提交 5a8f41f7 编写于 作者: M mullan

8073894: Getting to the root of certificate chains

Reviewed-by: weijun, igerasim, ahgross
上级 1b2bedf4
/* /*
* Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -159,12 +159,19 @@ public final class PKIXCertPathValidator extends CertPathValidatorSpi { ...@@ -159,12 +159,19 @@ public final class PKIXCertPathValidator extends CertPathValidatorSpi {
ValidatorParams params) ValidatorParams params)
throws CertPathValidatorException throws CertPathValidatorException
{ {
// check if anchor is untrusted
UntrustedChecker untrustedChecker = new UntrustedChecker();
X509Certificate anchorCert = anchor.getTrustedCert();
if (anchorCert != null) {
untrustedChecker.check(anchorCert);
}
int certPathLen = params.certificates().size(); int certPathLen = params.certificates().size();
// create PKIXCertPathCheckers // create PKIXCertPathCheckers
List<PKIXCertPathChecker> certPathCheckers = new ArrayList<>(); List<PKIXCertPathChecker> certPathCheckers = new ArrayList<>();
// add standard checkers that we will be using // add standard checkers that we will be using
certPathCheckers.add(new UntrustedChecker()); certPathCheckers.add(untrustedChecker);
certPathCheckers.add(new AlgorithmChecker(anchor)); certPathCheckers.add(new AlgorithmChecker(anchor));
certPathCheckers.add(new KeyChecker(certPathLen, certPathCheckers.add(new KeyChecker(certPathLen,
params.targetCertConstraints())); params.targetCertConstraints()));
......
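Review bot: The anchor check added at the top of this method body is skipped without comment when `anchor.getTrustedCert()` returns null, which is the case for a TrustAnchor built from a CA name and public key rather than a certificate. That is probably unavoidable, since there is no certificate to hand to `UntrustedChecker`, but a reader auditing distrust coverage should not have to work it out. I would extend the comment to `// check if anchor is untrusted; anchors given as name + public key carry no certificate and are not checked here`. The same `untrustedChecker` instance is then added to `certPathCheckers`, which is safe only if the checker keeps no per-validation state; its source is not on this page, so confirm. The method body starts and ends outside the hunk.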
/* /*
* Copyright (c) 2002, 2012, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -141,8 +141,18 @@ public final class SimpleValidator extends Validator { ...@@ -141,8 +141,18 @@ public final class SimpleValidator extends Validator {
// create distrusted certificates checker // create distrusted certificates checker
UntrustedChecker untrustedChecker = new UntrustedChecker(); UntrustedChecker untrustedChecker = new UntrustedChecker();
// check if anchor is untrusted
X509Certificate anchorCert = chain[chain.length - 1];
try {
untrustedChecker.check(anchorCert);
} catch (CertPathValidatorException cpve) {
throw new ValidatorException(
"Untrusted certificate: "+ anchorCert.getSubjectX500Principal(),
ValidatorException.T_UNTRUSTED_CERT, anchorCert, cpve);
}
// create default algorithm constraints checker // create default algorithm constraints checker
TrustAnchor anchor = new TrustAnchor(chain[chain.length - 1], null); TrustAnchor anchor = new TrustAnchor(anchorCert, null);
AlgorithmChecker defaultAlgChecker = new AlgorithmChecker(anchor); AlgorithmChecker defaultAlgChecker = new AlgorithmChecker(anchor);
// create application level algorithm constraints checker // create application level algorithm constraints checker
......
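Review bot: The `ValidatorException` raised for a distrusted anchor uses the generic text `"Untrusted certificate: "`, so a log reader cannot tell a distrusted root from a distrusted certificate lower in the chain if other code uses the same wording (not visible here). Naming the role would help triage, and the operator spacing can be fixed at the same time: `"Untrusted trust anchor: " + anchorCert.getSubjectX500Principal(),`. Check first whether any caller or test matches on the message text. The new code also takes `chain[chain.length - 1]` with no visible emptiness guard; the old side already did this for the `TrustAnchor`, and whether an empty chain can reach this point depends on code above the hunk. The enclosing method starts and ends outside the hunk.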