stan/jdk-24
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

8241039: Retire the deprecated SSLSession.getPeerCertificateChain() method

Browse Source 
Reviewed-by: mullan, alanb, dfuchs
This commit is contained in:
Xue-Lei Andrew Fan 2020-03-20 09:15:00 -07:00
parent 2288788e03
commit d243e40f7b
7 changed files with 26 additions and 408 deletions
src
java.base/share/classes
com/sun/security/cert/internal/x509
X509V1CertImpl.java
javax/net/ssl
HandshakeCompletedEvent.javaSSLSession.java
sun/security/ssl
SSLSessionImpl.java
java.net.http/share/classes/jdk/internal/net/http/common
ImmutableExtendedSSLSession.javaImmutableSSLSession.java
test/jdk/sun/security/ssl/GenSSLConfigs
main.java

335
src/java.base/share/classes/com/sun/security/cert/internal/x509/X509V1CertImpl.java

@ -1,335 +0,0 @@
/*
* Copyright (c) 1997, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package com.sun.security.cert.internal.x509;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.Serializable;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.io.OutputStream;
import java.io.ObjectOutputStream;
import java.math.BigInteger;
import java.security.Signature;
import javax.security.cert.*;
import java.security.*;
import java.util.Date;
import java.util.BitSet;
import java.util.Enumeration;
import java.util.Vector;
/**
* The X509V1CertImpl class is used as a conversion wrapper around
* sun.security.x509.X509Cert certificates when running under JDK1.1.x.
*
* @deprecated This is the implementation class for the deprecated
* {@code javax.security.cert.X509Certificate} class. The classes in the
* {@code java.security.cert} package should be used instead.
*
* @author Jeff Nisewanger
*/
@SuppressWarnings("removal")
@Deprecated(since="9", forRemoval=true)
public class X509V1CertImpl extends X509Certificate implements Serializable {
@java.io.Serial
static final long serialVersionUID = -2048442350420423405L;
private java.security.cert.X509Certificate wrappedCert;
private static synchronized java.security.cert.CertificateFactory
getFactory()
throws java.security.cert.CertificateException
{
return java.security.cert.CertificateFactory.getInstance("X.509");
}
/**
* Default constructor.
*/
public X509V1CertImpl() { }
/**
* Unmarshals a certificate from its encoded form, parsing the
* encoded bytes. This form of constructor is used by agents which
* need to examine and use certificate contents. That is, this is
* one of the more commonly used constructors. Note that the buffer
* must include only a certificate, and no "garbage" may be left at
* the end. If you need to ignore data at the end of a certificate,
* use another constructor.
*
* @param certData the encoded bytes, with no trailing padding.
* @exception CertificateException on parsing errors.
*/
public X509V1CertImpl(byte[] certData)
throws CertificateException {
try {
ByteArrayInputStream bs;
bs = new ByteArrayInputStream(certData);
wrappedCert = (java.security.cert.X509Certificate)
getFactory().generateCertificate(bs);
} catch (java.security.cert.CertificateException e) {
throw new CertificateException(e.getMessage());
}
}
/**
* unmarshals an X.509 certificate from an input stream.
*
* @param in an input stream holding at least one certificate
* @exception CertificateException on parsing errors.
*/
public X509V1CertImpl(InputStream in)
throws CertificateException {
try {
wrappedCert = (java.security.cert.X509Certificate)
getFactory().generateCertificate(in);
} catch (java.security.cert.CertificateException e) {
throw new CertificateException(e.getMessage());
}
}
/**
* Returns the encoded form of this certificate. It is
* assumed that each certificate type would have only a single
* form of encoding; for example, X.509 certificates would
* be encoded as ASN.1 DER.
*/
public byte[] getEncoded() throws CertificateEncodingException {
try {
return wrappedCert.getEncoded();
} catch (java.security.cert.CertificateEncodingException e) {
throw new CertificateEncodingException(e.getMessage());
}
}
/**
* Throws an exception if the certificate was not signed using the
* verification key provided. Successfully verifying a certificate
* does <em>not</em> indicate that one should trust the entity which
* it represents.
*
* @param key the public key used for verification.
*/
public void verify(PublicKey key)
throws CertificateException, NoSuchAlgorithmException,
InvalidKeyException, NoSuchProviderException,
SignatureException
{
try {
wrappedCert.verify(key);
} catch (java.security.cert.CertificateException e) {
throw new CertificateException(e.getMessage());
}
}
/**
* Throws an exception if the certificate was not signed using the
* verification key provided. Successfully verifying a certificate
* does <em>not</em> indicate that one should trust the entity which
