8241039: Retire the deprecated SSLSession.getPeerCertificateChain() method

Reviewed-by: mullan, alanb, dfuchs
2025-08-26 22:34:27 +02:00 · 2020-03-20 09:15:00 -07:00 · 2020-03-20 09:15:00 -07:00 · d243e40f7b
commit d243e40f7b
parent 2288788e03
7 changed files with 26 additions and 408 deletions
--- a/src/java.base/share/classes/com/sun/security/cert/internal/x509/X509V1CertImpl.java
+++ b/src/java.base/share/classes/com/sun/security/cert/internal/x509/X509V1CertImpl.java
@ -1,335 +0,0 @@
 /*
 * Copyright (c) 1997, 2019, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */
 package com.sun.security.cert.internal.x509;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.Serializable;
 import java.io.InputStream;
 import java.io.ObjectInputStream;
 import java.io.OutputStream;
 import java.io.ObjectOutputStream;
 import java.math.BigInteger;
 import java.security.Signature;
 import javax.security.cert.*;
 import java.security.*;
 import java.util.Date;
 import java.util.BitSet;
 import java.util.Enumeration;
 import java.util.Vector;
 /**
 * The X509V1CertImpl class is used as a conversion wrapper around
 * sun.security.x509.X509Cert certificates when running under JDK1.1.x.
 *
 * @deprecated This is the implementation class for the deprecated
 *  {@code javax.security.cert.X509Certificate} class. The classes in the
 *  {@code java.security.cert} package should be used instead.
 *
 * @author Jeff Nisewanger
 */
@SuppressWarnings("removal")
@Deprecated(since="9", forRemoval=true)
 public class X509V1CertImpl extends X509Certificate implements Serializable {
    @java.io.Serial
    static final long serialVersionUID = -2048442350420423405L;
    private java.security.cert.X509Certificate wrappedCert;
    private static synchronized java.security.cert.CertificateFactory
    getFactory()
    throws java.security.cert.CertificateException
    {
        return java.security.cert.CertificateFactory.getInstance("X.509");
    }
    /**
     * Default constructor.
     */
    public X509V1CertImpl() { }
    /**
     * Unmarshals a certificate from its encoded form, parsing the
     * encoded bytes.  This form of constructor is used by agents which
     * need to examine and use certificate contents.  That is, this is
     * one of the more commonly used constructors.  Note that the buffer
     * must include only a certificate, and no "garbage" may be left at
     * the end.  If you need to ignore data at the end of a certificate,
     * use another constructor.
     *
     * @param certData the encoded bytes, with no trailing padding.
     * @exception CertificateException on parsing errors.
     */
    public X509V1CertImpl(byte[] certData)
    throws CertificateException {
        try {
            ByteArrayInputStream bs;
            bs = new ByteArrayInputStream(certData);
            wrappedCert = (java.security.cert.X509Certificate)
                getFactory().generateCertificate(bs);
        } catch (java.security.cert.CertificateException e) {
            throw new CertificateException(e.getMessage());
        }
    }
    /**
     * unmarshals an X.509 certificate from an input stream.
     *
     * @param in an input stream holding at least one certificate
     * @exception CertificateException on parsing errors.
     */
    public X509V1CertImpl(InputStream in)
    throws CertificateException {
        try {
            wrappedCert = (java.security.cert.X509Certificate)
                getFactory().generateCertificate(in);
        } catch (java.security.cert.CertificateException e) {
            throw new CertificateException(e.getMessage());
        }
    }
    /**
     * Returns the encoded form of this certificate. It is
     * assumed that each certificate type would have only a single
     * form of encoding; for example, X.509 certificates would
     * be encoded as ASN.1 DER.
     */
    public byte[] getEncoded() throws CertificateEncodingException {
        try {
            return wrappedCert.getEncoded();
        } catch (java.security.cert.CertificateEncodingException e) {
            throw new CertificateEncodingException(e.getMessage());
        }
    }
    /**
     * Throws an exception if the certificate was not signed using the
     * verification key provided.  Successfully verifying a certificate
     * does <em>not</em> indicate that one should trust the entity which
     * it represents.
     *
     * @param key the public key used for verification.
