Remove "Reverse" PKIX CertPathBuilder implementation
Port from openJdk8u121-b13
Change-Id: I522a0f6e39d572a9f54b4c47e35258a67dca2c44
changeset: 11027:97b3a4fc3290
user: igerasim
date: Fri Sep 04 23:41:30 2015 +0300
summary: 7194452: Remove "Reverse" PKIX CertPathBuilder implementation
Test: CtsLibcoreTestCases
Bug: 36461944
diff --git a/ojluni/src/main/java/sun/security/provider/certpath/Builder.java b/ojluni/src/main/java/sun/security/provider/certpath/Builder.java
index 84cbe66..e6b5fc0 100644
--- a/ojluni/src/main/java/sun/security/provider/certpath/Builder.java
+++ b/ojluni/src/main/java/sun/security/provider/certpath/Builder.java
@@ -102,8 +102,8 @@
/**
* Verifies whether the input certificate completes the path.
- * When building forward, a trust anchor will complete the path.
- * When building reverse, the target certificate will complete the path.
+ * When building in the forward direction, a trust anchor will
+ * complete the path.
*
* @param cert the certificate to test
* @return a boolean value indicating whether the cert completes the path.
diff --git a/ojluni/src/main/java/sun/security/provider/certpath/PKIX.java b/ojluni/src/main/java/sun/security/provider/certpath/PKIX.java
index 98c8834..e33d4a2 100644
--- a/ojluni/src/main/java/sun/security/provider/certpath/PKIX.java
+++ b/ojluni/src/main/java/sun/security/provider/certpath/PKIX.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -25,7 +25,6 @@
package sun.security.provider.certpath;
import java.security.InvalidAlgorithmParameterException;
-import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.*;
import java.security.interfaces.DSAPublicKey;
@@ -194,7 +193,6 @@
static class BuilderParams extends ValidatorParams {
private PKIXBuilderParameters params;
- private boolean buildForward = true;
private List<CertStore> stores;
private X500Principal targetSubject;
@@ -213,10 +211,6 @@
+ "targetCertConstraints parameter must be an "
+ "X509CertSelector");
}
- if (params instanceof SunCertPathBuilderParameters) {
- buildForward =
- ((SunCertPathBuilderParameters)params).getBuildForward();
- }
this.params = params;
this.targetSubject = getTargetSubject(
certStores(), (X509CertSelector)targetCertConstraints());
@@ -230,7 +224,6 @@
return stores;
}
int maxPathLength() { return params.getMaxPathLength(); }
- boolean buildForward() { return buildForward; }
PKIXBuilderParameters params() { return params; }
X500Principal targetSubject() { return targetSubject; }
diff --git a/ojluni/src/main/java/sun/security/provider/certpath/ReverseBuilder.java b/ojluni/src/main/java/sun/security/provider/certpath/ReverseBuilder.java
deleted file mode 100644
index 1815a22..0000000
--- a/ojluni/src/main/java/sun/security/provider/certpath/ReverseBuilder.java
+++ /dev/null
@@ -1,553 +0,0 @@
-/*
- * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation. Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.provider.certpath;
-
-import java.io.IOException;
-import java.security.GeneralSecurityException;
-import java.security.Principal;
-import java.security.cert.CertificateException;
-import java.security.cert.CertPathValidatorException;
-import java.security.cert.CertStore;
-import java.security.cert.CertStoreException;
-import java.security.cert.PKIXBuilderParameters;
-import java.security.cert.PKIXCertPathChecker;
-import java.security.cert.PKIXParameters;
-import java.security.cert.PKIXReason;
-import java.security.cert.TrustAnchor;
-import java.security.cert.X509Certificate;
-import java.security.cert.X509CertSelector;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.Comparator;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.List;
-import java.util.LinkedList;
-import java.util.Set;
-
-import javax.security.auth.x500.X500Principal;
-
-import sun.security.provider.certpath.PKIX.BuilderParams;
-import sun.security.util.Debug;
-import sun.security.x509.Extension;
-import static sun.security.x509.PKIXExtensions.*;
-import sun.security.x509.X500Name;
-import sun.security.x509.X509CertImpl;
-import sun.security.x509.PolicyMappingsExtension;
-
-/**
- * This class represents a reverse builder, which is able to retrieve
- * matching certificates from CertStores and verify a particular certificate
- * against a ReverseState.
- *
- * @since 1.4
- * @author Sean Mullan
- * @author Yassir Elley
- */
-
-class ReverseBuilder extends Builder {
-
- private Debug debug = Debug.getInstance("certpath");
-
- private final Set<String> initPolicies;
-
- /**
- * Initialize the builder with the input parameters.
- *
- * @param params the parameter set used to build a certification path
- */
- ReverseBuilder(BuilderParams buildParams) {
- super(buildParams);
-
- Set<String> initialPolicies = buildParams.initialPolicies();
- initPolicies = new HashSet<String>();
- if (initialPolicies.isEmpty()) {
- // if no initialPolicies are specified by user, set
- // initPolicies to be anyPolicy by default
- initPolicies.add(PolicyChecker.ANY_POLICY);
- } else {
- initPolicies.addAll(initialPolicies);
- }
- }
-
- /**
- * Retrieves all certs from the specified CertStores that satisfy the
- * requirements specified in the parameters and the current
- * PKIX state (name constraints, policy constraints, etc).
- *
- * @param currentState the current state.
- * Must be an instance of <code>ReverseState</code>
- * @param certStores list of CertStores
- */
- @Override
- Collection<X509Certificate> getMatchingCerts
- (State currState, List<CertStore> certStores)
- throws CertStoreException, CertificateException, IOException
- {
- ReverseState currentState = (ReverseState) currState;
-
- if (debug != null)
- debug.println("In ReverseBuilder.getMatchingCerts.");
-
- /*
- * The last certificate could be an EE or a CA certificate
- * (we may be building a partial certification path or
- * establishing trust in a CA).
