7025073: Stricter check on trust anchor makes VerifyCACerts.java test fail

Summary: loosen the check for version 1 and 2 X.509 certificate
Reviewed-by: mullan, weijun

src/share/classes/sun/security/provider/certpath/AdaptableX509CertSelector.java

@@ -46,10 +46,16 @@ import sun.security.x509.AuthorityKeyIdentifierExtension;
  */
 class AdaptableX509CertSelector extends X509CertSelector {
     // The start date of a validity period.
-    private Date startDate = null;
+    private Date startDate;
 
     // The end date of a validity period.
-    private Date endDate = null;
+    private Date endDate;
+
+    // Is subject key identifier sensitive?
+    private boolean isSKIDSensitive = false;
+
+    // Is serial number sensitive?
+    private boolean isSNSensitive = false;
 
     AdaptableX509CertSelector() {
         super();
@@ -97,15 +103,24 @@ class AdaptableX509CertSelector extends X509CertSelector {
         if (akidext != null) {
             KeyIdentifier akid = (KeyIdentifier)akidext.get(akidext.KEY_ID);
             if (akid != null) {
-                DerOutputStream derout = new DerOutputStream();
-                derout.putOctetString(akid.getIdentifier());
-                super.setSubjectKeyIdentifier(derout.toByteArray());
+                // Do not override the previous setting
+                if (getSubjectKeyIdentifier() == null) {
+                    DerOutputStream derout = new DerOutputStream();
+                    derout.putOctetString(akid.getIdentifier());
+                    super.setSubjectKeyIdentifier(derout.toByteArray());
+
+                    isSKIDSensitive = true;
+                }
             }
 
             SerialNumber asn =
                 (SerialNumber)akidext.get(akidext.SERIAL_NUMBER);
             if (asn != null) {
-                super.setSerialNumber(asn.getNumber());
+                // Do not override the previous setting
+                if (getSerialNumber() == null) {
+                    super.setSerialNumber(asn.getNumber());
+                    isSNSensitive = true;
+                }
             }
 
             // the subject criterion should be set by the caller.
@@ -148,11 +163,25 @@ class AdaptableX509CertSelector extends X509CertSelector {
             }
         }
 
-        if (version < 3 || xcert.getExtensionValue("2.5.29.14") == null) {
-            // If no SubjectKeyIdentifier extension, don't bother to check it.
+        // If no SubjectKeyIdentifier extension, don't bother to check it.
+        if (isSKIDSensitive &&
+            (version < 3 || xcert.getExtensionValue("2.5.29.14") == null)) {
             setSubjectKeyIdentifier(null);
         }
 
+        // In practice, a CA may replace its root certificate and require that
+        // the existing certificate is still valid, even if the AKID extension
+        // does not match the replacement root certificate fields.
+        //
+        // Conservatively, we only support the replacement for version 1 and
+        // version 2 certificate. As for version 2, the certificate extension
+        // may contain sensitive information (for example, policies), the
+        // AKID need to be respected to seek the exact certificate in case
+        // of key or certificate abuse.
+        if (isSNSensitive && version < 3) {
+            setSerialNumber(null);
+        }
+
         return super.match(cert);
     }
 

src/share/classes/sun/security/provider/certpath/ForwardBuilder.java

@@ -243,12 +243,6 @@ class ForwardBuilder extends Builder {
                     caTargetSelector.setPolicy(getMatchingPolicies());
             }
 
-            /*
-             * Require CA certs with a pathLenConstraint that allows
-             * at least as many CA certs that have already been traversed
-             */
-            caTargetSelector.setBasicConstraints(currentState.traversedCACerts);
-
             sel = caTargetSelector;
         } else {
 
@@ -282,12 +276,6 @@ class ForwardBuilder extends Builder {
             CertPathHelper.setPathToNames
                 (caSelector, currentState.subjectNamesTraversed);
 
-            /*
-             * Require CA certs with a pathLenConstraint that allows
-             * at least as many CA certs that have already been traversed
-             */
-            caSelector.setBasicConstraints(currentState.traversedCACerts);
-
             /*
              * Facilitate certification path construction with authority
              * key identifier and subject key identifier.
@@ -305,6 +293,14 @@ class ForwardBuilder extends Builder {
             sel = caSelector;
         }
 
+        /*
+         * For compatibility, conservatively, we don't check the path
+         * length constraint of trusted anchors.  Please don't set the
+         * basic constraints criterion unless the trusted certificate
+         * matching is completed.
+         */
+        sel.setBasicConstraints(-1);
+
         for (X509Certificate trustedCert : trustedCerts) {
             if (sel.match(trustedCert)) {
                 if (debug != null) {
@@ -323,6 +319,12 @@ class ForwardBuilder extends Builder {
          */
         sel.setCertificateValid(date);
 
+        /*
+         * Require CA certs with a pathLenConstraint that allows
+         * at least as many CA certs that have already been traversed
+         */
+        sel.setBasicConstraints(currentState.traversedCACerts);
+
         /*
          * If we have already traversed as many CA certs as the maxPathLength
          * will allow us to, then we don't bother looking through these