archive/jdk
1
0
Fork 0
mirror of https://github.com/openjdk/jdk.git synced 2025-08-28 07:14:30 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

8277246: Check for NonRepudiation as well when validating a TSA certificate

Browse source 
Reviewed-by: xuelei, mullan
This commit is contained in:
Weijun Wang 2021-11-17 20:03:55 +00:00
parent a907b2b144
commit 262d07001b
2 changed files with 6 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

7
src/java.base/share/classes/sun/security/validator/EndEntityChecker.java
View file

@ -105,6 +105,7 @@ class EndEntityChecker {
// bit numbers in the key usage extension
private static final int KU_SIGNATURE = 0;
private static final int KU_NON_REPUDIATION = 1;
private static final int KU_KEY_ENCIPHERMENT = 2;
private static final int KU_KEY_AGREEMENT = 4;
@ -356,9 +357,11 @@ class EndEntityChecker {
*/
private void checkTSAServer(X509Certificate cert, Set<String> exts)
throws CertificateException {
if (checkKeyUsage(cert, KU_SIGNATURE) == false) {
// KU and EKU should be consistent
if (!checkKeyUsage(cert, KU_SIGNATURE)
&& !checkKeyUsage(cert, KU_NON_REPUDIATION)) {
throw new ValidatorException
("KeyUsage does not allow digital signatures",
("KeyUsage does not allow digital signatures or non repudiation",
ValidatorException.T_EE_EXTENSIONS, cert);
}