* it represents.
*
* @param key the public key used for verification.
* @param sigProvider the name of the provider.
*/
public void verify(PublicKey key, String sigProvider)
throws CertificateException, NoSuchAlgorithmException,
InvalidKeyException, NoSuchProviderException,
SignatureException
{
try {
wrappedCert.verify(key, sigProvider);
} catch (java.security.cert.CertificateException e) {
throw new CertificateException(e.getMessage());
}
}
/**
* Checks that the certificate is currently valid, i.e. the current
* time is within the specified validity period.
*/
public void checkValidity() throws
CertificateExpiredException, CertificateNotYetValidException {
checkValidity(new Date());
}
/**
* Checks that the specified date is within the certificate's
* validity period, or basically if the certificate would be
* valid at the specified date/time.
*
* @param date the Date to check against to see if this certificate
* is valid at that date/time.
*/
public void checkValidity(Date date) throws
CertificateExpiredException, CertificateNotYetValidException {
try {
wrappedCert.checkValidity(date);
} catch (java.security.cert.CertificateNotYetValidException e) {
throw new CertificateNotYetValidException(e.getMessage());
} catch (java.security.cert.CertificateExpiredException e) {
throw new CertificateExpiredException(e.getMessage());
}
}
/**
* Returns a printable representation of the certificate. This does not
* contain all the information available to distinguish this from any
* other certificate. The certificate must be fully constructed
* before this function may be called.
*/
public String toString() {
return wrappedCert.toString();
}
/**
* Gets the publickey from this certificate.
*
* @return the publickey.
*/
public PublicKey getPublicKey() {
PublicKey key = wrappedCert.getPublicKey();
return key;
}
/*
* Gets the version number from the certificate.
*
* @return the version number.
*/
public int getVersion() {
return wrappedCert.getVersion() - 1;
}
/**
* Gets the serial number from the certificate.
*
* @return the serial number.
*/
public BigInteger getSerialNumber() {
return wrappedCert.getSerialNumber();
}
/**
* Gets the subject distinguished name from the certificate.
*
* @return the subject name.
* @exception CertificateException if a parsing error occurs.
*/
public Principal getSubjectDN() {
return wrappedCert.getSubjectDN();
}
/**
* Gets the issuer distinguished name from the certificate.
*
* @return the issuer name.
* @exception CertificateException if a parsing error occurs.
*/
public Principal getIssuerDN() {
return wrappedCert.getIssuerDN();
}
/**
* Gets the notBefore date from the validity period of the certificate.
*
* @return the start date of the validity period.
* @exception CertificateException if a parsing error occurs.
*/
public Date getNotBefore() {
return wrappedCert.getNotBefore();
}
/**
* Gets the notAfter date from the validity period of the certificate.
*
* @return the end date of the validity period.
* @exception CertificateException if a parsing error occurs.
*/
public Date getNotAfter() {
return wrappedCert.getNotAfter();
}
/**
* Gets the signature algorithm name for the certificate
* signature algorithm.
* For example, the string "SHA1/DSA".
*
* @return the signature algorithm name.
* @exception CertificateException if a parsing error occurs.
*/
public String getSigAlgName() {
return wrappedCert.getSigAlgName();
}
/**
* Gets the signature algorithm OID string from the certificate.
* For example, the string "1.2.840.10040.4.3"
*
* @return the signature algorithm oid string.
* @exception CertificateException if a parsing error occurs.
*/
public String getSigAlgOID() {
return wrappedCert.getSigAlgOID();
}
/**
* Gets the DER encoded signature algorithm parameters from this
* certificate's signature algorithm.
*
* @return the DER encoded signature algorithm parameters, or
* null if no parameters are present.
* @exception CertificateException if a parsing error occurs.
*/
public byte[] getSigAlgParams() {
return wrappedCert.getSigAlgParams();
}
@java.io.Serial
private synchronized void writeObject(ObjectOutputStream stream)
throws IOException {
try {
stream.write(getEncoded());
} catch (CertificateEncodingException e) {
throw new IOException("getEncoded failed: " + e.getMessage());
}
}
@java.io.Serial
private synchronized void readObject(ObjectInputStream stream)
throws IOException {
try {
wrappedCert = (java.security.cert.X509Certificate)
getFactory().generateCertificate(stream);
} catch (java.security.cert.CertificateException e) {
throw new IOException("generateCertificate failed: " + e.getMessage());
}
}
public java.security.cert.X509Certificate getX509Certificate() {
return wrappedCert;
}
}

