8296143: CertAttrSet's set/get mechanism is not type-safe

Reviewed-by: mullan

Author: wangweij

src/java.base/share/classes/java/security/cert/CertificateRevokedException.java

@@ -155,7 +155,7 @@ public Date getInvalidityDate() {
             return null;
         } else {
             try {
-                Date invalidity = InvalidityDateExtension.toImpl(ext).get("DATE");
+                Date invalidity = InvalidityDateExtension.toImpl(ext).getDate();
                 return new Date(invalidity.getTime());
             } catch (IOException ioe) {
                 return null;

src/java.base/share/classes/java/security/cert/X509CRLSelector.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2021, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -323,7 +323,7 @@ private static HashSet<Object> cloneAndCheckIssuerNames(Collection<?> names)
             else
                 namesCopy.add(nameObject);
         }
-        return(namesCopy);
+        return namesCopy;
     }
 
     /**
@@ -630,7 +630,7 @@ public boolean match(CRL crl) {
                 byte[] encoded = in.getOctetString();
                 CRLNumberExtension crlNumExt =
                     new CRLNumberExtension(Boolean.FALSE, encoded);
-                crlNum = crlNumExt.get(CRLNumberExtension.NUMBER);
+                crlNum = crlNumExt.getCrlNumber();
             } catch (IOException ex) {
                 if (debug != null) {
                     debug.println("X509CRLSelector.match: exception in "

src/java.base/share/classes/java/security/cert/X509CertSelector.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2021, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -1288,7 +1288,7 @@ public X500Principal getIssuer() {
      */
     @Deprecated(since="16")
     public String getIssuerAsString() {
-        return (issuer == null ? null : issuer.getName());
+        return issuer == null ? null : issuer.getName();
     }
 
     /**
@@ -1310,7 +1310,7 @@ public String getIssuerAsString() {
      * @throws IOException if an encoding error occurs
      */
     public byte[] getIssuerAsBytes() throws IOException {
-        return (issuer == null ? null: issuer.getEncoded());
+        return issuer == null ? null : issuer.getEncoded();
     }
 
     /**
@@ -1347,7 +1347,7 @@ public X500Principal getSubject() {
      */
     @Deprecated(since="16")
     public String getSubjectAsString() {
-        return (subject == null ? null : subject.getName());
+        return subject == null ? null : subject.getName();
     }
 
     /**
@@ -1369,7 +1369,7 @@ public String getSubjectAsString() {
      * @throws IOException if an encoding error occurs
      */
     public byte[] getSubjectAsBytes() throws IOException {
-        return (subject == null ? null : subject.getEncoded());
+        return subject == null ? null : subject.getEncoded();
     }
 
     /**
@@ -1868,7 +1868,7 @@ private static String keyUsageToString(boolean[] k) {
 
         s += "]\n";
 
-        return (s);
+        return s;
     }
 
     /**
@@ -2120,12 +2120,8 @@ private boolean matchPrivateKeyValid(X509Certificate xcert) {
         } catch (CertificateExpiredException e1) {
             if (debug != null) {
                 String time = "n/a";
-                try {
-                    Date notAfter = ext.get(PrivateKeyUsageExtension.NOT_AFTER);
-                    time = notAfter.toString();
-                } catch (CertificateException ex) {
-                    // not able to retrieve notAfter value
-                }
+                Date notAfter = ext.getNotAfter();
+                time = notAfter.toString();
                 debug.println("X509CertSelector.match: private key usage not "
                     + "within validity date; ext.NOT_After: "
                     + time + "; X509CertSelector: "
@@ -2136,12 +2132,8 @@ private boolean matchPrivateKeyValid(X509Certificate xcert) {
         } catch (CertificateNotYetValidException e2) {
             if (debug != null) {
                 String time = "n/a";
-                try {
-                    Date notBefore = ext.get(PrivateKeyUsageExtension.NOT_BEFORE);
-                    time = notBefore.toString();
-                } catch (CertificateException ex) {
-                    // not able to retrieve notBefore value
-                }
+                Date notBefore = ext.getNotBefore();
+                time = notBefore.toString();
                 debug.println("X509CertSelector.match: private key usage not "
                     + "within validity date; ext.NOT_BEFORE: "
                     + time + "; X509CertSelector: "
@@ -2227,8 +2219,7 @@ private boolean matchExtendedKeyUsage(X509Certificate xcert) {
                 (ExtendedKeyUsageExtension)getExtensionObject(xcert,
                                                 KnownOIDs.extendedKeyUsage);
             if (ext != null) {
-                Vector<ObjectIdentifier> certKeyPurposeVector =
-                    ext.get(ExtendedKeyUsageExtension.USAGES);
+                Vector<ObjectIdentifier> certKeyPurposeVector = ext.getUsages();
                 if (!certKeyPurposeVector.contains(ANY_EXTENDED_KEY_USAGE)
                         && !certKeyPurposeVector.containsAll(keyPurposeOIDSet)) {
                     if (debug != null) {
@@ -2264,8 +2255,7 @@ private boolean matchSubjectAlternativeNames(X509Certificate xcert) {
                 }
                 return false;
             }
-            GeneralNames certNames =
-                    sanExt.get(SubjectAlternativeNameExtension.SUBJECT_NAME);
+            GeneralNames certNames = sanExt.getNames();
             Iterator<GeneralNameInterface> i =
                                 subjectAlternativeGeneralNames.iterator();
             while (i.hasNext()) {
@@ -2333,7 +2323,7 @@ private boolean matchPolicy(X509Certificate xcert) {
                 }
                 return false;
             }
-            List<PolicyInformation> policies = ext.get(CertificatePoliciesExtension.POLICIES);
+            List<PolicyInformation> policies = ext.getCertPolicies();
             /*
              * Convert the Vector of PolicyInformation to a Vector
              * of CertificatePolicyIds for easier comparison.
@@ -2401,17 +2391,15 @@ private boolean matchPathToNames(X509Certificate xcert) {
                 }
             }
 
