6899503: Security code issue using Verisign root certificate
authormullan
Mon, 23 Nov 2009 12:36:54 -0500
changeset 4326 6874332ce959
parent 4324 5fd48b8b450b
child 4327 7c352d15334c
6899503: Security code issue using Verisign root certificate Summary: Add support for reordering out-of-order certificate chains Reviewed-by: vinnie, xuelei
jdk/src/share/classes/sun/security/validator/PKIXValidator.java
--- a/jdk/src/share/classes/sun/security/validator/PKIXValidator.java	Fri Nov 20 14:50:55 2009 +0100
+++ b/jdk/src/share/classes/sun/security/validator/PKIXValidator.java	Mon Nov 23 12:36:54 2009 -0500
@@ -150,9 +150,17 @@
                 ("null or zero-length certificate chain");
         }
         if (TRY_VALIDATOR) {
-            // check if chain contains trust anchor
+            // check that chain is in correct order and check if chain contains
+            // trust anchor
+            X500Principal prevIssuer = null;
             for (int i = 0; i < chain.length; i++) {
-                if (trustedCerts.contains(chain[i])) {
+                X509Certificate cert = chain[i];
+                if (i != 0 &&
+                    !cert.getSubjectX500Principal().equals(prevIssuer)) {
+                    // chain is not ordered correctly, call builder instead
+                    return doBuild(chain, otherCerts);
+                }
+                if (trustedCerts.contains(cert)) {
                     if (i == 0) {
                         return new X509Certificate[] {chain[0]};
                     }
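Review bot: The new ordering check at L22-L23 compares distinguished names only, so a chain whose subject/issuer names link up but whose signatures do not still takes the fast `doValidate` path rather than `doBuild`; that is fine only if `doValidate` verifies every signature in the chain, which presumably it does but is not visible here. I would state this in the comment at L16-L17 so nobody later reads the name comparison as a verification step: `// name chaining is only an ordering heuristic; doValidate/doBuild verify signatures`. As a point of style, `prevIssuer != null && !cert.getSubjectX500Principal().equals(prevIssuer)` expresses the same condition without coupling the check to the loop index, and the `prevIssuer` update in the next hunk (L35) is the only place the state advances. The enclosing method and loop start before this hunk and continue past it.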
@@ -161,6 +169,7 @@
                     System.arraycopy(chain, 0, newChain, 0, i);
                     return doValidate(newChain);
                 }
+                prevIssuer = cert.getIssuerX500Principal();
             }
 
             // apparently issued by trust anchor?
@@ -303,5 +312,4 @@
                 ("PKIX path building failed: " + e.toString(), e);
         }
     }
-
 }