archive/jdk
1
0
Fork 0
mirror of https://github.com/openjdk/jdk.git synced 2025-08-26 22:34:27 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

8241003: Deprecate "denigrated" java.security.cert APIs that represent DNs as Principal or String objects

Browse source 
Reviewed-by: xuelei, valeriep, weijun
This commit is contained in:
Sean Mullan 2020-08-26 13:31:10 -04:00
parent 0df797de94
commit f879698c63
16 changed files with 115 additions and 105 deletions
Download patch file Download diff file Expand all files Collapse all files

10
src/java.base/share/classes/java/security/UnresolvedPermission.java
View file

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 1997, 2019, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 1997, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -187,8 +187,8 @@ implements java.io.Serializable
while (i < certs.length) { while (i < certs.length) {
count++; count++;
while (((i+1) < certs.length) && while (((i+1) < certs.length) &&
((X509Certificate)certs[i]).getIssuerDN().equals( ((X509Certificate)certs[i]).getIssuerX500Principal().equals(
((X509Certificate)certs[i+1]).getSubjectDN())) { ((X509Certificate)certs[i+1]).getSubjectX500Principal())) {
i++; i++;
} }
i++; i++;
@ -207,8 +207,8 @@ implements java.io.Serializable
while (i < certs.length) { while (i < certs.length) {
signerCerts.add(certs[i]); signerCerts.add(certs[i]);
while (((i+1) < certs.length) && while (((i+1) < certs.length) &&
((X509Certificate)certs[i]).getIssuerDN().equals( ((X509Certificate)certs[i]).getIssuerX500Principal().equals(
((X509Certificate)certs[i+1]).getSubjectDN())) { ((X509Certificate)certs[i+1]).getSubjectX500Principal())) {
i++; i++;
} }
i++; i++;

14
src/java.base/share/classes/java/security/cert/X509CRL.java
View file

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 1997, 2019, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 1997, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -279,12 +279,6 @@ public abstract class X509CRL extends CRL implements X509Extension {
public abstract int getVersion(); public abstract int getVersion();
/** /**
* <strong>Denigrated</strong>, replaced by {@linkplain
* #getIssuerX500Principal()}. This method returns the {@code issuer}
* as an implementation specific Principal object, which should not be
* relied upon by portable code.
*
* <p>
* Gets the {@code issuer} (issuer distinguished name) value from * Gets the {@code issuer} (issuer distinguished name) value from
* the CRL. The issuer name identifies the entity that signed (and * the CRL. The issuer name identifies the entity that signed (and
* issued) the CRL. * issued) the CRL.
@ -316,7 +310,13 @@ public abstract class X509CRL extends CRL implements X509Extension {
* {@code TeletexString} or {@code UniversalString}. * {@code TeletexString} or {@code UniversalString}.
* *
* @return a Principal whose name is the issuer distinguished name. * @return a Principal whose name is the issuer distinguished name.
*
* @deprecated Use {@link #getIssuerX500Principal} instead. This method
* returns the {@code issuer} as an implementation specific
* {@code Principal} object, which should not be relied upon by portable
* code.
*/ */
@Deprecated(since="16")
public abstract Principal getIssuerDN(); public abstract Principal getIssuerDN();
/** /**