-            GeneralSubtrees permitted =
-                    ext.get(NameConstraintsExtension.PERMITTED_SUBTREES);
-            GeneralSubtrees excluded =
-                    ext.get(NameConstraintsExtension.EXCLUDED_SUBTREES);
+            GeneralSubtrees permitted = ext.getPermittedSubtrees();
+            GeneralSubtrees excluded = ext.getExcludedSubtrees();
             if (excluded != null) {
-                if (matchExcluded(excluded) == false) {
+                if (!matchExcluded(excluded)) {
                     return false;
                 }
             }
             if (permitted != null) {
-                if (matchPermitted(permitted) == false) {
+                if (!matchPermitted(permitted)) {
                     return false;
                 }
             }

src/java.base/share/classes/sun/security/pkcs/PKCS7.java

@@ -684,9 +684,7 @@ private void populateCertIssuerNames() {
                 try {
                     X509CertInfo tbsCert =
                         new X509CertInfo(cert.getTBSCertificate());
-                    certIssuerName = (Principal)
-                        tbsCert.get(X509CertInfo.ISSUER + "." +
-                                    X509CertInfo.DN_NAME);
+                    certIssuerName = tbsCert.getIssuer();
                 } catch (Exception e) {
                     // error generating X500Name object from the cert's
                     // issuer DN, leave name as is.

src/java.base/share/classes/sun/security/pkcs/PKCS9Attribute.java

@@ -617,11 +617,7 @@ public void derEncode(DerOutputStream out) throws IOException {
             {
                 DerOutputStream temp2 = new DerOutputStream();
                 CertificateExtensions exts = (CertificateExtensions)value;
-                try {
-                    exts.encode(temp2, true);
-                } catch (CertificateException ex) {
-                    throw new IOException(ex.toString());
-                }
+                exts.encode(temp2, true);
                 temp.write(DerValue.tag_Set, temp2.toByteArray());
             }
             break;
@@ -687,7 +683,7 @@ public ObjectIdentifier getOID() {
     public String getName() {
         String n = oid.toString();
         KnownOIDs os = KnownOIDs.findMatch(n);
-        return (os == null? n : os.stdName());
+        return os == null ? n : os.stdName();
     }
 
     /**

src/java.base/share/classes/sun/security/provider/certpath/AdaptableX509CertSelector.java

@@ -131,8 +131,7 @@ void setSkiAndSerialNumber(AuthorityKeyIdentifierExtension ext)
 
         if (ext != null) {
             ski = ext.getEncodedKeyIdentifier();
-            SerialNumber asn = (SerialNumber)ext.get(
-                AuthorityKeyIdentifierExtension.SERIAL_NUMBER);
+            SerialNumber asn = ext.getSerialNumber();
             if (asn != null) {
                 serial = asn.getNumber();
             }

src/java.base/share/classes/sun/security/provider/certpath/AlgorithmChecker.java

@@ -190,7 +190,7 @@ public void check(Certificate cert,
         AlgorithmId algorithmId;
         try {
             x509Cert = X509CertImpl.toImpl((X509Certificate)cert);
-            algorithmId = (AlgorithmId)x509Cert.get(X509CertImpl.SIG_ALG);
+            algorithmId = x509Cert.getSigAlg();
         } catch (CertificateException ce) {
             throw new CertPathValidatorException(ce);
         }

