasonsMask[i]) { - reasonsMask[i] = true; - } + for (int i = 0; i < reasonsMask.length; i++) { + reasonsMask[i] = reasonsMask[i] || + (i < interimReasonsMask.length && interimReasonsMask[i]); } + return true; } diff -r 14ad88b93ed7 -r 5edfc7a4ac68 jdk/src/java.base/share/classes/sun/security/x509/KeyUsageExtension.java --- a/jdk/src/java.base/share/classes/sun/security/x509/KeyUsageExtension.java Wed Feb 18 04:01:33 2015 +0000 +++ b/jdk/src/java.base/share/classes/sun/security/x509/KeyUsageExtension.java Fri Feb 20 12:59:26 2015 +0300 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -83,7 +83,8 @@ * @param position the position in the bit string to check. */ private boolean isSet(int position) { - return bitString[position]; + return (position < bitString.length) && + bitString[position]; } /** @@ -275,41 +276,40 @@ * Returns a printable representation of the KeyUsage. */ public String toString() { - String s = super.toString() + "KeyUsage [\n"; + StringBuilder sb = new StringBuilder(); + sb.append(super.toString()); + sb.append("KeyUsage [\n"); - try { - if (isSet(0)) { - s += " DigitalSignature\n"; - } - if (isSet(1)) { - s += " Non_repudiation\n"; - } - if (isSet(2)) { - s += " Key_Encipherment\n"; - } - if (isSet(3)) { - s += " Data_Encipherment\n"; - } - if (isSet(4)) { - s += " Key_Agreement\n"; - } - if (isSet(5)) { - s += " Key_CertSign\n"; - } - if (isSet(6)) { - s += " Crl_Sign\n"; - } - if (isSet(7)) { - s += " Encipher_Only\n"; - } - if (isSet(8)) { - s += " Decipher_Only\n"; - } - } catch (ArrayIndexOutOfBoundsException ex) {} + if (isSet(0)) { + sb.append(" DigitalSignature\n"); + } + if (isSet(1)) { + sb.append(" Non_repudiation\n"); + } + if (isSet(2)) { + sb.append(" Key_Encipherment\n"); + } + if (isSet(3)) { + sb.append(" Data_Encipherment\n"); + } + if (isSet(4)) { + sb.append(" Key_Agreement\n"); + } + if (isSet(5)) { + sb.append(" Key_CertSign\n"); + } + if (isSet(6)) { + sb.append(" Crl_Sign\n"); + } + if (isSet(7)) { + sb.append(" Encipher_Only\n"); + } + if (isSet(8)) { + sb.append(" Decipher_Only\n"); + } + sb.append("]\n"); - s += "]\n"; - - return (s); + return sb.toString(); } /** diff -r 14ad88b93ed7 -r 5edfc7a4ac68 jdk/src/java.base/share/classes/sun/security/x509/NetscapeCertTypeExtension.java --- a/jdk/src/java.base/share/classes/sun/security/x509/NetscapeCertTypeExtension.java Wed Feb 18 04:01:33 2015 +0000 +++ b/jdk/src/java.base/share/classes/sun/security/x509/NetscapeCertTypeExtension.java Fri Feb 20 12:59:26 2015 +0300 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1998, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1998, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -136,7 +136,8 @@ * @param position the position in the bit string to check. */ private boolean isSet(int position) { - return bitString[position]; + return (position < bitString.length) && + bitString[position]; } /** @@ -236,27 +237,34 @@ * Returns a printable representation of the NetscapeCertType. */ public String toString() { - String s = super.toString() + "NetscapeCertType [\n"; + StringBuilder sb = new StringBuilder(); + sb.append(super.toString()); + sb.append("NetscapeCertType [\n"); - try { - if (isSet(getPosition(SSL_CLIENT))) - s += " SSL client\n"; - if (isSet(getPosition(SSL_SERVER))) - s += " SSL server\n"; - if (isSet(getPosition(S_MIME))) - s += " S/MIME\n"; - if (isSet(getPosition(OBJECT_SIGNING))) - s += " Object Signing\n"; - if (isSet(getPosition(SSL_CA))) - s += " SSL CA\n"; - if (isSet(getPosition(S_MIME_CA))) - s += " S/MIME CA\n"; - if (isSet(getPosition(OBJECT_SIGNING_CA))) - s += " Object Signing CA" ; - } catch (Exception e) { } + if (isSet(0)) { + sb.append(" SSL client\n"); + } + if (isSet(1)) { + sb.append(" SSL server\n"); + } + if (isSet(2)) { + sb.append(" S/MIME\n"); + } + if (isSet(3)) { + sb.append(" Object Signing\n"); + } + if (isSet(5)) { + sb.append(" SSL CA\n"); + } + if (isSet(6)) { + sb.append(" S/MIME CA\n"); + } + if (isSet(7)) { + sb.append(" Object Signing CA"); + } - s += "]\n"; - return (s); + sb.append("]\n"); + return sb.toString(); } /** diff -r 14ad88b93ed7 -r 5edfc7a4ac68 jdk/src/java.base/share/classes/sun/security/x509/ReasonFlags.java --- a/jdk/src/java.base/share/classes/sun/security/x509/ReasonFlags.java Wed Feb 18 04:01:33 2015 +0000 +++ b/jdk/src/java.base/share/classes/sun/security/x509/ReasonFlags.java Fri Feb 20 12:59:26 2015 +0300 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2006, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -99,7 +99,8 @@ * @param position the position in the bit string to check. */ private boolean isSet(int position) { - return bitString[position]; + return (position < bitString.length) && + bitString[position]; } /** @@ -199,23 +200,38 @@ * Returns a printable representation of the ReasonFlags. */ public String toString() { - String s = "Reason Flags [\n"; + StringBuilder sb = new StringBuilder("Reason Flags [\n"); - try { - if (isSet(0)) s += " Unused\n"; - if (isSet(1)) s += " Key Compromise\n"; - if (isSet(2)) s += " CA Compromise\n"; - if (isSet(3)) s += " Affiliation_Changed\n"; - if (isSet(4)) s += " Superseded\n"; - if (isSet(5)) s += " Cessation Of Operation\n"; - if (isSet(6)) s += " Certificate Hold\n"; - if (isSet(7)) s += " Privilege Withdrawn\n"; - if (isSet(8)) s += " AA Compromise\n"; - } catch (ArrayIndexOutOfBoundsException ex) {} + if (isSet(0)) { + sb.append(" Unused\n"); + } + if (isSet(1)) { + sb.append(" Key Compromise\n"); + } + if (isSet(2)) { + sb.append(" CA Compromise\n"); + } + if (isSet(3)) { + sb.append(" Affiliation_Changed\n"); + } + if (isSet(4)) { + sb.append(" Superseded\n"); + } + if (isSet(5)) { + sb.append(" Cessation Of Operation\n"); + } + if (isSet(6)) { + sb.append(" Certificate Hold\n"); + } + if (isSet(7)) { + sb.append(" Privilege Withdrawn\n"); + } + if (isSet(8)) { + sb.append(" AA Compromise\n"); + } + sb.append("]\n"); - s += "]\n"; - - return (s); + return sb.toString(); } /**