20
src/java.base/share/classes/java/security/cert/X509CRLSelector.java
View file

@ -225,13 +225,6 @@ public class X509CRLSelector implements CRLSelector {
} }
/** /**
* <strong>Denigrated</strong>, use
* {@linkplain #addIssuer(X500Principal)} or
* {@linkplain #addIssuerName(byte[])} instead. This method should not be
* relied on as it can fail to match some CRLs because of a loss of
* encoding information in the RFC 2253 String form of some distinguished
* names.
* <p>
* Adds a name to the issuerNames criterion. The issuer distinguished * Adds a name to the issuerNames criterion. The issuer distinguished
* name in the {@code X509CRL} must match at least one of the specified * name in the {@code X509CRL} must match at least one of the specified
* distinguished names. * distinguished names.
@ -241,9 +234,17 @@ public class X509CRLSelector implements CRLSelector {
* any previous value for the issuerNames criterion. * any previous value for the issuerNames criterion.
* If the specified name is a duplicate, it may be ignored. * If the specified name is a duplicate, it may be ignored.
* *
* @param name the name in RFC 2253 form * @param name the name in
* <a href="http://www.ietf.org/rfc/rfc2253.txt">RFC 2253</a> form
* @throws IOException if a parsing error occurs * @throws IOException if a parsing error occurs
*
* @deprecated Use {@link #addIssuer(X500Principal)} or
* {@link #addIssuerName(byte[])} instead. This method should not be
* relied on as it can fail to match some CRLs because of a loss of
* encoding information in the RFC 2253 String form of some distinguished
* names.
*/ */
@Deprecated(since="16")
public void addIssuerName(String name) throws IOException { public void addIssuerName(String name) throws IOException {
addIssuerNameInternal(name, new X500Name(name).asX500Principal()); addIssuerNameInternal(name, new X500Name(name).asX500Principal());
} }
@ -481,7 +482,8 @@ public class X509CRLSelector implements CRLSelector {
* <p> * <p>
* If the value returned is not {@code null}, it is a * If the value returned is not {@code null}, it is a
* {@code Collection} of names. Each name is a {@code String} * {@code Collection} of names. Each name is a {@code String}
* or a byte array representing a distinguished name (in RFC 2253 or * or a byte array representing a distinguished name (in
* <a href="http://www.ietf.org/rfc/rfc2253.txt">RFC 2253</a> or
* ASN.1 DER encoded form, respectively). Note that the * ASN.1 DER encoded form, respectively). Note that the
* {@code Collection} returned may contain duplicate names. * {@code Collection} returned may contain duplicate names.
* <p> * <p>

81
src/java.base/share/classes/java/security/cert/X509CertSelector.java
View file

