src/java.base/share/classes/sun/security/validator/CADistrustPolicy.java
changeset 53428 f443de1cee05
parent 52948 04c9b7111aac
--- a/src/java.base/share/classes/sun/security/validator/CADistrustPolicy.java	Tue Jan 22 10:25:22 2019 +0800
+++ b/src/java.base/share/classes/sun/security/validator/CADistrustPolicy.java	Tue Jan 22 09:27:19 2019 -0500
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -39,17 +39,19 @@
 enum CADistrustPolicy {
     /**
      * Distrust TLS Server certificates anchored by a Symantec root CA and
-     * issued after April 16, 2019. If enabled, this policy is currently
-     * enforced by the PKIX and SunX509 TrustManager implementations of the
-     * SunJSSE provider implementation.
+     * issued after April 16, 2019 (with exceptions for a couple of subordinate
+     * CAs, see the jdk.security.caDistrustPolicies definition in the
+     * java.security file for more details). If enabled, this policy is
+     * currently enforced by the PKIX and SunX509 TrustManager implementations
+     * of the SunJSSE provider implementation.
      */
     SYMANTEC_TLS {
-        void checkDistrust(String variant, X509Certificate anchor,
-                           X509Certificate ee) throws ValidatorException {
+        void checkDistrust(String variant, X509Certificate[] chain)
+                           throws ValidatorException {
             if (!variant.equals(Validator.VAR_TLS_SERVER)) {
                 return;
             }
-            SymantecTLSPolicy.checkDistrust(anchor, ee);
+            SymantecTLSPolicy.checkDistrust(chain);
         }
     };
 
@@ -57,13 +59,13 @@
      * Checks if the end-entity certificate is distrusted.
      *
      * @param variant the type of certificate being checked
-     * @param anchor the trust anchor certificate
-     * @param ee the end-entity certificate to check
+     * @param chain the end-entity's certificate chain. The end entity cert
+     *              is at index 0, the trust anchor at index n-1.
      * @throws ValidatorException if the end-entity certificate is distrusted
      */
     abstract void checkDistrust(String variant,
-                                X509Certificate anchor,
-                                X509Certificate ee) throws ValidatorException;
+                                X509Certificate[] chain)
+                                throws ValidatorException;
 
     // The policies set in the jdk.security.caDistrustPolicies property.
     static final EnumSet<CADistrustPolicy> POLICIES = parseProperty();
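Review bot: The new `@param chain` Javadoc fixes the layout (end entity at index 0, anchor at index n-1) but states no precondition for an empty chain or for a chain whose caller did not append the trust anchor, and the `SYMANTEC_TLS` override in the previous hunk passes `chain` straight to `SymantecTLSPolicy.checkDistrust(chain)` without checking either, so whether a too-short chain is rejected or silently treated as not distrusted depends on code outside this diff. Since a chain that omits the anchor would make the policy test an intermediate in the anchor's place, the contract is worth stating on the abstract method, e.g. after the existing `@param chain` text: `Must be non-empty and must include the trust anchor as its last element; callers that obtain the anchor separately must append it before calling.` If `SymantecTLSPolicy.checkDistrust` already validates the length, a one-line `@implNote` pointing to it would do instead.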