# HG changeset patch # User mullan # Date 1258997814 18000 # Node ID 6874332ce9591eff73250dc7958f510e7a2f993d # Parent 5fd48b8b450be8e00d438a8b3c16a664577f9841 6899503: Security code issue using Verisign root certificate Summary: Add support for reordering out-of-order certificate chains Reviewed-by: vinnie, xuelei diff -r 5fd48b8b450b -r 6874332ce959 jdk/src/share/classes/sun/security/validator/PKIXValidator.java --- a/jdk/src/share/classes/sun/security/validator/PKIXValidator.java Fri Nov 20 14:50:55 2009 +0100 +++ b/jdk/src/share/classes/sun/security/validator/PKIXValidator.java Mon Nov 23 12:36:54 2009 -0500 @@ -150,9 +150,17 @@ ("null or zero-length certificate chain"); } if (TRY_VALIDATOR) { - // check if chain contains trust anchor + // check that chain is in correct order and check if chain contains + // trust anchor + X500Principal prevIssuer = null; for (int i = 0; i < chain.length; i++) { - if (trustedCerts.contains(chain[i])) { + X509Certificate cert = chain[i]; + if (i != 0 && + !cert.getSubjectX500Principal().equals(prevIssuer)) { + // chain is not ordered correctly, call builder instead + return doBuild(chain, otherCerts); + } + if (trustedCerts.contains(cert)) { if (i == 0) { return new X509Certificate[] {chain[0]}; } @@ -161,6 +169,7 @@ System.arraycopy(chain, 0, newChain, 0, i); return doValidate(newChain); } + prevIssuer = cert.getIssuerX500Principal(); } // apparently issued by trust anchor? @@ -303,5 +312,4 @@ ("PKIX path building failed: " + e.toString(), e); } } - }
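Review bot: in the first hunk (`@@ -150,9 +150,17 @@`), the early `return doBuild(chain, otherCerts);` reads, from this method alone, as if validation of a misordered chain were being skipped, since it leaves the loop before the `trustedCerts.contains(cert)` test and the `doValidate(newChain)` path; the comment `// chain is not ordered correctly, call builder instead` should say that the builder path performs the full PKIX validation itself, so the reader knows no check is lost on that return. Also worth a comment that the order test compares subject and issuer names only (`cert.getSubjectX500Principal().equals(prevIssuer)`), i.e. it is a name-chaining heuristic for ordering and not a signature check, which the validator still does.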
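Review bot: in the second hunk (`@@ -161,6 +169,7 @@`), `prevIssuer = cert.getIssuerX500Principal();` is placed after the `if (trustedCerts.contains(cert)) { ... return doValidate(newChain); }` block, so it is only reached for certificates that are not trust anchors, which is correct for the next iteration's comparison; a one-line comment stating that it feeds the order check in the next iteration would make the relationship to the first hunk clear, since the assignment and the comparison are separated by the whole loop body.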