@ -46,13 +46,14 @@ import sun.security.x509.*;
* getBasicConstraints} method). Therefore, the {@link #match match} * getBasicConstraints} method). Therefore, the {@link #match match}
* method would return {@code true} for any {@code X509Certificate}. * method would return {@code true} for any {@code X509Certificate}.
* Typically, several criteria are enabled (by calling * Typically, several criteria are enabled (by calling
* {@link #setIssuer setIssuer} or * {@link #setIssuer(X500Principal)} or
* {@link #setKeyUsage setKeyUsage}, for instance) and then the * {@link #setKeyUsage setKeyUsage}, for instance) and then the
* {@code X509CertSelector} is passed to * {@code X509CertSelector} is passed to
* {@link CertStore#getCertificates CertStore.getCertificates} or some similar * {@link CertStore#getCertificates CertStore.getCertificates} or some similar
* method. * method.
* <p> * <p>
* Several criteria can be enabled (by calling {@link #setIssuer setIssuer} * Several criteria can be enabled (by calling
* {@link #setIssuer(X500Principal)}
* and {@link #setSerialNumber setSerialNumber}, * and {@link #setSerialNumber setSerialNumber},
* for example) such that the {@code match} method * for example) such that the {@code match} method
* usually uniquely matches a single {@code X509Certificate}. We say * usually uniquely matches a single {@code X509Certificate}. We say
@ -184,25 +185,25 @@ public class X509CertSelector implements CertSelector {
} }
/** /**
* <strong>Denigrated</strong>, use {@linkplain #setIssuer(X500Principal)}
* or {@linkplain #setIssuer(byte[])} instead. This method should not be
* relied on as it can fail to match some certificates because of a loss of
* encoding information in the
* <a href="http://www.ietf.org/rfc/rfc2253.txt">RFC 2253</a> String form
* of some distinguished names.
* <p>
* Sets the issuer criterion. The specified distinguished name * Sets the issuer criterion. The specified distinguished name
* must match the issuer distinguished name in the * must match the issuer distinguished name in the
* {@code X509Certificate}. If {@code null}, any issuer * {@code X509Certificate}. If {@code null}, any issuer
* distinguished name will do. * distinguished name will do.
* <p> * <p>
* If {@code issuerDN} is not {@code null}, it should contain a * If {@code issuerDN} is not {@code null}, it should contain a
* distinguished name, in RFC 2253 format. * distinguished name, in
* <a href="http://www.ietf.org/rfc/rfc2253.txt">RFC 2253</a> format.
* *
* @param issuerDN a distinguished name in RFC 2253 format * @param issuerDN a distinguished name in RFC 2253 format
* (or {@code null}) * (or {@code null})
* @throws IOException if a parsing error occurs (incorrect form for DN) * @throws IOException if a parsing error occurs (incorrect form for DN)
*
* @deprecated Use {@link #setIssuer(X500Principal)} or
* {@link #setIssuer(byte[])} instead. This method should not be relied on
* as it can fail to match some certificates because of a loss of encoding
* information in the RFC 2253 String form of some distinguished names.
*/ */
@Deprecated(since="16")
public void setIssuer(String issuerDN) throws IOException { public void setIssuer(String issuerDN) throws IOException {
if (issuerDN == null) { if (issuerDN == null) {
issuer = null; issuer = null;
@ -276,24 +277,26 @@ public class X509CertSelector implements CertSelector {
} }
/** /**
* <strong>Denigrated</strong>, use {@linkplain #setSubject(X500Principal)}
* or {@linkplain #setSubject(byte[])} instead. This method should not be
* relied on as it can fail to match some certificates because of a loss of
* encoding information in the RFC 2253 String form of some distinguished
* names.
* <p>
* Sets the subject criterion. The specified distinguished name * Sets the subject criterion. The specified distinguished name
* must match the subject distinguished name in the * must match the subject distinguished name in the
* {@code X509Certificate}. If {@code null}, any subject * {@code X509Certificate}. If {@code null}, any subject
* distinguished name will do. * distinguished name will do.
* <p> * <p>
* If {@code subjectDN} is not {@code null}, it should contain a * If {@code subjectDN} is not {@code null}, it should contain a
* distinguished name, in RFC 2253 format. * distinguished name, in
* <a href="http://www.ietf.org/rfc/rfc2253.txt">RFC 2253</a> format.
* *
* @param subjectDN a distinguished name in RFC 2253 format * @param subjectDN a distinguished name in RFC 2253 format
* (or {@code null}) * (or {@code null})
* @throws IOException if a parsing error occurs (incorrect form for DN) * @throws IOException if a parsing error occurs (incorrect form for DN)
*
* @deprecated Use {@link #setSubject(X500Principal)} or
* {@link #setSubject(byte[])} instead. This method should not be relied
* on as it can fail to match some certificates because of a loss of
* encoding information in the RFC 2253 String form of some distinguished
* names.
*/ */
@Deprecated(since="16")
public void setSubject(String subjectDN) throws IOException { public void setSubject(String subjectDN) throws IOException {
if (subjectDN == null) { if (subjectDN == null) {
subject = null; subject = null;
@ -310,8 +313,7 @@ public class X509CertSelector implements CertSelector {
* <p> * <p>
* If {@code subjectDN} is not {@code null}, it should contain a * If {@code subjectDN} is not {@code null}, it should contain a
* single DER encoded distinguished name, as defined in X.501. For the ASN.1 * single DER encoded distinguished name, as defined in X.501. For the ASN.1
* notation for this structure, see * notation for this structure, see {@link #setIssuer(byte[])}.
* {@link #setIssuer(byte [] issuerDN) setIssuer(byte [] issuerDN)}.
* *
* @param subjectDN a byte array containing the distinguished name in * @param subjectDN a byte array containing the distinguished name in
* ASN.1 DER format (or {@code null}) * ASN.1 DER format (or {@code null})
@ -711,7 +713,8 @@ public class X509CertSelector implements CertSelector {
* the restrictions included in RFC 5280). IPv4 address names are * the restrictions included in RFC 5280). IPv4 address names are
* supplied using dotted quad notation. OID address names are represented * supplied using dotted quad notation. OID address names are represented
