authorKenny Root <kroot@google.com>2014-04-30 17:15:56 +0000
committerAndroid Git Automerger <android-git-automerger@android.com>2014-04-30 17:15:56 +0000
commit4bbd5d45bffa91f41136709ed6ce45c56192711c (patch)
treea826cd5ffbb9a4bf8a99adb5480ad8b62c96f0af
parentced71a503c6cf79b0cee407123d9df94bf988e0b (diff)
parentce07d1e8436d22dca6cf8a375f636680e3aca472 (diff)
am ce07d1e8: am 45583d71: am f26ef9f9: am 50256449: am 9cd5caec: am 8c9ea691: Revert "Add API to check certificate chain signatures"
* commit 'ce07d1e8436d22dca6cf8a375f636680e3aca472': Revert "Add API to check certificate chain signatures"
-rw-r--r--luni/src/main/java/java/util/jar/JarFile.java24
-rw-r--r--luni/src/main/java/java/util/jar/JarVerifier.java18
-rw-r--r--luni/src/main/java/org/apache/harmony/security/utils/JarUtils.java35
3 files changed, 11 insertions, 66 deletions
diff --git a/luni/src/main/java/java/util/jar/JarFile.java b/luni/src/main/java/java/util/jar/JarFile.java
index 178688f..0b270bc 100644
--- a/luni/src/main/java/java/util/jar/JarFile.java
+++ b/luni/src/main/java/java/util/jar/JarFile.java
@@ -184,19 +184,9 @@ public class JarFile extends ZipFile {
* If the file cannot be read.
*/
public JarFile(File file, boolean verify, int mode) throws IOException {
- this(file, verify, mode, false);
- }
-
- /**
- * See previous constructor for other parameter definitions.
- * @param chainCheck
- * whether or not to check certificate chain signatures
- * @hide
- */
- public JarFile(File file, boolean verify, int mode, boolean chainCheck) throws IOException {
super(file, mode);
if (verify) {
- verifier = new JarVerifier(file.getPath(), chainCheck);
+ verifier = new JarVerifier(file.getPath());
}
readMetaEntries();
}
@@ -226,19 +216,9 @@ public class JarFile extends ZipFile {
* If file cannot be opened or read.
*/
public JarFile(String filename, boolean verify) throws IOException {
- this(filename, verify, false);
- }
-
- /**
- * See previous constructor for other parameter definitions.
- * @param chainCheck
- * whether or not to check certificate chain signatures
- * @hide
- */
- public JarFile(String filename, boolean verify, boolean chainCheck) throws IOException {
super(filename);
if (verify) {
- verifier = new JarVerifier(filename, chainCheck);
+ verifier = new JarVerifier(filename);
}
readMetaEntries();
}
diff --git a/luni/src/main/java/java/util/jar/JarVerifier.java b/luni/src/main/java/java/util/jar/JarVerifier.java
index 5e3dd76..187b229 100644
--- a/luni/src/main/java/java/util/jar/JarVerifier.java
+++ b/luni/src/main/java/java/util/jar/JarVerifier.java
@@ -78,9 +78,6 @@ class JarVerifier {
int mainAttributesEnd;
- /** Whether or not to check certificate chain signatures. */
- private final boolean chainCheck;
-
/**
* Stores and a hash and a message digest and verifies that massage digest
* matches the hash.
@@ -150,23 +147,13 @@ class JarVerifier {
}
/**
- * Convenience constructor for backward compatibility.
- */
- JarVerifier(String name) {
- this(name, false);
- }
-
- /**
* Constructs and returns a new instance of {@code JarVerifier}.
*
* @param name
* the name of the JAR file being verified.
- * @param chainCheck
- * whether to check the certificate chain signatures
*/
- JarVerifier(String name, boolean chainCheck) {
+ JarVerifier(String name) {
jarName = name;
- this.chainCheck = chainCheck;
}
/**
@@ -306,8 +293,7 @@ class JarVerifier {
try {
Certificate[] signerCertChain = JarUtils.verifySignature(
new ByteArrayInputStream(sfBytes),
- new ByteArrayInputStream(sBlockBytes),
- chainCheck);
+ new ByteArrayInputStream(sBlockBytes));
/*
* Recursive call in loading security provider related class which
* is in a signed JAR.
diff --git a/luni/src/main/java/org/apache/harmony/security/utils/JarUtils.java b/luni/src/main/java/org/apache/harmony/security/utils/JarUtils.java
index 6d86dc6..f31754b 100644
--- a/luni/src/main/java/org/apache/harmony/security/utils/JarUtils.java
+++ b/luni/src/main/java/org/apache/harmony/security/utils/JarUtils.java
@@ -52,27 +52,18 @@ public class JarUtils {
new int[] {1, 2, 840, 113549, 1, 9, 4};
/**
- * @see #verifySignature(InputStream, InputStream, boolean)
- */
- public static Certificate[] verifySignature(InputStream signature, InputStream signatureBlock)
- throws IOException, GeneralSecurityException {
- return verifySignature(signature, signatureBlock, false);
- }
-
- /**
* This method handle all the work with PKCS7, ASN1 encoding, signature verifying,
* and certification path building.
* See also PKCS #7: Cryptographic Message Syntax Standard:
* http://www.ietf.org/rfc/rfc2315.txt
* @param signature - the input stream of signature file to be verified
* @param signatureBlock - the input stream of corresponding signature block file
- * @param chainCheck - whether to validate certificate chain signatures
* @return array of certificates used to verify the signature file
* @throws IOException - if some errors occurs during reading from the stream
* @throws GeneralSecurityException - if signature verification process fails
*/
public static Certificate[] verifySignature(InputStream signature, InputStream
- signatureBlock, boolean chainCheck) throws IOException, GeneralSecurityException {
+ signatureBlock) throws IOException, GeneralSecurityException {
BerInputStream bis = new BerInputStream(signatureBlock);
ContentInfo info = (ContentInfo)ContentInfo.ASN1.decode(bis);
@@ -209,11 +200,10 @@ public class JarUtils {
throw new SecurityException("Incorrect signature");
}
- return createChain(certs[issuerSertIndex], certs, chainCheck);
+ return createChain(certs[issuerSertIndex], certs);
}
- private static X509Certificate[] createChain(X509Certificate signer,
- X509Certificate[] candidates, boolean chainCheck) {
+ private static X509Certificate[] createChain(X509Certificate signer, X509Certificate[] candidates) {
LinkedList chain = new LinkedList();
chain.add(0, signer);
@@ -223,16 +213,13 @@ public class JarUtils {
}
Principal issuer = signer.getIssuerDN();
- X509Certificate issuerCert = null;
- X509Certificate subjectCert = signer;
+ X509Certificate issuerCert;
int count = 1;
while (true) {
- X509Certificate newIssuerCert = findCert(issuer, candidates, subjectCert, chainCheck);
- if (newIssuerCert == null) {
+ issuerCert = findCert(issuer, candidates);
+ if( issuerCert == null) {
break;
}
- subjectCert = issuerCert;
- issuerCert = newIssuerCert;
chain.add(issuerCert);
count++;
if (issuerCert.getSubjectDN().equals(issuerCert.getIssuerDN())) {
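Review bot: The `while (true)` loop in createChain has no bound of its own; in the visible lines it stops only when findCert returns null or when a self-signed certificate is reached. The statement that advances `issuer` lies outside this hunk, but if it simply takes `issuerCert.getIssuerDN()`, a signature block whose certificates name each other as issuer would keep the loop running and the list growing. A valid chain cannot be longer than the candidate set, so I would add `if (count >= candidates.length) { break; }` right after `count++;`. As a style point, `if( issuerCert == null)` should be written `if (issuerCert == null)` to match the surrounding code.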
@@ -243,17 +230,9 @@ public class JarUtils {
return (X509Certificate[])chain.toArray(new X509Certificate[count]);
}
- private static X509Certificate findCert(Principal issuer, X509Certificate[] candidates,
- X509Certificate subjectCert, boolean chainCheck) {
+ private static X509Certificate findCert(Principal issuer, X509Certificate[] candidates) {
for (int i = 0; i < candidates.length; i++) {
if (issuer.equals(candidates[i].getSubjectDN())) {
- if (chainCheck) {
- try {
- subjectCert.verify(candidates[i].getPublicKey());
- } catch (Exception e) {
- continue;
- }
- }
return candidates[i];
}
}
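Review bot: findCert now returns the first candidate whose subject DN equals `issuer` without checking that its key signed the child certificate, so every entry after the signer in the chain built by createChain is linked by name only. Distinguished names are chosen by whoever creates a certificate, so the array returned by verifySignature can contain a certificate that merely carries a trusted issuer's name. If the signature check cannot stay, the Javadoc of verifySignature and createChain should state the limit, e.g. `Only the signer certificate is cryptographically verified; the remaining entries are matched by issuer/subject name and must not be used for trust decisions.` Callers that compare chain entries against known certificates then need to do their own path validation, for example with `CertPathValidator`.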