changeset 1331:045743e0eb2d

6847459: Allow trust anchor self-issued intermediate version 1 and version 2 certificate Reviewed-by: weijun
author xuelei
date Thu, 04 Jun 2009 11:28:03 +0800
parents d26c268597ed
children 8f405b65ddac
files src/share/classes/sun/security/provider/certpath/ConstraintsChecker.java
diffstat 1 files changed, 26 insertions(+), 3 deletions(-) [+]
line wrap: on
line diff
--- a/src/share/classes/sun/security/provider/certpath/ConstraintsChecker.java	Fri May 29 16:34:49 2009 -0700
+++ b/src/share/classes/sun/security/provider/certpath/ConstraintsChecker.java	Thu Jun 04 11:28:03 2009 +0800
@@ -228,11 +228,34 @@
 
         /* check if intermediate cert */
         if (i < certPathLength) {
-            int pathLenConstraint = currCert.getBasicConstraints();
+            // RFC5280: If certificate i is a version 3 certificate, verify
+            // that the basicConstraints extension is present and that cA is
+            // set to TRUE.  (If certificate i is a version 1 or version 2
+            // certificate, then the application MUST either verify that
+            // certificate i is a CA certificate through out-of-band means
+            // or reject the certificate.  Conforming implementations may
+            // choose to reject all version 1 and version 2 intermediate
+            // certificates.)
+            //
+            // We choose to reject all version 1 and version 2 intermediate
+            // certificates except that it is self issued by the trust
+            // anchor in order to support key rollover or changes in
+            // certificate policies.
+            int pathLenConstraint = -1;
+            if (currCert.getVersion() < 3) {    // version 1 or version 2
+                if (i == 1) {                   // issued by a trust anchor
+                    if (X509CertImpl.isSelfIssued(currCert)) {
+                        pathLenConstraint = Integer.MAX_VALUE;
+                    }
+                }
+            } else {
+                pathLenConstraint = currCert.getBasicConstraints();
+            }
+
             if (pathLenConstraint == -1) {
                 throw new CertPathValidatorException
-                    (msg + " check failed: this is not a CA certificate", null,
-                     null, -1, PKIXReason.NOT_CA_CERT);
+                    (msg + " check failed: this is not a CA certificate",
+                     null, null, -1, PKIXReason.NOT_CA_CERT);
             }
 
             if (!X509CertImpl.isSelfIssued(currCert)) {