Mercurial > hg > release > icedtea7-forest-2.5 > jdk
changeset 8224:7624485c3a56
8073894: Getting to the root of certificate chains
Reviewed-by: weijun, igerasim, ahgross
author | mullan |
---|---|
date | Mon, 06 Jul 2015 11:59:55 +0100 |
parents | f065d104df2d |
children | 0388dbd77c6b |
files | src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java src/share/classes/sun/security/validator/SimpleValidator.java |
diffstat | 2 files changed, 19 insertions(+), 3 deletions(-) [+] |
line wrap: on
line diff
--- a/src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java Mon Jul 20 00:22:59 2015 +0100 +++ b/src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java Mon Jul 06 11:59:55 2015 +0100 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -311,6 +311,12 @@ pkixParam.getPolicyQualifiersRejected(), rootNode); UntrustedChecker untrustedChecker = new UntrustedChecker(); + // check if anchor is untrusted + X509Certificate anchorCert = anchor.getTrustedCert(); + if (anchorCert != null) { + untrustedChecker.check(anchorCert, + Collections.<String>emptySet()); + } ArrayList<PKIXCertPathChecker> certPathCheckers = new ArrayList<PKIXCertPathChecker>();
--- a/src/share/classes/sun/security/validator/SimpleValidator.java Mon Jul 20 00:22:59 2015 +0100 +++ b/src/share/classes/sun/security/validator/SimpleValidator.java Mon Jul 06 11:59:55 2015 +0100 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2002, 2012, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -141,8 +141,18 @@ // create distrusted certificates checker UntrustedChecker untrustedChecker = new UntrustedChecker(); + // check if anchor is untrusted + X509Certificate anchorCert = chain[chain.length - 1]; + try { + untrustedChecker.check(anchorCert, Collections.<String>emptySet()); + } catch (CertPathValidatorException cpve) { + throw new ValidatorException( + "Untrusted certificate: "+ anchorCert.getSubjectX500Principal(), + ValidatorException.T_UNTRUSTED_CERT, anchorCert, cpve); + } + // create default algorithm constraints checker - TrustAnchor anchor = new TrustAnchor(chain[chain.length - 1], null); + TrustAnchor anchor = new TrustAnchor(anchorCert, null); AlgorithmChecker defaultAlgChecker = new AlgorithmChecker(anchor); // create application level algorithm constraints checker