changeset 57688:e5dff6472c29
8227758: More valid PKIX processing
Reviewed-by: xuelei, rhalade, coffeys, mschoene
author | mullan |
---|---|
date | Mon, 26 Aug 2019 13:57:51 -0400 |
parents | 114c4bc33596 |
children | e331a67f4059 |
files | src/java.base/share/classes/sun/security/validator/PKIXValidator.java test/jdk/sun/security/tools/jarsigner/ConciseJarsigner.java |
diffstat | 2 files changed, 25 insertions(+), 28 deletions(-) [+] |
--- a/src/java.base/share/classes/sun/security/validator/PKIXValidator.java Wed Aug 21 18:07:29 2019 -0700
+++ b/src/java.base/share/classes/sun/security/validator/PKIXValidator.java Mon Aug 26 13:57:51 2019 -0400
@@ -195,6 +195,7 @@
 ("null or zero-length certificate chain");
 }
+ // Use PKIXExtendedParameters for timestamp and variant additions
 PKIXBuilderParameters pkixParameters = null;
 try {
@@ -224,28 +225,30 @@
 for (int i = 0; i < chain.length; i++) {
 X509Certificate cert = chain[i];
 X500Principal dn = cert.getSubjectX500Principal();
- if (i != 0 && !dn.equals(prevIssuer)) {
- // chain is not ordered correctly, call builder instead
- return doBuild(chain, otherCerts, pkixParameters);
- }
- // Check if chain[i] is already trusted. It may be inside
- // trustedCerts, or has the same dn and public key as a cert
- // inside trustedCerts. The latter happens when a CA has
- // updated its cert with a stronger signature algorithm in JRE
- // but the weak one is still in circulation.
-
- if (trustedCerts.contains(cert) || // trusted cert
- (trustedSubjects.containsKey(dn) && // replacing ...
- trustedSubjects.get(dn).contains( // ... weak cert
- cert.getPublicKey()))) {
- if (i == 0) {
+ if (i == 0) {
+ if (trustedCerts.contains(cert)) {
 return new X509Certificate[] {chain[0]};
 }
- // Remove and call validator on partial chain [0 .. i-1]
- X509Certificate[] newChain = new X509Certificate[i];
- System.arraycopy(chain, 0, newChain, 0, i);
- return doValidate(newChain, pkixParameters);
+ } else {
+ if (!dn.equals(prevIssuer)) {
+ // chain is not ordered correctly, call builder instead
+ return doBuild(chain, otherCerts, pkixParameters);
+ }
+ // Check if chain[i] is already trusted. It may be inside
+ // trustedCerts, or has the same dn and public key as a cert
+ // inside trustedCerts. The latter happens when a CA has
+ // updated its cert with a stronger signature algorithm in JRE
+ // but the weak one is still in circulation.
+ if (trustedCerts.contains(cert) || // trusted cert
+ (trustedSubjects.containsKey(dn) && // replacing ...
+ trustedSubjects.get(dn).contains( // ... weak cert
+ cert.getPublicKey()))) {
+ // Remove and call validator on partial chain [0 .. i-1]
+ X509Certificate[] newChain = new X509Certificate[i];
+ System.arraycopy(chain, 0, newChain, 0, i);
+ return doValidate(newChain, pkixParameters);
+ }
 }
 prevIssuer = cert.getIssuerX500Principal();
 }
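Review bot: The new `i == 0` branch accepts chain[0] only on an exact `trustedCerts.contains(cert)` hit, while the comment block that was moved into the `else` branch still describes the DN-plus-public-key equivalence as the general "already trusted" rule, and nothing at the `i == 0` branch says the narrower check for the leaf is intentional, so a later reader could reintroduce the shortcut there for symmetry. I would add a comment above `if (trustedCerts.contains(cert)) {` such as `// chain[0] is accepted only when this exact certificate is a trust anchor; a subject/key match with an anchor (the rule used below for i > 0) is deliberately not enough for the end entity`. The enclosing method starts and ends outside the hunk, so how a non-anchor leaf that falls through to `prevIssuer = ...` is validated afterwards cannot be confirmed from this hunk.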
--- a/test/jdk/sun/security/tools/jarsigner/ConciseJarsigner.java Wed Aug 21 18:07:29 2019 -0700
+++ b/test/jdk/sun/security/tools/jarsigner/ConciseJarsigner.java Mon Aug 26 13:57:51 2019 -0400
@@ -23,7 +23,7 @@
 /*
 * @test
- * @bug 6802846 8172529
+ * @bug 6802846 8172529 8227758
 * @summary jarsigner needs enhanced cert validation(options)
 * @library /test/lib
 * @run main/timeout=240 ConciseJarsigner
@@ -227,17 +227,11 @@
 + "a.jar altchain")
 .shouldHaveExitValue(0);
- // if ca2 is removed, -certchain still work because altchain is a
- // self-signed entry and it is trusted by jarsigner
+ // if ca2 is removed and cert is imported, -certchain won't work
+ // because this certificate entry is not trusted
 // save ca2.cert for easy replay
 kt("-exportcert -file ca2.cert -alias ca2");
 kt("-delete -alias ca2");
- js("-strict -keystore ks -storepass changeit "
- + "-certchain certchain a.jar altchain")
- .shouldHaveExitValue(0);
-
- // if cert is imported, -certchain won't work because this
- // certificate entry is not trusted
 kt("-importcert -file certchain -alias altchain -noprompt");
 js("-strict -keystore ks -storepass changeit "
 + "-certchain certchain a.jar altchain")