8163503: PKCS12 keystore cannot store non-X.509 certificates

Reviewed-by: weijun, xuelei, mullan
2016-08-15 14:25:51 +01:00 · 2016-08-15 14:25:51 +01:00 · 3cde7f3104
commit 3cde7f3104
parent abe8a9eae5
1 changed files with 28 additions and 0 deletions
--- a/jdk/src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java
+++ b/jdk/src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java
@ -580,6 +580,9 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
            Entry entry;

            if (key instanceof PrivateKey) {
+                // Check that all the certs are X.509 certs
+                checkX509Certs(chain);
+
                PrivateKeyEntry keyEntry = new PrivateKeyEntry();
                keyEntry.date = new Date();

@ -690,6 +693,9 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
                                  Certificate[] chain)
        throws KeyStoreException
    {
+        // Check that all the certs are X.509 certs
+        checkX509Certs(chain);
+
        // Private key must be encoded as EncryptedPrivateKeyInfo
        // as defined in PKCS#8
        try {
@ -960,6 +966,13 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
    private void setCertEntry(String alias, Certificate cert,
        Set<KeyStore.Entry.Attribute> attributes) throws KeyStoreException {

+        // Check that the cert is an X.509 cert
+        if (cert != null && (!(cert instanceof X509Certificate))) {
+            throw new KeyStoreException(
+                "Only X.509 certificates are supported - rejecting class: " +
+                cert.getClass().getName());
+        }
+
        Entry entry = entries.get(alias.toLowerCase(Locale.ENGLISH));
        if (entry != null && entry instanceof KeyEntry) {
            throw new KeyStoreException("Cannot overwrite own certificate");
@ -1505,6 +1518,21 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
        return set.size() == certChain.length;
    }

+    /*
+     * Check that all the certificates are X.509 certificates
+     */
+    private static void checkX509Certs(Certificate[] certs)
+            throws KeyStoreException {
+        if (certs != null) {
+            for (Certificate cert : certs) {
+                if (!(cert instanceof X509Certificate)) {
+                    throw new KeyStoreException(
+                        "Only X.509 certificates are supported - " +
+                        "rejecting class: " + cert.getClass().getName());
+                }
+            }
+        }
+    }

    /*
     * Create PKCS#12 Attributes, friendlyName, localKeyId and trustedKeyUsage.