From 3cde7f31044a2b9a3ae95ec353b23016ab60da89 Mon Sep 17 00:00:00 2001
From: Vinnie Ryan
Date: Mon, 15 Aug 2016 14:25:51 +0100
Subject: [PATCH] 8163503: PKCS12 keystore cannot store non-X.509 certificates

Reviewed-by: weijun, xuelei, mullan
---
 .../sun/security/pkcs12/PKCS12KeyStore.java | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/jdk/src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java b/jdk/src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java
index 1c176f9fa24..4e7d546583f 100644
--- a/jdk/src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java
+++ b/jdk/src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java
@@ -580,6 +580,9 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
         Entry entry;
 
         if (key instanceof PrivateKey) {
+            // Check that all the certs are X.509 certs
+            checkX509Certs(chain);
+
             PrivateKeyEntry keyEntry = new PrivateKeyEntry();
             keyEntry.date = new Date();
 
@@ -690,6 +693,9 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
                                 Certificate[] chain)
         throws KeyStoreException
     {
+        // Check that all the certs are X.509 certs
+        checkX509Certs(chain);
+
         // Private key must be encoded as EncryptedPrivateKeyInfo
         // as defined in PKCS#8
         try {
@@ -960,6 +966,13 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
     private void setCertEntry(String alias, Certificate cert,
         Set attributes) throws KeyStoreException {
 
+        // Check that the cert is an X.509 cert
+        if (cert != null && (!(cert instanceof X509Certificate))) {
+            throw new KeyStoreException(
+                "Only X.509 certificates are supported - rejecting class: " +
+                cert.getClass().getName());
+        }
+
         Entry entry = entries.get(alias.toLowerCase(Locale.ENGLISH));
         if (entry != null && entry instanceof KeyEntry) {
             throw new KeyStoreException("Cannot overwrite own certificate");
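Review bot: A null element inside `chain` is reported as a NullPointerException rather than the KeyStoreException this new check promises, because `checkX509Certs` (added in the last hunk, whose end lies outside this view) guards only the array reference, `null instanceof X509Certificate` is false, and the throw path then dereferences `cert.getClass()`. The same call is added in the next hunk for the byte[]-key overload of engineSetKeyEntry, so both entry points inherit the behaviour. In the helper, testing `if (cert == null || !(cert instanceof X509Certificate))` and building the message with `(cert == null ? "null" : cert.getClass().getName())` keeps the failure inside the documented exception type; whether chain elements are already validated non-null before this point is not visible from the hunk. engineSetKeyEntry's body continues outside the hunk.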
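Review bot: The per-certificate test and its error message added to setCertEntry duplicate the ones in the new `checkX509Certs` helper, with the string literal split differently in each place, so the two will drift apart on the next edit; a single-certificate helper that the array version loops over would keep the check and the wording in one place. The redundant parentheses in the new condition can be dropped: `if (cert != null && !(cert instanceof X509Certificate)) {`. A null `cert` still falls through to the existing entry handling below, which may be intentional for callers that clear a certificate — I cannot tell from the hunk. setCertEntry's body continues outside the hunk.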
@@ -1505,6 +1518,21 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
         return set.size() == certChain.length;
     }
+    /*
+     * Check that all the certificates are X.509 certificates
+     */
+    private static void checkX509Certs(Certificate[] certs)
+            throws KeyStoreException {
+        if (certs != null) {
+            for (Certificate cert : certs) {
+                if (!(cert instanceof X509Certificate)) {
+                    throw new KeyStoreException(
+                        "Only X.509 certificates are supported - " +
+                        "rejecting class: " + cert.getClass().getName());
+                }
+            }
+        }
+    }
     /*
      * Create PKCS#12 Attributes, friendlyName, localKeyId and trustedKeyUsage.