     */
    public void verify(PublicKey key)
        throws CertificateException, NoSuchAlgorithmException,
        InvalidKeyException, NoSuchProviderException,
        SignatureException
    {
        try {
            wrappedCert.verify(key);
        } catch (java.security.cert.CertificateException e) {
            throw new CertificateException(e.getMessage());
        }
    }
    /**
     * Throws an exception if the certificate was not signed using the
     * verification key provided.  Successfully verifying a certificate
     * does <em>not</em> indicate that one should trust the entity which
     * it represents.
     *
     * @param key the public key used for verification.
     * @param sigProvider the name of the provider.
     */
    public void verify(PublicKey key, String sigProvider)
        throws CertificateException, NoSuchAlgorithmException,
        InvalidKeyException, NoSuchProviderException,
        SignatureException
    {
        try {
            wrappedCert.verify(key, sigProvider);
        } catch (java.security.cert.CertificateException e) {
            throw new CertificateException(e.getMessage());
        }
    }
    /**
     * Checks that the certificate is currently valid, i.e. the current
     * time is within the specified validity period.
     */
    public void checkValidity() throws
      CertificateExpiredException, CertificateNotYetValidException {
        checkValidity(new Date());
    }
    /**
     * Checks that the specified date is within the certificate's
     * validity period, or basically if the certificate would be
     * valid at the specified date/time.
     *
     * @param date the Date to check against to see if this certificate
     *        is valid at that date/time.
     */
    public void checkValidity(Date date) throws
      CertificateExpiredException, CertificateNotYetValidException {
        try {
            wrappedCert.checkValidity(date);
        } catch (java.security.cert.CertificateNotYetValidException e) {
            throw new CertificateNotYetValidException(e.getMessage());
        } catch (java.security.cert.CertificateExpiredException e) {
            throw new CertificateExpiredException(e.getMessage());
        }
    }
    /**
     * Returns a printable representation of the certificate.  This does not
     * contain all the information available to distinguish this from any
     * other certificate.  The certificate must be fully constructed
     * before this function may be called.
     */
    public String toString() {
        return wrappedCert.toString();
    }
    /**
     * Gets the publickey from this certificate.
     *
     * @return the publickey.
     */
    public PublicKey getPublicKey() {
        PublicKey key = wrappedCert.getPublicKey();
        return key;
    }
    /*
     * Gets the version number from the certificate.
     *
     * @return the version number.
     */
    public int getVersion() {
        return wrappedCert.getVersion() - 1;
    }
    /**
     * Gets the serial number from the certificate.
     *
     * @return the serial number.
     */
    public BigInteger getSerialNumber() {
        return wrappedCert.getSerialNumber();
    }
    /**
     * Gets the subject distinguished name from the certificate.
     *
     * @return the subject name.
     * @exception CertificateException if a parsing error occurs.
     */
    public Principal getSubjectDN() {
        return wrappedCert.getSubjectDN();
    }
    /**
     * Gets the issuer distinguished name from the certificate.
     *
     * @return the issuer name.
     * @exception CertificateException if a parsing error occurs.
     */
    public Principal getIssuerDN() {
        return wrappedCert.getIssuerDN();
    }
    /**
     * Gets the notBefore date from the validity period of the certificate.
     *
     * @return the start date of the validity period.
     * @exception CertificateException if a parsing error occurs.
     */
    public Date getNotBefore() {
        return wrappedCert.getNotBefore();
    }
    /**
     * Gets the notAfter date from the validity period of the certificate.
     *
     * @return the end date of the validity period.
     * @exception CertificateException if a parsing error occurs.
     */
    public Date getNotAfter() {
        return wrappedCert.getNotAfter();
    }
    /**
     * Gets the signature algorithm name for the certificate
     * signature algorithm.
     * For example, the string "SHA1/DSA".
     *
     * @return the signature algorithm name.
     * @exception CertificateException if a parsing error occurs.
     */
    public String getSigAlgName() {
        return wrappedCert.getSigAlgName();
    }
    /**
     * Gets the signature algorithm OID string from the certificate.
     * For example, the string "1.2.840.10040.4.3"
     *
     * @return the signature algorithm oid string.
     * @exception CertificateException if a parsing error occurs.
     */
    public String getSigAlgOID() {
        return wrappedCert.getSigAlgOID();
    }
    /**
     * Gets the DER encoded signature algorithm parameters from this
     * certificate's signature algorithm.
