authorSergio Giro <sgiro@google.com>2016-09-09 15:14:15 +0100
committerSergio Giro <sgiro@google.com>2016-09-13 11:22:36 +0000
commitc415feea05de0907cf741293bd538bd10d3194c6 (patch)
treef93eb44e130cd3c341fb158a355b3996bae33937 /bcprov/src/main/java
parent54416dd637f5fb07da71651f0546ad45c6285e88 (diff)
X509V3CertificateGenerator: use a X509CertificateObject from a different package
Use org.bouncycastle.jcajce.provider.asymmetric.x509.X509CertificateObject instead of org.bouncycastle.jce.provider.X509CertificateObject. These classes serve the same purpose, the latter is kept by BouncyCastle only in case developers have serialized instances. The former is better as it uses the more up-to-date hash equivalent to that of Java 8. In Java 8, the hash code in the abstract class Certificate was changed. This led TrustedCertificateStore#testMultipleIssuers to fail as it uses HashSets for comparison and org.bouncycastle.jce.provider.X509CertificateObject was still using the old definition (while conscrypt generated ones use the ones in the abstract class). After this commit the certificate generator uses a more up-to-date version of the class, in which the hash coincides with the one in Java 8 and the test now passes and everything's great. Bug: 31287348 Test: old-cts run cts --class com.android.org.conscrypt.TrustedCertificateStoreTest Change-Id: I4e373380f8a3e669cfcdf8ce7386f58e559c0c16
Diffstat (limited to 'bcprov/src/main/java')
-rw-r--r--bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/x509/X509CertificateObject.java6
-rw-r--r--bcprov/src/main/java/org/bouncycastle/x509/X509V3CertificateGenerator.java21
2 files changed, 23 insertions, 4 deletions
diff --git a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/x509/X509CertificateObject.java b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/x509/X509CertificateObject.java
index 51213d42..8242b117 100644
--- a/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/x509/X509CertificateObject.java
+++ b/bcprov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/x509/X509CertificateObject.java
@@ -68,7 +68,11 @@ import org.bouncycastle.util.Integers;
import org.bouncycastle.util.Strings;
import org.bouncycastle.util.encoders.Hex;
-class X509CertificateObject
+// BEGIN ANDROID-CHANGED
+// Was: class X509CertificateObject
+// Changed to public so that it can be accessed from X509V3CertificateGenerator
+public class X509CertificateObject
+// END ANDROID-CHANGED
extends X509Certificate
implements PKCS12BagAttributeCarrier
{
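Review bot: Making `X509CertificateObject` public exposes a provider-internal class to every package in order to serve a single caller, and the ANDROID-CHANGED comment above the declaration does not say the class is still meant to be internal. I would extend that comment with `// Not a supported API: public only so X509V3CertificateGenerator can construct it.` Whether the constructors are public as well is not visible, since the class body continues outside the hunk. If they are, any code can now wrap an arbitrary `Certificate` structure in this type, so it is worth confirming that nothing treats the concrete class as evidence that the certificate was parsed by the provider.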
diff --git a/bcprov/src/main/java/org/bouncycastle/x509/X509V3CertificateGenerator.java b/bcprov/src/main/java/org/bouncycastle/x509/X509V3CertificateGenerator.java
index c422cb26..54be0016 100644
--- a/bcprov/src/main/java/org/bouncycastle/x509/X509V3CertificateGenerator.java
+++ b/bcprov/src/main/java/org/bouncycastle/x509/X509V3CertificateGenerator.java
@@ -34,7 +34,12 @@ import org.bouncycastle.asn1.x509.V3TBSCertificateGenerator;
import org.bouncycastle.asn1.x509.X509ExtensionsGenerator;
import org.bouncycastle.asn1.x509.X509Name;
import org.bouncycastle.jce.X509Principal;
-import org.bouncycastle.jce.provider.X509CertificateObject;
+// BEGIN ANDROID-ADDED
+// See the definition of the jcaJceHelper field for details.
+import org.bouncycastle.jcajce.provider.asymmetric.x509.X509CertificateObject;
+import org.bouncycastle.jcajce.util.BCJcaJceHelper;
+import org.bouncycastle.jcajce.util.JcaJceHelper;
+// END ANDROID-ADDED
import org.bouncycastle.x509.extension.X509ExtensionUtil;
/**
@@ -48,6 +53,12 @@ public class X509V3CertificateGenerator
private AlgorithmIdentifier sigAlgId;
private String signatureAlgorithm;
private X509ExtensionsGenerator extGenerator;
+ // BEGIN ANDROID-ADDED
+ // Use org.bouncycastle.jcajce.provider.asymmetric.x509.X509CertificateObject
+ // instead of org.bouncycastle.jce.provider.X509CertificateObject.
+ // We need to pass one instance of JcaJceHelper in the constructor of the former class.
+ private final JcaJceHelper jcaJceHelper = new BCJcaJceHelper();
+ // END ANDROID-ADDED
public X509V3CertificateGenerator()
{
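Review bot: The comment on the new `jcaJceHelper` field says which class is used but not why, and the reason is recorded only in the commit message. I would add `// The jcajce class computes hashCode() the same way as Certificate in Java 8, so generated certificates hash consistently with those from other providers in HashSet comparisons.` The helper is also constructed once per generator instance; if `BCJcaJceHelper` holds no per-instance state (not visible here), `private static final` would avoid the repeated construction. The class body continues outside the hunk.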
@@ -510,8 +521,12 @@ public class X509V3CertificateGenerator
v.add(tbsCert);
v.add(sigAlgId);
v.add(new DERBitString(signature));
-
- return new X509CertificateObject(Certificate.getInstance(new DERSequence(v)));
+ // BEGIN ANDROID-CHANGED
+ // Was: return new X509CertificateObject(Certificate.getInstance(new DERSequence(v)));
+ // We are using a different X509CertificateObject class than the original, see definition
+ // of the jcaJceHelper field for details.
+ return new X509CertificateObject(jcaJceHelper, Certificate.getInstance(new DERSequence(v)));
+ // END ANDROID-CHANGED
}
/**