* as a series of nonnegative integers separated by periods. And * as a series of nonnegative integers separated by periods. And
* directory names (distinguished names) are supplied in RFC 2253 format. * directory names (distinguished names) are supplied in
* <a href="http://www.ietf.org/rfc/rfc2253.txt">RFC 2253</a> format.
* No standard string format is defined for otherNames, X.400 names, * No standard string format is defined for otherNames, X.400 names,
* EDI party names, IPv6 address names, or any other type of names. They * EDI party names, IPv6 address names, or any other type of names. They
* should be specified using the * should be specified using the
@ -1299,23 +1302,24 @@ public class X509CertSelector implements CertSelector {
} }
/** /**
* <strong>Denigrated</strong>, use {@linkplain #getIssuer()} or
* {@linkplain #getIssuerAsBytes()} instead. This method should not be
* relied on as it can fail to match some certificates because of a loss of
* encoding information in the RFC 2253 String form of some distinguished
* names.
* <p>
* Returns the issuer criterion as a {@code String}. This * Returns the issuer criterion as a {@code String}. This
* distinguished name must match the issuer distinguished name in the * distinguished name must match the issuer distinguished name in the
* {@code X509Certificate}. If {@code null}, the issuer criterion * {@code X509Certificate}. If {@code null}, the issuer criterion
* is disabled and any issuer distinguished name will do. * is disabled and any issuer distinguished name will do.
* <p> * <p>
* If the value returned is not {@code null}, it is a * If the value returned is not {@code null}, it is a
* distinguished name, in RFC 2253 format. * distinguished name, in
* <a href="http://www.ietf.org/rfc/rfc2253.txt">RFC 2253</a> format.
* *
* @return the required issuer distinguished name in RFC 2253 format * @return the required issuer distinguished name in RFC 2253 format
* (or {@code null}) * (or {@code null})
*
* @deprecated Use {@link #getIssuer()} or {@link #getIssuerAsBytes()}
* instead. This method should not be relied on as it can fail to match
* some certificates because of a loss of encoding information in the
* RFC 2253 String form of some distinguished names.
*/ */
@Deprecated(since="16")
public String getIssuerAsString() { public String getIssuerAsString() {
return (issuer == null ? null : issuer.getName()); return (issuer == null ? null : issuer.getName());
} }
@ -1329,8 +1333,7 @@ public class X509CertSelector implements CertSelector {
* If the value returned is not {@code null}, it is a byte * If the value returned is not {@code null}, it is a byte
* array containing a single DER encoded distinguished name, as defined in * array containing a single DER encoded distinguished name, as defined in
* X.501. The ASN.1 notation for this structure is supplied in the * X.501. The ASN.1 notation for this structure is supplied in the
* documentation for * documentation for {@link #setIssuer(byte[])}.
* {@link #setIssuer(byte [] issuerDN) setIssuer(byte [] issuerDN)}.
* <p> * <p>
* Note that the byte array returned is cloned to protect against * Note that the byte array returned is cloned to protect against
* subsequent modifications. * subsequent modifications.
@ -1358,23 +1361,24 @@ public class X509CertSelector implements CertSelector {
} }
/** /**
* <strong>Denigrated</strong>, use {@linkplain #getSubject()} or
* {@linkplain #getSubjectAsBytes()} instead. This method should not be
* relied on as it can fail to match some certificates because of a loss of
* encoding information in the RFC 2253 String form of some distinguished
* names.
* <p>
* Returns the subject criterion as a {@code String}. This * Returns the subject criterion as a {@code String}. This
* distinguished name must match the subject distinguished name in the * distinguished name must match the subject distinguished name in the
* {@code X509Certificate}. If {@code null}, the subject criterion * {@code X509Certificate}. If {@code null}, the subject criterion
* is disabled and any subject distinguished name will do. * is disabled and any subject distinguished name will do.
* <p> * <p>
* If the value returned is not {@code null}, it is a * If the value returned is not {@code null}, it is a
* distinguished name, in RFC 2253 format. * distinguished name, in
* <a href="http://www.ietf.org/rfc/rfc2253.txt">RFC 2253</a> format.
* *
* @return the required subject distinguished name in RFC 2253 format * @return the required subject distinguished name in RFC 2253 format
* (or {@code null}) * (or {@code null})
*
* @deprecated Use {@link #getSubject()} or {@link #getSubjectAsBytes()}
* instead. This method should not be relied on as it can fail to match
* some certificates because of a loss of encoding information in the
* RFC 2253 String form of some distinguished names.
*/ */
@Deprecated(since="16")
public String getSubjectAsString() { public String getSubjectAsString() {
return (subject == null ? null : subject.getName()); return (subject == null ? null : subject.getName());
} }
@ -1388,8 +1392,7 @@ public class X509CertSelector implements CertSelector {
* If the value returned is not {@code null}, it is a byte * If the value returned is not {@code null}, it is a byte
* array containing a single DER encoded distinguished name, as defined in * array containing a single DER encoded distinguished name, as defined in
* X.501. The ASN.1 notation for this structure is supplied in the * X.501. The ASN.1 notation for this structure is supplied in the
* documentation for * documentation for {@link #setSubject(byte[])}.
* {@link #setSubject(byte [] subjectDN) setSubject(byte [] subjectDN)}.
* <p> * <p>
* Note that the byte array returned is cloned to protect against * Note that the byte array returned is cloned to protect against
* subsequent modifications. * subsequent modifications.
@ -1985,7 +1988,7 @@ public class X509CertSelector implements CertSelector {
if (debug != null) { if (debug != null) {
debug.println("X509CertSelector.match(SN: " debug.println("X509CertSelector.match(SN: "
+ (xcert.getSerialNumber()).toString(16) + "\n Issuer: " + (xcert.getSerialNumber()).toString(16) + "\n Issuer: "
+ xcert.getIssuerDN() + "\n Subject: " + xcert.getSubjectDN() + xcert.getIssuerX500Principal() + "\n Subject: " + xcert.getSubjectX500Principal()
+ ")"); + ")");
} }

