8163503: PKCS12 keystore cannot store non-X.509 certificates

Reviewed-by: weijun, xuelei, mullan
Vinnie Ryan 2016-08-15 14:25:51 +01:00
parent abe8a9eae5
commit 3cde7f3104


@ -580,6 +580,9 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
Entry entry; Entry entry;
if (key instanceof PrivateKey) { if (key instanceof PrivateKey) {
// Check that all the certs are X.509 certs
checkX509Certs(chain);
PrivateKeyEntry keyEntry = new PrivateKeyEntry(); PrivateKeyEntry keyEntry = new PrivateKeyEntry();
keyEntry.date = new Date(); keyEntry.date = new Date();
@ -690,6 +693,9 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
Certificate[] chain) Certificate[] chain)
throws KeyStoreException throws KeyStoreException
{ {
// Check that all the certs are X.509 certs
checkX509Certs(chain);
// Private key must be encoded as EncryptedPrivateKeyInfo // Private key must be encoded as EncryptedPrivateKeyInfo
// as defined in PKCS#8 // as defined in PKCS#8
try { try {
@ -960,6 +966,13 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
private void setCertEntry(String alias, Certificate cert, private void setCertEntry(String alias, Certificate cert,
Set<KeyStore.Entry.Attribute> attributes) throws KeyStoreException { Set<KeyStore.Entry.Attribute> attributes) throws KeyStoreException {
// Check that the cert is an X.509 cert
if (cert != null && (!(cert instanceof X509Certificate))) {
throw new KeyStoreException(
"Only X.509 certificates are supported - rejecting class: " +
cert.getClass().getName());
}
Entry entry = entries.get(alias.toLowerCase(Locale.ENGLISH)); Entry entry = entries.get(alias.toLowerCase(Locale.ENGLISH));
if (entry != null && entry instanceof KeyEntry) { if (entry != null && entry instanceof KeyEntry) {
throw new KeyStoreException("Cannot overwrite own certificate"); throw new KeyStoreException("Cannot overwrite own certificate");
@ -1505,6 +1518,21 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
return set.size() == certChain.length; return set.size() == certChain.length;
} }
/*
* Check that all the certificates are X.509 certificates
*/
private static void checkX509Certs(Certificate[] certs)
throws KeyStoreException {
if (certs != null) {
for (Certificate cert : certs) {
if (!(cert instanceof X509Certificate)) {
throw new KeyStoreException(
"Only X.509 certificates are supported - " +
"rejecting class: " + cert.getClass().getName());
}
}
}
}
/* /*
* Create PKCS#12 Attributes, friendlyName, localKeyId and trustedKeyUsage. * Create PKCS#12 Attributes, friendlyName, localKeyId and trustedKeyUsage.