Mercurial > hg > release > icedtea7-forest-2.5 > jdk

changeset 8224:7624485c3a56

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
8073894: Getting to the root of certificate chains Reviewed-by: weijun, igerasim, ahgross
author mullan
date Mon, 06 Jul 2015 11:59:55 +0100
parents f065d104df2d
children 0388dbd77c6b
files src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java src/share/classes/sun/security/validator/SimpleValidator.java
diffstat 2 files changed, 19 insertions(+), 3 deletions(-) [+]
line wrap: on
line diff
--- a/src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java	Mon Jul 20 00:22:59 2015 +0100
+++ b/src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java	Mon Jul 06 11:59:55 2015 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -311,6 +311,12 @@
                               pkixParam.getPolicyQualifiersRejected(),
                               rootNode);
         UntrustedChecker untrustedChecker = new UntrustedChecker();
+        // check if anchor is untrusted
+        X509Certificate anchorCert = anchor.getTrustedCert();
+        if (anchorCert != null) {
+            untrustedChecker.check(anchorCert,
+                                   Collections.<String>emptySet());
+        }
 
         ArrayList<PKIXCertPathChecker> certPathCheckers =
             new ArrayList<PKIXCertPathChecker>();
--- a/src/share/classes/sun/security/validator/SimpleValidator.java	Mon Jul 20 00:22:59 2015 +0100
+++ b/src/share/classes/sun/security/validator/SimpleValidator.java	Mon Jul 06 11:59:55 2015 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -141,8 +141,18 @@
         // create distrusted certificates checker
         UntrustedChecker untrustedChecker = new UntrustedChecker();
 
+        // check if anchor is untrusted
+        X509Certificate anchorCert = chain[chain.length - 1];
+        try {
+            untrustedChecker.check(anchorCert, Collections.<String>emptySet());
+        } catch (CertPathValidatorException cpve) {
+            throw new ValidatorException(
+                "Untrusted certificate: "+ anchorCert.getSubjectX500Principal(),
+                ValidatorException.T_UNTRUSTED_CERT, anchorCert, cpve);
+        }
+
         // create default algorithm constraints checker
-        TrustAnchor anchor = new TrustAnchor(chain[chain.length - 1], null);
+        TrustAnchor anchor = new TrustAnchor(anchorCert, null);
         AlgorithmChecker defaultAlgChecker = new AlgorithmChecker(anchor);
 
         // create application level algorithm constraints checker