12
src/java.base/share/classes/javax/net/ssl/HandshakeCompletedEvent.java

@ -1,5 +1,5 @@
/*
* Copyright (c) 1997, 2019, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1997, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -157,7 +157,10 @@ public class HandshakeCompletedEvent extends EventObject
* certificate authorities. (The certificates are in
* the original JSSE
* {@link javax.security.cert.X509Certificate} format).
* @exception SSLPeerUnverifiedException if the peer is not verified.
* @throws SSLPeerUnverifiedException if the peer is not verified.
* @throws UnsupportedOperationException if the underlying provider
* does not implement the
* {@link SSLSession#getPeerCertificateChain} operation.
* @see #getPeerPrincipal()
* @deprecated The {@link #getPeerCertificates()} method that returns an
* array of {@code java.security.cert.Certificate} should
@ -166,8 +169,7 @@ public class HandshakeCompletedEvent extends EventObject
@SuppressWarnings("removal")
@Deprecated(since="9", forRemoval=true)
public javax.security.cert.X509Certificate [] getPeerCertificateChain()
throws SSLPeerUnverifiedException
{
throws SSLPeerUnverifiedException {
return session.getPeerCertificateChain();
}
@ -176,7 +178,7 @@ public class HandshakeCompletedEvent extends EventObject
* defining the session.
*
* @return the peer's principal. Returns an X500Principal of the
* end-entity certiticate for X509-based cipher suites, and
* end-entity certificate for X509-based cipher suites, and
* KerberosPrincipal for Kerberos cipher suites.
*
* @throws SSLPeerUnverifiedException if the peer's identity has not

22
src/java.base/share/classes/javax/net/ssl/SSLSession.java

@ -1,5 +1,5 @@
/*
* Copyright (c) 1997, 2019, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1997, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -270,13 +270,19 @@ public interface SSLSession {
* releases. New applications should use
* {@link #getPeerCertificates} instead.</em></p>
*
* @implSpec
* This default implementation throws UnsupportedOperationException.
*
* @return an ordered array of peer X.509 certificates,
* with the peer's own certificate first followed by any
* certificate authorities. (The certificates are in
* the original JSSE certificate
* {@link javax.security.cert.X509Certificate} format.)
* @exception SSLPeerUnverifiedException if the peer's identity
* has not been verified
* @throws SSLPeerUnverifiedException if the peer's identity
* has not been verified.
* @throws UnsupportedOperationException if the underlying provider
* does not implement the operation.
*
* @see #getPeerPrincipal()
* @deprecated The {@link #getPeerCertificates()} method that returns an
* array of {@code java.security.cert.Certificate} should
@ -284,15 +290,19 @@ public interface SSLSession {
*/
@SuppressWarnings("removal")
@Deprecated(since="9", forRemoval=true)
public javax.security.cert.X509Certificate [] getPeerCertificateChain()
throws SSLPeerUnverifiedException;
public default javax.security.cert.X509Certificate[]
getPeerCertificateChain() throws SSLPeerUnverifiedException {
throw new UnsupportedOperationException(
"This method is deprecated and marked for removal. Use the " +
"getPeerCertificates() method instead.");
}
/**
* Returns the identity of the peer which was established as part of
* defining the session.
*
* @return the peer's principal. Returns an X500Principal of the
* end-entity certiticate for X509-based cipher suites, and
* end-entity certificate for X509-based cipher suites, and
* KerberosPrincipal for Kerberos cipher suites.
*
* @throws SSLPeerUnverifiedException if the peer's identity has not

