--- a/jdk/src/java.base/share/classes/sun/security/provider/certpath/RevocationChecker.java Mon Jun 29 11:44:53 2015 +0100
+++ b/jdk/src/java.base/share/classes/sun/security/provider/certpath/RevocationChecker.java Tue Jun 30 14:22:31 2015 -0700
@@ -1068,20 +1068,17 @@
boolean signFlag = true;
List<? extends Certificate> cpList =
cpbr.getCertPath().getCertificates();
- if (cpList.isEmpty()) {
- return;
- }
try {
- for (int i = cpList.size()-1; i >= 0; i-- ) {
- X509Certificate cert = (X509Certificate)cpList.get(i);
+ for (int i = cpList.size() - 1; i >= 0; i--) {
+ X509Certificate cert = (X509Certificate) cpList.get(i);
if (debug != null) {
debug.println("RevocationChecker.buildToNewKey()"
- + " index " + i + " checking "
- + cert);
+ + " index " + i + " checking "
+ + cert);
}
checkCRLs(cert, prevKey2, null, signFlag, true,
- stackedCerts, newAnchors);
+ stackedCerts, newAnchors);
signFlag = certCanSignCrl(cert);
prevKey2 = cert.getPublicKey();
}
@@ -1100,8 +1097,10 @@
// If it doesn't check out, try to find a different key.
// And if we can't find a key, then return false.
PublicKey newKey = cpbr.getPublicKey();
+ X509Certificate newCert = cpList.isEmpty() ?
+ null : (X509Certificate) cpList.get(0);
try {
- checkCRLs(currCert, newKey, (X509Certificate) cpList.get(0),
+ checkCRLs(currCert, newKey, newCert,
true, false, null, params.trustAnchors());
// If that passed, the cert is OK!
return;