8066479: Better certificate chain validation

Reviewed-by: mullan

8066479: Better certificate chain validation
Reviewed-by: mullan
be371a45 · juh · e5813743 · be371a45
隐藏空白更改
内联并排

Showing with 28 addition and 1 deletion

src/share/classes/sun/security/pkcs12/PKCS12KeyStore.java src/share/classes/sun/security/pkcs12/PKCS12KeyStore.java +28 -1

未找到文件。
--- a/src/share/classes/sun/security/pkcs12/PKCS12KeyStore.java
+++ b/src/share/classes/sun/security/pkcs12/PKCS12KeyStore.java
@@ -707,6 +707,11 @@ public final class PKCS12KeyStore extends KeyStoreSpi {

        entry.protectedPrivKey = key.clone();
        if (chain != null) {
+            // validate cert-chain
+            if ((chain.length > 1) && (!validateChain(chain))) {
+                throw new KeyStoreException("Certificate chain is "
+                        + "not valid");
+            }
            entry.chain = chain.clone();
            certificateCount += chain.length;

@@ -1448,7 +1453,12 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
            if (!(issuerDN.equals(subjectDN)))
                return false;
        }
-        return true;
+
+        // Check for loops in the chain. If there are repeated certs,
+        // the Set of certs in the chain will contain fewer certs than
+        // the chain
+        Set<Certificate> set = new HashSet<>(Arrays.asList(certChain));
+        return set.size() == certChain.length;
    }


@@ -2022,7 +2032,24 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
                ArrayList<X509Certificate> chain =
                                new ArrayList<X509Certificate>();
                X509Certificate cert = findMatchedCertificate(entry);
+
+                mainloop:
                while (cert != null) {
+                    // Check for loops in the certificate chain
+                    if (!chain.isEmpty()) {
+                        for (X509Certificate chainCert : chain) {
+                            if (cert.equals(chainCert)) {
+                                if (debug != null) {
+                                    debug.println("Loop detected in " +
+                                        "certificate chain. Skip adding " +
+                                        "repeated cert to chain. Subject: " +
+                                        cert.getSubjectX500Principal()
+                                            .toString());
+                                }
+                                break mainloop;
+                            }
+                        }
+                    }
                    chain.add(cert);
                    X500Principal issuerDN = cert.getIssuerX500Principal();
                    if (issuerDN.equals(cert.getSubjectX500Principal())) {