26
src/java.base/share/classes/java/security/cert/X509Certificate.java
View file

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 1997, 2019, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 1997, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -197,12 +197,6 @@ implements X509Extension {
public abstract BigInteger getSerialNumber(); public abstract BigInteger getSerialNumber();
/** /**
* <strong>Denigrated</strong>, replaced by {@linkplain
* #getIssuerX500Principal()}. This method returns the {@code issuer}
* as an implementation specific Principal object, which should not be
* relied upon by portable code.
*
* <p>
* Gets the {@code issuer} (issuer distinguished name) value from * Gets the {@code issuer} (issuer distinguished name) value from
* the certificate. The issuer name identifies the entity that signed (and * the certificate. The issuer name identifies the entity that signed (and
* issued) the certificate. * issued) the certificate.
@ -234,7 +228,13 @@ implements X509Extension {
* {@code TeletexString} or {@code UniversalString}. * {@code TeletexString} or {@code UniversalString}.
* *
* @return a Principal whose name is the issuer distinguished name. * @return a Principal whose name is the issuer distinguished name.
*
* @deprecated Use {@link #getIssuerX500Principal} instead. This method
* returns the {@code issuer} as an implementation specific
* {@code Principal} object, which should not be relied upon by portable
* code.
*/ */
@Deprecated(since="16")
public abstract Principal getIssuerDN(); public abstract Principal getIssuerDN();
/** /**
@ -255,12 +255,6 @@ implements X509Extension {
} }
/** /**
* <strong>Denigrated</strong>, replaced by {@linkplain
* #getSubjectX500Principal()}. This method returns the {@code subject}
* as an implementation specific Principal object, which should not be
* relied upon by portable code.
*
* <p>
* Gets the {@code subject} (subject distinguished name) value * Gets the {@code subject} (subject distinguished name) value
* from the certificate. If the {@code subject} value is empty, * from the certificate. If the {@code subject} value is empty,
* then the {@code getName()} method of the returned * then the {@code getName()} method of the returned
@ -275,7 +269,13 @@ implements X509Extension {
* and other relevant definitions. * and other relevant definitions.
* *
* @return a Principal whose name is the subject name. * @return a Principal whose name is the subject name.
*
* @deprecated Use {@link #getSubjectX500Principal} instead. This method
* returns the {@code subject} as an implementation specific
* {@code Principal} object, which should not be relied upon by portable
* code.
*/ */
@Deprecated(since="16")
public abstract Principal getSubjectDN(); public abstract Principal getSubjectDN();
/** /**

1
src/java.base/share/classes/sun/security/pkcs/PKCS7.java
View file

@ -704,6 +704,7 @@ public class PKCS7 {
* Populate array of Issuer DNs from certificates and convert * Populate array of Issuer DNs from certificates and convert
* each Principal to type X500Name if necessary. * each Principal to type X500Name if necessary.
*/ */
@SuppressWarnings("deprecation")
private void populateCertIssuerNames() { private void populateCertIssuerNames() {
if (certificates == null) if (certificates == null)
return; return;

12
src/java.base/share/classes/sun/security/pkcs/SignerInfo.java
View file

@ -269,26 +269,26 @@ public class SignerInfo implements DerEncoder {
X509Certificate[] pkcsCerts = block.getCertificates(); X509Certificate[] pkcsCerts = block.getCertificates();
if (pkcsCerts == null if (pkcsCerts == null
|| userCert.getSubjectDN().equals(userCert.getIssuerDN())) { || userCert.getSubjectX500Principal().equals(userCert.getIssuerX500Principal())) {
return certList; return certList;
} }
Principal issuer = userCert.getIssuerDN(); Principal issuer = userCert.getIssuerX500Principal();
int start = 0; int start = 0;
while (true) { while (true) {
boolean match = false; boolean match = false;
int i = start; int i = start;
while (i < pkcsCerts.length) { while (i < pkcsCerts.length) {
if (issuer.equals(pkcsCerts[i].getSubjectDN())) { if (issuer.equals(pkcsCerts[i].getSubjectX500Principal())) {
// next cert in chain found // next cert in chain found
certList.add(pkcsCerts[i]); certList.add(pkcsCerts[i]);
// if selected cert is self-signed, we're done // if selected cert is self-signed, we're done
// constructing the chain // constructing the chain
if (pkcsCerts[i].getSubjectDN().equals( if (pkcsCerts[i].getSubjectX500Principal().equals(
pkcsCerts[i].getIssuerDN())) { pkcsCerts[i].getIssuerX500Principal())) {
start = pkcsCerts.length; start = pkcsCerts.length;
} else { } else {
issuer = pkcsCerts[i].getIssuerDN(); issuer = pkcsCerts[i].getIssuerX500Principal();
X509Certificate tmpCert = pkcsCerts[start]; X509Certificate tmpCert = pkcsCerts[start];
pkcsCerts[start] = pkcsCerts[i]; pkcsCerts[start] = pkcsCerts[i];
pkcsCerts[i] = tmpCert; pkcsCerts[i] = tmpCert;

