8073894: Getting to the root of certificate chains
Reviewed-by: weijun, igerasim, ahgross
--- a/jdk/src/java.base/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java Wed Feb 04 11:13:14 2015 +0000
+++ b/jdk/src/java.base/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java Mon Mar 02 08:52:08 2015 -0500
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -159,12 +159,19 @@
ValidatorParams params)
throws CertPathValidatorException
{
+ // check if anchor is untrusted
+ UntrustedChecker untrustedChecker = new UntrustedChecker();
+ X509Certificate anchorCert = anchor.getTrustedCert();
+ if (anchorCert != null) {
+ untrustedChecker.check(anchorCert);
+ }
+
int certPathLen = params.certificates().size();
// create PKIXCertPathCheckers
List<PKIXCertPathChecker> certPathCheckers = new ArrayList<>();
// add standard checkers that we will be using
- certPathCheckers.add(new UntrustedChecker());
+ certPathCheckers.add(untrustedChecker);
certPathCheckers.add(new AlgorithmChecker(anchor));
certPathCheckers.add(new KeyChecker(certPathLen,
params.targetCertConstraints()));
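Review bot: When `anchor.getTrustedCert()` returns null the new check is skipped without comment, so a trust anchor supplied as a CA name plus public key is never compared against the untrusted set. That may be unavoidable if UntrustedChecker can only match whole certificates, but the limitation should be stated at the branch, for example `// anchors given as name + public key carry no certificate and are not screened here`. The exception from `untrustedChecker.check(anchorCert)` also propagates as is, presumably without a cert path or index attached, unlike failures raised for path certificates further down, so it is worth confirming that callers report it sensibly. The method body starts and continues outside this hunk.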
--- a/jdk/src/java.base/share/classes/sun/security/validator/SimpleValidator.java Wed Feb 04 11:13:14 2015 +0000
+++ b/jdk/src/java.base/share/classes/sun/security/validator/SimpleValidator.java Mon Mar 02 08:52:08 2015 -0500
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2002, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -141,8 +141,18 @@
// create distrusted certificates checker
UntrustedChecker untrustedChecker = new UntrustedChecker();
+ // check if anchor is untrusted
+ X509Certificate anchorCert = chain[chain.length - 1];
+ try {
+ untrustedChecker.check(anchorCert);
+ } catch (CertPathValidatorException cpve) {
+ throw new ValidatorException(
+ "Untrusted certificate: "+ anchorCert.getSubjectX500Principal(),
+ ValidatorException.T_UNTRUSTED_CERT, anchorCert, cpve);
+ }
+
// create default algorithm constraints checker
- TrustAnchor anchor = new TrustAnchor(chain[chain.length - 1], null);
+ TrustAnchor anchor = new TrustAnchor(anchorCert, null);
AlgorithmChecker defaultAlgChecker = new AlgorithmChecker(anchor);
// create application level algorithm constraints checker
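Review bot: The comment `// check if anchor is untrusted` does not say why the last chain element needs its own check ahead of the checkers set up below. If the per-certificate loop outside this hunk never visits the anchor, say so, e.g. `// the anchor is not covered by the per-certificate checks below, so screen it here`. The indexing `chain[chain.length - 1]` relies on a non-empty chain, which would have to be guaranteed earlier in the method because nothing in the hunk checks it. Minor style: `"Untrusted certificate: "+ anchorCert.getSubjectX500Principal()` is missing a space before the `+`.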