changeset 57688:e5dff6472c29

8227758: More valid PKIX processing Reviewed-by: xuelei, rhalade, coffeys, mschoene
author mullan
date Mon, 26 Aug 2019 13:57:51 -0400
parents 114c4bc33596
children e331a67f4059
files src/java.base/share/classes/sun/security/validator/PKIXValidator.java test/jdk/sun/security/tools/jarsigner/ConciseJarsigner.java
diffstat 2 files changed, 25 insertions(+), 28 deletions(-) [+]
--- a/src/java.base/share/classes/sun/security/validator/PKIXValidator.java	Wed Aug 21 18:07:29 2019 -0700
+++ b/src/java.base/share/classes/sun/security/validator/PKIXValidator.java	Mon Aug 26 13:57:51 2019 -0400
@@ -195,6 +195,7 @@
                 ("null or zero-length certificate chain");
         }
 
+
         // Use PKIXExtendedParameters for timestamp and variant additions
         PKIXBuilderParameters pkixParameters = null;
         try {
@@ -224,28 +225,30 @@
         for (int i = 0; i < chain.length; i++) {
             X509Certificate cert = chain[i];
             X500Principal dn = cert.getSubjectX500Principal();
-            if (i != 0 && !dn.equals(prevIssuer)) {
-                // chain is not ordered correctly, call builder instead
-                return doBuild(chain, otherCerts, pkixParameters);
-            }
 
-            // Check if chain[i] is already trusted. It may be inside
-            // trustedCerts, or has the same dn and public key as a cert
-            // inside trustedCerts. The latter happens when a CA has
-            // updated its cert with a stronger signature algorithm in JRE
-            // but the weak one is still in circulation.
-
-            if (trustedCerts.contains(cert) ||          // trusted cert
-                    (trustedSubjects.containsKey(dn) && // replacing ...
-                     trustedSubjects.get(dn).contains(  // ... weak cert
-                        cert.getPublicKey()))) {
-                if (i == 0) {
+            if (i == 0) {
+                if (trustedCerts.contains(cert)) {
                     return new X509Certificate[] {chain[0]};
                 }
-                // Remove and call validator on partial chain [0 .. i-1]
-                X509Certificate[] newChain = new X509Certificate[i];
-                System.arraycopy(chain, 0, newChain, 0, i);
-                return doValidate(newChain, pkixParameters);
+            } else {
+                if (!dn.equals(prevIssuer)) {
+                    // chain is not ordered correctly, call builder instead
+                    return doBuild(chain, otherCerts, pkixParameters);
+                }
+                // Check if chain[i] is already trusted. It may be inside
+                // trustedCerts, or has the same dn and public key as a cert
+                // inside trustedCerts. The latter happens when a CA has
+                // updated its cert with a stronger signature algorithm in JRE
+                // but the weak one is still in circulation.
+                if (trustedCerts.contains(cert) ||          // trusted cert
+                        (trustedSubjects.containsKey(dn) && // replacing ...
+                         trustedSubjects.get(dn).contains(  // ... weak cert
+                            cert.getPublicKey()))) {
+                    // Remove and call validator on partial chain [0 .. i-1]
+                    X509Certificate[] newChain = new X509Certificate[i];
+                    System.arraycopy(chain, 0, newChain, 0, i);
+                    return doValidate(newChain, pkixParameters);
+                }
             }
             prevIssuer = cert.getIssuerX500Principal();
         }
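Review bot: The new `if (i == 0)` branch deliberately drops the subject-DN/public-key match that the `else` branch still applies, but nothing in the hunk says why, so a later cleanup could plausibly merge the two branches back and reopen the issue. I would add a comment above `if (trustedCerts.contains(cert))`: `// The end-entity must be an exact trust anchor. The DN/public-key "weak cert replacement" match below is only applied to issuer certs; applying it at index 0 previously returned chain[0] as trusted without ever running the PKIX validator on it.` The removed lines show that earlier behavior, so the claim is traceable to this hunk rather than inferred. The enclosing method starts before this hunk, and the existing comment block on the replacement logic would read better if it said it applies to intermediate/issuer positions only.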
--- a/test/jdk/sun/security/tools/jarsigner/ConciseJarsigner.java	Wed Aug 21 18:07:29 2019 -0700
+++ b/test/jdk/sun/security/tools/jarsigner/ConciseJarsigner.java	Mon Aug 26 13:57:51 2019 -0400
@@ -23,7 +23,7 @@
 
 /*
  * @test
- * @bug 6802846 8172529
+ * @bug 6802846 8172529 8227758
  * @summary jarsigner needs enhanced cert validation(options)
  * @library /test/lib
  * @run main/timeout=240 ConciseJarsigner
@@ -227,17 +227,11 @@
                 + "a.jar altchain")
                 .shouldHaveExitValue(0);
 
-        // if ca2 is removed, -certchain still work because altchain is a
-        // self-signed entry and it is trusted by jarsigner
+        // if ca2 is removed and cert is imported, -certchain won't work
+        // because this certificate entry is not trusted
         // save ca2.cert for easy replay
         kt("-exportcert -file ca2.cert -alias ca2");
         kt("-delete -alias ca2");
-        js("-strict -keystore ks -storepass changeit "
-                + "-certchain certchain a.jar altchain")
-                .shouldHaveExitValue(0);
-
-        // if cert is imported, -certchain won't work because this
-        // certificate entry is not trusted
         kt("-importcert -file certchain -alias altchain -noprompt");
         js("-strict -keystore ks -storepass changeit "
                 + "-certchain certchain a.jar altchain")