16
src/java.base/share/classes/sun/security/provider/PolicyFile.java
View file

@ -1555,8 +1555,8 @@ public class PolicyFile extends java.security.Policy {
while (i < certs.length) { while (i < certs.length) {
count++; count++;
while (((i+1) < certs.length) while (((i+1) < certs.length)
&& ((X509Certificate)certs[i]).getIssuerDN().equals( && ((X509Certificate)certs[i]).getIssuerX500Principal().equals(
((X509Certificate)certs[i+1]).getSubjectDN())) { ((X509Certificate)certs[i+1]).getSubjectX500Principal())) {
i++; i++;
} }
i++; i++;
@ -1570,8 +1570,8 @@ public class PolicyFile extends java.security.Policy {
while (i < certs.length) { while (i < certs.length) {
userCertList.add(certs[i]); userCertList.add(certs[i]);
while (((i+1) < certs.length) while (((i+1) < certs.length)
&& ((X509Certificate)certs[i]).getIssuerDN().equals( && ((X509Certificate)certs[i]).getIssuerX500Principal().equals(
((X509Certificate)certs[i+1]).getSubjectDN())) { ((X509Certificate)certs[i+1]).getSubjectX500Principal())) {
i++; i++;
} }
i++; i++;
@ -2017,8 +2017,8 @@ public class PolicyFile extends java.security.Policy {
while (i < certs.length) { while (i < certs.length) {
count++; count++;
while (((i+1) < certs.length) && while (((i+1) < certs.length) &&
((X509Certificate)certs[i]).getIssuerDN().equals( ((X509Certificate)certs[i]).getIssuerX500Principal().equals(
((X509Certificate)certs[i+1]).getSubjectDN())) { ((X509Certificate)certs[i+1]).getSubjectX500Principal())) {
i++; i++;
} }
i++; i++;
@ -2036,8 +2036,8 @@ public class PolicyFile extends java.security.Policy {
while (i < certs.length) { while (i < certs.length) {
signerCerts.add(certs[i]); signerCerts.add(certs[i]);
while (((i+1) < certs.length) && while (((i+1) < certs.length) &&
((X509Certificate)certs[i]).getIssuerDN().equals( ((X509Certificate)certs[i]).getIssuerX500Principal().equals(
((X509Certificate)certs[i+1]).getSubjectDN())) { ((X509Certificate)certs[i+1]).getSubjectX500Principal())) {
i++; i++;
} }
i++; i++;

