# HG changeset patch
# User mullan
# Date 1436180395 -3600
# Node ID 7624485c3a561419df34b774fd0c119beaa21199
# Parent f065d104df2d7b2940f83ee45beb7821f409e60a
8073894: Getting to the root of certificate chains
Reviewed-by: weijun, igerasim, ahgross
diff -r f065d104df2d -r 7624485c3a56 src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java
--- a/src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java Mon Jul 20 00:22:59 2015 +0100
+++ b/src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java Mon Jul 06 11:59:55 2015 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -311,6 +311,12 @@
 pkixParam.getPolicyQualifiersRejected(), rootNode);
 UntrustedChecker untrustedChecker = new UntrustedChecker();
+ // check if anchor is untrusted
+ X509Certificate anchorCert = anchor.getTrustedCert();
+ if (anchorCert != null) {
+ untrustedChecker.check(anchorCert,
+ Collections.emptySet());
+ }
 ArrayList certPathCheckers = new ArrayList();
diff -r f065d104df2d -r 7624485c3a56 src/share/classes/sun/security/validator/SimpleValidator.java
--- a/src/share/classes/sun/security/validator/SimpleValidator.java Mon Jul 20 00:22:59 2015 +0100
+++ b/src/share/classes/sun/security/validator/SimpleValidator.java Mon Jul 06 11:59:55 2015 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
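Review bot: The new anchor check silently skips trust anchors that were supplied as a subject name plus public key, because `anchor.getTrustedCert()` returns null for those and the `if` simply falls through, so a reader could take the check as covering every anchor. The anchor is not an element of the CertPath, which is presumably why the UntrustedChecker registered in `certPathCheckers` below never sees it and an explicit call is needed; the comment should record both facts: `// The anchor is not part of the CertPath, so the UntrustedChecker registered below never sees it; check it here. An anchor given as name+key (no certificate) cannot be matched against the distrust list and is not checked.` Whether `UntrustedChecker.check` may be invoked before the checker is initialised by the path-validation loop is not visible in this hunk and should be confirmed. The enclosing method starts before and continues after the hunk.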
@@ -141,8 +141,18 @@
 // create distrusted certificates checker
 UntrustedChecker untrustedChecker = new UntrustedChecker();
+ // check if anchor is untrusted
+ X509Certificate anchorCert = chain[chain.length - 1];
+ try {
+ untrustedChecker.check(anchorCert, Collections.emptySet());
+ } catch (CertPathValidatorException cpve) {
+ throw new ValidatorException(
+ "Untrusted certificate: "+ anchorCert.getSubjectX500Principal(),
+ ValidatorException.T_UNTRUSTED_CERT, anchorCert, cpve);
+ }
+
+ // create default algorithm constraints checker
- TrustAnchor anchor = new TrustAnchor(chain[chain.length - 1], null);
+ TrustAnchor anchor = new TrustAnchor(anchorCert, null);
 AlgorithmChecker defaultAlgChecker = new AlgorithmChecker(anchor);
 // create application level algorithm constraints checker
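Review bot: The new `chain[chain.length - 1]` access relies on `chain` being non-empty, and any guard that establishes that is outside this hunk; on an empty array it would fail with an ArrayIndexOutOfBoundsException instead of a ValidatorException, so the precondition deserves a one-line comment or an explicit check next to the access. The security reason for the block is also worth stating, since the same certificate is then wrapped as the TrustAnchor two lines later: `// The last cert becomes the trust anchor; refuse it if it is on the distrust list before trusting anything chained to it.` Whether the per-certificate loop elsewhere in this method already runs `untrustedChecker` over the last element, which would make this redundant but harmless, is not visible here. The enclosing method starts before and ends after the hunk.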