- *
- * Try the EE certs before the CA certs. It will be more
- * common to build a path to an end entity.
- */
- Collection<X509Certificate> certs =
- getMatchingEECerts(currentState, certStores);
- certs.addAll(getMatchingCACerts(currentState, certStores));
-
- return certs;
- }
-
- /*
- * Retrieves all end-entity certificates which satisfy constraints
- * and requirements specified in the parameters and PKIX state.
- */
- private Collection<X509Certificate> getMatchingEECerts
- (ReverseState currentState, List<CertStore> certStores)
- throws CertStoreException, CertificateException, IOException {
-
- /*
- * Compose a CertSelector to filter out
- * certs which do not satisfy requirements.
- *
- * First, retrieve clone of current target cert constraints, and
- * then add more selection criteria based on current validation state.
- */
- X509CertSelector sel = (X509CertSelector) targetCertConstraints.clone();
-
- /*
- * Match on issuer (subject of previous cert)
- */
- sel.setIssuer(currentState.subjectDN);
-
- /*
- * Match on certificate validity date.
- */
- sel.setCertificateValid(buildParams.date());
-
- /*
- * Policy processing optimizations
- */
- if (currentState.explicitPolicy == 0)
- sel.setPolicy(getMatchingPolicies());
-
- /*
- * If previous cert has a subject key identifier extension,
- * use it to match on authority key identifier extension.
- */
- /*if (currentState.subjKeyId != null) {
- AuthorityKeyIdentifierExtension authKeyId = new AuthorityKeyIdentifierExtension(
- (KeyIdentifier) currentState.subjKeyId.get(SubjectKeyIdentifierExtension.KEY_ID),
- null, null);
- sel.setAuthorityKeyIdentifier(authKeyId.getExtensionValue());
- }*/
-
- /*
- * Require EE certs
- */
- sel.setBasicConstraints(-2);
-
- /* Retrieve matching certs from CertStores */
- HashSet<X509Certificate> eeCerts = new HashSet<>();
- addMatchingCerts(sel, certStores, eeCerts, true);
-
- if (debug != null) {
- debug.println("ReverseBuilder.getMatchingEECerts got "
- + eeCerts.size() + " certs.");
- }
- return eeCerts;
- }
-
- /*
- * Retrieves all CA certificates which satisfy constraints
- * and requirements specified in the parameters and PKIX state.
- */
- private Collection<X509Certificate> getMatchingCACerts
- (ReverseState currentState, List<CertStore> certStores)
- throws CertificateException, CertStoreException, IOException {
-
- /*
- * Compose a CertSelector to filter out
- * certs which do not satisfy requirements.
- */
- X509CertSelector sel = new X509CertSelector();
-
- /*
- * Match on issuer (subject of previous cert)
- */
- sel.setIssuer(currentState.subjectDN);
-
- /*
- * Match on certificate validity date.
- */
- sel.setCertificateValid(buildParams.date());
-
- /*
- * Match on target subject name (checks that current cert's
- * name constraints permit it to certify target).
- * (4 is the integer type for DIRECTORY name).
- */
- byte[] subject = targetCertConstraints.getSubjectAsBytes();
- if (subject != null) {
- sel.addPathToName(4, subject);
- } else {
- X509Certificate cert = targetCertConstraints.getCertificate();
- if (cert != null) {
- sel.addPathToName(4,
- cert.getSubjectX500Principal().getEncoded());
- }
- }
-
- /*
- * Policy processing optimizations
- */
- if (currentState.explicitPolicy == 0)
- sel.setPolicy(getMatchingPolicies());
-
- /*
- * If previous cert has a subject key identifier extension,
- * use it to match on authority key identifier extension.
- */
- /*if (currentState.subjKeyId != null) {
- AuthorityKeyIdentifierExtension authKeyId = new AuthorityKeyIdentifierExtension(
- (KeyIdentifier) currentState.subjKeyId.get(SubjectKeyIdentifierExtension.KEY_ID),
- null, null);
- sel.setAuthorityKeyIdentifier(authKeyId.getExtensionValue());
- }*/
-
- /*
- * Require CA certs
- */
- sel.setBasicConstraints(0);
-
- /* Retrieve matching certs from CertStores */
- ArrayList<X509Certificate> reverseCerts = new ArrayList<>();
- addMatchingCerts(sel, certStores, reverseCerts, true);
-
- /* Sort remaining certs using name constraints */
- Collections.sort(reverseCerts, new PKIXCertComparator());
-
- if (debug != null)
- debug.println("ReverseBuilder.getMatchingCACerts got " +
- reverseCerts.size() + " certs.");
- return reverseCerts;
- }
-
- /*
- * This inner class compares 2 PKIX certificates according to which
- * should be tried first when building a path to the target. For
- * now, the algorithm is to look at name constraints in each cert and those
- * which constrain the path closer to the target should be
- * ranked higher. Later, we may want to consider other components,
- * such as key identifiers.
- */
- class PKIXCertComparator implements Comparator<X509Certificate> {
-
- private Debug debug = Debug.getInstance("certpath");
-
- @Override
- public int compare(X509Certificate cert1, X509Certificate cert2) {
-
- /*
- * if either cert certifies the target, always
- * put at head of list.
- */
- X500Principal targetSubject = buildParams.targetSubject();
- if (cert1.getSubjectX500Principal().equals(targetSubject)) {
- return -1;
- }
- if (cert2.getSubjectX500Principal().equals(targetSubject)) {
- return 1;
- }
-
- int targetDist1;
- int targetDist2;
- try {
- X500Name targetSubjectName = X500Name.asX500Name(targetSubject);
- targetDist1 = Builder.targetDistance(
- null, cert1, targetSubjectName);
- targetDist2 = Builder.targetDistance(
- null, cert2, targetSubjectName);
- } catch (IOException e) {
- if (debug != null) {
- debug.println("IOException in call to Builder.targetDistance");
- e.printStackTrace();
- }
- throw new ClassCastException
- ("Invalid target subject distinguished name");
- }
-
- if (targetDist1 == targetDist2)
- return 0;
-
- if (targetDist1 == -1)
- return 1;
-
- if (targetDist1 < targetDist2)
- return -1;
-
- return 1;
- }
- }
-
- /**
- * Verifies a matching certificate.