14
src/java.base/share/classes/sun/security/tools/keytool/Main.java
View file

@ -1614,7 +1614,7 @@ public final class Main {
SignatureUtil.initSignWithParam(signature, privKey, params, null); SignatureUtil.initSignWithParam(signature, privKey, params, null);
X500Name subject = dname == null? X500Name subject = dname == null?
new X500Name(((X509Certificate)cert).getSubjectDN().toString()): new X500Name(((X509Certificate)cert).getSubjectX500Principal().getEncoded()):
new X500Name(dname); new X500Name(dname);
// Sign the request and base-64 encode it // Sign the request and base-64 encode it
@ -2806,7 +2806,7 @@ public final class Main {
for (Certificate cert: certs) { for (Certificate cert: certs) {
X509Certificate x = (X509Certificate)cert; X509Certificate x = (X509Certificate)cert;
if (rfc) { if (rfc) {
out.println(rb.getString("Certificate.owner.") + x.getSubjectDN() + "\n"); out.println(rb.getString("Certificate.owner.") + x.getSubjectX500Principal() + "\n");
dumpCert(x, out); dumpCert(x, out);
} else { } else {
printX509Cert(x, out); printX509Cert(x, out);
@ -2823,7 +2823,7 @@ public final class Main {
for (Certificate cert: certs) { for (Certificate cert: certs) {
X509Certificate x = (X509Certificate)cert; X509Certificate x = (X509Certificate)cert;
if (rfc) { if (rfc) {
out.println(rb.getString("Certificate.owner.") + x.getSubjectDN() + "\n"); out.println(rb.getString("Certificate.owner.") + x.getSubjectX500Principal() + "\n");
dumpCert(x, out); dumpCert(x, out);
} else { } else {
printX509Cert(x, out); printX509Cert(x, out);
@ -3373,8 +3373,8 @@ public final class Main {
if (!isTrustedCert(cert)) { if (!isTrustedCert(cert)) {
sigName = withWeak(sigName); sigName = withWeak(sigName);
} }
Object[] source = {cert.getSubjectDN().toString(), Object[] source = {cert.getSubjectX500Principal().toString(),
cert.getIssuerDN().toString(), cert.getIssuerX500Principal().toString(),
cert.getSerialNumber().toString(16), cert.getSerialNumber().toString(16),
cert.getNotBefore().toString(), cert.getNotBefore().toString(),
cert.getNotAfter().toString(), cert.getNotAfter().toString(),
@ -3931,7 +3931,7 @@ public final class Main {
return true; return true;
} }
Principal issuer = certToVerify.snd.getIssuerDN(); Principal issuer = certToVerify.snd.getIssuerX500Principal();
// Get the issuer's certificate(s) // Get the issuer's certificate(s)
Vector<Pair<String,X509Certificate>> vec = certs.get(issuer); Vector<Pair<String,X509Certificate>> vec = certs.get(issuer);
@ -4009,7 +4009,7 @@ public final class Main {
String alias = aliases.nextElement(); String alias = aliases.nextElement();
Certificate cert = ks.getCertificate(alias); Certificate cert = ks.getCertificate(alias);
if (cert != null) { if (cert != null) {
Principal subjectDN = ((X509Certificate)cert).getSubjectDN(); Principal subjectDN = ((X509Certificate)cert).getSubjectX500Principal();
Pair<String,X509Certificate> pair = new Pair<>( Pair<String,X509Certificate> pair = new Pair<>(
String.format( String.format(
rb.getString(ks == caks ? rb.getString(ks == caks ?

2
src/java.base/share/classes/sun/security/util/AnchorCertificates.java
View file

@ -93,7 +93,7 @@ public class AnchorCertificates {
boolean result = certs.contains(key); boolean result = certs.contains(key);
if (result && debug != null) { if (result && debug != null) {
debug.println("AnchorCertificate.contains: matched " + debug.println("AnchorCertificate.contains: matched " +
cert.getSubjectDN()); cert.getSubjectX500Principal());
} }
return result; return result;
} }

1
src/java.base/share/classes/sun/security/util/HostnameChecker.java
View file

@ -242,6 +242,7 @@ public class HostnameChecker {
* *
* This method is currently used from within JSSE, do not remove. * This method is currently used from within JSSE, do not remove.
*/ */
@SuppressWarnings("deprecation")
public static X500Name getSubjectX500Name(X509Certificate cert) public static X500Name getSubjectX500Name(X509Certificate cert)
throws CertificateParsingException { throws CertificateParsingException {
try { try {

3
src/java.base/share/classes/sun/security/x509/X509CRLImpl.java
View file

@ -682,8 +682,9 @@ public class X509CRLImpl extends X509CRL implements DerEncoder {
* TeletexString or UniversalString. * TeletexString or UniversalString.
* @return the issuer name. * @return the issuer name.
*/ */
@SuppressWarnings("deprecation")
public Principal getIssuerDN() { public Principal getIssuerDN() {
return (Principal)issuer; return issuer;
} }
/** /**

