changeset 10946:89275e32e407
8073894: Getting to the root of certificate chains
Reviewed-by: weijun, igerasim, ahgross
author | mullan |
---|---|
date | Mon, 02 Mar 2015 11:43:56 -0500 |
parents | 775f184962e2 |
children | cc75137936f9 |
files | src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java src/share/classes/sun/security/validator/SimpleValidator.java |
diffstat | 2 files changed, 21 insertions(+), 4 deletions(-) [+] |
--- a/src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java Mon Apr 13 22:36:04 2015 -0700 +++ b/src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java Mon Mar 02 11:43:56 2015 -0500 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -159,12 +159,19 @@ ValidatorParams params) throws CertPathValidatorException { + // check if anchor is untrusted + UntrustedChecker untrustedChecker = new UntrustedChecker(); + X509Certificate anchorCert = anchor.getTrustedCert(); + if (anchorCert != null) { + untrustedChecker.check(anchorCert); + } + int certPathLen = params.certificates().size(); // create PKIXCertPathCheckers List<PKIXCertPathChecker> certPathCheckers = new ArrayList<>(); // add standard checkers that we will be using - certPathCheckers.add(new UntrustedChecker()); + certPathCheckers.add(untrustedChecker); certPathCheckers.add(new AlgorithmChecker(anchor)); certPathCheckers.add(new KeyChecker(certPathLen, params.targetCertConstraints()));
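Review bot: In the second hunk of PKIXCertPathValidator.java the distrust check on the trust anchor runs only when `anchor.getTrustedCert()` is non-null, so an anchor supplied as a CA name plus public key is never compared against the distrust list, and nothing in the code says this is intended. I would add a comment above the `if`, for example `// anchors given as name + public key carry no certificate, so the distrust list cannot be applied to them`. The same `untrustedChecker` instance is also called directly here and only afterwards added to `certPathCheckers`, so `check()` runs before any `init()` the validator may perform; that is safe only if `UntrustedChecker.check` keeps no per-path state, which is not visible in this hunk and is worth confirming. The enclosing method starts and ends outside the hunk.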
--- a/src/share/classes/sun/security/validator/SimpleValidator.java Mon Apr 13 22:36:04 2015 -0700 +++ b/src/share/classes/sun/security/validator/SimpleValidator.java Mon Mar 02 11:43:56 2015 -0500 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2002, 2012, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -141,8 +141,18 @@ // create distrusted certificates checker UntrustedChecker untrustedChecker = new UntrustedChecker(); + // check if anchor is untrusted + X509Certificate anchorCert = chain[chain.length - 1]; + try { + untrustedChecker.check(anchorCert); + } catch (CertPathValidatorException cpve) { + throw new ValidatorException( + "Untrusted certificate: "+ anchorCert.getSubjectX500Principal(), + ValidatorException.T_UNTRUSTED_CERT, anchorCert, cpve); + } + // create default algorithm constraints checker - TrustAnchor anchor = new TrustAnchor(chain[chain.length - 1], null); + TrustAnchor anchor = new TrustAnchor(anchorCert, null); AlgorithmChecker defaultAlgChecker = new AlgorithmChecker(anchor); // create application level algorithm constraints checker
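Review bot: The anchor check added in the second hunk of SimpleValidator.java carries only the comment `// check if anchor is untrusted`, which does not say why the anchor needs a check of its own; presumably the per-certificate loop later in the method (outside this hunk) never visits `chain[chain.length - 1]`. Saying so, e.g. `// the chain loop below does not cover the anchor, so check it against the distrust list here`, would keep a later refactor from dropping the check. The message concatenation is spaced unevenly and reads better as `"Untrusted certificate: " + anchorCert.getSubjectX500Principal(),`. This path reports the failure as a `ValidatorException` with `T_UNTRUSTED_CERT`, the certificate and the cause attached, while the PKIX change in the other file lets the `CertPathValidatorException` from `untrustedChecker.check` propagate as is, so it is worth confirming that callers of both validators end up treating a distrusted anchor the same way.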