- *
- * This method executes any of the validation steps in the PKIX path validation
- * algorithm which were not satisfied via filtering out non-compliant
- * certificates with certificate matching rules.
- *
- * If the last certificate is being verified (the one whose subject
- * matches the target subject, then the steps in Section 6.1.4 of the
- * Certification Path Validation algorithm are NOT executed,
- * regardless of whether or not the last cert is an end-entity
- * cert or not. This allows callers to certify CA certs as
- * well as EE certs.
- *
- * @param cert the certificate to be verified
- * @param currentState the current state against which the cert is verified
- * @param certPathList the certPathList generated thus far
- */
- @Override
- void verifyCert(X509Certificate cert, State currState,
- List<X509Certificate> certPathList)
- throws GeneralSecurityException
- {
- if (debug != null) {
- debug.println("ReverseBuilder.verifyCert(SN: "
- + Debug.toHexString(cert.getSerialNumber())
- + "\n Subject: " + cert.getSubjectX500Principal() + ")");
- }
-
- ReverseState currentState = (ReverseState) currState;
-
- /* we don't perform any validation of the trusted cert */
- if (currentState.isInitial()) {
- return;
- }
-
- // BEGIN Android-removed: Android doesn't use this mechanism for checking untrusted certificates.
- // // Don't bother to verify untrusted certificate more.
- // currentState.untrustedChecker.check(cert,
- // Collections.<String>emptySet());
- // END Android-removed: Android doesn't use this mechanism for checking untrusted certificates.
-
- /*
- * check for looping - abort a loop if
- * ((we encounter the same certificate twice) AND
- * ((policyMappingInhibited = true) OR (no policy mapping
- * extensions can be found between the occurrences of the same
- * certificate)))
- * in order to facilitate the check to see if there are
- * any policy mapping extensions found between the occurrences
- * of the same certificate, we reverse the certpathlist first
- */
- if ((certPathList != null) && (!certPathList.isEmpty())) {
- List<X509Certificate> reverseCertList = new ArrayList<>();
- for (X509Certificate c : certPathList) {
- reverseCertList.add(0, c);
- }
-
- boolean policyMappingFound = false;
- for (X509Certificate cpListCert : reverseCertList) {
- X509CertImpl cpListCertImpl = X509CertImpl.toImpl(cpListCert);
- PolicyMappingsExtension policyMappingsExt =
- cpListCertImpl.getPolicyMappingsExtension();
- if (policyMappingsExt != null) {
- policyMappingFound = true;
- }
- if (debug != null)
- debug.println("policyMappingFound = " + policyMappingFound);
- if (cert.equals(cpListCert)) {
- if ((buildParams.policyMappingInhibited()) ||
- (!policyMappingFound)){
- if (debug != null)
- debug.println("loop detected!!");
- throw new CertPathValidatorException("loop detected");
- }
- }
- }
- }
-
- /* check if target cert */
- boolean finalCert = cert.getSubjectX500Principal().equals(buildParams.targetSubject());
-
- /* check if CA cert */
- boolean caCert = (cert.getBasicConstraints() != -1 ? true : false);
-
- /* if there are more certs to follow, verify certain constraints */
- if (!finalCert) {
-
- /* check if CA cert */
- if (!caCert)
- throw new CertPathValidatorException("cert is NOT a CA cert");
-
- /* If the certificate was not self-issued, verify that
- * remainingCerts is greater than zero
- */
- if ((currentState.remainingCACerts <= 0) && !X509CertImpl.isSelfIssued(cert)) {
- throw new CertPathValidatorException
- ("pathLenConstraint violated, path too long", null,
- null, -1, PKIXReason.PATH_TOO_LONG);
- }
-
- /*
- * Check keyUsage extension (only if CA cert and not final cert)
- */
- KeyChecker.verifyCAKeyUsage(cert);
-
- } else {
-
- /*
- * If final cert, check that it satisfies specified target
- * constraints
- */
- if (targetCertConstraints.match(cert) == false) {
- throw new CertPathValidatorException("target certificate " +
- "constraints check failed");
- }
- }
-
- /*
- * Check revocation.
- */
- if (buildParams.revocationEnabled() && currentState.revChecker != null) {
- currentState.revChecker.check(cert, Collections.<String>emptySet());
- }
-
- /* Check name constraints if this is not a self-issued cert */
- if (finalCert || !X509CertImpl.isSelfIssued(cert)){
- if (currentState.nc != null) {
- try {
- if (!currentState.nc.verify(cert)){
- throw new CertPathValidatorException
- ("name constraints check failed", null, null, -1,
- PKIXReason.INVALID_NAME);
- }
- } catch (IOException ioe) {
- throw new CertPathValidatorException(ioe);
- }
- }
- }
-
- /*
- * Check policy
- */
- X509CertImpl certImpl = X509CertImpl.toImpl(cert);
- currentState.rootNode = PolicyChecker.processPolicies
- (currentState.certIndex, initPolicies,
- currentState.explicitPolicy, currentState.policyMapping,
- currentState.inhibitAnyPolicy,
- buildParams.policyQualifiersRejected(), currentState.rootNode,
- certImpl, finalCert);
-
- /*
- * Check CRITICAL private extensions
- */
- Set<String> unresolvedCritExts = cert.getCriticalExtensionOIDs();
- if (unresolvedCritExts == null) {
- unresolvedCritExts = Collections.<String>emptySet();
- }
-
- /*
- * Check that the signature algorithm is not disabled.
- */
- currentState.algorithmChecker.check(cert, unresolvedCritExts);
-
- for (PKIXCertPathChecker checker : currentState.userCheckers) {
- checker.check(cert, unresolvedCritExts);
- }
-
- /*
- * Look at the remaining extensions and remove any ones we have
- * already checked. If there are any left, throw an exception!