46
src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java

@ -1,5 +1,5 @@
/*
* Copyright (c) 1996, 2019, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1996, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -1071,50 +1071,6 @@ final class SSLSessionImpl extends ExtendedSSLSession {
(java.security.cert.Certificate[])localCerts.clone());
}
/**
* Return the cert chain presented by the peer in the
* javax.security.cert format.
* Note: This method can be used only when using certificate-based
* cipher suites; using it with non-certificate-based cipher suites
* will throw an SSLPeerUnverifiedException.
*
* @return array of peer X.509 certs, with the peer's own cert
* first in the chain, and with the "root" CA last.
*
* @deprecated This method returns the deprecated
* {@code javax.security.cert.X509Certificate} type.
* Use {@code getPeerCertificates()} instead.
*/
@Override
@SuppressWarnings("removal")
@Deprecated(since="9", forRemoval=true)
public javax.security.cert.X509Certificate[] getPeerCertificateChain()
throws SSLPeerUnverifiedException {
//
// clone to preserve integrity of session ... caller can't
// change record of peer identity even by accident, much
// less do it intentionally.
//
if (peerCerts == null) {
throw new SSLPeerUnverifiedException("peer not authenticated");
}
javax.security.cert.X509Certificate[] certs;
certs = new javax.security.cert.X509Certificate[peerCerts.length];
for (int i = 0; i < peerCerts.length; i++) {
byte[] der = null;
try {
der = peerCerts[i].getEncoded();
certs[i] = javax.security.cert.X509Certificate.getInstance(der);
} catch (CertificateEncodingException e) {
throw new SSLPeerUnverifiedException(e.getMessage());
} catch (javax.security.cert.CertificateException e) {
throw new SSLPeerUnverifiedException(e.getMessage());
}
}
return certs;
}
/**
* Return the cert chain presented by the peer.
* Note: This method can be used only when using certificate-based

9
src/java.net.http/share/classes/jdk/internal/net/http/common/ImmutableExtendedSSLSession.java

@ -1,5 +1,5 @@
/*
* Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -92,13 +92,6 @@ public class ImmutableExtendedSSLSession extends ExtendedSSLSession {
return delegate.getLocalCertificates();
}
@SuppressWarnings("removal")
@Deprecated(since="11", forRemoval=true)
public javax.security.cert.X509Certificate [] getPeerCertificateChain()
throws SSLPeerUnverifiedException {
return delegate.getPeerCertificateChain();
}
public Principal getPeerPrincipal()
throws SSLPeerUnverifiedException {
return delegate.getPeerPrincipal();

9
src/java.net.http/share/classes/jdk/internal/net/http/common/ImmutableSSLSession.java

@ -1,5 +1,5 @@
/*
* Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -91,13 +91,6 @@ public class ImmutableSSLSession implements SSLSession {
return delegate.getLocalCertificates();
}
@SuppressWarnings("removal")
@Deprecated(since="11", forRemoval=true)
public javax.security.cert.X509Certificate [] getPeerCertificateChain()
throws SSLPeerUnverifiedException {
return delegate.getPeerCertificateChain();
}
public Principal getPeerPrincipal()
throws SSLPeerUnverifiedException {
return delegate.getPeerPrincipal();

1
test/jdk/sun/security/ssl/GenSSLConfigs/main.java

@ -32,7 +32,6 @@
import java.io.*;
import java.security.SecureRandom;
import java.security.KeyStore;
import javax.security.cert.*;
import java.util.Date;
import java.util.Vector;
import java.util.ArrayList;