src/java.base/share/classes/sun/security/provider/certpath/Builder.java

@@ -204,7 +204,7 @@ static int hops(GeneralNameInterface base, GeneralNameInterface test,
             /* base is ancestor of test */
         case GeneralNameInterface.NAME_NARROWS:
             /* base is descendant of test */
-            return (test.subtreeDepth()-base.subtreeDepth());
+            return test.subtreeDepth() - base.subtreeDepth();
         default: // should never occur
             return incomparable;
         }
@@ -230,7 +230,7 @@ static int hops(GeneralNameInterface base, GeneralNameInterface test,
             int commonDistance = commonName.subtreeDepth();
             int baseDistance = baseName.subtreeDepth();
             int testDistance = testName.subtreeDepth();
-            return (baseDistance + testDistance - (2 * commonDistance));
+            return baseDistance + testDistance - (2 * commonDistance);
         }
     }
 
@@ -300,8 +300,7 @@ static int targetDistance(NameConstraintsExtension constraints,
         SubjectAlternativeNameExtension altNameExt =
             certImpl.getSubjectAlternativeNameExtension();
         if (altNameExt != null) {
-            GeneralNames altNames = altNameExt.get(
-                    SubjectAlternativeNameExtension.SUBJECT_NAME);
+            GeneralNames altNames = altNameExt.getNames();
             /* see if any alternative name matches target */
             if (altNames != null) {
                 for (int j = 0, n = altNames.size(); j < n; j++) {
@@ -337,10 +336,8 @@ static int targetDistance(NameConstraintsExtension constraints,
                 + constraints);
         }
         /* reduce permitted by excluded */
-        GeneralSubtrees permitted =
-                constraints.get(NameConstraintsExtension.PERMITTED_SUBTREES);
-        GeneralSubtrees excluded =
-                constraints.get(NameConstraintsExtension.EXCLUDED_SUBTREES);
+        GeneralSubtrees permitted = constraints.getPermittedSubtrees();
+        GeneralSubtrees excluded = constraints.getExcludedSubtrees();
         if (permitted != null) {
             permitted.reduce(excluded);
         }
@@ -362,7 +359,7 @@ static int targetDistance(NameConstraintsExtension constraints,
             GeneralNameInterface perName = permitted.get(i).getName().getName();
             int distance = distance(perName, target, -1);
             if (distance >= 0) {
-                return (distance + 1);
+                return distance + 1;
             }
         }
         /* no matching type in permitted; cert holder could certify target */

src/java.base/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java

@@ -102,7 +102,7 @@ public static Collection<X509CRL> getCRLs(X509CRLSelector selector,
                 return Collections.emptySet();
             }
             List<DistributionPoint> points =
-                    ext.get(CRLDistributionPointsExtension.POINTS);
+                    ext.getDistributionPoints();
             Set<X509CRL> results = new HashSet<>();
             for (Iterator<DistributionPoint> t = points.iterator();
                  t.hasNext() && !Arrays.equals(reasonsMask, ALL_REASONS); ) {
@@ -116,7 +116,7 @@ public static Collection<X509CRL> getCRLs(X509CRLSelector selector,
                 debug.println("Returning " + results.size() + " CRLs");
             }
             return results;
-        } catch (CertificateException | IOException e) {
+        } catch (CertificateException e) {
             return Collections.emptySet();
         }
     }
@@ -333,9 +333,7 @@ static boolean verifyCRL(X509CertImpl certImpl, DistributionPoint point,
         GeneralNames pointCrlIssuers = point.getCRLIssuer();
         X500Name pointCrlIssuer = null;
         if (pointCrlIssuers != null) {
-            if (idpExt == null ||
-                    idpExt.get(IssuingDistributionPointExtension.INDIRECT_CRL)
-                    == Boolean.FALSE) {
+            if (idpExt == null || !idpExt.isIndirectCRL()) {
                 return false;
             }
             boolean match = false;
@@ -398,8 +396,7 @@ static boolean verifyCRL(X509CertImpl certImpl, DistributionPoint point,
         }
 
         if (idpExt != null) {
-            DistributionPointName idpPoint = (DistributionPointName)
-                idpExt.get(IssuingDistributionPointExtension.POINT);
+            DistributionPointName idpPoint = idpExt.getDistributionPoint();
             if (idpPoint != null) {
                 GeneralNames idpNames = idpPoint.getFullName();
                 if (idpNames == null) {
@@ -495,9 +492,8 @@ static boolean verifyCRL(X509CertImpl certImpl, DistributionPoint point,
 