- */
- if (!unresolvedCritExts.isEmpty()) {
- unresolvedCritExts.remove(BasicConstraints_Id.toString());
- unresolvedCritExts.remove(NameConstraints_Id.toString());
- unresolvedCritExts.remove(CertificatePolicies_Id.toString());
- unresolvedCritExts.remove(PolicyMappings_Id.toString());
- unresolvedCritExts.remove(PolicyConstraints_Id.toString());
- unresolvedCritExts.remove(InhibitAnyPolicy_Id.toString());
- unresolvedCritExts.remove(SubjectAlternativeName_Id.toString());
- unresolvedCritExts.remove(KeyUsage_Id.toString());
- unresolvedCritExts.remove(ExtendedKeyUsage_Id.toString());
-
- if (!unresolvedCritExts.isEmpty())
- throw new CertPathValidatorException
- ("Unrecognized critical extension(s)", null, null, -1,
- PKIXReason.UNRECOGNIZED_CRIT_EXT);
- }
-
- /*
- * Check signature.
- */
- if (buildParams.sigProvider() != null) {
- cert.verify(currentState.pubKey, buildParams.sigProvider());
- } else {
- cert.verify(currentState.pubKey);
- }
- }
-
- /**
- * Verifies whether the input certificate completes the path.
- * This checks whether the cert is the target certificate.
- *
- * @param cert the certificate to test
- * @return a boolean value indicating whether the cert completes the path.
- */
- @Override
- boolean isPathCompleted(X509Certificate cert) {
- return cert.getSubjectX500Principal().equals(buildParams.targetSubject());
- }
-
- /** Adds the certificate to the certPathList
- *
- * @param cert the certificate to be added
- * @param certPathList the certification path list
- */
- @Override
- void addCertToPath(X509Certificate cert,
- LinkedList<X509Certificate> certPathList) {
- certPathList.addLast(cert);
- }
-
- /** Removes final certificate from the certPathList
- *
- * @param certPathList the certification path list
- */
- @Override
- void removeFinalCertFromPath(LinkedList<X509Certificate> certPathList) {
- certPathList.removeLast();
- }
-}
diff --git a/ojluni/src/main/java/sun/security/provider/certpath/ReverseState.java b/ojluni/src/main/java/sun/security/provider/certpath/ReverseState.java
deleted file mode 100644
index a9944af..0000000
--- a/ojluni/src/main/java/sun/security/provider/certpath/ReverseState.java
+++ /dev/null
@@ -1,407 +0,0 @@
-/*
- * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation. Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.provider.certpath;
-
-import java.io.IOException;
-import java.security.PublicKey;
-import java.security.cert.CertificateException;
-import java.security.cert.CertPathValidatorException;
-import java.security.cert.PKIXCertPathChecker;
-import java.security.cert.PKIXRevocationChecker;
-import java.security.cert.TrustAnchor;
-import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-import java.util.HashSet;
-import java.util.List;
-import java.util.ListIterator;
-import java.util.Set;
-import javax.security.auth.x500.X500Principal;
-
-import sun.security.provider.certpath.PKIX.BuilderParams;
-import sun.security.util.Debug;
-import sun.security.x509.NameConstraintsExtension;
-import sun.security.x509.SubjectKeyIdentifierExtension;
-import sun.security.x509.X509CertImpl;
-
-/**
- * A specification of a reverse PKIX validation state
- * which is initialized by each build and updated each time a
- * certificate is added to the current path.
- * @since 1.4
- * @author Sean Mullan
- * @author Yassir Elley
- */
-
-class ReverseState implements State {
-
- private static final Debug debug = Debug.getInstance("certpath");
-
- /* The subject DN of the last cert in the path */
- X500Principal subjectDN;
-
- /* The subject public key of the last cert */
- PublicKey pubKey;
-
- /* The subject key identifier extension (if any) of the last cert */
- SubjectKeyIdentifierExtension subjKeyId;
-
- /* The PKIX constrained/excluded subtrees state variable */
- NameConstraintsExtension nc;
-
- /* The PKIX explicit policy, policy mapping, and inhibit_any-policy
- state variables */
- int explicitPolicy;
- int policyMapping;
- int inhibitAnyPolicy;
- int certIndex;
- PolicyNodeImpl rootNode;
-
- /* The number of remaining CA certs which may follow in the path.
- * -1: previous cert was an EE cert
- * 0: only EE certs may follow.
- * >0 and <Integer.MAX_VALUE:no more than this number of CA certs may follow
- * Integer.MAX_VALUE: unlimited
- */
- int remainingCACerts;
-
- /* The list of user-defined checkers retrieved from the PKIXParameters
- * instance */
- ArrayList<PKIXCertPathChecker> userCheckers;
-
- /* Flag indicating if state is initial (path is just starting) */
- private boolean init = true;
-
- /* the checker used for revocation status */
- RevocationChecker revChecker;
-
- /* the algorithm checker */
- AlgorithmChecker algorithmChecker;
-
- /* the untrusted certificates checker */
- // Android-removed: Android doesn't use this mechanism for checking untrusted certificates.
- // UntrustedChecker untrustedChecker;
-
- /* the trust anchor used to validate the path */
- TrustAnchor trustAnchor;
-
- /* Flag indicating if current cert can vouch for the CRL for
- * the next cert
- */
- boolean crlSign = true;
-
- /**
- * Returns a boolean flag indicating if the state is initial
- * (just starting)
- *
- * @return boolean flag indicating if the state is initial (just starting)
- */
- @Override
- public boolean isInitial() {
- return init;
- }
-
- /**
- * Display state for debugging purposes
- */
- @Override
- public String toString() {
- StringBuilder sb = new StringBuilder();
- sb.append("State [");
- sb.append("\n subjectDN of last cert: ").append(subjectDN);
- sb.append("\n subjectKeyIdentifier: ").append
- (String.valueOf(subjKeyId));
- sb.append("\n nameConstraints: ").append(String.valueOf(nc));
- sb.append("\n certIndex: ").append(certIndex);
- sb.append("\n explicitPolicy: ").append(explicitPolicy);
- sb.append("\n policyMapping: ").append(policyMapping);
- sb.append("\n inhibitAnyPolicy: ").append(inhibitAnyPolicy);
- sb.append("\n rootNode: ").append(rootNode);
- sb.append("\n remainingCACerts: ").append(remainingCACerts);
- sb.append("\n crlSign: ").append(crlSign);
- sb.append("\n init: ").append(init);
- sb.append("\n]\n");
- return sb.toString();
- }
-
- /**
- * Initialize the state.
