提交 be371a45 编写于 作者: J juh

8066479: Better certificate chain validation

Reviewed-by: mullan
上级 e5813743
......@@ -707,6 +707,11 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
entry.protectedPrivKey = key.clone();
if (chain != null) {
// validate cert-chain
if ((chain.length > 1) && (!validateChain(chain))) {
throw new KeyStoreException("Certificate chain is "
+ "not valid");
}
entry.chain = chain.clone();
certificateCount += chain.length;
......@@ -1448,7 +1453,12 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
if (!(issuerDN.equals(subjectDN)))
return false;
}
return true;
// Check for loops in the chain. If there are repeated certs,
// the Set of certs in the chain will contain fewer certs than
// the chain
Set<Certificate> set = new HashSet<>(Arrays.asList(certChain));
return set.size() == certChain.length;
}
......@@ -2022,7 +2032,24 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
ArrayList<X509Certificate> chain =
new ArrayList<X509Certificate>();
X509Certificate cert = findMatchedCertificate(entry);
mainloop:
while (cert != null) {
// Check for loops in the certificate chain
if (!chain.isEmpty()) {
for (X509Certificate chainCert : chain) {
if (cert.equals(chainCert)) {
if (debug != null) {
debug.println("Loop detected in " +
"certificate chain. Skip adding " +
"repeated cert to chain. Subject: " +
cert.getSubjectX500Principal()
.toString());
}
break mainloop;
}
}
}
chain.add(cert);
X500Principal issuerDN = cert.getIssuerX500Principal();
if (issuerDN.equals(cert.getSubjectX500Principal())) {
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册