8227758: More valid PKIX processing

Reviewed-by: andrew

src/share/classes/sun/security/validator/PKIXValidator.java

 /*
- * Copyright (c) 2002, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -209,6 +209,7 @@ public final class PKIXValidator extends Validator {
                 ("null or zero-length certificate chain");
         }
 
+
         // Use PKIXExtendedParameters for timestamp and variant additions
         PKIXBuilderParameters pkixParameters = null;
         try {
@@ -234,30 +235,31 @@ public final class PKIXValidator extends Validator {
             for (int i = 0; i < chain.length; i++) {
                 X509Certificate cert = chain[i];
                 X500Principal dn = cert.getSubjectX500Principal();
-                if (i != 0 &&
-                    !dn.equals(prevIssuer)) {
+
+                if (i == 0) {
+                    if (trustedCerts.contains(cert)) {
+                        return new X509Certificate[] {chain[0]};
+                    }
+                } else {
+                    if (!dn.equals(prevIssuer)) {
                         // chain is not ordered correctly, call builder instead
                         return doBuild(chain, otherCerts, pkixParameters);
                     }
-
                     // Check if chain[i] is already trusted. It may be inside
                     // trustedCerts, or has the same dn and public key as a cert
                     // inside trustedCerts. The latter happens when a CA has
                     // updated its cert with a stronger signature algorithm in JRE
                     // but the weak one is still in circulation.
-
                     if (trustedCerts.contains(cert) ||          // trusted cert
                             (trustedSubjects.containsKey(dn) && // replacing ...
                              trustedSubjects.get(dn).contains(  // ... weak cert
                                 cert.getPublicKey()))) {
-                    if (i == 0) {
-                        return new X509Certificate[] {chain[0]};
-                    }
                         // Remove and call validator on partial chain [0 .. i-1]
                         X509Certificate[] newChain = new X509Certificate[i];
                         System.arraycopy(chain, 0, newChain, 0, i);
                         return doValidate(newChain, pkixParameters);
                     }
+                }
                 prevIssuer = cert.getIssuerX500Principal();
             }
 

test/sun/security/tools/jarsigner/concise_jarsigner.sh

@@ -22,7 +22,7 @@
 #
 
 # @test
-# @bug 6802846 8172529
+# @bug 6802846 8172529 8227758
 # @summary jarsigner needs enhanced cert validation(options)
 #
 # @run shell/timeout=240 concise_jarsigner.sh
@@ -207,15 +207,11 @@ $JARSIGNER -strict -keystore $KS -storepass changeit a.jar altchain
 $JARSIGNER -strict -keystore $KS -storepass changeit -certchain certchain a.jar altchain
 [ $? = 0 ] || exit $LINENO
 
-# if ca2 is removed, -certchain still work because altchain is a self-signed entry and
-# it is trusted by jarsigner
+# if ca2 is removed and cert is imported, -certchain won't work because this certificate
+# entry is not trusted
 # save ca2.cert for easy replay
 $KT -exportcert -file ca2.cert -alias ca2
 $KT -delete -alias ca2
-$JARSIGNER -strict -keystore $KS -storepass changeit -certchain certchain a.jar altchain
-[ $? = 0 ] || exit $LINENO
-
-# if cert is imported, -certchain won't work because this certificate entry is not trusted
 $KT -importcert -file certchain -alias altchain -noprompt
 $JARSIGNER -strict -keystore $KS -storepass changeit -certchain certchain a.jar altchain
 [ $? = 4 ] || exit $LINENO