- *
- * @param buildParams builder parameters
- */
- public void initState(BuilderParams buildParams)
- throws CertPathValidatorException
- {
- /*
- * Initialize number of remainingCACerts.
- * Note that -1 maxPathLen implies unlimited.
- * 0 implies only an EE cert is acceptable.
- */
- int maxPathLen = buildParams.maxPathLength();
- remainingCACerts = (maxPathLen == -1) ? Integer.MAX_VALUE
- : maxPathLen;
-
- /* Initialize explicit policy state variable */
- if (buildParams.explicitPolicyRequired()) {
- explicitPolicy = 0;
- } else {
- // unconstrained if maxPathLen is -1,
- // otherwise, we want to initialize this to the value of the
- // longest possible path + 1 (i.e. maxpathlen + finalcert + 1)
- explicitPolicy = (maxPathLen == -1) ? maxPathLen : maxPathLen + 2;
- }
-
- /* Initialize policy mapping state variable */
- if (buildParams.policyMappingInhibited()) {
- policyMapping = 0;
- } else {
- policyMapping = (maxPathLen == -1) ? maxPathLen : maxPathLen + 2;
- }
-
- /* Initialize inhibit any policy state variable */
- if (buildParams.anyPolicyInhibited()) {
- inhibitAnyPolicy = 0;
- } else {
- inhibitAnyPolicy = (maxPathLen == -1) ? maxPathLen : maxPathLen + 2;
- }
-
- /* Initialize certIndex */
- certIndex = 1;
-
- /* Initialize policy tree */
- Set<String> initExpPolSet = new HashSet<>(1);
- initExpPolSet.add(PolicyChecker.ANY_POLICY);
-
- rootNode = new PolicyNodeImpl(null, PolicyChecker.ANY_POLICY, null,
- false, initExpPolSet, false);
-
- /*
- * Initialize each user-defined checker
- * Shallow copy the checkers
- */
- userCheckers = new ArrayList<>(buildParams.certPathCheckers());
- /* initialize each checker (just in case) */
- for (PKIXCertPathChecker checker : userCheckers) {
- checker.init(false);
- }
-
- /* Start by trusting the cert to sign CRLs */
- crlSign = true;
-
- init = true;
- }
-
- /**
- * Update the state with the specified trust anchor.
- *
- * @param anchor the most-trusted CA
- * @param buildParams builder parameters
- */
- public void updateState(TrustAnchor anchor, BuilderParams buildParams)
- throws CertificateException, IOException, CertPathValidatorException
- {
- trustAnchor = anchor;
- X509Certificate trustedCert = anchor.getTrustedCert();
- if (trustedCert != null) {
- updateState(trustedCert);
- } else {
- X500Principal caName = anchor.getCA();
- updateState(anchor.getCAPublicKey(), caName);
- }
-
- // The user specified AlgorithmChecker and RevocationChecker may not be
- // able to set the trust anchor until now.
- boolean revCheckerAdded = false;
- for (PKIXCertPathChecker checker : userCheckers) {
- if (checker instanceof AlgorithmChecker) {
- ((AlgorithmChecker)checker).trySetTrustAnchor(anchor);
- } else if (checker instanceof PKIXRevocationChecker) {
- if (revCheckerAdded) {
- throw new CertPathValidatorException(
- "Only one PKIXRevocationChecker can be specified");
- }
- // if it's our own, initialize it
- if (checker instanceof RevocationChecker) {
- ((RevocationChecker)checker).init(anchor, buildParams);
- }
- ((PKIXRevocationChecker)checker).init(false);
- revCheckerAdded = true;
- }
- }
-
- // only create a RevocationChecker if revocation is enabled and
- // a PKIXRevocationChecker has not already been added
- if (buildParams.revocationEnabled() && !revCheckerAdded) {
- revChecker = new RevocationChecker(anchor, buildParams);
- revChecker.init(false);
- }
-
- init = false;
- }
-
- /**
- * Update the state. This method is used when the most-trusted CA is
- * a trusted public-key and caName, instead of a trusted cert.
- *
- * @param pubKey the public key of the trusted CA
- * @param subjectDN the subject distinguished name of the trusted CA
- */
- private void updateState(PublicKey pubKey, X500Principal subjectDN) {
-
- /* update subject DN */
- this.subjectDN = subjectDN;
-
- /* update subject public key */
- this.pubKey = pubKey;
- }
-
- /**
- * Update the state with the next certificate added to the path.
- *
- * @param cert the certificate which is used to update the state
- */
- public void updateState(X509Certificate cert)
- throws CertificateException, IOException, CertPathValidatorException {
-
- if (cert == null) {
- return;
- }
-
- /* update subject DN */
- subjectDN = cert.getSubjectX500Principal();
-
- /* check for key needing to inherit alg parameters */
- X509CertImpl icert = X509CertImpl.toImpl(cert);
- PublicKey newKey = cert.getPublicKey();
- if (PKIX.isDSAPublicKeyWithoutParams(newKey)) {
- newKey = BasicChecker.makeInheritedParamsKey(newKey, pubKey);
- }
-
- /* update subject public key */
- pubKey = newKey;
-
- /*
- * if this is a trusted cert (init == true), then we
- * don't update any of the remaining fields
- */
- if (init) {
- init = false;
- return;
- }
-
- /* update subject key identifier */
- subjKeyId = icert.getSubjectKeyIdentifierExtension();
-
- /* update crlSign */
- crlSign = RevocationChecker.certCanSignCrl(cert);
-
- /* update current name constraints */
- if (nc != null) {
- nc.merge(icert.getNameConstraintsExtension());
- } else {
- nc = icert.getNameConstraintsExtension();
- if (nc != null) {
- // Make sure we do a clone here, because we're probably
- // going to modify this object later and we don't want to
- // be sharing it with a Certificate object!
