8179998: Clear certificate chain connections
Reviewed-by: mullan, ahgross, rhalade, igerasim
diff --git a/jdk/src/share/classes/sun/security/pkcs/SignerInfo.java b/jdk/src/share/classes/sun/security/pkcs/SignerInfo.java
index 5e69438..628d6d0 100644
--- a/jdk/src/share/classes/sun/security/pkcs/SignerInfo.java
+++ b/jdk/src/share/classes/sun/security/pkcs/SignerInfo.java
@@ -323,6 +323,12 @@
data = content.getContentBytes();
}
+ Timestamp timestamp = null;
+ try {
+ timestamp = getTimestamp();
+ } catch (Exception ignore) {
+ }
+
ConstraintsParameters cparams =
new ConstraintsParameters(timestamp);
String digestAlgname = getDigestAlgorithmId().getName();
diff --git a/jdk/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java b/jdk/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java
index 11d8a06..5f825ff 100644
--- a/jdk/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java
+++ b/jdk/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java
@@ -344,7 +344,7 @@
// add the algorithm checker
checkers.add(new AlgorithmChecker(builder.trustAnchor,
- buildParams.date(), null));
+ buildParams.date(), buildParams.variant()));
BasicChecker basicChecker = null;
if (nextState.keyParamsNeeded()) {
diff --git a/jdk/src/share/lib/security/java.security-aix b/jdk/src/share/lib/security/java.security-aix
index d44a6f3..18cc34d 100644
--- a/jdk/src/share/lib/security/java.security-aix
+++ b/jdk/src/share/lib/security/java.security-aix
@@ -488,21 +488,21 @@
# jdkCA
# This constraint prohibits the specified algorithm only if the
# algorithm is used in a certificate chain that terminates at a marked
-# trust anchor in the lib/security/cacerts keystore. If the jdkCA
-# constraint is not set, then all chains using the specified algorithm
+# trust anchor in the lib/security/cacerts keystore. If the jdkCA
+# constraint is not set, then all chains using the specified algorithm
# are restricted. jdkCA may only be used once in a DisabledAlgorithm
# expression.
-# Example: To apply this constraint to SHA-1 certificates, include
-# the following: "SHA1 jdkCA"
+# Example: To apply this constraint to SHA-1 certificates, include
+# the following: "SHA1 jdkCA"
#
# DenyAfterConstraint:
# denyAfter YYYY-MM-DD
# This constraint prohibits a certificate with the specified algorithm
# from being used after the date regardless of the certificate's
-# validity. JAR files that are signed and timestamped before the
+# validity. JAR files that are signed and timestamped before the
# constraint date with certificates containing the disabled algorithm
-# will not be restricted. The date is processed in the UTC timezone.
-# This constraint can only be used once in a DisabledAlgorithm
+# will not be restricted. The date is processed in the UTC timezone.
+# This constraint can only be used once in a DisabledAlgorithm
# expression.
# Example: To deny usage of RSA 2048 bit certificates after Feb 3 2020,
# use the following: "RSA keySize == 2048 & denyAfter 2020-02-03"
diff --git a/jdk/src/share/lib/security/java.security-linux b/jdk/src/share/lib/security/java.security-linux
index d44a6f3..18cc34d 100644
--- a/jdk/src/share/lib/security/java.security-linux
+++ b/jdk/src/share/lib/security/java.security-linux
@@ -488,21 +488,21 @@
# jdkCA
# This constraint prohibits the specified algorithm only if the
# algorithm is used in a certificate chain that terminates at a marked
-# trust anchor in the lib/security/cacerts keystore. If the jdkCA
-# constraint is not set, then all chains using the specified algorithm
+# trust anchor in the lib/security/cacerts keystore. If the jdkCA
+# constraint is not set, then all chains using the specified algorithm
# are restricted. jdkCA may only be used once in a DisabledAlgorithm
# expression.
-# Example: To apply this constraint to SHA-1 certificates, include
-# the following: "SHA1 jdkCA"
+# Example: To apply this constraint to SHA-1 certificates, include
+# the following: "SHA1 jdkCA"
#
# DenyAfterConstraint:
# denyAfter YYYY-MM-DD
# This constraint prohibits a certificate with the specified algorithm
# from being used after the date regardless of the certificate's
-# validity. JAR files that are signed and timestamped before the
+# validity. JAR files that are signed and timestamped before the
# constraint date with certificates containing the disabled algorithm
-# will not be restricted. The date is processed in the UTC timezone.
-# This constraint can only be used once in a DisabledAlgorithm
+# will not be restricted. The date is processed in the UTC timezone.
