8241003: Deprecate "denigrated" java.security.cert APIs that represent DNs as Principal or String objects

Reviewed-by: xuelei, valeriep, weijun
Sean Mullan 2020-08-26 13:31:10 -04:00
parent 0df797de94
commit f879698c63
16 changed files with 115 additions and 105 deletions


@ -1,5 +1,5 @@
/*
* Copyright (c) 1997, 2019, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1997, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -187,8 +187,8 @@ implements java.io.Serializable
while (i < certs.length) {
count++;
while (((i+1) < certs.length) &&
((X509Certificate)certs[i]).getIssuerDN().equals(
((X509Certificate)certs[i+1]).getSubjectDN())) {
((X509Certificate)certs[i]).getIssuerX500Principal().equals(
((X509Certificate)certs[i+1]).getSubjectX500Principal())) {
i++;
}
i++;
@ -207,8 +207,8 @@ implements java.io.Serializable
while (i < certs.length) {
signerCerts.add(certs[i]);
while (((i+1) < certs.length) &&
((X509Certificate)certs[i]).getIssuerDN().equals(
((X509Certificate)certs[i+1]).getSubjectDN())) {
((X509Certificate)certs[i]).getIssuerX500Principal().equals(
((X509Certificate)certs[i+1]).getSubjectX500Principal())) {
i++;
}
i++;
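Review bot: The inner while condition at L22–L26 walks the chain by comparing the issuer name of certs[i] with the subject name of certs[i+1], and that same cast-and-compare expression is now written out twice in this file and four more times in the PolicyFile section further down. A small static helper would make the intent readable at the call site and keep the six copies from drifting apart, which matters because the comparison is what decides where one signer's chain ends and the next begins. The helper below assumes certs is a Certificate[]; the enclosing methods start and end outside these hunks.
```java
// … unchanged: outer while loop over certs …
while (((i+1) < certs.length) && issuedBy(certs[i], certs[i+1])) {
    i++;
}

/** True when the subject name of {@code issuer} equals the issuer name of {@code cert}. */
private static boolean issuedBy(Certificate cert, Certificate issuer) {
    return ((X509Certificate) cert).getIssuerX500Principal()
            .equals(((X509Certificate) issuer).getSubjectX500Principal());
}
```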


@ -1,5 +1,5 @@
/*
* Copyright (c) 1997, 2019, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1997, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -279,12 +279,6 @@ public abstract class X509CRL extends CRL implements X509Extension {
public abstract int getVersion();
/**
* <strong>Denigrated</strong>, replaced by {@linkplain
* #getIssuerX500Principal()}. This method returns the {@code issuer}
* as an implementation specific Principal object, which should not be
* relied upon by portable code.
*
* <p>
* Gets the {@code issuer} (issuer distinguished name) value from
* the CRL. The issuer name identifies the entity that signed (and
* issued) the CRL.
@ -316,7 +310,13 @@ public abstract class X509CRL extends CRL implements X509Extension {
* {@code TeletexString} or {@code UniversalString}.
*
* @return a Principal whose name is the issuer distinguished name.
*
* @deprecated Use {@link #getIssuerX500Principal} instead. This method
* returns the {@code issuer} as an implementation specific
* {@code Principal} object, which should not be relied upon by portable
* code.
*/
@Deprecated(since="16")
public abstract Principal getIssuerDN();
/**


@ -225,13 +225,6 @@ public class X509CRLSelector implements CRLSelector {
}
/**
* <strong>Denigrated</strong>, use
* {@linkplain #addIssuer(X500Principal)} or
* {@linkplain #addIssuerName(byte[])} instead. This method should not be
* relied on as it can fail to match some CRLs because of a loss of
* encoding information in the RFC 2253 String form of some distinguished
* names.
* <p>
* Adds a name to the issuerNames criterion. The issuer distinguished
* name in the {@code X509CRL} must match at least one of the specified
* distinguished names.
@ -241,9 +234,17 @@ public class X509CRLSelector implements CRLSelector {
* any previous value for the issuerNames criterion.
* If the specified name is a duplicate, it may be ignored.
*
* @param name the name in RFC 2253 form
* @param name the name in
* <a href="http://www.ietf.org/rfc/rfc2253.txt">RFC 2253</a> form
* @throws IOException if a parsing error occurs
*
* @deprecated Use {@link #addIssuer(X500Principal)} or
* {@link #addIssuerName(byte[])} instead. This method should not be
* relied on as it can fail to match some CRLs because of a loss of
* encoding information in the RFC 2253 String form of some distinguished
* names.
*/
@Deprecated(since="16")
public void addIssuerName(String name) throws IOException {
addIssuerNameInternal(name, new X500Name(name).asX500Principal());
}
@ -481,7 +482,8 @@ public class X509CRLSelector implements CRLSelector {
* <p>
* If the value returned is not {@code null}, it is a
* {@code Collection} of names. Each name is a {@code String}
* or a byte array representing a distinguished name (in RFC 2253 or
* or a byte array representing a distinguished name (in
* <a href="http://www.ietf.org/rfc/rfc2253.txt">RFC 2253</a> or
* ASN.1 DER encoded form, respectively). Note that the
* {@code Collection} returned may contain duplicate names.
* <p>


@ -46,13 +46,14 @@ import sun.security.x509.*;
* getBasicConstraints} method). Therefore, the {@link #match match}
* method would return {@code true} for any {@code X509Certificate}.
* Typically, several criteria are enabled (by calling
* {@link #setIssuer setIssuer} or
* {@link #setIssuer(X500Principal)} or
* {@link #setKeyUsage setKeyUsage}, for instance) and then the
* {@code X509CertSelector} is passed to
* {@link CertStore#getCertificates CertStore.getCertificates} or some similar
* method.
* <p>
* Several criteria can be enabled (by calling {@link #setIssuer setIssuer}
* Several criteria can be enabled (by calling
* {@link #setIssuer(X500Principal)}
* and {@link #setSerialNumber setSerialNumber},
* for example) such that the {@code match} method
* usually uniquely matches a single {@code X509Certificate}. We say
@ -184,25 +185,25 @@ public class X509CertSelector implements CertSelector {
}
/**
* <strong>Denigrated</strong>, use {@linkplain #setIssuer(X500Principal)}
* or {@linkplain #setIssuer(byte[])} instead. This method should not be
* relied on as it can fail to match some certificates because of a loss of
* encoding information in the
* <a href="http://www.ietf.org/rfc/rfc2253.txt">RFC 2253</a> String form
* of some distinguished names.
* <p>
* Sets the issuer criterion. The specified distinguished name
* must match the issuer distinguished name in the
* {@code X509Certificate}. If {@code null}, any issuer
* distinguished name will do.
* <p>
* If {@code issuerDN} is not {@code null}, it should contain a
* distinguished name, in RFC 2253 format.
* distinguished name, in
* <a href="http://www.ietf.org/rfc/rfc2253.txt">RFC 2253</a> format.
*
* @param issuerDN a distinguished name in RFC 2253 format
* (or {@code null})
* @throws IOException if a parsing error occurs (incorrect form for DN)
*
* @deprecated Use {@link #setIssuer(X500Principal)} or
* {@link #setIssuer(byte[])} instead. This method should not be relied on
* as it can fail to match some certificates because of a loss of encoding
* information in the RFC 2253 String form of some distinguished names.
*/
@Deprecated(since="16")
public void setIssuer(String issuerDN) throws IOException {
if (issuerDN == null) {
issuer = null;
@ -276,24 +277,26 @@ public class X509CertSelector implements CertSelector {
}
/**
* <strong>Denigrated</strong>, use {@linkplain #setSubject(X500Principal)}
* or {@linkplain #setSubject(byte[])} instead. This method should not be
* relied on as it can fail to match some certificates because of a loss of
* encoding information in the RFC 2253 String form of some distinguished
* names.
* <p>
* Sets the subject criterion. The specified distinguished name
* must match the subject distinguished name in the
* {@code X509Certificate}. If {@code null}, any subject
* distinguished name will do.
* <p>
* If {@code subjectDN} is not {@code null}, it should contain a
* distinguished name, in RFC 2253 format.
* distinguished name, in
* <a href="http://www.ietf.org/rfc/rfc2253.txt">RFC 2253</a> format.
*
* @param subjectDN a distinguished name in RFC 2253 format
* (or {@code null})
* @throws IOException if a parsing error occurs (incorrect form for DN)
*
* @deprecated Use {@link #setSubject(X500Principal)} or
* {@link #setSubject(byte[])} instead. This method should not be relied
* on as it can fail to match some certificates because of a loss of
* encoding information in the RFC 2253 String form of some distinguished
* names.
*/
@Deprecated(since="16")
public void setSubject(String subjectDN) throws IOException {
if (subjectDN == null) {
subject = null;
@ -310,8 +313,7 @@ public class X509CertSelector implements CertSelector {
* <p>
* If {@code subjectDN} is not {@code null}, it should contain a
* single DER encoded distinguished name, as defined in X.501. For the ASN.1
* notation for this structure, see
* {@link #setIssuer(byte [] issuerDN) setIssuer(byte [] issuerDN)}.
* notation for this structure, see {@link #setIssuer(byte[])}.
*
* @param subjectDN a byte array containing the distinguished name in
* ASN.1 DER format (or {@code null})
@ -711,7 +713,8 @@ public class X509CertSelector implements CertSelector {
* the restrictions included in RFC 5280). IPv4 address names are
* supplied using dotted quad notation. OID address names are represented
* as a series of nonnegative integers separated by periods. And
* directory names (distinguished names) are supplied in RFC 2253 format.
* directory names (distinguished names) are supplied in
* <a href="http://www.ietf.org/rfc/rfc2253.txt">RFC 2253</a> format.
* No standard string format is defined for otherNames, X.400 names,
* EDI party names, IPv6 address names, or any other type of names. They
* should be specified using the
@ -1299,23 +1302,24 @@ public class X509CertSelector implements CertSelector {
}
/**
* <strong>Denigrated</strong>, use {@linkplain #getIssuer()} or
* {@linkplain #getIssuerAsBytes()} instead. This method should not be
* relied on as it can fail to match some certificates because of a loss of
* encoding information in the RFC 2253 String form of some distinguished
* names.
* <p>
* Returns the issuer criterion as a {@code String}. This
* distinguished name must match the issuer distinguished name in the
* {@code X509Certificate}. If {@code null}, the issuer criterion
* is disabled and any issuer distinguished name will do.
* <p>
* If the value returned is not {@code null}, it is a
* distinguished name, in RFC 2253 format.
* distinguished name, in
* <a href="http://www.ietf.org/rfc/rfc2253.txt">RFC 2253</a> format.
*
* @return the required issuer distinguished name in RFC 2253 format
* (or {@code null})
*
* @deprecated Use {@link #getIssuer()} or {@link #getIssuerAsBytes()}
* instead. This method should not be relied on as it can fail to match
* some certificates because of a loss of encoding information in the
* RFC 2253 String form of some distinguished names.
*/
@Deprecated(since="16")
public String getIssuerAsString() {
return (issuer == null ? null : issuer.getName());
}
@ -1329,8 +1333,7 @@ public class X509CertSelector implements CertSelector {
* If the value returned is not {@code null}, it is a byte
* array containing a single DER encoded distinguished name, as defined in
* X.501. The ASN.1 notation for this structure is supplied in the
* documentation for
* {@link #setIssuer(byte [] issuerDN) setIssuer(byte [] issuerDN)}.
* documentation for {@link #setIssuer(byte[])}.
* <p>
* Note that the byte array returned is cloned to protect against
* subsequent modifications.
@ -1358,23 +1361,24 @@ public class X509CertSelector implements CertSelector {
}
/**
* <strong>Denigrated</strong>, use {@linkplain #getSubject()} or
* {@linkplain #getSubjectAsBytes()} instead. This method should not be
* relied on as it can fail to match some certificates because of a loss of
* encoding information in the RFC 2253 String form of some distinguished
* names.
* <p>
* Returns the subject criterion as a {@code String}. This
* distinguished name must match the subject distinguished name in the
* {@code X509Certificate}. If {@code null}, the subject criterion
* is disabled and any subject distinguished name will do.
* <p>
* If the value returned is not {@code null}, it is a
* distinguished name, in RFC 2253 format.
* distinguished name, in
* <a href="http://www.ietf.org/rfc/rfc2253.txt">RFC 2253</a> format.
*
* @return the required subject distinguished name in RFC 2253 format
* (or {@code null})
*
* @deprecated Use {@link #getSubject()} or {@link #getSubjectAsBytes()}
* instead. This method should not be relied on as it can fail to match
* some certificates because of a loss of encoding information in the
* RFC 2253 String form of some distinguished names.
*/
@Deprecated(since="16")
public String getSubjectAsString() {
return (subject == null ? null : subject.getName());
}
@ -1388,8 +1392,7 @@ public class X509CertSelector implements CertSelector {
* If the value returned is not {@code null}, it is a byte
* array containing a single DER encoded distinguished name, as defined in
* X.501. The ASN.1 notation for this structure is supplied in the
* documentation for
* {@link #setSubject(byte [] subjectDN) setSubject(byte [] subjectDN)}.
* documentation for {@link #setSubject(byte[])}.
* <p>
* Note that the byte array returned is cloned to protect against
* subsequent modifications.
@ -1985,7 +1988,7 @@ public class X509CertSelector implements CertSelector {
if (debug != null) {
debug.println("X509CertSelector.match(SN: "
+ (xcert.getSerialNumber()).toString(16) + "\n Issuer: "
+ xcert.getIssuerDN() + "\n Subject: " + xcert.getSubjectDN()
+ xcert.getIssuerX500Principal() + "\n Subject: " + xcert.getSubjectX500Principal()
+ ")");
}
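Review bot: The new debug line at L314 runs well past the 80-column wrap the surrounding code keeps, because getIssuerX500Principal()/getSubjectX500Principal() are longer than the names they replace; splitting it into `+ xcert.getIssuerX500Principal() + "\n Subject: "` and `+ xcert.getSubjectX500Principal() + ")");` keeps the file consistent. The same overlong replacement appears on the `||` line in the SignerInfo section, on the two `out.println(rb.getString("Certificate.owner.") + x.getSubjectX500Principal() + "\n");` lines in the keytool Main section, and probably on the `c.getSubjectX500Principal().equals(c.getIssuerX500Principal())) {` line in the jarsigner Main section once its indentation is counted. The body of match() continues outside the hunk.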


@ -1,5 +1,5 @@
/*
* Copyright (c) 1997, 2019, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1997, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -197,12 +197,6 @@ implements X509Extension {
public abstract BigInteger getSerialNumber();
/**
* <strong>Denigrated</strong>, replaced by {@linkplain
* #getIssuerX500Principal()}. This method returns the {@code issuer}
* as an implementation specific Principal object, which should not be
* relied upon by portable code.
*
* <p>
* Gets the {@code issuer} (issuer distinguished name) value from
* the certificate. The issuer name identifies the entity that signed (and
* issued) the certificate.
@ -234,7 +228,13 @@ implements X509Extension {
* {@code TeletexString} or {@code UniversalString}.
*
* @return a Principal whose name is the issuer distinguished name.
*
* @deprecated Use {@link #getIssuerX500Principal} instead. This method
* returns the {@code issuer} as an implementation specific
* {@code Principal} object, which should not be relied upon by portable
* code.
*/
@Deprecated(since="16")
public abstract Principal getIssuerDN();
/**
@ -255,12 +255,6 @@ implements X509Extension {
}
/**
* <strong>Denigrated</strong>, replaced by {@linkplain
* #getSubjectX500Principal()}. This method returns the {@code subject}
* as an implementation specific Principal object, which should not be
* relied upon by portable code.
*
* <p>
* Gets the {@code subject} (subject distinguished name) value
* from the certificate. If the {@code subject} value is empty,
* then the {@code getName()} method of the returned
@ -275,7 +269,13 @@ implements X509Extension {
* and other relevant definitions.
*
* @return a Principal whose name is the subject name.
*
* @deprecated Use {@link #getSubjectX500Principal} instead. This method
* returns the {@code subject} as an implementation specific
* {@code Principal} object, which should not be relied upon by portable
* code.
*/
@Deprecated(since="16")
public abstract Principal getSubjectDN();
/**


@ -704,6 +704,7 @@ public class PKCS7 {
* Populate array of Issuer DNs from certificates and convert
* each Principal to type X500Name if necessary.
*/
@SuppressWarnings("deprecation")
private void populateCertIssuerNames() {
if (certificates == null)
return;
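Review bot: Adding `@SuppressWarnings("deprecation")` to populateCertIssuerNames at L384 keeps the deprecated getIssuerDN() call in place rather than migrating it, even though the method's own comment says it converts each Principal to X500Name. The keytool hunk in this same commit shows the non-deprecated route, `new X500Name(cert.getIssuerX500Principal().getEncoded())`, which also sidesteps the lossy Principal/String round-trip the new @deprecated text warns about; that constructor can throw IOException, so the method's error handling would need to absorb it. The same suppression is added to HostnameChecker.getSubjectX500Name. Both method bodies are outside their hunks, so this is inferred from the suppression and the comment rather than from the code.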


@ -269,26 +269,26 @@ public class SignerInfo implements DerEncoder {
X509Certificate[] pkcsCerts = block.getCertificates();
if (pkcsCerts == null
|| userCert.getSubjectDN().equals(userCert.getIssuerDN())) {
|| userCert.getSubjectX500Principal().equals(userCert.getIssuerX500Principal())) {
return certList;
}
Principal issuer = userCert.getIssuerDN();
Principal issuer = userCert.getIssuerX500Principal();
int start = 0;
while (true) {
boolean match = false;
int i = start;
while (i < pkcsCerts.length) {
if (issuer.equals(pkcsCerts[i].getSubjectDN())) {
if (issuer.equals(pkcsCerts[i].getSubjectX500Principal())) {
// next cert in chain found
certList.add(pkcsCerts[i]);
// if selected cert is self-signed, we're done
// constructing the chain
if (pkcsCerts[i].getSubjectDN().equals(
pkcsCerts[i].getIssuerDN())) {
if (pkcsCerts[i].getSubjectX500Principal().equals(
pkcsCerts[i].getIssuerX500Principal())) {
start = pkcsCerts.length;
} else {
issuer = pkcsCerts[i].getIssuerDN();
issuer = pkcsCerts[i].getIssuerX500Principal();
X509Certificate tmpCert = pkcsCerts[start];
pkcsCerts[start] = pkcsCerts[i];
pkcsCerts[i] = tmpCert;
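Review bot: `issuer` at L399 is still declared as Principal although it now only ever holds an X500Principal (L399, L418) and is compared at L406 against X500Principal values; declaring it `X500Principal issuer = userCert.getIssuerX500Principal();` makes the comparison semantics of X500Principal.equals (canonical-form DN match) explicit instead of depending on the runtime type. X500Principal.equals returns false for any argument that is not an X500Principal, so keeping the wider static type invites a silent chain-building mismatch if a later edit puts a getSubjectDN() back on one side. The same applies to `Principal issuer` and `Principal subjectDN` in the keytool Main section, where the two values are the key for the `certs` map lookup and insert. javax.security.auth.x500.X500Principal would need importing if the file does not already; the enclosing method starts and ends outside the hunk.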


@ -1555,8 +1555,8 @@ public class PolicyFile extends java.security.Policy {
while (i < certs.length) {
count++;
while (((i+1) < certs.length)
&& ((X509Certificate)certs[i]).getIssuerDN().equals(
((X509Certificate)certs[i+1]).getSubjectDN())) {
&& ((X509Certificate)certs[i]).getIssuerX500Principal().equals(
((X509Certificate)certs[i+1]).getSubjectX500Principal())) {
i++;
}
i++;
@ -1570,8 +1570,8 @@ public class PolicyFile extends java.security.Policy {
while (i < certs.length) {
userCertList.add(certs[i]);
while (((i+1) < certs.length)
&& ((X509Certificate)certs[i]).getIssuerDN().equals(
((X509Certificate)certs[i+1]).getSubjectDN())) {
&& ((X509Certificate)certs[i]).getIssuerX500Principal().equals(
((X509Certificate)certs[i+1]).getSubjectX500Principal())) {
i++;
}
i++;
@ -2017,8 +2017,8 @@ public class PolicyFile extends java.security.Policy {
while (i < certs.length) {
count++;
while (((i+1) < certs.length) &&
((X509Certificate)certs[i]).getIssuerDN().equals(
((X509Certificate)certs[i+1]).getSubjectDN())) {
((X509Certificate)certs[i]).getIssuerX500Principal().equals(
((X509Certificate)certs[i+1]).getSubjectX500Principal())) {
i++;
}
i++;
@ -2036,8 +2036,8 @@ public class PolicyFile extends java.security.Policy {
while (i < certs.length) {
signerCerts.add(certs[i]);
while (((i+1) < certs.length) &&
((X509Certificate)certs[i]).getIssuerDN().equals(
((X509Certificate)certs[i+1]).getSubjectDN())) {
((X509Certificate)certs[i]).getIssuerX500Principal().equals(
((X509Certificate)certs[i+1]).getSubjectX500Principal())) {
i++;
}
i++;


@ -1614,7 +1614,7 @@ public final class Main {
SignatureUtil.initSignWithParam(signature, privKey, params, null);
X500Name subject = dname == null?
new X500Name(((X509Certificate)cert).getSubjectDN().toString()):
new X500Name(((X509Certificate)cert).getSubjectX500Principal().getEncoded()):
new X500Name(dname);
// Sign the request and base-64 encode it
@ -2806,7 +2806,7 @@ public final class Main {
for (Certificate cert: certs) {
X509Certificate x = (X509Certificate)cert;
if (rfc) {
out.println(rb.getString("Certificate.owner.") + x.getSubjectDN() + "\n");
out.println(rb.getString("Certificate.owner.") + x.getSubjectX500Principal() + "\n");
dumpCert(x, out);
} else {
printX509Cert(x, out);
@ -2823,7 +2823,7 @@ public final class Main {
for (Certificate cert: certs) {
X509Certificate x = (X509Certificate)cert;
if (rfc) {
out.println(rb.getString("Certificate.owner.") + x.getSubjectDN() + "\n");
out.println(rb.getString("Certificate.owner.") + x.getSubjectX500Principal() + "\n");
dumpCert(x, out);
} else {
printX509Cert(x, out);
@ -3373,8 +3373,8 @@ public final class Main {
if (!isTrustedCert(cert)) {
sigName = withWeak(sigName);
}
Object[] source = {cert.getSubjectDN().toString(),
cert.getIssuerDN().toString(),
Object[] source = {cert.getSubjectX500Principal().toString(),
cert.getIssuerX500Principal().toString(),
cert.getSerialNumber().toString(16),
cert.getNotBefore().toString(),
cert.getNotAfter().toString(),
@ -3931,7 +3931,7 @@ public final class Main {
return true;
}
Principal issuer = certToVerify.snd.getIssuerDN();
Principal issuer = certToVerify.snd.getIssuerX500Principal();
// Get the issuer's certificate(s)
Vector<Pair<String,X509Certificate>> vec = certs.get(issuer);
@ -4009,7 +4009,7 @@ public final class Main {
String alias = aliases.nextElement();
Certificate cert = ks.getCertificate(alias);
if (cert != null) {
Principal subjectDN = ((X509Certificate)cert).getSubjectDN();
Principal subjectDN = ((X509Certificate)cert).getSubjectX500Principal();
Pair<String,X509Certificate> pair = new Pair<>(
String.format(
rb.getString(ks == caks ?


@ -93,7 +93,7 @@ public class AnchorCertificates {
boolean result = certs.contains(key);
if (result && debug != null) {
debug.println("AnchorCertificate.contains: matched " +
cert.getSubjectDN());
cert.getSubjectX500Principal());
}
return result;
}


@ -242,6 +242,7 @@ public class HostnameChecker {
*
* This method is currently used from within JSSE, do not remove.
*/
@SuppressWarnings("deprecation")
public static X500Name getSubjectX500Name(X509Certificate cert)
throws CertificateParsingException {
try {


@ -682,8 +682,9 @@ public class X509CRLImpl extends X509CRL implements DerEncoder {
* TeletexString or UniversalString.
* @return the issuer name.
*/
@SuppressWarnings("deprecation")
public Principal getIssuerDN() {
return (Principal)issuer;
return issuer;
}
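Review bot: getIssuerDN() at L555 overrides a method this commit deprecates in X509CRL, yet between the Javadoc and the signature it carries only `@SuppressWarnings("deprecation")` and no `@Override`; adding `@Override @SuppressWarnings("deprecation")` lets the compiler reject the method if the supertype signature ever drifts and makes it obvious that the suppression exists because the overridden API, not this code, is deprecated. The same applies to X509CertImpl.getSubjectDN() and getIssuerDN() in the hunks below. If the annotation sits above the Javadoc block instead, disregard this.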
/**


@ -901,7 +901,7 @@ public class X509CertImpl extends X509Certificate implements DerEncoder {
SerialNumber ser = (SerialNumber)info.get(
CertificateSerialNumber.NAME + DOT +
CertificateSerialNumber.NUMBER);
return ser;
return ser;
} catch (Exception e) {
return null;
}
@ -913,6 +913,7 @@ public class X509CertImpl extends X509Certificate implements DerEncoder {
*
* @return the subject name.
*/
@SuppressWarnings("deprecation")
public Principal getSubjectDN() {
if (info == null)
return null;
@ -949,6 +950,7 @@ public class X509CertImpl extends X509Certificate implements DerEncoder {
*
* @return the issuer name.
*/
@SuppressWarnings("deprecation")
public Principal getIssuerDN() {
if (info == null)
return null;


@ -1,5 +1,5 @@
/*
* Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2015, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -562,10 +562,11 @@ final class LDAPCertStoreImpl {
(X509CertSelector xsel, String ldapDN) throws CertStoreException {
if (ldapDN == null) {
ldapDN = xsel.getSubjectAsString();
X500Principal subject = xsel.getSubject();
ldapDN = subject == null ? null : subject.getName();
}
int basicConstraints = xsel.getBasicConstraints();
String issuer = xsel.getIssuerAsString();
X500Principal issuer = xsel.getIssuer();
HashSet<X509Certificate> certs = new HashSet<>();
if (debug != null) {
debug.println("LDAPCertStore.engineGetCertificates() basicConstraints: "
@ -634,7 +635,7 @@ final class LDAPCertStoreImpl {
+ "getMatchingCrossCerts...");
}
if ((issuer != null) && (basicConstraints > -2)) {
LDAPRequest request = new LDAPRequest(issuer);
LDAPRequest request = new LDAPRequest(issuer.getName());
request.addRequestedAttribute(CROSS_CERT);
request.addRequestedAttribute(CA_CERT);
request.addRequestedAttribute(ARL);
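Review bot: `issuer` changes type from String to X500Principal at L607 while the debug println at L610 continues past the hunk; if that output concatenates `issuer`, it now prints X500Principal.toString() (an unspecified, user-friendly form) instead of the RFC 2253 string getIssuerAsString() returned, so either use `issuer.getName()` there as L616 does or accept the format change deliberately. `subject.getName()` at L603 and `issuer.getName()` at L616 reproduce the previous strings exactly, since this same commit shows getIssuerAsString/getSubjectAsString as `issuer.getName()`; a one-line comment such as `// getName() is RFC 2253, matching the deprecated getIssuerAsString()` would record why getName() and not toString() feeds the LDAP request. The enclosing method starts and ends outside the hunks.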


@ -1431,7 +1431,7 @@ public class Main {
x509Cert = (X509Certificate) c;
certStr.append(tab).append(x509Cert.getType())
.append(rb.getString("COMMA"))
.append(x509Cert.getSubjectDN().getName());
.append(x509Cert.getSubjectX500Principal().toString());
} else {
certStr.append(tab).append(c.getType());
}
@ -2055,7 +2055,7 @@ public class Main {
// Only add TrustedCertificateEntry and self-signed
// PrivateKeyEntry
if (store.isCertificateEntry(a) ||
c.getSubjectDN().equals(c.getIssuerDN())) {
c.getSubjectX500Principal().equals(c.getIssuerX500Principal())) {
trustedCerts.add(c);
}
} catch (Exception e2) {
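Review bot: L628 replaces `getSubjectDN().getName()` with `getSubjectX500Principal().toString()`, choosing the unspecified user-friendly form over `getName()`, whose RFC 2253 output is the documented and stable one; because this string ends up in jarsigner's verification listing, the choice deserves a comment, e.g. `// toString() keeps the previous display form; getName() would switch to RFC 2253`, assuming the old Principal's getName() produced that display form. The explicit `.toString()` inside `append(...)` is also redundant, since StringBuilder.append(Object) performs it. The enclosing code starts and ends outside the hunk.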


@ -664,8 +664,7 @@ public class KeyStoreLoginModule implements LoginModule {
/* Get principal and keys */
try {
X509Certificate certificate = (X509Certificate)fromKeyStore[0];
principal = new javax.security.auth.x500.X500Principal
(certificate.getSubjectDN().getName());
principal = certificate.getSubjectX500Principal();
// if token, privateKeyPassword will be null
Key privateKey = keyStore.getKey(keyStoreAlias, privateKeyPassword);