- nc = (NameConstraintsExtension) nc.clone();
- }
- }
-
- /* update policy state variables */
- explicitPolicy =
- PolicyChecker.mergeExplicitPolicy(explicitPolicy, icert, false);
- policyMapping =
- PolicyChecker.mergePolicyMapping(policyMapping, icert);
- inhibitAnyPolicy =
- PolicyChecker.mergeInhibitAnyPolicy(inhibitAnyPolicy, icert);
- certIndex++;
-
- /*
- * Update remaining CA certs
- */
- remainingCACerts =
- ConstraintsChecker.mergeBasicConstraints(cert, remainingCACerts);
-
- init = false;
- }
-
- /**
- * Returns a boolean flag indicating if a key lacking necessary key
- * algorithm parameters has been encountered.
- *
- * @return boolean flag indicating if key lacking parameters encountered.
- */
- @Override
- public boolean keyParamsNeeded() {
- /* when building in reverse, we immediately get parameters needed
- * or else throw an exception
- */
- return false;
- }
-
- /*
- * Clone current state. The state is cloned as each cert is
- * added to the path. This is necessary if backtracking occurs,
- * and a prior state needs to be restored.
- *
- * Note that this is a SMART clone. Not all fields are fully copied,
- * because some of them (e.g., subjKeyId) will
- * not have their contents modified by subsequent calls to updateState.
- */
- @Override
- @SuppressWarnings("unchecked") // Safe casts assuming clone() works correctly
- public Object clone() {
- try {
- ReverseState clonedState = (ReverseState) super.clone();
-
- /* clone checkers, if cloneable */
- clonedState.userCheckers =
- (ArrayList<PKIXCertPathChecker>)userCheckers.clone();
- ListIterator<PKIXCertPathChecker> li =
- clonedState.userCheckers.listIterator();
- while (li.hasNext()) {
- PKIXCertPathChecker checker = li.next();
- if (checker instanceof Cloneable) {
- li.set((PKIXCertPathChecker)checker.clone());
- }
- }
-
- /* make copy of name constraints */
- if (nc != null) {
- clonedState.nc = (NameConstraintsExtension) nc.clone();
- }
-
- /* make copy of policy tree */
- if (rootNode != null) {
- clonedState.rootNode = rootNode.copyTree();
- }
-
- return clonedState;
- } catch (CloneNotSupportedException e) {
- throw new InternalError(e.toString(), e);
- }
- }
-}
diff --git a/ojluni/src/main/java/sun/security/provider/certpath/SunCertPathBuilder.java b/ojluni/src/main/java/sun/security/provider/certpath/SunCertPathBuilder.java
index 9b21a99..7ff8d6c 100644
--- a/ojluni/src/main/java/sun/security/provider/certpath/SunCertPathBuilder.java
+++ b/ojluni/src/main/java/sun/security/provider/certpath/SunCertPathBuilder.java
@@ -35,8 +35,6 @@
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
-import java.util.HashSet;
-import java.util.Iterator;
import java.util.List;
import java.util.LinkedList;
import java.util.Set;
@@ -47,8 +45,7 @@
import sun.security.util.Debug;
/**
- * This class is able to build certification paths in either the forward
- * or reverse directions.
+ * This class builds certification paths in the forward direction.
*
* <p> If successful, it returns a certification path which has successfully
* satisfied all the constraints and requirements specified in the
@@ -102,10 +99,8 @@
/**
* Attempts to build a certification path using the Sun build
* algorithm from a trusted anchor(s) to a target subject, which must both
- * be specified in the input parameter set. By default, this method will
- * attempt to build in the forward direction. In order to build in the
- * reverse direction, the caller needs to pass in an instance of
- * SunCertPathBuilderParameters with the buildForward flag set to false.
+ * be specified in the input parameter set. This method will
+ * attempt to build in the forward direction: from the target to the CA.
*
* <p>The certification path that is constructed is validated
* according to the PKIX specification.
@@ -162,11 +157,7 @@
policyTreeResult = null;
LinkedList<X509Certificate> certPathList = new LinkedList<>();
try {
- if (buildParams.buildForward()) {
- buildForward(adjList, certPathList, searchAllCertStores);
- } else {
- buildReverse(adjList, certPathList);
- }
+ buildForward(adjList, certPathList, searchAllCertStores);
} catch (GeneralSecurityException | IOException e) {
if (debug != null) {
debug.println("SunCertPathBuilder.engineBuild() exception in "
@@ -210,82 +201,6 @@
}
/*
- * Private build reverse method.