+# This constraint can only be used once in a DisabledAlgorithm
# expression.
# Example: To deny usage of RSA 2048 bit certificates after Feb 3 2020,
# use the following: "RSA keySize == 2048 & denyAfter 2020-02-03"
diff --git a/jdk/src/share/lib/security/java.security-macosx b/jdk/src/share/lib/security/java.security-macosx
index 80d175f..388031a 100644
--- a/jdk/src/share/lib/security/java.security-macosx
+++ b/jdk/src/share/lib/security/java.security-macosx
@@ -491,21 +491,21 @@
# jdkCA
# This constraint prohibits the specified algorithm only if the
# algorithm is used in a certificate chain that terminates at a marked
-# trust anchor in the lib/security/cacerts keystore. If the jdkCA
-# constraint is not set, then all chains using the specified algorithm
+# trust anchor in the lib/security/cacerts keystore. If the jdkCA
+# constraint is not set, then all chains using the specified algorithm
# are restricted. jdkCA may only be used once in a DisabledAlgorithm
# expression.
-# Example: To apply this constraint to SHA-1 certificates, include
-# the following: "SHA1 jdkCA"
+# Example: To apply this constraint to SHA-1 certificates, include
+# the following: "SHA1 jdkCA"
#
# DenyAfterConstraint:
# denyAfter YYYY-MM-DD
# This constraint prohibits a certificate with the specified algorithm
# from being used after the date regardless of the certificate's
-# validity. JAR files that are signed and timestamped before the
+# validity. JAR files that are signed and timestamped before the
# constraint date with certificates containing the disabled algorithm
-# will not be restricted. The date is processed in the UTC timezone.
-# This constraint can only be used once in a DisabledAlgorithm
+# will not be restricted. The date is processed in the UTC timezone.
+# This constraint can only be used once in a DisabledAlgorithm
# expression.
# Example: To deny usage of RSA 2048 bit certificates after Feb 3 2020,
# use the following: "RSA keySize == 2048 & denyAfter 2020-02-03"
diff --git a/jdk/src/share/lib/security/java.security-solaris b/jdk/src/share/lib/security/java.security-solaris
index 4acc547..818b619 100644
--- a/jdk/src/share/lib/security/java.security-solaris
+++ b/jdk/src/share/lib/security/java.security-solaris
@@ -490,21 +490,21 @@
# jdkCA
# This constraint prohibits the specified algorithm only if the
# algorithm is used in a certificate chain that terminates at a marked
-# trust anchor in the lib/security/cacerts keystore. If the jdkCA
-# constraint is not set, then all chains using the specified algorithm
+# trust anchor in the lib/security/cacerts keystore. If the jdkCA
+# constraint is not set, then all chains using the specified algorithm
# are restricted. jdkCA may only be used once in a DisabledAlgorithm
# expression.
-# Example: To apply this constraint to SHA-1 certificates, include
-# the following: "SHA1 jdkCA"
+# Example: To apply this constraint to SHA-1 certificates, include
+# the following: "SHA1 jdkCA"
#
# DenyAfterConstraint:
# denyAfter YYYY-MM-DD
# This constraint prohibits a certificate with the specified algorithm
# from being used after the date regardless of the certificate's
-# validity. JAR files that are signed and timestamped before the
+# validity. JAR files that are signed and timestamped before the
# constraint date with certificates containing the disabled algorithm
-# will not be restricted. The date is processed in the UTC timezone.
-# This constraint can only be used once in a DisabledAlgorithm
+# will not be restricted. The date is processed in the UTC timezone.
+# This constraint can only be used once in a DisabledAlgorithm
# expression.
# Example: To deny usage of RSA 2048 bit certificates after Feb 3 2020,
# use the following: "RSA keySize == 2048 & denyAfter 2020-02-03"
diff --git a/jdk/src/share/lib/security/java.security-windows b/jdk/src/share/lib/security/java.security-windows
index 3760cad..5dc77e6 100644
--- a/jdk/src/share/lib/security/java.security-windows
+++ b/jdk/src/share/lib/security/java.security-windows
@@ -491,21 +491,21 @@
# jdkCA
# This constraint prohibits the specified algorithm only if the
# algorithm is used in a certificate chain that terminates at a marked
-# trust anchor in the lib/security/cacerts keystore. If the jdkCA
-# constraint is not set, then all chains using the specified algorithm
+# trust anchor in the lib/security/cacerts keystore. If the jdkCA
+# constraint is not set, then all chains using the specified algorithm
# are restricted. jdkCA may only be used once in a DisabledAlgorithm
# expression.
-# Example: To apply this constraint to SHA-1 certificates, include
-# the following: "SHA1 jdkCA"
+# Example: To apply this constraint to SHA-1 certificates, include
+# the following: "SHA1 jdkCA"
#
# DenyAfterConstraint:
# denyAfter YYYY-MM-DD
# This constraint prohibits a certificate with the specified algorithm
# from being used after the date regardless of the certificate's
-# validity. JAR files that are signed and timestamped before the
+# validity. JAR files that are signed and timestamped before the
# constraint date with certificates containing the disabled algorithm
-# will not be restricted. The date is processed in the UTC timezone.
-# This constraint can only be used once in a DisabledAlgorithm
+# will not be restricted. The date is processed in the UTC timezone.
+# This constraint can only be used once in a DisabledAlgorithm
# expression.
# Example: To deny usage of RSA 2048 bit certificates after Feb 3 2020,
# use the following: "RSA keySize == 2048 & denyAfter 2020-02-03"