changeset 2941:af92a83128fe
6847459: Allow trust anchor self-issued intermediate version 1 and version 2 certificate
Reviewed-by: weijun
author | xuelei |
date | Thu, 04 Jun 2009 11:28:03 +0800 |
parents | c6fe11c24d43 |
children | 37d9baeb7518 |
files | jdk/src/share/classes/sun/security/provider/certpath/ConstraintsChecker.java |
diffstat | 1 files changed, 26 insertions(+), 3 deletions(-) [+] |
--- a/jdk/src/share/classes/sun/security/provider/certpath/ConstraintsChecker.java	Fri May 29 16:34:49 2009 -0700
+++ b/jdk/src/share/classes/sun/security/provider/certpath/ConstraintsChecker.java	Thu Jun 04 11:28:03 2009 +0800
@@ -228,11 +228,34 @@
 
         /* check if intermediate cert */
         if (i < certPathLength) {
-            int pathLenConstraint = currCert.getBasicConstraints();
+            // RFC5280: If certificate i is a version 3 certificate, verify
+            // that the basicConstraints extension is present and that cA is
+            // set to TRUE. (If certificate i is a version 1 or version 2
+            // certificate, then the application MUST either verify that
+            // certificate i is a CA certificate through out-of-band means
+            // or reject the certificate. Conforming implementations may
+            // choose to reject all version 1 and version 2 intermediate
+            // certificates.)
+            //
+            // We choose to reject all version 1 and version 2 intermediate
+            // certificates except that it is self issued by the trust
+            // anchor in order to support key rollover or changes in
+            // certificate policies.
+            int pathLenConstraint = -1;
+            if (currCert.getVersion() < 3) { // version 1 or version 2
+                if (i == 1) { // issued by a trust anchor
+                    if (X509CertImpl.isSelfIssued(currCert)) {
+                        pathLenConstraint = Integer.MAX_VALUE;
+                    }
+                }
+            } else {
+                pathLenConstraint = currCert.getBasicConstraints();
+            }
+
             if (pathLenConstraint == -1) {
                 throw new CertPathValidatorException
-                    (msg + " check failed: this is not a CA certificate", null,
-                    null, -1, PKIXReason.NOT_CA_CERT);
+                    (msg + " check failed: this is not a CA certificate",
+                    null, null, -1, PKIXReason.NOT_CA_CERT);
             }
 
             if (!X509CertImpl.isSelfIssued(currCert)) {
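Review bot: The three nested ifs that lead to `pathLenConstraint = Integer.MAX_VALUE;` read more clearly as one condition, and the sentinel value deserves its own comment: `if (currCert.getVersion() < 3 && i == 1 && X509CertImpl.isSelfIssued(currCert)) {` followed by `pathLenConstraint = Integer.MAX_VALUE; // v1/v2 cert carries no basicConstraints; impose no path length limit`. The `i == 1` test stands in for "issued by a trust anchor", which presumably holds only because the caller numbers path certificates from 1 with the anchor at position 0; since the hunk does not show that convention, the comment should state it rather than leave it implied. Worth noting in the same comment that a version 1 or 2 certificate cannot carry basicConstraints or keyUsage at all, so this exemption rests entirely on subject/issuer equality plus whatever signature verification happens elsewhere. The enclosing method begins and ends outside the hunk.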