- */
- private void buildReverse(List<List<Vertex>> adjacencyList,
- LinkedList<X509Certificate> certPathList)
- throws GeneralSecurityException, IOException
- {
- if (debug != null) {
- debug.println("SunCertPathBuilder.buildReverse()...");
- debug.println("SunCertPathBuilder.buildReverse() InitialPolicies: "
- + buildParams.initialPolicies());
- }
-
- ReverseState currentState = new ReverseState();
- /* Initialize adjacency list */
- adjacencyList.clear();
- adjacencyList.add(new LinkedList<Vertex>());
-
- /*
- * Perform a search using each trust anchor, until a valid
- * path is found
- */
- Iterator<TrustAnchor> iter = buildParams.trustAnchors().iterator();
- while (iter.hasNext()) {
- TrustAnchor anchor = iter.next();
-
- /* check if anchor satisfies target constraints */
- if (anchorIsTarget(anchor, buildParams.targetCertConstraints())) {
- this.trustAnchor = anchor;
- this.pathCompleted = true;
- this.finalPublicKey = anchor.getTrustedCert().getPublicKey();
- break;
- }
-
- // skip anchor if it contains a DSA key with no DSA params
- X509Certificate trustedCert = anchor.getTrustedCert();
- PublicKey pubKey = trustedCert != null ? trustedCert.getPublicKey()
- : anchor.getCAPublicKey();
-
- if (PKIX.isDSAPublicKeyWithoutParams(pubKey)) {
- continue;
- }
-
- /* Initialize current state */
- currentState.initState(buildParams);
- currentState.updateState(anchor, buildParams);
-
- currentState.algorithmChecker = new AlgorithmChecker(anchor);
- // Android-removed: Android doesn't use this mechanism for checking untrusted certificates
- // currentState.untrustedChecker = new UntrustedChecker();
- try {
- depthFirstSearchReverse(null, currentState,
- new ReverseBuilder(buildParams),
- adjacencyList, certPathList);
- } catch (GeneralSecurityException | IOException e) {
- // continue on error if more anchors to try
- if (iter.hasNext())
- continue;
- else
- throw e;
- }
-
- // break out of loop if search is successful
- if (pathCompleted) {
- break;
- }
- }
-
- if (debug != null) {
- debug.println("SunCertPathBuilder.buildReverse() returned from "
- + "depthFirstSearchReverse()");
- debug.println("SunCertPathBuilder.buildReverse() "
- + "certPathList.size: " + certPathList.size());
- }
- }
-
- /*
* Private build forward method.
*/
private void buildForward(List<List<Vertex>> adjacencyList,
@@ -634,147 +549,6 @@
}
/*
- * This method performs a depth first search for a certification
- * path while building reverse which meets the requirements set in
- * the parameters object.
- * It uses an adjacency list to store all certificates which were
- * tried (i.e. at one time added to the path - they may not end up in
- * the final path if backtracking occurs). This information can
- * be used later to debug or demo the build.
- *
- * See "Data Structure and Algorithms, by Aho, Hopcroft, and Ullman"
- * for an explanation of the DFS algorithm.
- *
- * @param dN the distinguished name being currently searched for certs
- * @param currentState the current PKIX validation state
- */
- private void depthFirstSearchReverse(X500Principal dN,
- ReverseState currentState,
- ReverseBuilder builder,
- List<List<Vertex>> adjList,
- LinkedList<X509Certificate> cpList)
- throws GeneralSecurityException, IOException
- {
- if (debug != null)
- debug.println("SunCertPathBuilder.depthFirstSearchReverse(" + dN
- + ", " + currentState.toString() + ")");
-
- /*
- * Find all the certificates issued by dN which
- * satisfy the PKIX certification path constraints.
- */
- Collection<X509Certificate> certs =
- builder.getMatchingCerts(currentState, buildParams.certStores());
- List<Vertex> vertices = addVertices(certs, adjList);
- if (debug != null)
- debug.println("SunCertPathBuilder.depthFirstSearchReverse(): "
- + "certs.size=" + vertices.size());
-
- /*
- * For each cert in the collection, verify anything
- * that hasn't been checked yet (signature, revocation, etc)
- * and check for loops. Call depthFirstSearchReverse()
- * recursively for each good cert.
- */
- for (Vertex vertex : vertices) {
- /**
- * Restore state to currentState each time through the loop.
- * This is important because some of the user-defined
- * checkers modify the state, which MUST be restored if
- * the cert eventually fails to lead to the target and
- * the next matching cert is tried.
- */
- ReverseState nextState = (ReverseState) currentState.clone();
- X509Certificate cert = vertex.getCertificate();
- try {
- builder.verifyCert(cert, nextState, cpList);
- } catch (GeneralSecurityException gse) {
- if (debug != null)
- debug.println("SunCertPathBuilder.depthFirstSearchReverse()"
- + ": validation failed: " + gse);
- vertex.setThrowable(gse);
- continue;
- }
-
- /*
- * Certificate is good, add it to the path (if it isn't a
- * self-signed cert) and update state
- */
- if (!currentState.isInitial())
- builder.addCertToPath(cert, cpList);
- // save trust anchor
- this.trustAnchor = currentState.trustAnchor;
-
- /*
- * Check if path is completed, return ASAP if so.
- */
- if (builder.isPathCompleted(cert)) {
- if (debug != null)
- debug.println("SunCertPathBuilder.depthFirstSearchReverse()"
- + ": path completed!");
- pathCompleted = true;
-
- PolicyNodeImpl rootNode = nextState.rootNode;
-
- if (rootNode == null)
- policyTreeResult = null;
- else {
- policyTreeResult = rootNode.copyTree();
- ((PolicyNodeImpl)policyTreeResult).setImmutable();
- }
-
- /*
- * Extract and save the final target public key
- */
- finalPublicKey = cert.getPublicKey();
- if (PKIX.isDSAPublicKeyWithoutParams(finalPublicKey)) {
- finalPublicKey =
- BasicChecker.makeInheritedParamsKey
- (finalPublicKey, currentState.pubKey);
- }
-
- return;
- }
-
- /* Update the PKIX state */
- nextState.updateState(cert);
-
- /*
- * Append an entry for cert in adjacency list and
- * set index for current vertex.
- */
- adjList.add(new LinkedList<Vertex>());
- vertex.setIndex(adjList.size() - 1);
-
- /* recursively search for matching certs at next dN */
- depthFirstSearchReverse(cert.getSubjectX500Principal(), nextState,
- builder, adjList, cpList);
-
- /*
- * If path has been completed, return ASAP!
- */
- if (pathCompleted) {
- return;
- } else {
- /*
- * If we get here, it means we have searched all possible
- * certs issued by the dN w/o finding any matching certs. This
- * means we have to backtrack to the previous cert in the path
- * and try some other paths.
