8297955: LDAP CertStore should use LdapName and not String for DNs
Reviewed-by: weijun, rhalade
This commit is contained in:
parent
d23a8bfb14
commit
df9aad018a
@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright (c) 2015, 2021, Oracle and/or its affiliates. All rights reserved.
|
* Copyright (c) 2015, 2023, Oracle and/or its affiliates. All rights reserved.
|
||||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||||
*
|
*
|
||||||
* This code is free software; you can redistribute it and/or modify it
|
* This code is free software; you can redistribute it and/or modify it
|
||||||
@ -44,6 +44,7 @@ import java.security.cert.*;
|
|||||||
import javax.naming.CommunicationException;
|
import javax.naming.CommunicationException;
|
||||||
import javax.naming.ldap.InitialLdapContext;
|
import javax.naming.ldap.InitialLdapContext;
|
||||||
import javax.naming.ldap.LdapContext;
|
import javax.naming.ldap.LdapContext;
|
||||||
|
import javax.naming.ldap.LdapName;
|
||||||
import javax.security.auth.x500.X500Principal;
|
import javax.security.auth.x500.X500Principal;
|
||||||
|
|
||||||
import com.sun.jndi.ldap.LdapReferralException;
|
import com.sun.jndi.ldap.LdapReferralException;
|
||||||
@ -218,16 +219,23 @@ final class LDAPCertStoreImpl {
|
|||||||
*/
|
*/
|
||||||
private class LDAPRequest {
|
private class LDAPRequest {
|
||||||
|
|
||||||
private final String name;
|
private final LdapName name;
|
||||||
private Map<String, byte[][]> valueMap;
|
private Map<String, byte[][]> valueMap;
|
||||||
private final List<String> requestedAttributes;
|
private final List<String> requestedAttributes;
|
||||||
|
|
||||||
LDAPRequest(String name) throws CertStoreException {
|
LDAPRequest(String name) throws CertStoreException {
|
||||||
this.name = checkName(name);
|
try {
|
||||||
|
// Convert DN to an LdapName so that it is not treated as a
|
||||||
|
// composite name by JNDI. In JNDI, using a string name is
|
||||||
|
// equivalent to calling new CompositeName(stringName).
|
||||||
|
this.name = new LdapName(name);
|
||||||
|
} catch (InvalidNameException ine) {
|
||||||
|
throw new CertStoreException("Invalid name: " + name, ine);
|
||||||
|
}
|
||||||
requestedAttributes = new ArrayList<>(5);
|
requestedAttributes = new ArrayList<>(5);
|
||||||
}
|
}
|
||||||
|
|
||||||
private String checkName(String name) throws CertStoreException {
|
private static String checkName(String name) throws CertStoreException {
|
||||||
if (name == null) {
|
if (name == null) {
|
||||||
throw new CertStoreException("Name absent");
|
throw new CertStoreException("Name absent");
|
||||||
}
|
}
|
||||||
@ -321,6 +329,9 @@ final class LDAPCertStoreImpl {
|
|||||||
if (newDn != null && newDn.charAt(0) == '/') {
|
if (newDn != null && newDn.charAt(0) == '/') {
|
||||||
newDn = newDn.substring(1);
|
newDn = newDn.substring(1);
|
||||||
}
|
}
|
||||||
|
// In JNDI, it is not possible to use an LdapName for
|
||||||
|
// the referral DN, so we must validate the syntax of
|
||||||
|
// the string DN.
|
||||||
checkName(newDn);
|
checkName(newDn);
|
||||||
} catch (Exception e) {
|
} catch (Exception e) {
|
||||||
throw new NamingException("Cannot follow referral to "
|
throw new NamingException("Cannot follow referral to "
|
||||||
@ -371,7 +382,7 @@ final class LDAPCertStoreImpl {
|
|||||||
* or does not contain any values, a zero length byte array is
|
* or does not contain any values, a zero length byte array is
|
||||||
* returned. NOTE that it is assumed that all values are byte arrays.
|
* returned. NOTE that it is assumed that all values are byte arrays.
|
||||||
*/
|
*/
|
||||||
private byte[][] getAttributeValues(Attribute attr)
|
private static byte[][] getAttributeValues(Attribute attr)
|
||||||
throws NamingException {
|
throws NamingException {
|
||||||
byte[][] values;
|
byte[][] values;
|
||||||
if (attr == null) {
|
if (attr == null) {
|
||||||
|
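Review bot: The new LDAPRequest constructor no longer passes the DN through checkName before `new LdapName(name)`, so a null name is presumably reported as a NullPointerException out of LdapName's parser instead of the CertStoreException("Name absent") the old code threw; if callers can pass null, keep the guard, `this.name = new LdapName(checkName(name));`, so both the null case and syntax errors surface as CertStoreException. The field is declared `final LdapName name`, but LdapName is a mutable class, so it should not be handed out to callers without a copy — whether it is exposed cannot be seen from these hunks. On the referral path (third hunk) a String DN still has to reach JNDI, as the added comment says, so checkName is the only check there; its Javadoc should state what syntax it enforces and that it guards the referral DN, since the constructor no longer depends on it. The LDAPCertStoreImpl class and the LDAPRequest body continue outside the hunks.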
@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright (c) 2017, 2022, Oracle and/or its affiliates. All rights reserved.
|
* Copyright (c) 2017, 2023, Oracle and/or its affiliates. All rights reserved.
|
||||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||||
*
|
*
|
||||||
* This code is free software; you can redistribute it and/or modify it
|
* This code is free software; you can redistribute it and/or modify it
|
||||||
@ -144,27 +144,26 @@ public class ActalisCA {
|
|||||||
"rjhpn3C/NptVyZgT8bL4XT5ITrAjwPciBj0yxYzUkrLZO1wKQSQ=\n" +
|
"rjhpn3C/NptVyZgT8bL4XT5ITrAjwPciBj0yxYzUkrLZO1wKQSQ=\n" +
|
||||||
"-----END CERTIFICATE-----";
|
"-----END CERTIFICATE-----";
|
||||||
|
|
||||||
// Owner: CN=ssltest-revoked.actalis.it, O=Actalis S.p.A., L=Ponte San Pietro,
|
// Owner: CN=ssltest-revoked.actalis.it, O=Actalis S.p.A., L=Ponte San Pietro, ST=Bergamo, C=IT
|
||||||
// ST=Bergamo, C=IT
|
// Issuer: CN=Actalis Organization Validated Server CA G3, O=Actalis S.p.A.,
|
||||||
// Issuer: CN=Actalis Organization Validated Server CA G3, O=Actalis S.p .A.,
|
// L=Ponte San Pietro, ST=Bergamo, C=IT
|
||||||
// L=Ponte San Pietro, ST=Bergamo, C=IT
|
// Serial number: 320955171b78d49507508910da2c5bc4
|
||||||
// Serial number: 3dbdba0fefe7c6bd978220de52ffe3b2
|
// Valid from: Tue Sep 27 03:40:43 PDT 2022 until: Wed Sep 27 03:40:43 PDT 2023
|
||||||
// Valid from: Fri Oct 08 02:23:49 PDT 2021 until: Sat Oct 08 02:23:49 PDT 2022
|
|
||||||
private static final String REVOKED = "-----BEGIN CERTIFICATE-----\n" +
|
private static final String REVOKED = "-----BEGIN CERTIFICATE-----\n" +
|
||||||
"MIIH1zCCBb+gAwIBAgIQPb26D+/nxr2XgiDeUv/jsjANBgkqhkiG9w0BAQsFADCB\n" +
|
"MIIH1TCCBb2gAwIBAgIQMglVFxt41JUHUIkQ2ixbxDANBgkqhkiG9w0BAQsFADCB\n" +
|
||||||
"iTELMAkGA1UEBhMCSVQxEDAOBgNVBAgMB0JlcmdhbW8xGTAXBgNVBAcMEFBvbnRl\n" +
|
"iTELMAkGA1UEBhMCSVQxEDAOBgNVBAgMB0JlcmdhbW8xGTAXBgNVBAcMEFBvbnRl\n" +
|
||||||
"IFNhbiBQaWV0cm8xFzAVBgNVBAoMDkFjdGFsaXMgUy5wLkEuMTQwMgYDVQQDDCtB\n" +
|
"IFNhbiBQaWV0cm8xFzAVBgNVBAoMDkFjdGFsaXMgUy5wLkEuMTQwMgYDVQQDDCtB\n" +
|
||||||
"Y3RhbGlzIE9yZ2FuaXphdGlvbiBWYWxpZGF0ZWQgU2VydmVyIENBIEczMB4XDTIx\n" +
|
"Y3RhbGlzIE9yZ2FuaXphdGlvbiBWYWxpZGF0ZWQgU2VydmVyIENBIEczMB4XDTIy\n" +
|
||||||
"MTAwODA5MjM0OVoXDTIyMTAwODA5MjM0OVoweDELMAkGA1UEBhMCSVQxEDAOBgNV\n" +
|
"MDkyNzEwNDA0M1oXDTIzMDkyNzEwNDA0M1oweDELMAkGA1UEBhMCSVQxEDAOBgNV\n" +
|
||||||
"BAgMB0JlcmdhbW8xGTAXBgNVBAcMEFBvbnRlIFNhbiBQaWV0cm8xFzAVBgNVBAoM\n" +
|
"BAgMB0JlcmdhbW8xGTAXBgNVBAcMEFBvbnRlIFNhbiBQaWV0cm8xFzAVBgNVBAoM\n" +
|
||||||
"DkFjdGFsaXMgUy5wLkEuMSMwIQYDVQQDDBpzc2x0ZXN0LXJldm9rZWQuYWN0YWxp\n" +
|
"DkFjdGFsaXMgUy5wLkEuMSMwIQYDVQQDDBpzc2x0ZXN0LXJldm9rZWQuYWN0YWxp\n" +
|
||||||
"cy5pdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPPgHusiIPuBvyPF\n" +
|
"cy5pdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKdBnbeFtw/Ejp1U\n" +
|
||||||
"5lvUnfRraGomDTTJ4FBHomWJgbyTcfjJ6WqP5p6dwcRTyXT1U/odp5bxSYGBpj31\n" +
|
"gr86BQ5rqgGXWWXb7fsOhPb5On9RXTojg6oaeIV4GxHsMZhEDKQdcZ6JWAo2dbtp\n" +
|
||||||
"1zi1tqtJGxuXauTytKUPL1pOXOD4V9JpOL9VetDZS5Lvo3bnAjGLJA/Bqr7VRmMY\n" +
|
"/7ereFEDWG/YJahLHFZ/ihXG4AmfObYEhoGbKitW75fOs/aWC7Veck/sXsw7cjLW\n" +
|
||||||
"l9LiGjIlJcSCQWCDxcHDkJA/4Vrmek6z1Pwzz/OjkBYRJ3T75qlWtTh/8ZhvnKxs\n" +
|
"GY623ybcF9DBExg3S4uLRaSkv5hXUDu/CzphUgwiEd5YNBZjcryOiS8+Y5EQ+2q+\n" +
|
||||||
"WAeHD/n0hLshMbqke2CuGHGC1+tAUlb8ZzIZjdVKoWL4VrQPN0NzgQF2jX6AS/ru\n" +
|
"g+tdRG9m5G5YxeHWgQz2HDDwLDsJhWkb8/RsUurU/I+avHPhYk13K5Ysf311gww8\n" +
|
||||||
"NNO3UrvwjD2Us9YUrDxxQLCw0LT/TkchhYWp675mY/e1EjoX+vnXpO3J3CMEfCv5\n" +
|
"bAsplfdJ2gdn8Is+EAEH4GJHqMybC95YDh1w5dY7dk/lIoNX4hYUIQimirIr3OW8\n" +
|
||||||
"aVtXzusCAwEAAaOCA0kwggNFMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUn4qx\n" +
|
"Svkj1G8CAwEAAaOCA0cwggNDMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUn4qx\n" +
|
||||||
"tfGx3oL0J3y+iM3eqUOBo0swfgYIKwYBBQUHAQEEcjBwMDsGCCsGAQUFBzAChi9o\n" +
|
"tfGx3oL0J3y+iM3eqUOBo0swfgYIKwYBBQUHAQEEcjBwMDsGCCsGAQUFBzAChi9o\n" +
|
||||||
"dHRwOi8vY2FjZXJ0LmFjdGFsaXMuaXQvY2VydHMvYWN0YWxpcy1hdXRob3ZnMzAx\n" +
|
"dHRwOi8vY2FjZXJ0LmFjdGFsaXMuaXQvY2VydHMvYWN0YWxpcy1hdXRob3ZnMzAx\n" +
|
||||||
"BggrBgEFBQcwAYYlaHR0cDovL29jc3AwOS5hY3RhbGlzLml0L1ZBL0FVVEhPVi1H\n" +
|
"BggrBgEFBQcwAYYlaHR0cDovL29jc3AwOS5hY3RhbGlzLml0L1ZBL0FVVEhPVi1H\n" +
|
||||||
@ -172,54 +171,47 @@ public class ActalisCA {
|
|||||||
"SjBIMDwGBiuBHwEUATAyMDAGCCsGAQUFBwIBFiRodHRwczovL3d3dy5hY3RhbGlz\n" +
|
"SjBIMDwGBiuBHwEUATAyMDAGCCsGAQUFBwIBFiRodHRwczovL3d3dy5hY3RhbGlz\n" +
|
||||||
"Lml0L2FyZWEtZG93bmxvYWQwCAYGZ4EMAQICMB0GA1UdJQQWMBQGCCsGAQUFBwMC\n" +
|
"Lml0L2FyZWEtZG93bmxvYWQwCAYGZ4EMAQICMB0GA1UdJQQWMBQGCCsGAQUFBwMC\n" +
|
||||||
"BggrBgEFBQcDATBIBgNVHR8EQTA/MD2gO6A5hjdodHRwOi8vY3JsMDkuYWN0YWxp\n" +
|
"BggrBgEFBQcDATBIBgNVHR8EQTA/MD2gO6A5hjdodHRwOi8vY3JsMDkuYWN0YWxp\n" +
|
||||||
"cy5pdC9SZXBvc2l0b3J5L0FVVEhPVi1HMy9nZXRMYXN0Q1JMMB0GA1UdDgQWBBTe\n" +
|
"cy5pdC9SZXBvc2l0b3J5L0FVVEhPVi1HMy9nZXRMYXN0Q1JMMB0GA1UdDgQWBBS6\n" +
|
||||||
"jnmMDJmWf46bs3abftL18WTLPzAOBgNVHQ8BAf8EBAMCBaAwggGABgorBgEEAdZ5\n" +
|
"o8qJpg3ixoyA2QBayptaTfc+5DAOBgNVHQ8BAf8EBAMCBaAwggF+BgorBgEEAdZ5\n" +
|
||||||
"AgQCBIIBcASCAWwBagB2AFWB1MIWkDYBSuoLm1c8U/DA5Dh4cCUIFy+jqh0HE9MM\n" +
|
"AgQCBIIBbgSCAWoBaAB2AK33vvp8/xDIi509nB4+GGq0Zyldz7EMJMqFhjTr3IKK\n" +
|
||||||
"AAABfF9AbyoAAAQDAEcwRQIgb4G8Pbdfmo9KKxA1AXSB6MGNWb5SzDbKK12xR6/d\n" +
|
"AAABg36SGRYAAAQDAEcwRQIgDXxSCQGfcIYroxNiDJg08IX38Y9+r5CC6T4NeW14\n" +
|
||||||
"gvQCIQDlIsOyHxCDIPGFIRgKrsKH1nHj2DQ++7J1V5g9r/JNwwB3AFGjsPX9AXmc\n" +
|
"FzgCIQDdEhEYsGIWpwyrnTLr4RFB5CMEq+84dByNT07UYkiVwwB2AHoyjFTYty22\n" +
|
||||||
"Vm24N3iPDKR6zBsny/eeiEKaDf7UiwXlAAABfF9Aby0AAAQDAEgwRgIhAO7xBWad\n" +
|
"IOo44FIe6YQWcDIThU070ivBOlejUutSAAABg36SGTUAAAQDAEcwRQIgL2ig9RrM\n" +
|
||||||
"yewERj1dP5Uebb4K4AFI/1CDhVljDDJ/hejTAiEAzQH3I6FyCBfT92HeMB3AonNC\n" +
|
"FPWESGRYGJJJYRHdcayHev66jawrf98saN8CIQD/CInlI3Vo7SBzzN/4uykjYsFZ\n" +
|
||||||
"HaNEXSzmwksP6umHAzYAdwBGpVXrdfqRIDC1oolp9PN9ESxBdL79SbiFq/L8cP5t\n" +
|
"u9RypT6AYv6AHPlNdQB2AG9Tdqwx8DEZ2JkApFEV/3cVHBHZAsEAKQaNsgiaN9kT\n" +
|
||||||
"RwAAAXxfQG70AAAEAwBIMEYCIQCCkh1gHDflb+PNRy3T7AEBvHf/ZlFKpZcMMz2N\n" +
|
"AAABg36SGU0AAAQDAEcwRQIhAOCD/dOs4HjyC+GQaQRh4U+/mUwWyu+CnlHdebmD\n" +
|
||||||
"4RV04QIhAJHrg7WiSAOW0qN3Xx5FCqm+GBomtByHlY8qg9F4VTEmMA0GCSqGSIb3\n" +
|
"hAvFAiAvBE0rbxgm8TpZLG2TaMk3dqZj7Q6FFdLlqTsvwhKa3jANBgkqhkiG9w0B\n" +
|
||||||
"DQEBCwUAA4ICAQBfsH+q/ZIUIrIz4JsN8Ac8Rfbr0p1jqWc7WNyPKgDzxiI92T5O\n" +
|
"AQsFAAOCAgEAEnPALMVp1pySJgHhugLWAUgiD6stpDWCKfaBxPr+jf34A5wS+m5r\n" +
|
||||||
"IjJty1sshsoWct4hLmCk0nqTt2/Pvk76RUSvpneVh9lrmmnxOUeu/PxykYzOQoYq\n" +
|
"2VhYyNQpOwIQB76K2RSJQrdpg7Dg2L6EiUnbbClSTrOkZ4XX5ggBIjldDEx4ZxhI\n" +
|
||||||
"gGvXQrDPc0R1Q/gt2Q8Orcow/TTNpbWjZYhlOmT8JHUCpUgfKm00xCWayWRVMyZH\n" +
|
"zwSw4KB6+DDAVMwsCL0q0E7AAPOMaZ0RDLteusqQYIYm08TXfJPWD8LjQPt/8Uie\n" +
|
||||||
"lFFOHcM7+1cngXC7rkGESB0pmdkJ3Zh0fhYYdhjltZJOScO3wGCH5UtlvgbcZkYh\n" +
|
"LOqm1eLUuwJc+eHFWV+Xr8Uea6SFwqNEj7qPHb2MElctET/MhSIIUKI1ObmrFwyB\n" +
|
||||||
"h1NMdp/yveucVwNajHGIzJ56KyFcxHrXlqIhV8HslyrSvFHQklETLyAJBt8uLoVi\n" +
|
"ElKEPaUh9L0HXpnuD8IWc7tw2mdvnWJhuGG8G6JkasTGvtZ4gKIDBdTrJcuj7MCS\n" +
|
||||||
"W4ytCS11qHFcSv9D5btlGqqpub6XicRwM1jGRvD/odrTuRetT8Wi4qB0XeDGmaG8\n" +
|
"amz3ZBCY47tP1ohgImjqwg4ITYjX6UQXgj/nBVDdu+nXkEhx16uPJkTYWaun9Nio\n" +
|
||||||
"al9Z6HEZoxTQ5+Pb0xIu5FOF7rC5p/BjqDxGlKBCFWyhEwR7T17javCLMNQGCQMc\n" +
|
"8RjYIOxXmDD39QbGUElP0Epsr2wcVT9tIFYMGzUpIO51mCk3Aq1AmiQZwZZhqOIN\n" +
|
||||||
"LsLG8iUjPSQB/wiJ8RtruU7kEQrEoxRJjJLIfkLt9ti8C3yK7T7SCPBdoeM6CyI/\n" +
|
"RDx7lGESPj3IgdVfJi9Ing/OUNtS46Ug9DSuDcGqdY7KnTYEUdWGsUJNtnpjd4lS\n" +
|
||||||
"V5p7FDcvBXtDPukWTnPQ2DtUUGw8244QLWavFoHbvFekzlm2GWZYTPEwlaNAcwmg\n" +
|
"U6oIAeW1aKuOve6iNg1vsFAN57aJNh1ih3BOup58J9ve42bNlAYWN8wiNxM+Aeba\n" +
|
||||||
"0ZpxphiuMoouwud1Oaa1xzToPn+iyIjun8+wkB+rbaenIMSpqwWk8s3jtmconGKP\n" +
|
"ArUSTnH/QEYCyMRD0XqIREVR9VhNODgSZbL3XedYBAW9wImi1whp+u+8aReXd7lC\n" +
|
||||||
"JCJvmsfAxAXrAy4Iizums4Z1kPN1ApfNIoPprTfu5cSza3xeOMq0txkERQ==\n" +
|
"Q3kD9KRyfZ9Kk05Glf3DsZMWvp1N2ZZWaU2Ms5U3ijUheCiBrqrs8a8=\n" +
|
||||||
"-----END CERTIFICATE-----";
|
"-----END CERTIFICATE-----";
|
||||||
|
|
||||||
public static void main(String[] args) throws Exception {
|
public static void main(String[] args) throws Exception {
|
||||||
|
|
||||||
ValidatePathWithParams pathValidator = new ValidatePathWithParams(null);
|
ValidatePathWithParams pathValidator = new ValidatePathWithParams(null);
|
||||||
boolean ocspEnabled = false;
|
|
||||||
|
|
||||||
if (args.length >= 1 && "CRL".equalsIgnoreCase(args[0])) {
|
if (args.length >= 1 && "CRL".equalsIgnoreCase(args[0])) {
|
||||||
pathValidator.enableCRLCheck();
|
pathValidator.enableCRLCheck();
|
||||||
} else {
|
} else {
|
||||||
// OCSP check by default
|
// OCSP check by default
|
||||||
pathValidator.enableOCSPCheck();
|
pathValidator.enableOCSPCheck();
|
||||||
ocspEnabled = true;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Validate valid
|
// Validate valid
|
||||||
pathValidator.validate(new String[]{VALID, INT},
|
pathValidator.validate(new String[]{VALID, INT},
|
||||||
ValidatePathWithParams.Status.GOOD, null, System.out);
|
ValidatePathWithParams.Status.GOOD, null, System.out);
|
||||||
|
|
||||||
if (ocspEnabled) {
|
|
||||||
// Revoked test certificate will expire in Oct 2022
|
|
||||||
pathValidator.setValidationDate("June 01, 2022");
|
|
||||||
}
|
|
||||||
|
|
||||||
// Validate Revoked
|
// Validate Revoked
|
||||||
pathValidator.validate(new String[]{REVOKED, INT},
|
pathValidator.validate(new String[]{REVOKED, INT},
|
||||||
ValidatePathWithParams.Status.REVOKED,
|
ValidatePathWithParams.Status.REVOKED,
|
||||||
"Mon Mar 07 06:11:11 PST 2022", System.out);
|
"Tue Sep 27 03:52:40 PDT 2022", System.out);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
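Review bot: Removing the `ocspEnabled` / `setValidationDate` block leaves the REVOKED check with no pinned validation date, and the replacement certificate's header comment says it is valid only until Wed Sep 27 03:40:43 PDT 2023, so after that date the test will presumably fail on expiry rather than assert revocation — the same situation the removed date pin was working around for the previous certificate. Either keep a date pin for the OCSP path, e.g. `pathValidator.setValidationDate("<date before the 2023 expiry - placeholder>");`, or add a comment such as `// Revoked test certificate expires Sep 2023; refresh it before then` beside the REVOKED constant so the expiry is tracked. The header-comment fixes in the second hunk (line wrapping, "S.p .A.") are fine as-is.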