8258247: Couple of issues in fix for JDK-8249906

Reviewed-by: rhalade, weijun

src/java.base/share/classes/sun/security/provider/certpath/OCSPResponse.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -462,6 +462,7 @@ public final class OCSPResponse {
         }
 
         // Check whether the signer cert returned by the responder is trusted
+        boolean signedByTrustedResponder = false;
         if (signerCert != null) {
             // Check if the response is signed by the issuing CA
             if (signerCert.getSubjectX500Principal().equals(
@@ -476,6 +477,7 @@ public final class OCSPResponse {
 
             // Check if the response is signed by a trusted responder
             } else if (signerCert.equals(responderCert)) {
+                signedByTrustedResponder = true;
                 if (debug != null) {
                     debug.println("OCSP response is signed by a Trusted " +
                         "Responder");
@@ -567,7 +569,9 @@ public final class OCSPResponse {
             // Check algorithm constraints specified in security property
             // "jdk.certpath.disabledAlgorithms".
             AlgorithmChecker.check(signerCert.getPublicKey(), sigAlgId, variant,
-                    issuerInfo.getAnchor());
+                    signedByTrustedResponder
+                        ? new TrustAnchor(responderCert, null)
+                        : issuerInfo.getAnchor());
 
             if (!verifySignature(signerCert)) {
                 throw new CertPathValidatorException(

src/java.base/share/classes/sun/security/x509/AlgorithmId.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -80,6 +80,7 @@ public class AlgorithmId implements Serializable, DerEncoder {
     @SuppressWarnings("serial") // Not statically typed as Serializable
     protected DerValue          params;
 
+    private transient byte[] encodedParams;
 
     /**
      * Constructs an algorithm ID which will be initialized
@@ -108,6 +109,18 @@ public class AlgorithmId implements Serializable, DerEncoder {
         algid = oid;
         algParams = algparams;
         constructedFromDer = false;
+        if (algParams != null) {
+            try {
+                encodedParams = algParams.getEncoded();
+            } catch (IOException ioe) {
+                // It should be safe to ignore this.
+                // This exception can occur if AlgorithmParameters was not
+                // initialized (which should not occur), or if it was
+                // initialized with bogus parameters, which should have
+                // been detected when init was called.
+                assert false;
+            }
+        }
     }
 
     /**
@@ -121,6 +134,7 @@ public class AlgorithmId implements Serializable, DerEncoder {
         this.algid = oid;
         this.params = params;
         if (this.params != null) {
+            encodedParams = params.toByteArray();
             decodeParams();
         }
     }
@@ -139,7 +153,7 @@ public class AlgorithmId implements Serializable, DerEncoder {
         }
 
         // Decode (parse) the parameters
-        algParams.init(params.toByteArray());
+        algParams.init(encodedParams);
     }
 
     /**
@@ -158,6 +172,7 @@ public class AlgorithmId implements Serializable, DerEncoder {
      *
      * @exception IOException on encoding error.
      */
+    @Override
     public void derEncode (OutputStream out) throws IOException {
         DerOutputStream bytes = new DerOutputStream();
         DerOutputStream tmp = new DerOutputStream();
@@ -165,8 +180,8 @@ public class AlgorithmId implements Serializable, DerEncoder {
         bytes.putOID(algid);
         // Setup params from algParams since no DER encoding is given
         if (constructedFromDer == false) {
-            if (algParams != null) {
-                params = new DerValue(algParams.getEncoded());
+            if (encodedParams != null) {
+                params = new DerValue(encodedParams);
             } else {
                 params = null;
             }
@@ -269,7 +284,7 @@ public class AlgorithmId implements Serializable, DerEncoder {
             if (params != null) {
                 try {
                     AlgorithmId digestParams =
-                        AlgorithmId.parse(new DerValue(params.toByteArray()));
+                        AlgorithmId.parse(new DerValue(encodedParams));
                     String digestAlg = digestParams.getName();
                     return digestAlg.replace("-", "") + "withECDSA";
                 } catch (IOException e) {
@@ -307,7 +322,7 @@ public class AlgorithmId implements Serializable, DerEncoder {
         return (params == null ||
             algid.toString().equals(KnownOIDs.SpecifiedSHA2withECDSA.value()))
                 ? null
-                : params.toByteArray();
+                : encodedParams;
     }
 
     /**
@@ -315,8 +330,8 @@ public class AlgorithmId implements Serializable, DerEncoder {
      * with the same parameters.
      */
     public boolean equals(AlgorithmId other) {
-        boolean paramsEqual = Objects.equals(other.params, params);
-        return (algid.equals((Object)other.algid) && paramsEqual);
+        return algid.equals((Object)other.algid) &&
+            Arrays.equals(encodedParams, other.encodedParams);
     }
 
     /**
@@ -326,6 +341,7 @@ public class AlgorithmId implements Serializable, DerEncoder {
      *
      * @param other preferably an AlgorithmId, else an ObjectIdentifier
      */
+    @Override
     public boolean equals(Object other) {
         if (this == other) {
             return true;
@@ -352,11 +368,11 @@ public class AlgorithmId implements Serializable, DerEncoder {
      *
      * @return a hashcode for this AlgorithmId.
      */
+    @Override
     public int hashCode() {
-        StringBuilder sbuf = new StringBuilder();
-        sbuf.append(algid.toString());
-        sbuf.append(paramsToString());
-        return sbuf.toString().hashCode();
+        int hashCode = algid.hashCode();
+        hashCode = 31 * hashCode + Arrays.hashCode(encodedParams);
+        return hashCode;
     }
 
     /**
@@ -364,10 +380,10 @@ public class AlgorithmId implements Serializable, DerEncoder {
      * This may be redefined by subclasses which parse those parameters.
      */
     protected String paramsToString() {
-        if (params == null) {
+        if (encodedParams == null) {
             return "";
         } else if (algParams != null) {
-            return algParams.toString();
+            return ", " + algParams.toString();
         } else {
             return ", params unparsed";
         }
@@ -376,6 +392,7 @@ public class AlgorithmId implements Serializable, DerEncoder {
     /**
      * Returns a string describing the algorithm and its parameters.
      */
+    @Override
     public String toString() {
         return getName() + paramsToString();
     }