- */
- if (debug != null)
- debug.println("SunCertPathBuilder.depthFirstSearchReverse()"
- + ": backtracking");
- if (!currentState.isInitial())
- builder.removeFinalCertFromPath(cpList);
- }
- }
- if (debug != null)
- debug.println("SunCertPathBuilder.depthFirstSearchReverse() all "
- + "certs in this adjacency list checked");
- }
-
- /*
* Adds a collection of matching certificates to the
* adjacency list.
*/
diff --git a/ojluni/src/main/java/sun/security/provider/certpath/SunCertPathBuilderParameters.java b/ojluni/src/main/java/sun/security/provider/certpath/SunCertPathBuilderParameters.java
deleted file mode 100644
index 186e252..0000000
--- a/ojluni/src/main/java/sun/security/provider/certpath/SunCertPathBuilderParameters.java
+++ /dev/null
@@ -1,131 +0,0 @@
-/*
- * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation. Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.provider.certpath;
-
-import java.security.InvalidAlgorithmParameterException;
-import java.security.KeyStore;
-import java.security.KeyStoreException;
-import java.security.cert.*;
-import java.util.Set;
-
-/**
- * This class specifies the set of parameters used as input for the Sun
- * certification path build algorithm. It is identical to PKIXBuilderParameters
- * with the addition of a <code>buildForward</code> parameter which allows
- * the caller to specify whether or not the path should be constructed in
- * the forward direction.
- *
- * The default for the <code>buildForward</code> parameter is
- * true, which means that the build algorithm should construct paths
- * from the target subject back to the trusted anchor.
- *
- * @since 1.4
- * @author Sean Mullan
- * @author Yassir Elley
- */
-public class SunCertPathBuilderParameters extends PKIXBuilderParameters {
-
- private boolean buildForward = true;
-
- /**
- * Creates an instance of <code>SunCertPathBuilderParameters</code> with the
- * specified parameter values.
- *
- * @param trustAnchors a <code>Set</code> of <code>TrustAnchor</code>s
- * @param targetConstraints a <code>CertSelector</code> specifying the
- * constraints on the target certificate
- * @throws InvalidAlgorithmParameterException if the specified
- * <code>Set</code> is empty <code>(trustAnchors.isEmpty() == true)</code>
- * @throws NullPointerException if the specified <code>Set</code> is
- * <code>null</code>
- * @throws ClassCastException if any of the elements in the <code>Set</code>
- * are not of type <code>java.security.cert.TrustAnchor</code>
- */
- public SunCertPathBuilderParameters(Set<TrustAnchor> trustAnchors,
- CertSelector targetConstraints) throws InvalidAlgorithmParameterException
- {
- super(trustAnchors, targetConstraints);
- setBuildForward(true);
- }
-
- /**
- * Creates an instance of <code>SunCertPathBuilderParameters</code> that
- * uses the specified <code>KeyStore</code> to populate the set
- * of most-trusted CA certificates.
- *
- * @param keystore A keystore from which the set of most-trusted
- * CA certificates will be populated.
- * @param targetConstraints a <code>CertSelector</code> specifying the
- * constraints on the target certificate
- * @throws KeyStoreException if the keystore has not been initialized.
- * @throws InvalidAlgorithmParameterException if the keystore does
- * not contain at least one trusted certificate entry
- * @throws NullPointerException if the keystore is <code>null</code>
- */
- public SunCertPathBuilderParameters(KeyStore keystore,
- CertSelector targetConstraints)
- throws KeyStoreException, InvalidAlgorithmParameterException
- {
- super(keystore, targetConstraints);
- setBuildForward(true);
- }
-
- /**
- * Returns the value of the buildForward flag.
- *
- * @return the value of the buildForward flag
- */
- public boolean getBuildForward() {
- return this.buildForward;
- }
-
- /**
- * Sets the value of the buildForward flag. If true, paths
- * are built from the target subject to the trusted anchor.
- * If false, paths are built from the trusted anchor to the
- * target subject. The default value if not specified is true.
- *
- * @param buildForward the value of the buildForward flag
- */
- public void setBuildForward(boolean buildForward) {
- this.buildForward = buildForward;
- }
-
- /**
- * Returns a formatted string describing the parameters.
- *
- * @return a formatted string describing the parameters.
- */
- @Override
- public String toString() {
- StringBuilder sb = new StringBuilder();
- sb.append("[\n");
- sb.append(super.toString());
- sb.append(" Build Forward Flag: " + String.valueOf(buildForward) + "\n");
- sb.append("]\n");
- return sb.toString();
- }
-}
diff --git a/openjdk_java_files.mk b/openjdk_java_files.mk
index 3b38617..a812e07 100644
--- a/openjdk_java_files.mk
+++ b/openjdk_java_files.mk
@@ -1596,13 +1596,10 @@
ojluni/src/main/java/sun/security/provider/certpath/PKIXMasterCertPathValidator.java \
ojluni/src/main/java/sun/security/provider/certpath/PolicyChecker.java \
ojluni/src/main/java/sun/security/provider/certpath/PolicyNodeImpl.java \
- ojluni/src/main/java/sun/security/provider/certpath/ReverseBuilder.java \
- ojluni/src/main/java/sun/security/provider/certpath/ReverseState.java \
ojluni/src/main/java/sun/security/provider/certpath/RevocationChecker.java \
ojluni/src/main/java/sun/security/provider/certpath/State.java \
ojluni/src/main/java/sun/security/provider/certpath/SunCertPathBuilder.java \
ojluni/src/main/java/sun/security/provider/certpath/SunCertPathBuilderException.java \
- ojluni/src/main/java/sun/security/provider/certpath/SunCertPathBuilderParameters.java \
ojluni/src/main/java/sun/security/provider/certpath/SunCertPathBuilderResult.java \
ojluni/src/main/java/sun/security/provider/certpath/URICertStore.java \
ojluni/src/main/java/sun/security/provider/certpath/Vertex.java \