     *
     * @return the DER encoded signature algorithm parameters, or
     *         null if no parameters are present.
     * @exception CertificateException if a parsing error occurs.
     */
    public byte[] getSigAlgParams() {
        return wrappedCert.getSigAlgParams();
    }
    @java.io.Serial
    private synchronized void writeObject(ObjectOutputStream stream)
        throws IOException {
        try {
            stream.write(getEncoded());
        } catch (CertificateEncodingException e) {
            throw new IOException("getEncoded failed: " + e.getMessage());
        }
    }
    @java.io.Serial
    private synchronized void readObject(ObjectInputStream stream)
        throws IOException {
        try {
            wrappedCert = (java.security.cert.X509Certificate)
                getFactory().generateCertificate(stream);
        } catch (java.security.cert.CertificateException e) {
            throw new IOException("generateCertificate failed: " + e.getMessage());
        }
    }
    public java.security.cert.X509Certificate getX509Certificate() {
        return wrappedCert;
    }
 }
--- a/src/java.base/share/classes/javax/net/ssl/HandshakeCompletedEvent.java
+++ b/src/java.base/share/classes/javax/net/ssl/HandshakeCompletedEvent.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2020, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -157,7 +157,10 @@ public class HandshakeCompletedEvent extends EventObject
     *          certificate authorities.  (The certificates are in
     *          the original JSSE
     *          {@link javax.security.cert.X509Certificate} format).
-     * @exception SSLPeerUnverifiedException if the peer is not verified.
+     * @throws SSLPeerUnverifiedException if the peer is not verified.
     * @throws UnsupportedOperationException if the underlying provider
     *         does not implement the
     *         {@link SSLSession#getPeerCertificateChain} operation.
     * @see #getPeerPrincipal()
     * @deprecated The {@link #getPeerCertificates()} method that returns an
     *               array of {@code java.security.cert.Certificate} should
@ -166,8 +169,7 @@ public class HandshakeCompletedEvent extends EventObject
    @SuppressWarnings("removal")
    @Deprecated(since="9", forRemoval=true)
    public javax.security.cert.X509Certificate [] getPeerCertificateChain()
-            throws SSLPeerUnverifiedException
+            throws SSLPeerUnverifiedException {
    {
        return session.getPeerCertificateChain();
    }
@ -176,7 +178,7 @@ public class HandshakeCompletedEvent extends EventObject
     * defining the session.
     *
     * @return the peer's principal. Returns an X500Principal of the
-     * end-entity certiticate for X509-based cipher suites, and
+     * end-entity certificate for X509-based cipher suites, and
     * KerberosPrincipal for Kerberos cipher suites.
     *
     * @throws SSLPeerUnverifiedException if the peer's identity has not
--- a/src/java.base/share/classes/javax/net/ssl/SSLSession.java
+++ b/src/java.base/share/classes/javax/net/ssl/SSLSession.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2020, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -270,13 +270,19 @@ public interface SSLSession {
     * releases. New applications should use
     * {@link #getPeerCertificates} instead.</em></p>
     *
     * @implSpec
     *     This default implementation throws UnsupportedOperationException.
     *
     * @return an ordered array of peer X.509 certificates,
     *          with the peer's own certificate first followed by any
     *          certificate authorities.  (The certificates are in
     *          the original JSSE certificate
     *          {@link javax.security.cert.X509Certificate} format.)
-     * @exception SSLPeerUnverifiedException if the peer's identity
+     * @throws SSLPeerUnverifiedException if the peer's identity
-     *          has not been verified
+     *         has not been verified.
     * @throws UnsupportedOperationException if the underlying provider
     *         does not implement the operation.
     *
     * @see #getPeerPrincipal()
     * @deprecated The {@link #getPeerCertificates()} method that returns an
     *               array of {@code java.security.cert.Certificate} should
@ -284,15 +290,19 @@ public interface SSLSession {
     */
    @SuppressWarnings("removal")
    @Deprecated(since="9", forRemoval=true)
-    public javax.security.cert.X509Certificate [] getPeerCertificateChain()
+    public default javax.security.cert.X509Certificate[]
-            throws SSLPeerUnverifiedException;
+            getPeerCertificateChain() throws SSLPeerUnverifiedException {
        throw new UnsupportedOperationException(
             "This method is deprecated and marked for removal. Use the " +
             "getPeerCertificates() method instead.");
    }
    /**
     * Returns the identity of the peer which was established as part of
     * defining the session.
