Jesper Wilhelmsson 2020-01-16 04:09:50 +01:00
commit 51d5164ca2
102 changed files with 2027 additions and 937 deletions


@ -697,7 +697,7 @@ public abstract class JavaKeyStore extends KeyStoreSpi {
// Read the private key
entry.protectedPrivKey =
IOUtils.readFully(dis, dis.readInt(), true);
IOUtils.readExactlyNBytes(dis, dis.readInt());
// Read the certificate chain
int numOfCerts = dis.readInt();
@ -722,7 +722,7 @@ public abstract class JavaKeyStore extends KeyStoreSpi {
}
}
// instantiate the certificate
encoded = IOUtils.readFully(dis, dis.readInt(), true);
encoded = IOUtils.readExactlyNBytes(dis, dis.readInt());
bais = new ByteArrayInputStream(encoded);
certs.add(cf.generateCertificate(bais));
bais.close();
@ -761,7 +761,7 @@ public abstract class JavaKeyStore extends KeyStoreSpi {
cfs.put(certType, cf);
}
}
encoded = IOUtils.readFully(dis, dis.readInt(), true);
encoded = IOUtils.readExactlyNBytes(dis, dis.readInt());
bais = new ByteArrayInputStream(encoded);
entry.cert = cf.generateCertificate(bais);
bais.close();
@ -787,16 +787,13 @@ public abstract class JavaKeyStore extends KeyStoreSpi {
*/
if (password != null) {
byte[] computed = md.digest();
byte[] actual = new byte[computed.length];
dis.readFully(actual);
for (int i = 0; i < computed.length; i++) {
if (computed[i] != actual[i]) {
Throwable t = new UnrecoverableKeyException
byte[] actual = IOUtils.readExactlyNBytes(dis, computed.length);
if (!MessageDigest.isEqual(computed, actual)) {
Throwable t = new UnrecoverableKeyException
("Password verification failed");
throw (IOException)new IOException
throw (IOException) new IOException
("Keystore was tampered with, or "
+ "password was incorrect").initCause(t);
}
+ "password was incorrect").initCause(t);
}
}
}
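Review bot: The switch to `MessageDigest.isEqual` in the password-verification block needs a comment saying why it is there, because the value compared is a password-derived digest and a later clean-up could replace it with `Arrays.equals` or the old byte loop, both of which stop at the first differing byte. I would add `// constant-time compare: do not reveal how many digest bytes matched` directly above the `if`. The three earlier hunks pass `dis.readInt()` straight into `IOUtils.readExactlyNBytes`; that length comes from the keystore file itself, so a one-line comment that it is untrusted and is bounded only by the bytes actually present in the stream would help the next reader. The enclosing method starts and ends outside these hunks.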


@ -271,8 +271,14 @@ enum Alert {
ClientAuthType.CLIENT_AUTH_REQUESTED)) {
throw tc.fatal(Alert.HANDSHAKE_FAILURE,
"received handshake warning: " + alert.description);
} // Otherwise, ignore the warning
} // Otherwise, ignore the warning.
} else {
// Otherwise ignore the warning but remove the
// CertificateVerify handshake consumer so the state
// machine doesn't expect it.
tc.handshakeContext.handshakeConsumers.remove(
SSLHandshake.CERTIFICATE_VERIFY.id);
}
} // Otherwise, ignore the warning
} else { // fatal or unknown
String diagnostic;
if (alert == null) {
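Review bot: The new else branch dereferences `tc.handshakeContext` with no null check in the visible lines, and a warning alert can presumably arrive when no handshake is in progress. The enclosing condition starts outside the hunk, so if it already guarantees a live handshake context, a short comment saying so is enough; otherwise the call should be guarded with `if (tc.handshakeContext != null)`. The rendered page prints the trailing `// Otherwise, ignore the warning` comment several times, so it is worth checking in the real file that only one copy survives and that it sits on the brace it describes.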


@ -371,6 +371,10 @@ final class CertificateMessage {
T12CertificateMessage certificateMessage )throws IOException {
List<byte[]> encodedCerts = certificateMessage.encodedCertChain;
if (encodedCerts == null || encodedCerts.isEmpty()) {
// For empty Certificate messages, we should not expect
// a CertificateVerify message to follow
shc.handshakeConsumers.remove(
SSLHandshake.CERTIFICATE_VERIFY.id);
if (shc.sslConfig.clientAuthType !=
ClientAuthType.CLIENT_AUTH_REQUESTED) {
// unexpected or require client authentication
@ -1165,6 +1169,10 @@ final class CertificateMessage {
T13CertificateMessage certificateMessage )throws IOException {
if (certificateMessage.certEntries == null ||
certificateMessage.certEntries.isEmpty()) {
// For empty Certificate messages, we should not expect
// a CertificateVerify message to follow
shc.handshakeConsumers.remove(
SSLHandshake.CERTIFICATE_VERIFY.id);
if (shc.sslConfig.clientAuthType == CLIENT_AUTH_REQUIRED) {
throw shc.conContext.fatal(Alert.BAD_CERTIFICATE,
"Empty client certificate chain");
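Review bot: The comment on both new `handshakeConsumers.remove(...)` calls says what is removed but not what depends on it. The Finished consumers changed in this same commit reject the handshake while `CERTIFICATE_VERIFY` is still registered, so this removal is what allows a client that sent an empty Certificate message to complete the handshake when client authentication is only requested. I would extend the comment to something like `// Finished fails the handshake while this consumer is registered; drop it because no CertificateVerify can follow an empty Certificate`. Both enclosing methods continue outside the hunks.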


@ -287,6 +287,17 @@ final class CertificateVerify {
ByteBuffer message) throws IOException {
// The consuming happens in server side only.
ServerHandshakeContext shc = (ServerHandshakeContext)context;
// Clean up this consumer
shc.handshakeConsumers.remove(SSLHandshake.CERTIFICATE_VERIFY.id);
// Ensure that the CV message follows the CKE
if (shc.handshakeConsumers.containsKey(
SSLHandshake.CLIENT_KEY_EXCHANGE.id)) {
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected CertificateVerify handshake message");
}
S30CertificateVerifyMessage cvm =
new S30CertificateVerifyMessage(shc, message);
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
@ -529,6 +540,17 @@ final class CertificateVerify {
ByteBuffer message) throws IOException {
// The consuming happens in server side only.
ServerHandshakeContext shc = (ServerHandshakeContext)context;
// Clean up this consumer
shc.handshakeConsumers.remove(SSLHandshake.CERTIFICATE_VERIFY.id);
// Ensure that the CV message follows the CKE
if (shc.handshakeConsumers.containsKey(
SSLHandshake.CLIENT_KEY_EXCHANGE.id)) {
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected CertificateVerify handshake message");
}
T10CertificateVerifyMessage cvm =
new T10CertificateVerifyMessage(shc, message);
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
@ -767,6 +789,17 @@ final class CertificateVerify {
ByteBuffer message) throws IOException {
// The consuming happens in server side only.
ServerHandshakeContext shc = (ServerHandshakeContext)context;
// Clean up this consumer
shc.handshakeConsumers.remove(SSLHandshake.CERTIFICATE_VERIFY.id);
// Ensure that the CV message follows the CKE
if (shc.handshakeConsumers.containsKey(
SSLHandshake.CLIENT_KEY_EXCHANGE.id)) {
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected CertificateVerify handshake message");
}
T12CertificateVerifyMessage cvm =
new T12CertificateVerifyMessage(shc, message);
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
@ -1120,6 +1153,10 @@ final class CertificateVerify {
ByteBuffer message) throws IOException {
// The producing happens in handshake context only.
HandshakeContext hc = (HandshakeContext)context;
// Clean up this consumer
hc.handshakeConsumers.remove(SSLHandshake.CERTIFICATE_VERIFY.id);
T13CertificateVerifyMessage cvm =
new T13CertificateVerifyMessage(hc, message);
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
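Review bot: The remove-then-check sequence is pasted verbatim into the S30, T10 and T12 consumers (hunks at -287, -529 and -767), and a message-ordering check that gates client authentication is exactly the kind of code where three copies drift apart. If the consumers share an enclosing class, as the hunk headers suggest, one private static helper taking the `ServerHandshakeContext` would keep them in step. The comment should also say why the order matters, e.g. `// CLIENT_KEY_EXCHANGE still registered means the CKE was skipped, so a CertificateVerify here is out of order`. In the TLS 1.3 hunk the context comment reads "The producing happens in handshake context only" inside a consume method, which looks like a copy-paste leftover worth correcting while these lines are being touched. All four method bodies continue outside the hunks.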


@ -1140,6 +1140,15 @@ final class ClientHello {
ServerHandshakeContext shc = (ServerHandshakeContext)context;
ClientHelloMessage clientHello = (ClientHelloMessage)message;
// [RFC 8446] TLS 1.3 forbids renegotiation. If a server has
// negotiated TLS 1.3 and receives a ClientHello at any other
// time, it MUST terminate the connection with an
// "unexpected_message" alert.
if (shc.conContext.isNegotiated) {
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Received unexpected renegotiation handshake message");
}
// The client may send a dummy change_cipher_spec record
// immediately after the first ClientHello.
shc.conContext.consumers.putIfAbsent(
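Review bot: The new guard tests only `shc.conContext.isNegotiated`, while its comment justifies the rejection by TLS 1.3 forbidding renegotiation; nothing in the visible lines ties the check to the negotiated protocol version. If this consumer is reached only for TLS 1.3 (presumably the case, but the enclosing class and method header are outside the hunk), the comment should say so, e.g. `// This consumer handles TLS 1.3 only, so any ClientHello after negotiation is a renegotiation attempt`. If it can also be reached for earlier versions, the condition needs a version test as well, otherwise legitimate TLS 1.2 renegotiation would be terminated with `unexpected_message`.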


@ -589,6 +589,16 @@ final class Finished {
private void onConsumeFinished(ServerHandshakeContext shc,
ByteBuffer message) throws IOException {
// Make sure that any expected CertificateVerify message
// has been received and processed.
if (!shc.isResumption) {
if (shc.handshakeConsumers.containsKey(
SSLHandshake.CERTIFICATE_VERIFY.id)) {
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected Finished handshake message");
}
}
FinishedMessage fm = new FinishedMessage(shc, message);
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.fine(
@ -883,6 +893,16 @@ final class Finished {
private void onConsumeFinished(ClientHandshakeContext chc,
ByteBuffer message) throws IOException {
// Make sure that any expected CertificateVerify message
// has been received and processed.
if (!chc.isResumption) {
if (chc.handshakeConsumers.containsKey(
SSLHandshake.CERTIFICATE_VERIFY.id)) {
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected Finished handshake message");
}
}
FinishedMessage fm = new FinishedMessage(chc, message);
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.fine(
@ -1005,6 +1025,16 @@ final class Finished {
private void onConsumeFinished(ServerHandshakeContext shc,
ByteBuffer message) throws IOException {
// Make sure that any expected CertificateVerify message
// has been received and processed.
if (!shc.isResumption) {
if (shc.handshakeConsumers.containsKey(
SSLHandshake.CERTIFICATE_VERIFY.id)) {
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected Finished handshake message");
}
}
FinishedMessage fm = new FinishedMessage(shc, message);
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.fine(
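Review bot: The `isResumption` exemption is not explained in any of the three hunks, yet it is the one path on which a still-registered CertificateVerify consumer does not abort the handshake, so a reader has to take it on trust. Presumably an abbreviated handshake carries no CertificateVerify at all; if that is the reason, say it in the comment, e.g. `// Resumed sessions skip certificate messages, so a leftover CertificateVerify consumer is not an error there`. The two nested `if`s can also be one condition, `if (!shc.isResumption && shc.handshakeConsumers.containsKey(SSLHandshake.CERTIFICATE_VERIFY.id)) {`, which makes the exemption harder to overlook. The alert text "Unexpected Finished handshake message" does not tell an operator that the missing CertificateVerify is the cause; naming it in the message would make handshake failures easier to triage. All three method bodies continue outside the hunks.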


@ -395,7 +395,7 @@ public class DerValue {
if (fullyBuffered && in.available() != length)
throw new IOException("extra data given to DerValue constructor");
byte[] bytes = IOUtils.readFully(in, length, true);
byte[] bytes = IOUtils.readExactlyNBytes(in, length);
buffer = new DerInputBuffer(bytes, allowBER);
return new DerInputStream(buffer);


@ -1,5 +1,5 @@
/*
* Copyright (c) 2009, 2017, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2009, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -32,68 +32,34 @@ package sun.security.util;
import java.io.EOFException;
import java.io.IOException;
import java.io.InputStream;
import java.util.Arrays;
public class IOUtils {
/**
* Read up to {@code length} of bytes from {@code in}
* until EOF is detected.
* @param is input stream, must not be null
* @param length number of bytes to read
* @param readAll if true, an EOFException will be thrown if not enough
* bytes are read.
* @return bytes read
* @throws IOException Any IO error or a premature EOF is detected
*/
public static byte[] readFully(InputStream is, int length, boolean readAll)
throws IOException {
if (length < 0) {
throw new IOException("Invalid length");
}
byte[] output = {};
int pos = 0;
while (pos < length) {
int bytesToRead;
if (pos >= output.length) { // Only expand when there's no room
bytesToRead = Math.min(length - pos, output.length + 1024);
if (output.length < pos + bytesToRead) {
output = Arrays.copyOf(output, pos + bytesToRead);
}
} else {
bytesToRead = output.length - pos;
}
int cc = is.read(output, pos, bytesToRead);
if (cc < 0) {
if (readAll) {
throw new EOFException("Detect premature EOF");
} else {
if (output.length != pos) {
output = Arrays.copyOf(output, pos);
}
break;
}
}
pos += cc;
}
return output;
}
/**
* Read {@code length} of bytes from {@code in}. An exception is
* thrown if there are not enough bytes in the stream.
* Read exactly {@code length} of bytes from {@code in}.
*
* <p> Note that this method is safe to be called with unknown large
* {@code length} argument. The memory used is proportional to the
* actual bytes available. An exception is thrown if there are not
* enough bytes in the stream.
*
* @param is input stream, must not be null
* @param length number of bytes to read, must not be negative
* @param length number of bytes to read
* @return bytes read
* @throws IOException if any IO error or a premature EOF is detected, or
* if {@code length} is negative since this length is usually also
* read from {@code is}.
* @throws EOFException if there are not enough bytes in the stream
* @throws IOException if an I/O error occurs or {@code length} is negative
* @throws OutOfMemoryError if an array of the required size cannot be
* allocated.
*/
public static byte[] readNBytes(InputStream is, int length) throws IOException {
public static byte[] readExactlyNBytes(InputStream is, int length)
throws IOException {
if (length < 0) {
throw new IOException("length cannot be negative: " + length);
}
return readFully(is, length, true);
byte[] data = is.readNBytes(length);
if (data.length < length) {
throw new EOFException();
}
return data;
}
}
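Review bot: `readExactlyNBytes` throws a bare `new EOFException()` on a short read, whereas the removed `readFully` at least said "Detect premature EOF"; callers such as the keystore and DER parsers feed it lengths taken from untrusted input, so the message is the main clue when a truncated or malformed file is being diagnosed. I would write `throw new EOFException("expected " + length + " bytes, got " + data.length);`. The new Javadoc still says "from {@code in}" although the parameter is named `is`. Its statement that memory use is proportional to the bytes actually available holds only as far as the concrete stream's `readNBytes(int)` behaves that way, so it would be safer worded as a property of the default `InputStream` implementation.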


@ -32,6 +32,7 @@ import java.security.cert.*;
import javax.security.auth.x500.X500Principal;
import sun.security.action.GetBooleanAction;
import sun.security.action.GetPropertyAction;
import sun.security.provider.certpath.AlgorithmChecker;
import sun.security.provider.certpath.PKIXExtendedParameters;
@ -60,6 +61,18 @@ public final class PKIXValidator extends Validator {
private static final boolean checkTLSRevocation = GetBooleanAction
.privilegedGetProperty("com.sun.net.ssl.checkRevocation");
/**
* System property that if set (or set to "true"), allows trust anchor
* certificates to be used if they do not have the proper CA extensions.
* Set to false if prop is not set, or set to any other value.
*/
private static final boolean ALLOW_NON_CA_ANCHOR = allowNonCaAnchor();
private static boolean allowNonCaAnchor() {
String prop = GetPropertyAction
.privilegedGetProperty("jdk.security.allowNonCaAnchor");
return prop != null && (prop.isEmpty() || prop.equalsIgnoreCase("true"));
}
private final Set<X509Certificate> trustedCerts;
private final PKIXBuilderParameters parameterTemplate;
private int certPathLength = -1;
@ -195,6 +208,7 @@ public final class PKIXValidator extends Validator {
("null or zero-length certificate chain");
}
// Use PKIXExtendedParameters for timestamp and variant additions
PKIXBuilderParameters pkixParameters = null;
try {
@ -224,28 +238,30 @@ public final class PKIXValidator extends Validator {
for (int i = 0; i < chain.length; i++) {
X509Certificate cert = chain[i];
X500Principal dn = cert.getSubjectX500Principal();
if (i != 0 && !dn.equals(prevIssuer)) {
// chain is not ordered correctly, call builder instead
return doBuild(chain, otherCerts, pkixParameters);
}
// Check if chain[i] is already trusted. It may be inside
// trustedCerts, or has the same dn and public key as a cert
// inside trustedCerts. The latter happens when a CA has
// updated its cert with a stronger signature algorithm in JRE
// but the weak one is still in circulation.
if (trustedCerts.contains(cert) || // trusted cert
(trustedSubjects.containsKey(dn) && // replacing ...
trustedSubjects.get(dn).contains( // ... weak cert
cert.getPublicKey()))) {
if (i == 0) {
if (i == 0) {
if (trustedCerts.contains(cert)) {
return new X509Certificate[] {chain[0]};
}
// Remove and call validator on partial chain [0 .. i-1]
X509Certificate[] newChain = new X509Certificate[i];
System.arraycopy(chain, 0, newChain, 0, i);
return doValidate(newChain, pkixParameters);
} else {
if (!dn.equals(prevIssuer)) {
// chain is not ordered correctly, call builder instead
return doBuild(chain, otherCerts, pkixParameters);
}
// Check if chain[i] is already trusted. It may be inside
// trustedCerts, or has the same dn and public key as a cert
// inside trustedCerts. The latter happens when a CA has
// updated its cert with a stronger signature algorithm in JRE
// but the weak one is still in circulation.
if (trustedCerts.contains(cert) || // trusted cert
(trustedSubjects.containsKey(dn) && // replacing ...
trustedSubjects.get(dn).contains( // ... weak cert
cert.getPublicKey()))) {
// Remove and call validator on partial chain [0 .. i-1]
X509Certificate[] newChain = new X509Certificate[i];
System.arraycopy(chain, 0, newChain, 0, i);
return doValidate(newChain, pkixParameters);
}
}
prevIssuer = cert.getIssuerX500Principal();
}
@ -308,15 +324,18 @@ public final class PKIXValidator extends Validator {
private static X509Certificate[] toArray(CertPath path, TrustAnchor anchor)
throws CertificateException {
List<? extends java.security.cert.Certificate> list =
path.getCertificates();
X509Certificate[] chain = new X509Certificate[list.size() + 1];
list.toArray(chain);
X509Certificate trustedCert = anchor.getTrustedCert();
if (trustedCert == null) {
throw new ValidatorException
("TrustAnchor must be specified as certificate");
}
verifyTrustAnchor(trustedCert);
List<? extends java.security.cert.Certificate> list =
path.getCertificates();
X509Certificate[] chain = new X509Certificate[list.size() + 1];
list.toArray(chain);
chain[chain.length - 1] = trustedCert;
return chain;
}
@ -351,6 +370,41 @@ public final class PKIXValidator extends Validator {
}
}
/**
* Verify that a trust anchor certificate is a CA certificate.
*/
private static void verifyTrustAnchor(X509Certificate trustedCert)
throws ValidatorException {
// skip check if jdk.security.allowNonCAAnchor system property is set
if (ALLOW_NON_CA_ANCHOR) {
return;
}
// allow v1 trust anchor certificates
if (trustedCert.getVersion() < 3) {
return;
}
// check that the BasicConstraints cA field is not set to false
if (trustedCert.getBasicConstraints() == -1) {
throw new ValidatorException
("TrustAnchor with subject \"" +
trustedCert.getSubjectX500Principal() +
"\" is not a CA certificate");
}
// check that the KeyUsage extension, if included, asserts the
// keyCertSign bit
boolean[] keyUsageBits = trustedCert.getKeyUsage();
if (keyUsageBits != null && !keyUsageBits[5]) {
throw new ValidatorException
("TrustAnchor with subject \"" +
trustedCert.getSubjectX500Principal() +
"\" does not have keyCertSign bit set in KeyUsage extension");
}
}
private X509Certificate[] doBuild(X509Certificate[] chain,
Collection<X509Certificate> otherCerts,
PKIXBuilderParameters params) throws CertificateException {
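Review bot: The comment in `verifyTrustAnchor` names the override as `jdk.security.allowNonCAAnchor`, but the property actually read in `allowNonCaAnchor()` is `jdk.security.allowNonCaAnchor`; system property names are case-sensitive, so anyone copying the name from the comment would set a property that has no effect. The comment should read `// skip check if jdk.security.allowNonCaAnchor system property is set`. The next comment says the check is that the cA field "is not set to false", but `getBasicConstraints() == -1` is also what a v3 certificate without the extension returns, so such anchors are rejected too and the comment should say so. `keyUsageBits[5]` would read better with a named constant, e.g. `private static final int KEY_CERT_SIGN = 5;`. Because the property switches off a trust-anchor check for the whole JVM, its field Javadoc should state that it exists only for compatibility with legacy anchors.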


@ -599,7 +599,7 @@ public class AVA implements DerEncoder {
if (derval.tag != DerValue.tag_Sequence) {
throw new IOException("AVA not a sequence");
}
oid = X500Name.intern(derval.data.getOID());
oid = derval.data.getOID();
value = derval.data.getDerValue();
if (derval.data.available() != 0) {


@ -1,5 +1,5 @@
/*
* Copyright (c) 1996, 2014, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1996, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -1097,18 +1097,6 @@ public class X500Name implements GeneralNameInterface, Principal {
/****************************************************************/
/*
* Maybe return a preallocated OID, to reduce storage costs
* and speed recognition of common X.500 attributes.
*/
static ObjectIdentifier intern(ObjectIdentifier oid) {
ObjectIdentifier interned = internedOIDs.putIfAbsent(oid, oid);
return (interned == null) ? oid : interned;
}
private static final Map<ObjectIdentifier,ObjectIdentifier> internedOIDs
= new HashMap<ObjectIdentifier,ObjectIdentifier>();
/*
* Selected OIDs from X.520
* Includes all those specified in RFC 5280 as MUST or SHOULD
@ -1136,92 +1124,82 @@ public class X500Name implements GeneralNameInterface, Principal {
{ 0, 9, 2342, 19200300, 100, 1, 1 };
public static final ObjectIdentifier commonName_oid;
public static final ObjectIdentifier countryName_oid;
public static final ObjectIdentifier localityName_oid;
public static final ObjectIdentifier orgName_oid;
public static final ObjectIdentifier orgUnitName_oid;
public static final ObjectIdentifier stateName_oid;
public static final ObjectIdentifier streetAddress_oid;
public static final ObjectIdentifier title_oid;
public static final ObjectIdentifier DNQUALIFIER_OID;
public static final ObjectIdentifier SURNAME_OID;
public static final ObjectIdentifier GIVENNAME_OID;
public static final ObjectIdentifier INITIALS_OID;
public static final ObjectIdentifier GENERATIONQUALIFIER_OID;
public static final ObjectIdentifier ipAddress_oid;
public static final ObjectIdentifier DOMAIN_COMPONENT_OID;
public static final ObjectIdentifier userid_oid;
public static final ObjectIdentifier SERIALNUMBER_OID;
// OID for the "CN=" attribute, denoting a person's common name.
public static final ObjectIdentifier commonName_oid =
ObjectIdentifier.newInternal(commonName_data);
static {
/** OID for the "CN=" attribute, denoting a person's common name. */
commonName_oid = intern(ObjectIdentifier.newInternal(commonName_data));
// OID for the "SERIALNUMBER=" attribute, denoting a serial number for.
// a name. Do not confuse with PKCS#9 issuerAndSerialNumber or the
// certificate serial number.
public static final ObjectIdentifier SERIALNUMBER_OID =
ObjectIdentifier.newInternal(SERIALNUMBER_DATA);
/** OID for the "SERIALNUMBER=" attribute, denoting a serial number for.
a name. Do not confuse with PKCS#9 issuerAndSerialNumber or the
certificate serial number. */
SERIALNUMBER_OID = intern(ObjectIdentifier.newInternal(SERIALNUMBER_DATA));
// OID for the "C=" attribute, denoting a country.
public static final ObjectIdentifier countryName_oid =
ObjectIdentifier.newInternal(countryName_data);
/** OID for the "C=" attribute, denoting a country. */
countryName_oid = intern(ObjectIdentifier.newInternal(countryName_data));
// OID for the "L=" attribute, denoting a locality (such as a city).
public static final ObjectIdentifier localityName_oid =
ObjectIdentifier.newInternal(localityName_data);
/** OID for the "L=" attribute, denoting a locality (such as a city) */
localityName_oid = intern(ObjectIdentifier.newInternal(localityName_data));
// OID for the "O=" attribute, denoting an organization name.
public static final ObjectIdentifier orgName_oid =
ObjectIdentifier.newInternal(orgName_data);
/** OID for the "O=" attribute, denoting an organization name */
orgName_oid = intern(ObjectIdentifier.newInternal(orgName_data));
// OID for the "OU=" attribute, denoting an organizational unit name.
public static final ObjectIdentifier orgUnitName_oid =
ObjectIdentifier.newInternal(orgUnitName_data);
/** OID for the "OU=" attribute, denoting an organizational unit name */
orgUnitName_oid = intern(ObjectIdentifier.newInternal(orgUnitName_data));
// OID for the "S=" attribute, denoting a state (such as Delaware).
public static final ObjectIdentifier stateName_oid =
ObjectIdentifier.newInternal(stateName_data);
/** OID for the "S=" attribute, denoting a state (such as Delaware) */
stateName_oid = intern(ObjectIdentifier.newInternal(stateName_data));
// OID for the "STREET=" attribute, denoting a street address.
public static final ObjectIdentifier streetAddress_oid =
ObjectIdentifier.newInternal(streetAddress_data);
/** OID for the "STREET=" attribute, denoting a street address. */
streetAddress_oid = intern(ObjectIdentifier.newInternal(streetAddress_data));
// OID for the "T=" attribute, denoting a person's title.
public static final ObjectIdentifier title_oid =
ObjectIdentifier.newInternal(title_data);
/** OID for the "T=" attribute, denoting a person's title. */
title_oid = intern(ObjectIdentifier.newInternal(title_data));
// OID for the "DNQUALIFIER=" or "DNQ=" attribute, denoting DN
// disambiguating information.
public static final ObjectIdentifier DNQUALIFIER_OID =
ObjectIdentifier.newInternal(DNQUALIFIER_DATA);
/** OID for the "DNQUALIFIER=" or "DNQ=" attribute, denoting DN
disambiguating information.*/
DNQUALIFIER_OID = intern(ObjectIdentifier.newInternal(DNQUALIFIER_DATA));
// OID for the "SURNAME=" attribute, denoting a person's surname.
public static final ObjectIdentifier SURNAME_OID =
ObjectIdentifier.newInternal(SURNAME_DATA);
/** OID for the "SURNAME=" attribute, denoting a person's surname.*/
SURNAME_OID = intern(ObjectIdentifier.newInternal(SURNAME_DATA));
// OID for the "GIVENNAME=" attribute, denoting a person's given name.
public static final ObjectIdentifier GIVENNAME_OID =
ObjectIdentifier.newInternal(GIVENNAME_DATA);
/** OID for the "GIVENNAME=" attribute, denoting a person's given name.*/
GIVENNAME_OID = intern(ObjectIdentifier.newInternal(GIVENNAME_DATA));
// OID for the "INITIALS=" attribute, denoting a person's initials.
public static final ObjectIdentifier INITIALS_OID =
ObjectIdentifier.newInternal(INITIALS_DATA);
/** OID for the "INITIALS=" attribute, denoting a person's initials.*/
INITIALS_OID = intern(ObjectIdentifier.newInternal(INITIALS_DATA));
// OID for the "GENERATION=" attribute, denoting Jr., II, etc.
public static final ObjectIdentifier GENERATIONQUALIFIER_OID =
ObjectIdentifier.newInternal(GENERATIONQUALIFIER_DATA);
/** OID for the "GENERATION=" attribute, denoting Jr., II, etc.*/
GENERATIONQUALIFIER_OID =
intern(ObjectIdentifier.newInternal(GENERATIONQUALIFIER_DATA));
// OIDs from other sources which show up in X.500 names we
// expect to deal with often.
//
// OID for "IP=" IP address attributes, used with SKIP.
public static final ObjectIdentifier ipAddress_oid =
ObjectIdentifier.newInternal(ipAddress_data);
/*
* OIDs from other sources which show up in X.500 names we
* expect to deal with often
*/
/** OID for "IP=" IP address attributes, used with SKIP. */
ipAddress_oid = intern(ObjectIdentifier.newInternal(ipAddress_data));
// Domain component OID from RFC 1274, RFC 2247, RFC 5280.
//
// OID for "DC=" domain component attributes, used with DNSNames in DN
// format.
public static final ObjectIdentifier DOMAIN_COMPONENT_OID =
ObjectIdentifier.newInternal(DOMAIN_COMPONENT_DATA);
/*
* Domain component OID from RFC 1274, RFC 2247, RFC 5280
*/
/*
* OID for "DC=" domain component attributes, used with DNSNames in DN
* format
*/
DOMAIN_COMPONENT_OID =
intern(ObjectIdentifier.newInternal(DOMAIN_COMPONENT_DATA));
/** OID for "UID=" denoting a user id, defined in RFCs 1274 & 2798. */
userid_oid = intern(ObjectIdentifier.newInternal(userid_data));
}
// OID for "UID=" denoting a user id, defined in RFCs 1274 & 2798.
public static final ObjectIdentifier userid_oid =
ObjectIdentifier.newInternal(userid_data);
/**
* Return constraint type:<ul>