8241003: Deprecate "denigrated" java.security.cert APIs that represent DNs as Principal or String objects
Reviewed-by: xuelei, valeriep, weijun
parent
0df797de94
commit
f879698c63
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 1997, 2019, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 1997, 2020, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -187,8 +187,8 @@ implements java.io.Serializable
|
||||
while (i < certs.length) {
|
||||
count++;
|
||||
while (((i+1) < certs.length) &&
|
||||
((X509Certificate)certs[i]).getIssuerDN().equals(
|
||||
((X509Certificate)certs[i+1]).getSubjectDN())) {
|
||||
((X509Certificate)certs[i]).getIssuerX500Principal().equals(
|
||||
((X509Certificate)certs[i+1]).getSubjectX500Principal())) {
|
||||
i++;
|
||||
}
|
||||
i++;
|
||||
@ -207,8 +207,8 @@ implements java.io.Serializable
|
||||
while (i < certs.length) {
|
||||
signerCerts.add(certs[i]);
|
||||
while (((i+1) < certs.length) &&
|
||||
((X509Certificate)certs[i]).getIssuerDN().equals(
|
||||
((X509Certificate)certs[i+1]).getSubjectDN())) {
|
||||
((X509Certificate)certs[i]).getIssuerX500Principal().equals(
|
||||
((X509Certificate)certs[i+1]).getSubjectX500Principal())) {
|
||||
i++;
|
||||
}
|
||||
i++;
|
||||
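Review bot: The inner `while` in both hunks of this file (`@ -187` and `@ -207`) decides where one signer chain ends purely by comparing the issuer name of `certs[i]` with the subject name of `certs[i+1]`, and nothing in the visible lines says so. A short comment above each loop would help, for example `// certs[i+1] is treated as the issuer of certs[i] when the names are equal; no signature is checked here`. The same condition is repeated in the four `PolicyFile` hunks (`@ -1555`, `@ -1570`, `@ -2017`, `@ -2036`), so a small private helper per class, e.g. `issuerMatchesSubject(certs[i], certs[i+1])`, would keep a future API migration in one place. The enclosing methods start and end outside the hunks, so any validation done elsewhere in them is not visible here.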
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 1997, 2019, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 1997, 2020, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -279,12 +279,6 @@ public abstract class X509CRL extends CRL implements X509Extension {
|
||||
public abstract int getVersion();
|
||||
|
||||
/**
|
||||
* <strong>Denigrated</strong>, replaced by {@linkplain
|
||||
* #getIssuerX500Principal()}. This method returns the {@code issuer}
|
||||
* as an implementation specific Principal object, which should not be
|
||||
* relied upon by portable code.
|
||||
*
|
||||
* <p>
|
||||
* Gets the {@code issuer} (issuer distinguished name) value from
|
||||
* the CRL. The issuer name identifies the entity that signed (and
|
||||
* issued) the CRL.
|
||||
@ -316,7 +310,13 @@ public abstract class X509CRL extends CRL implements X509Extension {
|
||||
* {@code TeletexString} or {@code UniversalString}.
|
||||
*
|
||||
* @return a Principal whose name is the issuer distinguished name.
|
||||
*
|
||||
* @deprecated Use {@link #getIssuerX500Principal} instead. This method
|
||||
* returns the {@code issuer} as an implementation specific
|
||||
* {@code Principal} object, which should not be relied upon by portable
|
||||
* code.
|
||||
*/
|
||||
@Deprecated(since="16")
|
||||
public abstract Principal getIssuerDN();
|
||||
|
||||
/**
|
||||
|
@ -225,13 +225,6 @@ public class X509CRLSelector implements CRLSelector {
|
||||
}
|
||||
|
||||
/**
|
||||
* <strong>Denigrated</strong>, use
|
||||
* {@linkplain #addIssuer(X500Principal)} or
|
||||
* {@linkplain #addIssuerName(byte[])} instead. This method should not be
|
||||
* relied on as it can fail to match some CRLs because of a loss of
|
||||
* encoding information in the RFC 2253 String form of some distinguished
|
||||
* names.
|
||||
* <p>
|
||||
* Adds a name to the issuerNames criterion. The issuer distinguished
|
||||
* name in the {@code X509CRL} must match at least one of the specified
|
||||
* distinguished names.
|
||||
@ -241,9 +234,17 @@ public class X509CRLSelector implements CRLSelector {
|
||||
* any previous value for the issuerNames criterion.
|
||||
* If the specified name is a duplicate, it may be ignored.
|
||||
*
|
||||
* @param name the name in RFC 2253 form
|
||||
* @param name the name in
|
||||
* <a href="http://www.ietf.org/rfc/rfc2253.txt">RFC 2253</a> form
|
||||
* @throws IOException if a parsing error occurs
|
||||
*
|
||||
* @deprecated Use {@link #addIssuer(X500Principal)} or
|
||||
* {@link #addIssuerName(byte[])} instead. This method should not be
|
||||
* relied on as it can fail to match some CRLs because of a loss of
|
||||
* encoding information in the RFC 2253 String form of some distinguished
|
||||
* names.
|
||||
*/
|
||||
@Deprecated(since="16")
|
||||
public void addIssuerName(String name) throws IOException {
|
||||
addIssuerNameInternal(name, new X500Name(name).asX500Principal());
|
||||
}
|
||||
@ -481,7 +482,8 @@ public class X509CRLSelector implements CRLSelector {
|
||||
* <p>
|
||||
* If the value returned is not {@code null}, it is a
|
||||
* {@code Collection} of names. Each name is a {@code String}
|
||||
* or a byte array representing a distinguished name (in RFC 2253 or
|
||||
* or a byte array representing a distinguished name (in
|
||||
* <a href="http://www.ietf.org/rfc/rfc2253.txt">RFC 2253</a> or
|
||||
* ASN.1 DER encoded form, respectively). Note that the
|
||||
* {@code Collection} returned may contain duplicate names.
|
||||
* <p>
|
||||
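Review bot: The Javadoc touched at `@ -481` still presents `String` names in RFC 2253 form as an ordinary return value, without the loss-of-encoding caveat that the new `@deprecated` text gives for `addIssuerName(String)`. A caller that reads the names back and compares the strings is exposed to the same mismatch. I would add one sentence there, e.g. `Note that {@code String} names can lose encoding information; prefer {@link #getIssuers()} or the byte array form.` The method this Javadoc belongs to lies outside the hunk.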
|
@ -46,13 +46,14 @@ import sun.security.x509.*;
|
||||
* getBasicConstraints} method). Therefore, the {@link #match match}
|
||||
* method would return {@code true} for any {@code X509Certificate}.
|
||||
* Typically, several criteria are enabled (by calling
|
||||
* {@link #setIssuer setIssuer} or
|
||||
* {@link #setIssuer(X500Principal)} or
|
||||
* {@link #setKeyUsage setKeyUsage}, for instance) and then the
|
||||
* {@code X509CertSelector} is passed to
|
||||
* {@link CertStore#getCertificates CertStore.getCertificates} or some similar
|
||||
* method.
|
||||
* <p>
|
||||
* Several criteria can be enabled (by calling {@link #setIssuer setIssuer}
|
||||
* Several criteria can be enabled (by calling
|
||||
* {@link #setIssuer(X500Principal)}
|
||||
* and {@link #setSerialNumber setSerialNumber},
|
||||
* for example) such that the {@code match} method
|
||||
* usually uniquely matches a single {@code X509Certificate}. We say
|
||||
@ -184,25 +185,25 @@ public class X509CertSelector implements CertSelector {
|
||||
}
|
||||
|
||||
/**
|
||||
* <strong>Denigrated</strong>, use {@linkplain #setIssuer(X500Principal)}
|
||||
* or {@linkplain #setIssuer(byte[])} instead. This method should not be
|
||||
* relied on as it can fail to match some certificates because of a loss of
|
||||
* encoding information in the
|
||||
* <a href="http://www.ietf.org/rfc/rfc2253.txt">RFC 2253</a> String form
|
||||
* of some distinguished names.
|
||||
* <p>
|
||||
* Sets the issuer criterion. The specified distinguished name
|
||||
* must match the issuer distinguished name in the
|
||||
* {@code X509Certificate}. If {@code null}, any issuer
|
||||
* distinguished name will do.
|
||||
* <p>
|
||||
* If {@code issuerDN} is not {@code null}, it should contain a
|
||||
* distinguished name, in RFC 2253 format.
|
||||
* distinguished name, in
|
||||
* <a href="http://www.ietf.org/rfc/rfc2253.txt">RFC 2253</a> format.
|
||||
*
|
||||
* @param issuerDN a distinguished name in RFC 2253 format
|
||||
* (or {@code null})
|
||||
* @throws IOException if a parsing error occurs (incorrect form for DN)
|
||||
*
|
||||
* @deprecated Use {@link #setIssuer(X500Principal)} or
|
||||
* {@link #setIssuer(byte[])} instead. This method should not be relied on
|
||||
* as it can fail to match some certificates because of a loss of encoding
|
||||
* information in the RFC 2253 String form of some distinguished names.
|
||||
*/
|
||||
@Deprecated(since="16")
|
||||
public void setIssuer(String issuerDN) throws IOException {
|
||||
if (issuerDN == null) {
|
||||
issuer = null;
|
||||
@ -276,24 +277,26 @@ public class X509CertSelector implements CertSelector {
|
||||
}
|
||||
|
||||
/**
|
||||
* <strong>Denigrated</strong>, use {@linkplain #setSubject(X500Principal)}
|
||||
* or {@linkplain #setSubject(byte[])} instead. This method should not be
|
||||
* relied on as it can fail to match some certificates because of a loss of
|
||||
* encoding information in the RFC 2253 String form of some distinguished
|
||||
* names.
|
||||
* <p>
|
||||
* Sets the subject criterion. The specified distinguished name
|
||||
* must match the subject distinguished name in the
|
||||
* {@code X509Certificate}. If {@code null}, any subject
|
||||
* distinguished name will do.
|
||||
* <p>
|
||||
* If {@code subjectDN} is not {@code null}, it should contain a
|
||||
* distinguished name, in RFC 2253 format.
|
||||
* distinguished name, in
|
||||
* <a href="http://www.ietf.org/rfc/rfc2253.txt">RFC 2253</a> format.
|
||||
*
|
||||
* @param subjectDN a distinguished name in RFC 2253 format
|
||||
* (or {@code null})
|
||||
* @throws IOException if a parsing error occurs (incorrect form for DN)
|
||||
*
|
||||
* @deprecated Use {@link #setSubject(X500Principal)} or
|
||||
* {@link #setSubject(byte[])} instead. This method should not be relied
|
||||
* on as it can fail to match some certificates because of a loss of
|
||||
* encoding information in the RFC 2253 String form of some distinguished
|
||||
* names.
|
||||
*/
|
||||
@Deprecated(since="16")
|
||||
public void setSubject(String subjectDN) throws IOException {
|
||||
if (subjectDN == null) {
|
||||
subject = null;
|
||||
@ -310,8 +313,7 @@ public class X509CertSelector implements CertSelector {
|
||||
* <p>
|
||||
* If {@code subjectDN} is not {@code null}, it should contain a
|
||||
* single DER encoded distinguished name, as defined in X.501. For the ASN.1
|
||||
* notation for this structure, see
|
||||
* {@link #setIssuer(byte [] issuerDN) setIssuer(byte [] issuerDN)}.
|
||||
* notation for this structure, see {@link #setIssuer(byte[])}.
|
||||
*
|
||||
* @param subjectDN a byte array containing the distinguished name in
|
||||
* ASN.1 DER format (or {@code null})
|
||||
@ -711,7 +713,8 @@ public class X509CertSelector implements CertSelector {
|
||||
* the restrictions included in RFC 5280). IPv4 address names are
|
||||
* supplied using dotted quad notation. OID address names are represented
|
||||
* as a series of nonnegative integers separated by periods. And
|
||||
* directory names (distinguished names) are supplied in RFC 2253 format.
|
||||
* directory names (distinguished names) are supplied in
|
||||
* <a href="http://www.ietf.org/rfc/rfc2253.txt">RFC 2253</a> format.
|
||||
* No standard string format is defined for otherNames, X.400 names,
|
||||
* EDI party names, IPv6 address names, or any other type of names. They
|
||||
* should be specified using the
|
||||
@ -1299,23 +1302,24 @@ public class X509CertSelector implements CertSelector {
|
||||
}
|
||||
|
||||
/**
|
||||
* <strong>Denigrated</strong>, use {@linkplain #getIssuer()} or
|
||||
* {@linkplain #getIssuerAsBytes()} instead. This method should not be
|
||||
* relied on as it can fail to match some certificates because of a loss of
|
||||
* encoding information in the RFC 2253 String form of some distinguished
|
||||
* names.
|
||||
* <p>
|
||||
* Returns the issuer criterion as a {@code String}. This
|
||||
* distinguished name must match the issuer distinguished name in the
|
||||
* {@code X509Certificate}. If {@code null}, the issuer criterion
|
||||
* is disabled and any issuer distinguished name will do.
|
||||
* <p>
|
||||
* If the value returned is not {@code null}, it is a
|
||||
* distinguished name, in RFC 2253 format.
|
||||
* distinguished name, in
|
||||
* <a href="http://www.ietf.org/rfc/rfc2253.txt">RFC 2253</a> format.
|
||||
*
|
||||
* @return the required issuer distinguished name in RFC 2253 format
|
||||
* (or {@code null})
|
||||
*
|
||||
* @deprecated Use {@link #getIssuer()} or {@link #getIssuerAsBytes()}
|
||||
* instead. This method should not be relied on as it can fail to match
|
||||
* some certificates because of a loss of encoding information in the
|
||||
* RFC 2253 String form of some distinguished names.
|
||||
*/
|
||||
@Deprecated(since="16")
|
||||
public String getIssuerAsString() {
|
||||
return (issuer == null ? null : issuer.getName());
|
||||
}
|
||||
@ -1329,8 +1333,7 @@ public class X509CertSelector implements CertSelector {
|
||||
* If the value returned is not {@code null}, it is a byte
|
||||
* array containing a single DER encoded distinguished name, as defined in
|
||||
* X.501. The ASN.1 notation for this structure is supplied in the
|
||||
* documentation for
|
||||
* {@link #setIssuer(byte [] issuerDN) setIssuer(byte [] issuerDN)}.
|
||||
* documentation for {@link #setIssuer(byte[])}.
|
||||
* <p>
|
||||
* Note that the byte array returned is cloned to protect against
|
||||
* subsequent modifications.
|
||||
@ -1358,23 +1361,24 @@ public class X509CertSelector implements CertSelector {
|
||||
}
|
||||
|
||||
/**
|
||||
* <strong>Denigrated</strong>, use {@linkplain #getSubject()} or
|
||||
* {@linkplain #getSubjectAsBytes()} instead. This method should not be
|
||||
* relied on as it can fail to match some certificates because of a loss of
|
||||
* encoding information in the RFC 2253 String form of some distinguished
|
||||
* names.
|
||||
* <p>
|
||||
* Returns the subject criterion as a {@code String}. This
|
||||
* distinguished name must match the subject distinguished name in the
|
||||
* {@code X509Certificate}. If {@code null}, the subject criterion
|
||||
* is disabled and any subject distinguished name will do.
|
||||
* <p>
|
||||
* If the value returned is not {@code null}, it is a
|
||||
* distinguished name, in RFC 2253 format.
|
||||
* distinguished name, in
|
||||
* <a href="http://www.ietf.org/rfc/rfc2253.txt">RFC 2253</a> format.
|
||||
*
|
||||
* @return the required subject distinguished name in RFC 2253 format
|
||||
* (or {@code null})
|
||||
*
|
||||
* @deprecated Use {@link #getSubject()} or {@link #getSubjectAsBytes()}
|
||||
* instead. This method should not be relied on as it can fail to match
|
||||
* some certificates because of a loss of encoding information in the
|
||||
* RFC 2253 String form of some distinguished names.
|
||||
*/
|
||||
@Deprecated(since="16")
|
||||
public String getSubjectAsString() {
|
||||
return (subject == null ? null : subject.getName());
|
||||
}
|
||||
@ -1388,8 +1392,7 @@ public class X509CertSelector implements CertSelector {
|
||||
* If the value returned is not {@code null}, it is a byte
|
||||
* array containing a single DER encoded distinguished name, as defined in
|
||||
* X.501. The ASN.1 notation for this structure is supplied in the
|
||||
* documentation for
|
||||
* {@link #setSubject(byte [] subjectDN) setSubject(byte [] subjectDN)}.
|
||||
* documentation for {@link #setSubject(byte[])}.
|
||||
* <p>
|
||||
* Note that the byte array returned is cloned to protect against
|
||||
* subsequent modifications.
|
||||
@ -1985,7 +1988,7 @@ public class X509CertSelector implements CertSelector {
|
||||
if (debug != null) {
|
||||
debug.println("X509CertSelector.match(SN: "
|
||||
+ (xcert.getSerialNumber()).toString(16) + "\n Issuer: "
|
||||
+ xcert.getIssuerDN() + "\n Subject: " + xcert.getSubjectDN()
|
||||
+ xcert.getIssuerX500Principal() + "\n Subject: " + xcert.getSubjectX500Principal()
|
||||
+ ")");
|
||||
}
|
||||
|
||||
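Review bot: The Javadoc at `@ -711` keeps telling callers to supply directory names as RFC 2253 strings and only gains a link, while the `@deprecated` texts added in this same class say that this string form can fail to match some certificates. A sentence pointing to the byte-array form for directory names would make the class consistent, e.g. `For directory names, the DER encoded byte array form avoids the loss of encoding information in the String form.` The method this comment belongs to is outside the hunk, so the exact overload to link should be checked against the full file. Separately, the new debug line in `@ -1985` runs well past the width of its neighbours and could be wrapped after `"\n Subject: "`.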
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 1997, 2019, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 1997, 2020, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -197,12 +197,6 @@ implements X509Extension {
|
||||
public abstract BigInteger getSerialNumber();
|
||||
|
||||
/**
|
||||
* <strong>Denigrated</strong>, replaced by {@linkplain
|
||||
* #getIssuerX500Principal()}. This method returns the {@code issuer}
|
||||
* as an implementation specific Principal object, which should not be
|
||||
* relied upon by portable code.
|
||||
*
|
||||
* <p>
|
||||
* Gets the {@code issuer} (issuer distinguished name) value from
|
||||
* the certificate. The issuer name identifies the entity that signed (and
|
||||
* issued) the certificate.
|
||||
@ -234,7 +228,13 @@ implements X509Extension {
|
||||
* {@code TeletexString} or {@code UniversalString}.
|
||||
*
|
||||
* @return a Principal whose name is the issuer distinguished name.
|
||||
*
|
||||
* @deprecated Use {@link #getIssuerX500Principal} instead. This method
|
||||
* returns the {@code issuer} as an implementation specific
|
||||
* {@code Principal} object, which should not be relied upon by portable
|
||||
* code.
|
||||
*/
|
||||
@Deprecated(since="16")
|
||||
public abstract Principal getIssuerDN();
|
||||
|
||||
/**
|
||||
@ -255,12 +255,6 @@ implements X509Extension {
|
||||
}
|
||||
|
||||
/**
|
||||
* <strong>Denigrated</strong>, replaced by {@linkplain
|
||||
* #getSubjectX500Principal()}. This method returns the {@code subject}
|
||||
* as an implementation specific Principal object, which should not be
|
||||
* relied upon by portable code.
|
||||
*
|
||||
* <p>
|
||||
* Gets the {@code subject} (subject distinguished name) value
|
||||
* from the certificate. If the {@code subject} value is empty,
|
||||
* then the {@code getName()} method of the returned
|
||||
@ -275,7 +269,13 @@ implements X509Extension {
|
||||
* and other relevant definitions.
|
||||
*
|
||||
* @return a Principal whose name is the subject name.
|
||||
*
|
||||
* @deprecated Use {@link #getSubjectX500Principal} instead. This method
|
||||
* returns the {@code subject} as an implementation specific
|
||||
* {@code Principal} object, which should not be relied upon by portable
|
||||
* code.
|
||||
*/
|
||||
@Deprecated(since="16")
|
||||
public abstract Principal getSubjectDN();
|
||||
|
||||
/**
|
||||
|
@ -704,6 +704,7 @@ public class PKCS7 {
|
||||
* Populate array of Issuer DNs from certificates and convert
|
||||
* each Principal to type X500Name if necessary.
|
||||
*/
|
||||
@SuppressWarnings("deprecation")
|
||||
private void populateCertIssuerNames() {
|
||||
if (certificates == null)
|
||||
return;
|
||||
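Review bot: `@SuppressWarnings("deprecation")` on `populateCertIssuerNames()` silences every deprecation warning in the method, not only the DN getter this commit deprecates, and the hunk gives no reason why the method was not migrated like the other call sites. The existing comment mentions converting each `Principal` to `X500Name`, which suggests the implementation-specific object is wanted on purpose; if so, record it, e.g. `// getIssuerDN() kept on purpose: the implementation-specific Principal is converted to X500Name below`. Narrowing the annotation to the local variable that receives the deprecated call would keep later deprecations in this method visible. The same applies to `HostnameChecker.getSubjectX500Name` at `@ -242`; both method bodies lie outside the hunks.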
|
@ -269,26 +269,26 @@ public class SignerInfo implements DerEncoder {
|
||||
|
||||
X509Certificate[] pkcsCerts = block.getCertificates();
|
||||
if (pkcsCerts == null
|
||||
|| userCert.getSubjectDN().equals(userCert.getIssuerDN())) {
|
||||
|| userCert.getSubjectX500Principal().equals(userCert.getIssuerX500Principal())) {
|
||||
return certList;
|
||||
}
|
||||
|
||||
Principal issuer = userCert.getIssuerDN();
|
||||
Principal issuer = userCert.getIssuerX500Principal();
|
||||
int start = 0;
|
||||
while (true) {
|
||||
boolean match = false;
|
||||
int i = start;
|
||||
while (i < pkcsCerts.length) {
|
||||
if (issuer.equals(pkcsCerts[i].getSubjectDN())) {
|
||||
if (issuer.equals(pkcsCerts[i].getSubjectX500Principal())) {
|
||||
// next cert in chain found
|
||||
certList.add(pkcsCerts[i]);
|
||||
// if selected cert is self-signed, we're done
|
||||
// constructing the chain
|
||||
if (pkcsCerts[i].getSubjectDN().equals(
|
||||
pkcsCerts[i].getIssuerDN())) {
|
||||
if (pkcsCerts[i].getSubjectX500Principal().equals(
|
||||
pkcsCerts[i].getIssuerX500Principal())) {
|
||||
start = pkcsCerts.length;
|
||||
} else {
|
||||
issuer = pkcsCerts[i].getIssuerDN();
|
||||
issuer = pkcsCerts[i].getIssuerX500Principal();
|
||||
X509Certificate tmpCert = pkcsCerts[start];
|
||||
pkcsCerts[start] = pkcsCerts[i];
|
||||
pkcsCerts[i] = tmpCert;
|
||||
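Review bot: `issuer` is still declared as `Principal` although it now only ever holds the result of `getIssuerX500Principal()`; declaring it as `X500Principal issuer = userCert.getIssuerX500Principal();` would make the compiler reject a stray assignment from one of the deprecated getters. That matters because an `equals` between an `X500Principal` and an implementation-specific `Principal` would be expected to return `false`, which would silently stop chain building rather than fail loudly. Whether `X500Principal` is already imported in this file is not visible in the hunk. The same holds in the `public final class Main` section at `@ -3931` and `@ -4009`, where `Principal issuer` is passed to `certs.get(...)` and `Principal subjectDN` appears to feed the same table, so a mixed key type there would make lookups miss. The loop continues past the end of the hunk.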
|
@ -1555,8 +1555,8 @@ public class PolicyFile extends java.security.Policy {
|
||||
while (i < certs.length) {
|
||||
count++;
|
||||
while (((i+1) < certs.length)
|
||||
&& ((X509Certificate)certs[i]).getIssuerDN().equals(
|
||||
((X509Certificate)certs[i+1]).getSubjectDN())) {
|
||||
&& ((X509Certificate)certs[i]).getIssuerX500Principal().equals(
|
||||
((X509Certificate)certs[i+1]).getSubjectX500Principal())) {
|
||||
i++;
|
||||
}
|
||||
i++;
|
||||
@ -1570,8 +1570,8 @@ public class PolicyFile extends java.security.Policy {
|
||||
while (i < certs.length) {
|
||||
userCertList.add(certs[i]);
|
||||
while (((i+1) < certs.length)
|
||||
&& ((X509Certificate)certs[i]).getIssuerDN().equals(
|
||||
((X509Certificate)certs[i+1]).getSubjectDN())) {
|
||||
&& ((X509Certificate)certs[i]).getIssuerX500Principal().equals(
|
||||
((X509Certificate)certs[i+1]).getSubjectX500Principal())) {
|
||||
i++;
|
||||
}
|
||||
i++;
|
||||
@ -2017,8 +2017,8 @@ public class PolicyFile extends java.security.Policy {
|
||||
while (i < certs.length) {
|
||||
count++;
|
||||
while (((i+1) < certs.length) &&
|
||||
((X509Certificate)certs[i]).getIssuerDN().equals(
|
||||
((X509Certificate)certs[i+1]).getSubjectDN())) {
|
||||
((X509Certificate)certs[i]).getIssuerX500Principal().equals(
|
||||
((X509Certificate)certs[i+1]).getSubjectX500Principal())) {
|
||||
i++;
|
||||
}
|
||||
i++;
|
||||
@ -2036,8 +2036,8 @@ public class PolicyFile extends java.security.Policy {
|
||||
while (i < certs.length) {
|
||||
signerCerts.add(certs[i]);
|
||||
while (((i+1) < certs.length) &&
|
||||
((X509Certificate)certs[i]).getIssuerDN().equals(
|
||||
((X509Certificate)certs[i+1]).getSubjectDN())) {
|
||||
((X509Certificate)certs[i]).getIssuerX500Principal().equals(
|
||||
((X509Certificate)certs[i+1]).getSubjectX500Principal())) {
|
||||
i++;
|
||||
}
|
||||
i++;
|
||||
|
@ -1614,7 +1614,7 @@ public final class Main {
|
||||
SignatureUtil.initSignWithParam(signature, privKey, params, null);
|
||||
|
||||
X500Name subject = dname == null?
|
||||
new X500Name(((X509Certificate)cert).getSubjectDN().toString()):
|
||||
new X500Name(((X509Certificate)cert).getSubjectX500Principal().getEncoded()):
|
||||
new X500Name(dname);
|
||||
|
||||
// Sign the request and base-64 encode it
|
||||
@ -2806,7 +2806,7 @@ public final class Main {
|
||||
for (Certificate cert: certs) {
|
||||
X509Certificate x = (X509Certificate)cert;
|
||||
if (rfc) {
|
||||
out.println(rb.getString("Certificate.owner.") + x.getSubjectDN() + "\n");
|
||||
out.println(rb.getString("Certificate.owner.") + x.getSubjectX500Principal() + "\n");
|
||||
dumpCert(x, out);
|
||||
} else {
|
||||
printX509Cert(x, out);
|
||||
@ -2823,7 +2823,7 @@ public final class Main {
|
||||
for (Certificate cert: certs) {
|
||||
X509Certificate x = (X509Certificate)cert;
|
||||
if (rfc) {
|
||||
out.println(rb.getString("Certificate.owner.") + x.getSubjectDN() + "\n");
|
||||
out.println(rb.getString("Certificate.owner.") + x.getSubjectX500Principal() + "\n");
|
||||
dumpCert(x, out);
|
||||
} else {
|
||||
printX509Cert(x, out);
|
||||
@ -3373,8 +3373,8 @@ public final class Main {
|
||||
if (!isTrustedCert(cert)) {
|
||||
sigName = withWeak(sigName);
|
||||
}
|
||||
Object[] source = {cert.getSubjectDN().toString(),
|
||||
cert.getIssuerDN().toString(),
|
||||
Object[] source = {cert.getSubjectX500Principal().toString(),
|
||||
cert.getIssuerX500Principal().toString(),
|
||||
cert.getSerialNumber().toString(16),
|
||||
cert.getNotBefore().toString(),
|
||||
cert.getNotAfter().toString(),
|
||||
@ -3931,7 +3931,7 @@ public final class Main {
|
||||
return true;
|
||||
}
|
||||
|
||||
Principal issuer = certToVerify.snd.getIssuerDN();
|
||||
Principal issuer = certToVerify.snd.getIssuerX500Principal();
|
||||
|
||||
// Get the issuer's certificate(s)
|
||||
Vector<Pair<String,X509Certificate>> vec = certs.get(issuer);
|
||||
@ -4009,7 +4009,7 @@ public final class Main {
|
||||
String alias = aliases.nextElement();
|
||||
Certificate cert = ks.getCertificate(alias);
|
||||
if (cert != null) {
|
||||
Principal subjectDN = ((X509Certificate)cert).getSubjectDN();
|
||||
Principal subjectDN = ((X509Certificate)cert).getSubjectX500Principal();
|
||||
Pair<String,X509Certificate> pair = new Pair<>(
|
||||
String.format(
|
||||
rb.getString(ks == caks ?
|
||||
|
@ -93,7 +93,7 @@ public class AnchorCertificates {
|
||||
boolean result = certs.contains(key);
|
||||
if (result && debug != null) {
|
||||
debug.println("AnchorCertificate.contains: matched " +
|
||||
cert.getSubjectDN());
|
||||
cert.getSubjectX500Principal());
|
||||
}
|
||||
return result;
|
||||
}
|
||||
|
@ -242,6 +242,7 @@ public class HostnameChecker {
|
||||
*
|
||||
* This method is currently used from within JSSE, do not remove.
|
||||
*/
|
||||
@SuppressWarnings("deprecation")
|
||||
public static X500Name getSubjectX500Name(X509Certificate cert)
|
||||
throws CertificateParsingException {
|
||||
try {
|
||||
|
@ -682,8 +682,9 @@ public class X509CRLImpl extends X509CRL implements DerEncoder {
|
||||
* TeletexString or UniversalString.
|
||||
* @return the issuer name.
|
||||
*/
|
||||
@SuppressWarnings("deprecation")
|
||||
public Principal getIssuerDN() {
|
||||
return (Principal)issuer;
|
||||
return issuer;
|
||||
}
|
||||
|
||||
/**
|
||||
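Review bot: `getIssuerDN()` here overrides the now-deprecated abstract method but carries only `@SuppressWarnings("deprecation")`; adding `@Override` above it would make the compiler confirm the override if the deprecated method is ever removed or renamed in the superclass. The same goes for `getSubjectDN()` and `getIssuerDN()` in the `X509CertImpl` hunks at `@ -913` and `@ -949`. A one-line comment next to the suppression, such as `// overrides a deprecated method; kept for compatibility`, would also explain why the warning is silenced rather than fixed.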
|
@ -913,6 +913,7 @@ public class X509CertImpl extends X509Certificate implements DerEncoder {
|
||||
*
|
||||
* @return the subject name.
|
||||
*/
|
||||
@SuppressWarnings("deprecation")
|
||||
public Principal getSubjectDN() {
|
||||
if (info == null)
|
||||
return null;
|
||||
@ -949,6 +950,7 @@ public class X509CertImpl extends X509Certificate implements DerEncoder {
|
||||
*
|
||||
* @return the issuer name.
|
||||
*/
|
||||
@SuppressWarnings("deprecation")
|
||||
public Principal getIssuerDN() {
|
||||
if (info == null)
|
||||
return null;
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2015, 2020, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -562,10 +562,11 @@ final class LDAPCertStoreImpl {
|
||||
(X509CertSelector xsel, String ldapDN) throws CertStoreException {
|
||||
|
||||
if (ldapDN == null) {
|
||||
ldapDN = xsel.getSubjectAsString();
|
||||
X500Principal subject = xsel.getSubject();
|
||||
ldapDN = subject == null ? null : subject.getName();
|
||||
}
|
||||
int basicConstraints = xsel.getBasicConstraints();
|
||||
String issuer = xsel.getIssuerAsString();
|
||||
X500Principal issuer = xsel.getIssuer();
|
||||
HashSet<X509Certificate> certs = new HashSet<>();
|
||||
if (debug != null) {
|
||||
debug.println("LDAPCertStore.engineGetCertificates() basicConstraints: "
|
||||
@ -634,7 +635,7 @@ final class LDAPCertStoreImpl {
|
||||
+ "getMatchingCrossCerts...");
|
||||
}
|
||||
if ((issuer != null) && (basicConstraints > -2)) {
|
||||
LDAPRequest request = new LDAPRequest(issuer);
|
||||
LDAPRequest request = new LDAPRequest(issuer.getName());
|
||||
request.addRequestedAttribute(CROSS_CERT);
|
||||
request.addRequestedAttribute(CA_CERT);
|
||||
request.addRequestedAttribute(ARL);
|
||||
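Review bot: Both new conversions, `subject.getName()` and `issuer.getName()`, go back to the RFC 2253 string form that this commit's own `@deprecated` texts describe as lossy, and nothing at the call sites says that this is intended. If the string is required because the value is used as the LDAP lookup name, a comment should record that, e.g. `// LDAP lookup needs the string DN; X500Principal.getName() yields the RFC 2253 form`. It may also be worth stating in the method comment that a DN whose string form loses encoding information might not locate its entry, if that is indeed the case for this store. The method starts before and ends after the hunks, so other uses of `issuer` are not visible here.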
|
@ -1431,7 +1431,7 @@ public class Main {
|
||||
x509Cert = (X509Certificate) c;
|
||||
certStr.append(tab).append(x509Cert.getType())
|
||||
.append(rb.getString("COMMA"))
|
||||
.append(x509Cert.getSubjectDN().getName());
|
||||
.append(x509Cert.getSubjectX500Principal().toString());
|
||||
} else {
|
||||
certStr.append(tab).append(c.getType());
|
||||
}
|
||||
@ -2055,7 +2055,7 @@ public class Main {
|
||||
// Only add TrustedCertificateEntry and self-signed
|
||||
// PrivateKeyEntry
|
||||
if (store.isCertificateEntry(a) ||
|
||||
c.getSubjectDN().equals(c.getIssuerDN())) {
|
||||
c.getSubjectX500Principal().equals(c.getIssuerX500Principal())) {
|
||||
trustedCerts.add(c);
|
||||
}
|
||||
} catch (Exception e2) {
|
||||
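Review bot: The certificate line at `@ -1431` now uses `getSubjectX500Principal().toString()` where `getName()` might look like the natural replacement for the old `getSubjectDN().getName()`, and the reason for the choice is not recorded. `X500Principal.getName()` returns the RFC 2253 form while `toString()` returns a differently formatted, user-friendly string, so a later tidy-up to `getName()` would change the tool's printed output. A comment such as `// toString(), not getName(): keeps the printed DN format unchanged` would protect that; whether the output is in fact unchanged depends on the implementation class behind the old call and should be confirmed. The explicit `.toString()` is redundant if `certStr` is a `StringBuilder`, which the hunk does not show.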
|
@ -664,8 +664,7 @@ public class KeyStoreLoginModule implements LoginModule {
|
||||
/* Get principal and keys */
|
||||
try {
|
||||
X509Certificate certificate = (X509Certificate)fromKeyStore[0];
|
||||
principal = new javax.security.auth.x500.X500Principal
|
||||
(certificate.getSubjectDN().getName());
|
||||
principal = certificate.getSubjectX500Principal();
|
||||
|
||||
// if token, privateKeyPassword will be null
|
||||
Key privateKey = keyStore.getKey(keyStoreAlias, privateKeyPassword);
|
||||
|