jdk/src/share/classes/sun/security/validator/PKIXValidator.java
changeset 4326 6874332ce959
parent 2926 6fbaec35c792
child 5506 202f599c92aa
child 5613 1146efa21514
--- a/jdk/src/share/classes/sun/security/validator/PKIXValidator.java	Fri Nov 20 14:50:55 2009 +0100
+++ b/jdk/src/share/classes/sun/security/validator/PKIXValidator.java	Mon Nov 23 12:36:54 2009 -0500
@@ -150,9 +150,17 @@
                 ("null or zero-length certificate chain");
         }
         if (TRY_VALIDATOR) {
-            // check if chain contains trust anchor
+            // check that chain is in correct order and check if chain contains
+            // trust anchor
+            X500Principal prevIssuer = null;
             for (int i = 0; i < chain.length; i++) {
-                if (trustedCerts.contains(chain[i])) {
+                X509Certificate cert = chain[i];
+                if (i != 0 &&
+                    !cert.getSubjectX500Principal().equals(prevIssuer)) {
+                    // chain is not ordered correctly, call builder instead
+                    return doBuild(chain, otherCerts);
+                }
+                if (trustedCerts.contains(cert)) {
                     if (i == 0) {
                         return new X509Certificate[] {chain[0]};
                     }
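Review bot: The ordering test added at the top of the loop compares distinguished names only (`cert.getSubjectX500Principal().equals(prevIssuer)`), so passing it shows that the names chain, not that each certificate was signed by the next one. The comment above the loop says "check that chain is in correct order", which a later reader could take as a stronger guarantee than the code gives. I would add `// name chaining only; signatures and validity are checked by doValidate()/doBuild()` above the `if (i != 0 && ...)` test. That split of responsibility is inferred from the method names, since neither body is visible here, and the enclosing method starts and ends outside the hunk. As a smaller style point, `return new X509Certificate[] {chain[0]};` could use the new `cert` local, as the `trustedCerts.contains(cert)` line already does.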
@@ -161,6 +169,7 @@
                     System.arraycopy(chain, 0, newChain, 0, i);
                     return doValidate(newChain);
                 }
+                prevIssuer = cert.getIssuerX500Principal();
             }
 
             // apparently issued by trust anchor?
@@ -303,5 +312,4 @@
                 ("PKIX path building failed: " + e.toString(), e);
         }
     }
-
 }