             // if the onlyContainsUserCerts boolean is asserted, verify that the
             // cert is not a CA cert
-            Boolean b = (Boolean)
-                idpExt.get(IssuingDistributionPointExtension.ONLY_USER_CERTS);
-            if (b.equals(Boolean.TRUE) && certImpl.getBasicConstraints() != -1) {
+            boolean b = idpExt.hasOnlyUserCerts();
+            if (b && certImpl.getBasicConstraints() != -1) {
                 if (debug != null) {
                     debug.println("cert must be a EE cert");
                 }
@@ -506,9 +502,8 @@ static boolean verifyCRL(X509CertImpl certImpl, DistributionPoint point,
 
             // if the onlyContainsCACerts boolean is asserted, verify that the
             // cert is a CA cert
-            b = (Boolean)
-                idpExt.get(IssuingDistributionPointExtension.ONLY_CA_CERTS);
-            if (b.equals(Boolean.TRUE) && certImpl.getBasicConstraints() == -1) {
+            b = idpExt.hasOnlyCACerts();
+            if (b && certImpl.getBasicConstraints() == -1) {
                 if (debug != null) {
                     debug.println("cert must be a CA cert");
                 }
@@ -517,9 +512,8 @@ static boolean verifyCRL(X509CertImpl certImpl, DistributionPoint point,
 
             // verify that the onlyContainsAttributeCerts boolean is not
             // asserted
-            b = (Boolean) idpExt.get
-                (IssuingDistributionPointExtension.ONLY_ATTRIBUTE_CERTS);
-            if (b.equals(Boolean.TRUE)) {
+            b = idpExt.hasOnlyAttributeCerts();
+            if (b) {
                 if (debug != null) {
                     debug.println("cert must not be an AA cert");
                 }
@@ -531,8 +525,7 @@ static boolean verifyCRL(X509CertImpl certImpl, DistributionPoint point,
         boolean[] interimReasonsMask = new boolean[9];
         ReasonFlags reasons = null;
         if (idpExt != null) {
-            reasons = (ReasonFlags)
-                idpExt.get(IssuingDistributionPointExtension.REASONS);
+            reasons = idpExt.getRevocationReasons();
         }
 
         boolean[] pointReasonFlags = point.getReasonFlags();
@@ -603,8 +596,7 @@ static boolean verifyCRL(X509CertImpl certImpl, DistributionPoint point,
                     certSel.setSubjectKeyIdentifier(kid);
                 }
 
-                SerialNumber asn = (SerialNumber)akidext.get(
-                        AuthorityKeyIdentifierExtension.SERIAL_NUMBER);
+                SerialNumber asn = akidext.getSerialNumber();
                 if (asn != null) {
                     certSel.setSerialNumber(asn.getNumber());
                 }

src/java.base/share/classes/sun/security/provider/certpath/ForwardState.java

@@ -187,27 +187,17 @@ public void updateState(X509Certificate cert)
 
         /* update subjectNamesTraversed only if this is the EE cert or if
            this cert is not self-issued */
-        if (init || !X509CertImpl.isSelfIssued(cert)){
+        if (init || !X509CertImpl.isSelfIssued(cert)) {
             X500Principal subjName = cert.getSubjectX500Principal();
             subjectNamesTraversed.add(X500Name.asX500Name(subjName));
 
-            try {
-                SubjectAlternativeNameExtension subjAltNameExt
+            SubjectAlternativeNameExtension subjAltNameExt
                     = icert.getSubjectAlternativeNameExtension();
-                if (subjAltNameExt != null) {
-                    GeneralNames gNames = subjAltNameExt.get(
-                            SubjectAlternativeNameExtension.SUBJECT_NAME);
-                    for (GeneralName gName : gNames.names()) {
-                        subjectNamesTraversed.add(gName.getName());
-                    }
+            if (subjAltNameExt != null) {
+                GeneralNames gNames = subjAltNameExt.getNames();
+                for (GeneralName gName : gNames.names()) {
+                    subjectNamesTraversed.add(gName.getName());
                 }
-            } catch (IOException e) {
-                if (debug != null) {
-                    debug.println("ForwardState.updateState() unexpected "
-                        + "exception");
-                    e.printStackTrace();
-                }
-                throw new CertPathValidatorException(e);
             }
         }