     *
     * @return the peer's principal. Returns an X500Principal of the
-     * end-entity certiticate for X509-based cipher suites, and
+     * end-entity certificate for X509-based cipher suites, and
     * KerberosPrincipal for Kerberos cipher suites.
     *
     * @throws SSLPeerUnverifiedException if the peer's identity has not
--- a/src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java
+++ b/src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2020, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -1071,50 +1071,6 @@ final class SSLSessionImpl extends ExtendedSSLSession {
            (java.security.cert.Certificate[])localCerts.clone());
    }
    /**
     * Return the cert chain presented by the peer in the
     * javax.security.cert format.
     * Note: This method can be used only when using certificate-based
     * cipher suites; using it with non-certificate-based cipher suites
     * will throw an SSLPeerUnverifiedException.
     *
     * @return array of peer X.509 certs, with the peer's own cert
     *  first in the chain, and with the "root" CA last.
     *
     * @deprecated This method returns the deprecated
     *  {@code javax.security.cert.X509Certificate} type.
     *  Use {@code getPeerCertificates()} instead.
     */
    @Override
    @SuppressWarnings("removal")
    @Deprecated(since="9", forRemoval=true)
    public javax.security.cert.X509Certificate[] getPeerCertificateChain()
            throws SSLPeerUnverifiedException {
        //
        // clone to preserve integrity of session ... caller can't
        // change record of peer identity even by accident, much
        // less do it intentionally.
        //
        if (peerCerts == null) {
            throw new SSLPeerUnverifiedException("peer not authenticated");
        }
        javax.security.cert.X509Certificate[] certs;
        certs = new javax.security.cert.X509Certificate[peerCerts.length];
        for (int i = 0; i < peerCerts.length; i++) {
            byte[] der = null;
            try {
                der = peerCerts[i].getEncoded();
                certs[i] = javax.security.cert.X509Certificate.getInstance(der);
            } catch (CertificateEncodingException e) {
                throw new SSLPeerUnverifiedException(e.getMessage());
            } catch (javax.security.cert.CertificateException e) {
                throw new SSLPeerUnverifiedException(e.getMessage());
            }
        }
        return certs;
    }
    /**
     * Return the cert chain presented by the peer.
     * Note: This method can be used only when using certificate-based
--- a/src/java.net.http/share/classes/jdk/internal/net/http/common/ImmutableExtendedSSLSession.java
+++ b/src/java.net.http/share/classes/jdk/internal/net/http/common/ImmutableExtendedSSLSession.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2020, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -92,13 +92,6 @@ public class ImmutableExtendedSSLSession extends ExtendedSSLSession {
        return delegate.getLocalCertificates();
    }
    @SuppressWarnings("removal")
    @Deprecated(since="11", forRemoval=true)
    public javax.security.cert.X509Certificate [] getPeerCertificateChain()
            throws SSLPeerUnverifiedException {
        return delegate.getPeerCertificateChain();
    }
    public Principal getPeerPrincipal()
            throws SSLPeerUnverifiedException {
        return delegate.getPeerPrincipal();
--- a/src/java.net.http/share/classes/jdk/internal/net/http/common/ImmutableSSLSession.java
+++ b/src/java.net.http/share/classes/jdk/internal/net/http/common/ImmutableSSLSession.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2020, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -91,13 +91,6 @@ public class ImmutableSSLSession implements SSLSession {
        return delegate.getLocalCertificates();
    }
    @SuppressWarnings("removal")
    @Deprecated(since="11", forRemoval=true)
    public javax.security.cert.X509Certificate [] getPeerCertificateChain()
            throws SSLPeerUnverifiedException {
        return delegate.getPeerCertificateChain();
    }
    public Principal getPeerPrincipal()
            throws SSLPeerUnverifiedException {
        return delegate.getPeerPrincipal();
--- a/test/jdk/sun/security/ssl/GenSSLConfigs/main.java
+++ b/test/jdk/sun/security/ssl/GenSSLConfigs/main.java
@ -32,7 +32,6 @@
 import java.io.*;
 import java.security.SecureRandom;
 import java.security.KeyStore;
 import javax.security.cert.*;
 import java.util.Date;
 import java.util.Vector;
 import java.util.ArrayList;