commit fd88d3399d7f210b4a952834267e269d1ceed5f7
author Treehugger Robot <treehugger-gerrit@google.com> Tue Mar 28 14:53:22 2017 +0000
committer Gerrit Code Review <noreply-gerritcodereview@google.com> Tue Mar 28 14:53:23 2017 +0000
tree 516eac02f932de8911a2da1fd05e75278f518729
parent 4eca636f785d6f8aa0d74d3569d775ee6cca3edf
parent 9e69159914774323c73e8d62d6199ea59c4cadef

Merge "Update sun.s.p.c.AlgorithmChecker class with openJdk changes."

ojluni/src/main/java/sun/security/provider/certpath/AlgorithmChecker.java

diff --git a/ojluni/src/main/java/sun/security/provider/certpath/AlgorithmChecker.java b/ojluni/src/main/java/sun/security/provider/certpath/AlgorithmChecker.java
index ab75ff0..f0970b4 100644
--- a/ojluni/src/main/java/sun/security/provider/certpath/AlgorithmChecker.java
+++ b/ojluni/src/main/java/sun/security/provider/certpath/AlgorithmChecker.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -75,7 +75,14 @@
     private PublicKey prevPubKey;
 
     private final static Set<CryptoPrimitive> SIGNATURE_PRIMITIVE_SET =
-                                    EnumSet.of(CryptoPrimitive.SIGNATURE);
+        Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE));
+
+    private final static Set<CryptoPrimitive> KU_PRIMITIVE_SET =
+        Collections.unmodifiableSet(EnumSet.of(
+            CryptoPrimitive.SIGNATURE,
+            CryptoPrimitive.KEY_ENCAPSULATION,
+            CryptoPrimitive.PUBLIC_KEY_ENCRYPTION,
+            CryptoPrimitive.KEY_AGREEMENT));
 
     private final static DisabledAlgorithmConstraints
         certPathDefaultConstraints = new DisabledAlgorithmConstraints(
@@ -210,9 +217,11 @@
                 null, null, -1, PKIXReason.INVALID_KEY_USAGE);
         }
 
+        // Assume all key usage bits are set if key usage is not present
+        Set<CryptoPrimitive> primitives = KU_PRIMITIVE_SET;
+
         if (keyUsage != null) {
-            Set<CryptoPrimitive> primitives =
-                        EnumSet.noneOf(CryptoPrimitive.class);
+            primitives = EnumSet.noneOf(CryptoPrimitive.class);
 
             if (keyUsage[0] || keyUsage[1] || keyUsage[5] || keyUsage[6]) {
                 // keyUsage[0]: KeyUsage.digitalSignature
@@ -237,15 +246,19 @@
             // KeyUsage.encipherOnly and KeyUsage.decipherOnly are
             // undefined in the absence of the keyAgreement bit.
 
-            if (!primitives.isEmpty()) {
-                if (!constraints.permits(primitives, currPubKey)) {
-                    throw new CertPathValidatorException(
-                        "algorithm constraints check failed",
-                        null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
-                }
+            if (primitives.isEmpty()) {
+                throw new CertPathValidatorException(
+                    "incorrect KeyUsage extension",
+                    null, null, -1, PKIXReason.INVALID_KEY_USAGE);
             }
         }
 
+        if (!constraints.permits(primitives, currPubKey)) {
+            throw new CertPathValidatorException(
+                "algorithm constraints check failed",
+                null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
+        }
+
         // Check with previous cert for signature algorithm and public key
         if (prevPubKey != null) {
             if (currSigAlg != null) {
@@ -363,4 +376,3 @@
     }
 
 }
-