4
src/java.base/share/classes/sun/security/x509/X509CertImpl.java
View file

@ -901,7 +901,7 @@ public class X509CertImpl extends X509Certificate implements DerEncoder {
SerialNumber ser = (SerialNumber)info.get( SerialNumber ser = (SerialNumber)info.get(
CertificateSerialNumber.NAME + DOT + CertificateSerialNumber.NAME + DOT +
CertificateSerialNumber.NUMBER); CertificateSerialNumber.NUMBER);
return ser; return ser;
} catch (Exception e) { } catch (Exception e) {
return null; return null;
} }
@ -913,6 +913,7 @@ public class X509CertImpl extends X509Certificate implements DerEncoder {
* *
* @return the subject name. * @return the subject name.
*/ */
@SuppressWarnings("deprecation")
public Principal getSubjectDN() { public Principal getSubjectDN() {
if (info == null) if (info == null)
return null; return null;
@ -949,6 +950,7 @@ public class X509CertImpl extends X509Certificate implements DerEncoder {
* *
* @return the issuer name. * @return the issuer name.
*/ */
@SuppressWarnings("deprecation")
public Principal getIssuerDN() { public Principal getIssuerDN() {
if (info == null) if (info == null)
return null; return null;

9
src/java.naming/share/classes/sun/security/provider/certpath/ldap/LDAPCertStoreImpl.java
View file

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2015, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -562,10 +562,11 @@ final class LDAPCertStoreImpl {
(X509CertSelector xsel, String ldapDN) throws CertStoreException { (X509CertSelector xsel, String ldapDN) throws CertStoreException {
if (ldapDN == null) { if (ldapDN == null) {
ldapDN = xsel.getSubjectAsString(); X500Principal subject = xsel.getSubject();
ldapDN = subject == null ? null : subject.getName();
} }
int basicConstraints = xsel.getBasicConstraints(); int basicConstraints = xsel.getBasicConstraints();
String issuer = xsel.getIssuerAsString(); X500Principal issuer = xsel.getIssuer();
HashSet<X509Certificate> certs = new HashSet<>(); HashSet<X509Certificate> certs = new HashSet<>();
if (debug != null) { if (debug != null) {
debug.println("LDAPCertStore.engineGetCertificates() basicConstraints: " debug.println("LDAPCertStore.engineGetCertificates() basicConstraints: "
@ -634,7 +635,7 @@ final class LDAPCertStoreImpl {
+ "getMatchingCrossCerts..."); + "getMatchingCrossCerts...");
} }
if ((issuer != null) && (basicConstraints > -2)) { if ((issuer != null) && (basicConstraints > -2)) {
LDAPRequest request = new LDAPRequest(issuer); LDAPRequest request = new LDAPRequest(issuer.getName());
request.addRequestedAttribute(CROSS_CERT); request.addRequestedAttribute(CROSS_CERT);
request.addRequestedAttribute(CA_CERT); request.addRequestedAttribute(CA_CERT);
request.addRequestedAttribute(ARL); request.addRequestedAttribute(ARL);

4
src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java
View file

@ -1431,7 +1431,7 @@ public class Main {
x509Cert = (X509Certificate) c; x509Cert = (X509Certificate) c;
certStr.append(tab).append(x509Cert.getType()) certStr.append(tab).append(x509Cert.getType())
.append(rb.getString("COMMA")) .append(rb.getString("COMMA"))
.append(x509Cert.getSubjectDN().getName()); .append(x509Cert.getSubjectX500Principal().toString());
} else { } else {
certStr.append(tab).append(c.getType()); certStr.append(tab).append(c.getType());
} }
@ -2055,7 +2055,7 @@ public class Main {
// Only add TrustedCertificateEntry and self-signed // Only add TrustedCertificateEntry and self-signed
// PrivateKeyEntry // PrivateKeyEntry
if (store.isCertificateEntry(a) || if (store.isCertificateEntry(a) ||
c.getSubjectDN().equals(c.getIssuerDN())) { c.getSubjectX500Principal().equals(c.getIssuerX500Principal())) {
trustedCerts.add(c); trustedCerts.add(c);
} }
} catch (Exception e2) { } catch (Exception e2) {

3
src/jdk.security.auth/share/classes/com/sun/security/auth/module/KeyStoreLoginModule.java
View file

@ -664,8 +664,7 @@ public class KeyStoreLoginModule implements LoginModule {
/* Get principal and keys */ /* Get principal and keys */
try { try {
X509Certificate certificate = (X509Certificate)fromKeyStore[0]; X509Certificate certificate = (X509Certificate)fromKeyStore[0];
principal = new javax.security.auth.x500.X500Principal principal = certificate.getSubjectX500Principal();
(certificate.getSubjectDN().getName());
// if token, privateKeyPassword will be null // if token, privateKeyPassword will be null
Key privateKey = keyStore.getKey(keyStoreAlias, privateKeyPassword); Key privateKey = keyStore.getKey(keyStoreAlias, privateKeyPassword);